IPSec default interface

cdpoff123
Level 1

I have IPsec set up between two networks, 172.18.1.0 (remote office) and 172.16.0.0 (corporate office), across the public internet. Except for one minor issue everything works well. If I telnet to the remote office router and then ping an address on 172.16.0.0, the ping fails unless I first set the source interface to the interface on network 172.18.1.0 using the command "ping 172.16.0.1 source vlan1" (this is where 172.18.1.0 is configured). If I run a trace, it reveals that traffic is attempting to route across the internet as opposed to routing through the IPsec tunnel. If I run a trace and set the source interface to vlan1 (this is where 172.18.1.0 is configured), everything works, and the trace reveals the traffic is routing across the IPsec tunnel.

I want to be able to TFTP my configuration to an address on 172.16.0.0 using the command "copy start tftp". The problem is, the TFTP traffic attempts to reach 172.16.0.0 across the internet and the copy command does not allow me to set the source interface. Any ideas on how to solve for this? Thanks.

2 Replies

By default the router uses the source IP of the interface where the packet leaves the router. If your VPN is built with crypto maps, then it is the IP of the external interface. The easiest way to solve the problem is to configure the source for the relevant protocols (replace Loop0 with your preferred interface):

ip tftp source-interface Loopback0

ip ssh source-interface Loopback0

If your two VPN-devices are both IOS-routers, then converting the config to virtual tunnel-interfaces would be even better:

http://www.cisco.com/en/US/partner/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
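The following configuration fragment is an added example, not part of the original thread or of Cisco's documentation, that puts the answer above into context: it shows why router-originated traffic misses a crypto-map tunnel, the source-interface fix, and the caveat that whatever source address you pick must itself match the crypto ACL on both peers. Only the two prefixes, Vlan1 as the 172.18.1.0 interface, the crypto-map style of VPN and the tftp/ssh commands come from the thread; the interface addresses, peer addresses (documentation ranges), ACL and crypto-map names, transform set, subnet masks and the TFTP server address 172.16.0.10 are assumptions made for illustration.

```cisco
! Added example (not from the original post). Remote-office router with a
! crypto-map IPsec tunnel to the corporate office. Names, ACL numbers, masks,
! peer/uplink addresses and the TFTP server 172.16.0.10 are assumptions.

! LAN interface for the remote office; its address already matches the crypto ACL.
interface Vlan1
 ip address 172.18.1.1 255.255.255.0

! Proxy ACL: only traffic matching this is encrypted. Router-originated traffic
! is sourced from the outgoing (Internet) interface by default, does not match,
! and is therefore forwarded to the Internet in the clear and dropped/rejected.
ip access-list extended CORP-VPN
 permit ip 172.18.1.0 0.0.0.255 172.16.0.0 0.0.255.255

crypto map CORP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address CORP-VPN

interface FastEthernet0/0
 description Internet uplink
 ip address 203.0.113.2 255.255.255.252
 crypto map CORP

! The fix: make management traffic the router itself generates use a source
! address the crypto ACL already covers, so it is encrypted like LAN traffic.
ip tftp source-interface Vlan1
ip ssh source-interface Vlan1
ip telnet source-interface Vlan1
logging source-interface Vlan1
ntp source Vlan1

! If a loopback is preferred (it stays up even if Vlan1 goes down), its address
! must also be permitted in the proxy ACL here AND mirrored on the corporate
! peer, or the loopback-sourced traffic bypasses the tunnel exactly as before:
! interface Loopback0
!  ip address 172.18.254.1 255.255.255.255
! ip access-list extended CORP-VPN
!  permit ip host 172.18.254.1 172.16.0.0 0.0.255.255
! ip tftp source-interface Loopback0
```

After applying the fix, `copy startup-config tftp://172.16.0.10/remote-office.cfg` should succeed, and `show crypto ipsec sa` should show the encaps/decaps counters for the 172.18.1.0 to 172.16.0.0 SA increasing while the copy runs; if they do not, the chosen source address is not matching the crypto ACL on one of the peers.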

Thank you. Setting the source interface for the specific protocol worked.