We have a client we need to establish an S2S IPsec tunnel with; it also requires source NAT from an IP they specified (not within the remote host subnet ranges).
Site A (Our Site):
Local Subnet: 10.252.0.0/16
WAN IP: 1.1.1.1
Site B (Client Site):
WAN IP: 2.2.2.2
Source NAT IP: 10.125.0.1/24 (Traffic must come through this IP)
Local Subnets: 10.240.0.0/16, 10.225.0.0/16
Can anyone see what we are doing wrong?
We have tried both route-based and policy-based VPN configurations.
------ Relevant route-based configuration we have tried:
crypto ikev2 keyring vpn-keyring
 peer 2.2.2.2
  address 2.2.2.2
  pre-shared-key INSERT_PSK_HERE
!
crypto ikev2 proposal vpn-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
 exit
crypto ikev2 policy vpn-policy
 proposal vpn-proposal
 exit
!
! NAT ACL: matches the original (pre-NAT) 10.252.0.0/16 source
ip access-list extended nat-vpn-acl
 permit ip 10.252.0.0 0.0.255.255 10.225.0.0 0.0.255.255
 permit ip 10.252.0.0 0.0.255.255 10.240.0.0 0.0.255.255
 deny ip any any
!
crypto ipsec transform-set vpn-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ikev2 profile vpn-profile
 match address local interface GigabitEthernet8
 match identity remote address 2.2.2.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local vpn-keyring
!
crypto map vpn-cmap 1 ipsec-isakmp
 set peer 2.2.2.2
 set security-association lifetime seconds 28800
 set transform-set vpn-ipsec-proposal-set
 set pfs group2
 set ikev2-profile vpn-profile
 match address nat-vpn-acl
!
crypto ipsec profile vpn-vti
 set transform-set vpn-ipsec-proposal-set
 set ikev2-profile vpn-profile
!
interface Tunnel11
 description VPN
 ip address 10.125.0.1 255.255.255.0
 ip mtu 1438
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1350
 tunnel source 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile vpn-vti
!
! Source NAT (PAT) of matched traffic to the Tunnel11 address, 10.125.0.1
route-map NAT_VPN permit 10
 match ip address nat-vpn-acl
ip nat inside source route-map NAT_VPN interface Tunnel11 overload
!
ip route 10.225.0.0 255.255.0.0 Tunnel11
ip route 10.240.0.0 255.255.0.0 Tunnel11
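Added illustration, not part of the original post: the policy-based counterpart of the configuration above, laid out so that NAT and the crypto ACL agree with each other. On IOS the inside-to-outside order of operations is routing, then NAT inside-to-outside, then the crypto-map check, so a crypto ACL has to match the translated source (10.125.0.0/24), while the NAT route-map ACL keeps matching the original 10.252.0.0/16 source. The post's nat-vpn-acl is correct for the second job but cannot do the first, and the crypto map in a VTI design carries no traffic anyway (tunnel protection does). This example assumes a LAN interface named GigabitEthernet0 with address 10.252.0.1/16 and a /30 on GigabitEthernet8, none of which the post shows; the IKEv2/IPsec algorithm choices are the example's, not the client's stated requirement, and the peer must configure matching proxy IDs (10.125.0.0/24 to its two /16s).

```cisco
! Policy-based variant: added example, not the original poster's configuration.
! Assumed (not in the post): LAN interface GigabitEthernet0 = 10.252.0.1/16,
! WAN mask on GigabitEthernet8, peer proxy IDs 10.240.0.0/16 and 10.225.0.0/16 <-> 10.125.0.0/24.
!
crypto ikev2 proposal vpn-proposal
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy vpn-policy
 proposal vpn-proposal
crypto ikev2 keyring vpn-keyring
 peer 2.2.2.2
  address 2.2.2.2
  pre-shared-key INSERT_PSK_HERE
crypto ikev2 profile vpn-profile
 match address local interface GigabitEthernet8
 match identity remote address 2.2.2.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local vpn-keyring
!
! NAT: match the ORIGINAL inside source, translate to the client-specified IP.
! The pool is a single address; overload gives PAT behind 10.125.0.1.
ip access-list extended nat-vpn-acl
 permit ip 10.252.0.0 0.0.255.255 10.225.0.0 0.0.255.255
 permit ip 10.252.0.0 0.0.255.255 10.240.0.0 0.0.255.255
route-map NAT_VPN permit 10
 match ip address nat-vpn-acl
ip nat pool vpn-snat 10.125.0.1 10.125.0.1 netmask 255.255.255.0
ip nat inside source route-map NAT_VPN pool vpn-snat overload
!
! Crypto ACL: match the TRANSLATED source. NAT runs before the crypto-map
! check for inside-to-outside packets, so nat-vpn-acl would never match here.
ip access-list extended crypto-vpn-acl
 permit ip 10.125.0.0 0.0.0.255 10.225.0.0 0.0.255.255
 permit ip 10.125.0.0 0.0.0.255 10.240.0.0 0.0.255.255
crypto ipsec transform-set vpn-ipsec-proposal-set esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map vpn-cmap 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set vpn-ipsec-proposal-set
 set pfs group14
 set ikev2-profile vpn-profile
 match address crypto-vpn-acl
!
! No Tunnel interface in this variant: the crypto map sits on the WAN interface
! and NAT inside/outside are the LAN and WAN interfaces respectively.
interface GigabitEthernet0
 description LAN (assumed name and address)
 ip address 10.252.0.1 255.255.0.0
 ip nat inside
interface GigabitEthernet8
 description WAN (mask assumed)
 ip address 1.1.1.1 255.255.255.252
 ip nat outside
 crypto map vpn-cmap
```

After bringing the tunnel up, `show crypto ikev2 sa`, `show crypto ipsec sa peer 2.2.2.2` (look for the 10.125.0.0/24 proxy identity and encaps counters) and `show ip nat translations` together show whether packets are being translated to 10.125.0.1 and then matched by the crypto ACL; a translation with no encaps is the usual sign of a crypto ACL written against pre-NAT addresses.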