Solved: IPSec Site to Site with VTI

Huan NG · ‎06-16-2025

Hi all,

I'm testing out the configuration for an IPsec VTI Site-to-Site VPN and have successfully initiated an IPsec tunnel connection between two Cisco peers (R1 & R2) as shown below. The Tunnel interface on each router is up and running.
Each router has routes to networks on the other end. However, for some reason, I still can't ping between R3 & R4 (R3 has a default route pointing to R1's F0/1, and R4 has a default route pointing to R2's F0/1).
Any opinion on what's going wrong in the configuration of both peer routers would be much appreciated.

M02@rt37 · ‎06-16-2025

I'm on Cisco Modeling Lab. I confirm that your config is OK. R3 and R4 default route are configured and no more in order to have reachability beteween 13.13.13.0/24 and 24.24.24.0/24.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

View solution in original post

MHM Cisco World · ‎06-16-2025

Defualt route not force traffic to pass via tunnel

You need to static route using tunnel as egress interface in both R1 abd R2.

MHM

Huan NG · ‎06-16-2025

Hi,

Does it mean I need to set a static route on R3 & R4?

MHM Cisco World · ‎06-16-2025

Route needed

R3 and R4 have defualt route

R1 and R2 have defualt route

R1 abd R2 have static route toward R3/R4 IP using tunnel as egress interface

I.e. R1 have static route for R4 using tunnel interface

MHM

M02@rt37 · ‎06-16-2025

Hello @Huan NG

On R3 and R4 have you got default route configured ?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Huan NG · ‎06-16-2025

Hi,

As per screenshot, only dynamic routes (BGP and OSPF) on R1 and R2.

M02@rt37 · ‎06-16-2025

Ok @Huan NG . So you need routing on R3 and R4. Add default route on each of them.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Huan NG · ‎06-16-2025

Hi M02@rt37
Confirming that R3 has a default route pointing to R1's F0/1, and R4 has a default route pointing to R2's F0/1
But still they can't ping each other, which is strange.
Any other opinions on this?

M02@rt37 · ‎06-16-2025

Hello @Huan NG

@I did yesterday nothing else...nothing more than your configuration.

RIB on R1 ald R2 are the same also...

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Huan NG · ‎06-16-2025

M02@rt37 Thanks for confirming.
One thing I forgot to mention is that I'm testing out this lab on GNS3.
It may be a GNS3 limitation

M02@rt37 · ‎06-16-2025

I'm on Cisco Modeling Lab. I confirm that your config is OK. R3 and R4 default route are configured and no more in order to have reachability beteween 13.13.13.0/24 and 24.24.24.0/24.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 · ‎06-16-2025

@Huan NG

Since OSPF is Ok over your IPSec Site to Site/VTI tunnel, you only need default route on R3 and R4.

It is good after that:

On R4 you will see IP ADD of your tunnel as Next hop on hop#2:

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Huan NG · ‎06-16-2025

Hi M02@rt37
Confirming that R3 has a default route pointing to R1's F0/1, and R4 has a default route pointing to R2's F0/1
But still they can't ping each other, which is strange.
Any other opinions on this?

MHM Cisco World · ‎06-19-2025

This issue solved ?

MHM

Huan NG · ‎06-19-2025

Hi, yes it's resolved.
Nothing wrong with config on all routers.
It must be an issue with GNS3 as the lab works fine on Cisco Modeling Lab.
Thanks for following up.
Regards,