04-11-2016 09:47 PM - edited 03-05-2019 03:46 AM
Hi All,
Can someone please assist me with this issue which has me scratching my head?
Scenario:
Customer Site A has a Cisco 1921 router running c1900-universalk9-mz.SPA.152-4.M5.bin version of code. It is connected to a broadband service provider with the Dialer interface setup with the respective chap credentials for authentication.
I'm running an IPSec VPN over that to the HQ site where the VPN terminates on a Cisco Meraki MX80 device giving Customer Site A access to all other corporate sites reachable via the HQ site.
The HQ site is also the point at which Internet access is given both to Corporate sites connected via a traditional carrier network and remote sites which VPN into the HQ office.
The VPN is operational and I have connectivity to ALL corporate sites without issue. What I cannot get to work from this Customer Site A is the connectivity to the internet. A ping to google.com or any other pingable internet address sourcing from any of the LAN subnets at Customer Site A does not work; however, a ping to any internet site sourcing from the Dialer interface does work. A traceroute to google.com, as an example, sourcing from the Dialer interface shows the path taken does not include the HQ site and appears to be using the service provider's default internet exit point for internet services. This is what is confusing me, as the VPN is, or should be, set up to ensure that all outbound traffic lands on the HQ concentrator and routes accordingly from there.
From what I can tell, there is routing in place (via a default route pointing out the dialer interface) and no ACL to prohibit this traffic (again as far as I can tell).
Router configuration:
* Please see attached files showing router configuration as well as router output of show version and show ip cache flow.
I would be grateful if anyone could shed some light on the matter?
Kind Regards
Andrew Morris
04-12-2016 03:05 AM
Hi Andrew
Had a quick look at this. I don't see any ip nat inside on your interfaces, only one set, and I don't see any ip nat outside, so I'm guessing that's why internet is only working from the dialer and not the LAN. Everything else looks good.
Add ip nat inside to the LAN sub-interfaces and ip nat outside to the dialer and try again. Let me know.
04-12-2016 06:11 AM
Hi Mark,
Thanks for the response. So ordinarily yes, you would apply nat as you mentioned however the Internet access is out of the HQ site where the source nat occurs at a firewall for Internet bound traffic so it is the intention for packets to arrive at the HQ site via VPN with a source address = Lan subnet address = private address.
A user from one of the LAN subnets accessing Google.com for instance should land on the HQ VPN concentrator with the 10.200.xx.xx address as the source and then default routing at that point will direct traffic towards the firewall to be source natted. It's only there where Internet bound traffic needs to be source natted.
Is there something else I'm missing or have I potentially hit a bug?
04-12-2016 06:44 AM
Ah, sorry, my bad. Everything should go to HQ, including internet traffic, to break out; not a bug.
What about using a route-map matching any web-based traffic from a source of the LAN and redirecting it down the VPN as next hop so it doesn't break out of the dialer locally?
This link talks about it
http://www.cisco.com/c/en/us/products/collateral/security/ios-easy-vpn/prod_white_paper0900aecd805f0bd6.html
ip access-list extended INTERNETTRAFFIC
 permit tcp (LAN SUBNETS) any eq www
!
route-map INTERNETTRAFFIC permit 10
 match ip address INTERNETTRAFFIC
 set ip next-hop X.X.X.X (FAR END VPN PEER)
!
interface Dialer1
 ip policy route-map INTERNETTRAFFIC
04-12-2016 06:55 AM
Hi Mark,
Think you may be onto something there. That makes sense. I'll give this a go during the next available change window.
Thanks and will feedback once I've had an opportunity to test this out.
04-12-2016 07:07 AM
Yes, it's a bit ugly, but all the docs seem to point to PBR as the solution for this. You would think there would be something a bit smoother from Cisco. Maybe someone else will add in before your next window comes around with something better. I'll check a bit further myself anyway; if I find something I'll post it here.
04-12-2016 06:41 PM
Hi Mark,
I've also had a thought which I will try next time, and which I don't know why I had not thought to try.
I'll amend the default route to have next hop as far end VPN peer rather than out of the Dialer interface.
If I am not mistaken, this should probably also do the trick?
04-12-2016 06:44 PM
I think you should change your username or else you will be busy deleting spam.
04-12-2016 11:53 PM
Yes, sounds good, you should try that as well. If it doesn't work, yes, it would be best to put PBR on the LAN interface rather than the dialer.
04-12-2016 11:56 PM
Thanks Mark,
Will let you know how I get on!
04-13-2016 02:03 AM
Hi,
you might need to add some route to reach the VPN peer then?
BR,
Milan
04-12-2016 10:27 PM
Hi Mark,
Also, the PBR route-map would need to be applied to the LAN interfaces if I am not mistaken as that is where the traffic will arrive on first?
You mentioned applying to Dialer interface but is that correct?
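Pulling the thread's two suggestions together as one added configuration sketch (mine, not taken from Andrew's attached config or from Mark's post): the PBR route-map applied on a LAN sub-interface where the traffic first arrives, as Mark and Andrew settled on, and, as an alternative, Andrew's default-route change with the host route Milan's point implies. The LAN subnet 10.200.1.0/24, the sub-interface name and the peer address 203.0.113.10 are placeholders, and the router's existing crypto configuration is assumed to already select LAN-to-any traffic for the tunnel.

```cisco
! Added example; placeholder names and addresses, not the poster's configuration.
! LAN 10.200.1.0/24 on GigabitEthernet0/0.10, broadband on Dialer1, far-end VPN peer 203.0.113.10.
!
! Option 1 (Mark's PBR, applied on the LAN side rather than Dialer1): match everything the LAN
! sends, not only tcp/www, so DNS, ICMP and HTTPS also take the HQ path instead of the local exit.
ip access-list extended INTERNETTRAFFIC
 remark All LAN-originated traffic is policy-routed toward the VPN peer
 permit ip 10.200.1.0 0.0.0.255 any
!
route-map INTERNETTRAFFIC permit 10
 match ip address INTERNETTRAFFIC
 set ip next-hop 203.0.113.10
!
interface GigabitEthernet0/0.10
 description LAN subnet 10.200.1.0/24
 ip policy route-map INTERNETTRAFFIC
!
! Option 2 (Andrew's idea): point the default route at the VPN peer instead of out Dialer1.
! The peer itself then needs its own route via Dialer1 (Milan's point); without it the default
! route resolves to itself and the tunnel cannot be reached at all.
ip route 203.0.113.10 255.255.255.255 Dialer1
ip route 0.0.0.0 0.0.0.0 203.0.113.10
!
! Assumption for either option: the IPsec policy on Dialer1 must still match LAN-to-any traffic,
! otherwise the packets leave Dialer1 toward the peer unencrypted and the provider routes them.
!
! Checks after the change window:
!   show route-map INTERNETTRAFFIC   (policy match counters should increase for LAN traffic)
!   show ip cache flow               (LAN-sourced flows should no longer exit Dialer1 in the clear)
!   show crypto ipsec sa             (encaps/decaps counters should rise for LAN-to-internet flows)
```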