IPSec VPN with Public IP on end and other side Private WAN Address

ittechk4u1
Level 4

Hello Experts,

I am trying to establish a Site-to-Site IPSec VPN between Plant A and Plant B.

Plant A: is getting a private IP (192.168.1.2) from the LTE/Vodafone router

Plant B: is directly connected to the ISP and getting a public IP (88.xxx.21.xxx)

Is there any method to make this setup work? Please provide me a sample config.

Thanks in advance.

39 Replies

Thanks for the updated output. It does confirm that the crypto negotiation has been successful. There is an ipsec sa but no traffic is carried over the vpn. I have seen this symptom of no traffic over the vpn be caused by the vpn traffic going through address translation. And I have seen this symptom caused by incorrect routing. Can you verify whether the router is doing address translation, and if it is can you verify that the vpn traffic is exempted from translation. Can you also verify that the routing is correct and that the traffic from the lan which should be encrypted is being routed through the interface where the crypto map is applied?

 

Another question: we are treating this like it was a traditional site to site vpn. The naming suggests that it might be DMVPN. Can you clarify whether this is site to site vpn or is DMVPN?

 

HTH

 

Rick


Thanks, Richard.

Can you verify whether the router is doing address translation, and if it is can you verify that the vpn traffic is exempted from translation.

I don't know how to check it... if I try to ping 8.8.8.8 over the interface which is connected to the LTE router, it is working.

PlantA#ping vrf ISP3 8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/56/147 ms

Can you also verify that the routing is correct and that the traffic from the lan which should be encrypted is being routed through the interface where the crypto map is applied?

Please see the attached config.

Can you clarify whether this is site to site vpn or is DMVPN?

It's a site-to-site VPN with crypto map.

Thanks again.

Please help with the issue!!!

You have shown part of the config but not enough to answer our questions completely. There are no nat statements on the interfaces, so I assume that address translation is not being done. Can you tell us some more about your environment? Is this vpn across the public Internet? Or is it over some private network? If translation is not on these routers, is the traffic being translated somewhere else?

You show us the outside interfaces in the vrf and the routing for those interfaces. But you do not show us the interfaces for the lan and how their traffic would get to the vrf. Can you provide clarification about this?

 

HTH

 

Rick


Thanks, Richard.

Spoke side: my Cisco router is connected to the Vodafone router, and the LTE router is NATing and giving us a private IP address.

HUB side: I have a direct public IP address on my interface on the Cisco router.

Now I also configured:

Spoke:

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 dhcp 171

Hub:

ip route 10.99.0.0 255.255.0.0 gigabitEthernet 0/0/0 171

Still the same issue.

Thanks

Here is the complete config attached from both routers (Hub and spoke).

Please check and let me know what needs to be changed to make it work.

Thanks in advance. I really appreciate your quick help.

Hello ittechk4u1,

first of all you should understand that all of us have a job and we participate in the Cisco forums as volunteers; we are not a paid support service.

It is useless to keep opening new threads on the same issue: I have counted 4 different threads and it creates only confusion.

I have examined the whole configuration files that you have attached on the first thread, the one with 20 or more replies.

I think you have the following basic problem:

you would like to set up a VPN over interface gi0/0/2, which belongs to vrf ISP3, but you would like to carry traffic that belongs to the global routing table, because I see that all internal interfaces, like the SVI interfaces Vlan3, Vlan4, Vlan6,

all of them belong to the global routing table:

Example:


interface Vlan4
description *** Management Transfer VLAN ***
ip address 10.99.4.252 255.255.255.0
standby 4 ip 10.99.4.254
standby 4 priority 110
standby 4 preempt
standby 4 authentication G@t4it

 

As we can see there is no vrf forwarding ISP3 statement here.

I think this is the root cause why you are not able to put traffic over the LAN to LAN IPsec VPN.

See the VRF-aware restrictions in the following document:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/xe-16-11/sec-ike-for-ipsec-vpns-xe-16-11-book/sec-vrf-aware-ipsec.html?dtid=osscdc000283

In particular we need to focus on the following point:

 

 

  • When the VRF-Aware IPsec feature is used with a crypto map, this crypto map cannot use the global VRF as the IVRF and a non-global VRF as the FVRF. However, configurations based on virtual tunnel interfaces do not have that limitation. When VTIs or Dynamic VTIs (DVTIs) are used, the global VRF can be used as the IVRF together with a non-global VRF used as the FVRF.

  • You must include the VRF in the local-address command when using the local address with VRF in the ISAKMP profile and keyring.

 

We need to look at the definitions of FVRF and IVRF:

 

Front Door VRF (FVRF) and Inside VRF (IVRF) are central to understanding the feature.

 

Each IPsec tunnel is associated with two VRF domains. The outer encapsulated packet belongs to one VRF domain, which we shall call the FVRF, while the inner, protected IP packet belongs to another domain called the IVRF. Another way of stating the same thing is that the local endpoint of the IPsec tunnel belongs to the FVRF while the source and destination addresses of the inside packet belong to the IVRF.

 

so in your case FVRF = vrf ISP3 and IVRF = global routing table, aka vrf default.

So you are in the limitation stated above:

  • When the VRF-Aware IPsec feature is used with a crypto map, this crypto map cannot use the global VRF as the IVRF and a non-global VRF as the FVRF. However, configurations based on virtual tunnel interfaces do not have that limitation. When VTIs or Dynamic VTIs (DVTIs) are used, the global VRF can be used as the IVRF together with a non-global VRF used as the FVRF.

You need to review the network design in order to be able to make the site to site VPN work:

either you put gi0/0/2 in the global routing table and remove any vrf reference in the crypto related configuration,

or you put all internal client facing interfaces in a VRF (that can be different from vrf ISP3).

 

The same limitation applies to the HUB router too.

 

Hope to help

Giuseppe

I had been thinking that the issue here was related to vrf. @Giuseppe Larosa has provided excellent details and explanations about why vrf is the issue in this design. Well deserved +5.

 

I also agree with the comments about opening multiple discussions on the same problem.

 

HTH

 

Rick


Thanks both of you for the valuable input.

Now I removed vrf on both sides... VPN is coming up but still no traffic flow.

 

PlantA#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
<ip> 192.168.178.99 QM_IDLE 1001 ACTIVE

 

 

Hello ittechk4u1,

on the hub router your default static route is using a wrong next-hop: it is the IP address of the router itself!!

>> ip route 0.0.0.0 0.0.0.0 80.152.21.187

The next-hop must be the IP address of the router connected to the HUB router.

 

PlantA#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
>>>>>80.152.21.187 192.168.178.99 QM_IDLE 1001 ACTIVE

 

Fix routing on HUB router and you should be able to see traffic over the LAN to LAN IPSec VPN now that any VRF has been removed.

 

Hope to help

Giuseppe
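Both of Giuseppe's findings in this thread (the crypto-map FVRF/IVRF limitation from the earlier post, and the default route pointing at the router's own address from this one) can be checked mechanically in a running-config before the tunnel is ever brought up. The following Python script is an added example, not code from this thread or from Cisco: it parses a small constructed IOS config (modelled on the spoke here, with made-up addresses such as 192.168.1.2 and 203.0.113.10) and flags (1) a crypto map applied on an interface in a non-global VRF while a LAN interface matched by the crypto ACL sits in the global table, and (2) a static route whose next hop is one of the router's own addresses. The parser is deliberately narrow (numbered extended ACLs, `vrf forwarding`, `ip address`, `crypto map` and `ip route` lines) and is an assumption about the config format, not a general IOS parser.

```python
# Added example (not from the thread or from Cisco): audit an IOS running-config for
# (1) a crypto map whose FVRF is a VRF while a LAN interface matched by its ACL is in
#     the global table (IVRF global), which crypto maps do not support, and
# (2) a static route whose next hop is one of the router's own interface addresses.
import ipaddress
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample modelled on the spoke in the thread; addresses are made up.
SAMPLE_CONFIG = """\
vrf definition ISP3
 address-family ipv4
!
access-list 101 permit ip 10.99.0.0 0.0.255.255 10.18.0.0 0.0.255.255
!
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 match address 101
!
interface GigabitEthernet0/0/2
 vrf forwarding ISP3
 ip address 192.168.1.2 255.255.255.0
 crypto map CMAP
!
interface Vlan4
 ip address 10.99.4.252 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2
ip route 10.18.0.0 255.255.0.0 192.168.1.1
"""


def _acl_operand(tokens):
    """Return (network, tokens consumed) for 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    # ipaddress accepts an IOS wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), 2


def parse_config(text):
    """Collect interfaces, extended ACLs, crypto maps and static routes."""
    cfg = {"interfaces": {}, "acls": {}, "crypto_maps": {}, "static_routes": []}
    block = None  # interface or crypto-map dict that indented lines belong to
    for line in text.splitlines():
        words = line.split()
        if not words or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command starts a new block
            block = None
            if words[0] == "interface":
                block = cfg["interfaces"].setdefault(
                    words[1], {"vrf": "global", "address": None, "crypto_map": None})
            elif words[:2] == ["crypto", "map"] and len(words) >= 4:
                block = cfg["crypto_maps"].setdefault(words[2], {"acl": None})
            elif words[0] == "access-list" and words[2:4] == ["permit", "ip"]:
                src, used = _acl_operand(words[4:])
                dst, _ = _acl_operand(words[4 + used:])
                cfg["acls"].setdefault(words[1], []).append((src, dst))
            elif words[:2] == ["ip", "route"]:
                i, vrf = (4, words[3]) if words[2] == "vrf" else (2, "global")
                prefix = ipaddress.ip_network(f"{words[i]}/{words[i + 1]}", strict=False)
                hop = next((ipaddress.ip_address(t) for t in words[i + 2:] if IPV4.match(t)), None)
                cfg["static_routes"].append((vrf, prefix, hop))
        elif block is not None:
            if len(words) >= 3 and words[-2] == "forwarding":  # [ip] vrf forwarding X
                block["vrf"] = words[-1]
            elif words[:2] == ["ip", "address"] and IPV4.match(words[2]):
                block["address"] = ipaddress.ip_address(words[2])
            elif words[:2] == ["crypto", "map"]:
                block["crypto_map"] = words[2]
            elif words[:2] == ["match", "address"]:
                block["acl"] = words[2]
    return cfg


def crypto_map_vrf_findings(cfg):
    """Crypto map with a non-global FVRF carrying traffic of global (IVRF) LAN interfaces."""
    out = []
    for wan_name, wan in cfg["interfaces"].items():
        if wan["crypto_map"] is None or wan["vrf"] == "global":
            continue  # only a non-global FVRF can hit the limitation
        acl_id = cfg["crypto_maps"].get(wan["crypto_map"], {}).get("acl")
        sources = [src for src, _ in cfg["acls"].get(acl_id, [])]
        for lan_name, lan in cfg["interfaces"].items():
            if lan is wan or lan["address"] is None or lan["vrf"] != "global":
                continue
            if any(lan["address"] in net for net in sources):
                out.append(f"{wan_name}: crypto map {wan['crypto_map']} has FVRF {wan['vrf']} "
                           f"but ACL {acl_id} matches {lan_name} in the global table (IVRF global); "
                           "not supported with a crypto map: use a VTI or move the LAN into a VRF")
    return out


def self_nexthop_findings(cfg):
    """Static routes whose next hop is an address configured on this router."""
    local = {i["address"] for i in cfg["interfaces"].values() if i["address"]}
    return [f"ip route {prefix} via {hop}: next hop is this router's own address"
            for _, prefix, hop in cfg["static_routes"] if hop in local]


def audit(text):
    cfg = parse_config(text)
    return crypto_map_vrf_findings(cfg) + self_nexthop_findings(cfg)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it prints one line per check; on a real box the text of `show running-config` can be passed to `audit()` instead. Removing the `vrf forwarding ISP3` line from the WAN interface (the first of the two design options above) or moving Vlan4 into a VRF clears the first finding, and pointing the default route at the upstream router's address rather than the local one clears the second.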

 

Thanks Giuseppe..

I corrected the gateway IP but still facing the same issue.

Can't ping from Plant A to B, which means no traffic in between.

 

 

HUB#ping 10.99.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.99.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
HUB1#
HUB#sh ip route 10.99.0.1
Routing entry for 10.99.0.0/16
Known via "static", distance 171, metric 0
Redistributing via eigrp 1, eigrp 26
Advertised by eigrp 1 metric 100000 100 255 1 1500
Routing Descriptor Blocks:
* <ip>
Route metric is 0, traffic share count is 1
HUB#

 

From Spoke:

 

SPOKE#sh ip route 10.18.35.7
% Subnet not in table

 

Thanks

Hello ittechk4u1,

be aware that only LAN to LAN traffic is matched by ACL 101 for encryption.

When you use the ping from the HUB you need to use the source option to specify an internal interface with an IP address in the 10.18/16 range.

The following will use the source address of the public interface:

 

HUB#ping 10.99.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.99.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
HUB1#

 

The Spoke router has no specific route because you have a default route out of ge0/0/2. So again what you see is normal.

The IP routing table will not change even with traffic flowing over the LAN to LAN IPSec VPN.

 

 

Edit:

on the HUB a possible source interface to be used is the following:

 

interface GigabitEthernet0/1
description *** LAN connection to RZ1XWAN1 Giga 1/0/21 ***
ip address 10.18.2.4 255.255.255.0

 

Try the following on the HUB router to make your tests:

ping 10.99.0.1 source 10.18.2.4

and the reverse order on the Spoke:

ping 10.18.2.4 source 10.99.0.1

 

Hope to help

Giuseppe

 

 

Here is the complete ping output:

 

Hello ittechk4u1,

try to repeat the tests multiple times as it may take some time to set up the IPsec SA.

Post also the output of

show crypto ipsec sa

after multiple attempts to ping

and

show crypto isakmp sa

 

Hope to help

Giuseppe

 

Giuseppe,

FYI: I had to change the config on the HUB router as it was creating issues with other plants, so now I am using VRF again, only on the HUB side.

But I think the issue is on the HUB side.....

1. There are too MANY IPsec SAs... how to filter them?

2. On the Spoke side I can see the counter is increasing on the ACL but not on the HUB side.

Thanks

 

 

 
