Cisco Router Site-to-Site IPsec - Routing (fallback)

yh-it
Level 1

Hi, 

I want to use a direct connection between two routers as the "first" way for the traffic, and as fallback I want to route the traffic to the VPN. 

The setup is / should use BFD for static routes. 

But I am not able to route the traffic through the VPN. So where is my mistake? 

R1: 

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxx address xxxxxxxxxxxxxxx
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer xxxxxxxxxxxxxxxxxxxxxxx
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 179.31.4.49 255.255.255.240
!
interface Loopback1
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 description Uplink Richtfunkstrecke
 ip address 179.31.4.17 255.255.255.240
 negotiation auto
 bfd interval 500 min_rx 500 multiplier 5
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
 description Uplink Firewall
 ip address 179.31.4.2 255.255.255.240
 crypto map CMAP
!
interface Vlan2
 no ip address
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 100 interface Vlan1 overload
ip route static bfd GigabitEthernet0/0/0 179.31.4.18 group group1
ip route 0.0.0.0 0.0.0.0 179.31.4.1
ip route 10.0.1.1 255.255.255.255 GigabitEthernet0/0/0 179.31.4.18
ip route 10.1.1.1 255.255.255.255 GigabitEthernet0/0/0 179.31.4.18
ip route 10.32.1.0 255.255.255.0 179.31.4.1
ip route 10.32.10.0 255.255.254.0 179.31.4.1
ip route 10.32.22.0 255.255.255.0 179.31.4.1
ip route 10.112.80.0 255.255.255.0 Loopback0 179.31.4.65 20
ip route 179.23.12.0 255.255.255.0 179.31.4.1
ip route 179.31.4.32 255.255.255.240 GigabitEthernet0/0/0 179.31.4.18
ip route 192.168.50.0 255.255.255.0 179.31.4.1
ip ssh version 2
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
 permit ip 179.31.4.0 0.0.0.15 179.31.4.64 0.0.0.15
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
access-list 100 permit ip 179.31.4.48 0.0.0.15 any
access-list 100 remark

R2:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address xxxxxxxxxxx
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer xxxxxxxxxxxxxxxx
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 179.31.4.65 255.255.255.240
!
interface Loopback2
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0/0
 ip address 179.31.4.18 255.255.255.240
 negotiation auto
 bfd interval 500 min_rx 500 multiplier 5
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
 ip address 179.31.4.34 255.255.255.240
 crypto map CMAP
!
interface Vlan2
 no ip address
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 100 interface Vlan1 overload
ip route static bfd GigabitEthernet0/0/0 179.31.4.17 group group1
ip route 0.0.0.0 0.0.0.0 179.31.4.33
ip route 10.0.0.1 255.255.255.255 GigabitEthernet0/0/0 179.31.4.17
ip route 10.32.1.0 255.255.255.0 Loopback0 179.31.4.49 20
ip route 10.32.10.0 255.255.254.0 GigabitEthernet0/0/0 179.31.4.17
ip route 10.32.22.0 255.255.255.0 GigabitEthernet0/0/0 179.31.4.17
ip route 10.112.80.0 255.255.255.0 179.31.4.33
ip route 179.23.12.0 255.255.255.0 GigabitEthernet0/0/0 179.31.4.17
ip route 179.31.4.0 255.255.255.240 GigabitEthernet0/0/0 179.31.4.17
ip route 192.168.50.0 255.255.255.0 GigabitEthernet0/0/0 179.31.4.17
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 179.31.4.64 0.0.0.15 179.31.4.48 0.0.0.15
 permit ip 179.31.4.0 0.0.0.15 179.31.4.0 0.0.0.15
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 179.31.4.64 0.0.0.15 179.31.4.48 0.0.0.15
access-list 100 permit ip 179.31.4.64 0.0.0.15 any
access-list 100 remark
2 Replies

Hello,

at first glance, the NAT access lists do not look correct. Make sure you deny (on both sides) exactly what is allowed in the VPN access list. The NAT access lists should look like this:

R1

access-list 100 deny ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
access-list 100 deny ip 179.31.4.0 0.0.0.15 179.31.4.64 0.0.0.15
access-list 100 permit ip 179.31.4.48 0.0.0.15 any

R2

access-list 100 deny ip 179.31.4.64 0.0.0.15 179.31.4.48 0.0.0.15
access-list 100 deny ip 179.31.4.0 0.0.0.15 179.31.4.0 0.0.0.15
access-list 100 permit ip 179.31.4.64 0.0.0.15 any
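A quick way to audit the posted ACLs against the rule in this reply (every flow the VPN access list permits needs an explicit deny in NAT ACL 100, ahead of any permit that would match it), as an added Python example that is not part of this thread. The R1_ACLS string is a constructed excerpt of the question's R1 config, and the parser handles only the "any" and "address wildcard" operand forms.

```python
import ipaddress
# Constructed excerpt of the R1 config from the question (crypto ACL plus NAT ACL).
R1_ACLS = """\
ip access-list extended VPN-TRAFFIC
 permit ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
 permit ip 179.31.4.0 0.0.0.15 179.31.4.64 0.0.0.15
!
access-list 100 remark -=[Define NAT Service]=-
access-list 100 deny   ip 179.31.4.48 0.0.0.15 179.31.4.64 0.0.0.15
access-list 100 permit ip 179.31.4.48 0.0.0.15 any
"""

def _operand(tokens, i):
    """Parse one ACL address operand ('any' or 'addr wildcard'); return (net, next)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts an IOS wildcard (inverse) mask as the hostmask.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_aces(config, acl_name):
    """Return [(action, src_net, dst_net)] for a named or numbered ACL, in order."""
    aces, in_block = [], False
    for line in config.splitlines():
        tokens = line.split()
        if line.startswith("ip access-list extended "):
            in_block = tokens[3] == acl_name          # enter a named ACL block
            continue
        in_block = in_block and line.startswith(" ")  # indented lines belong to it
        if in_block:
            entry = tokens
        elif tokens[:2] == ["access-list", acl_name]:
            entry = tokens[2:]                        # numbered ACL, one entry per line
        else:
            continue
        if not entry or entry[0] not in ("permit", "deny") or entry[1] != "ip":
            continue                                  # skip remarks and non-IP entries
        src, i = _operand(entry, 2)
        dst, _ = _operand(entry, i)
        aces.append((entry[0], src, dst))
    return aces

def missing_nat_exemptions(config, crypto_acl="VPN-TRAFFIC", nat_acl="100"):
    """Crypto-ACL flows ('src -> dst') whose first matching NAT entry is not an explicit deny."""
    nat_aces, missing = parse_aces(config, nat_acl), []
    for action, src, dst in parse_aces(config, crypto_acl):
        # IOS evaluates ACLs top-down: the first entry matching the flow decides.
        first = next(((a, s, d) for a, s, d in nat_aces
                      if src.subnet_of(s) and dst.subnet_of(d)), None)
        if action == "permit" and (first is None or first[0] != "deny"):
            missing.append(f"{src} -> {dst}")
    return missing
```

Run against the question's R1 ACLs it reports the second VPN-TRAFFIC flow, which is exactly the deny line this reply adds; feeding it the corrected ACL returns an empty list.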

I think you should use a routing protocol for this and not try to do it all with static routes. The main reason for this is that if you lose connectivity over the direct G0/0 interface but the interface doesn't physically go down, you will not fail over to the VPN path. If you run a routing protocol and have a floating static (less preferred admin distance) to the VPN path, that will fail over even if G0/0 is up when the connectivity is lost.
