Routing issue traffic from local router CLI is not sent over ipsec crypto map
10-02-2019 08:33 AM
Dear all,
I’m using the following setup:
I have PCs connected to a Cisco 1921. The Cisco 1921 is connecting the clients to the head quarter:
- PC (192.168.123.100) > GigabitEthernet0/0, NAT > Dialer 1 > Cellular0/0/0 > ipsec VPN to peer > head quarter (172.16.0.0/16)
- No NAT for traffic sent to 172.16.0.0/16, but traffic is sent to peer over ipsec
Working:
- Remote PCs can browse internet and access headquarter network over VPN.
- I can ping the router and remote PC from the headquarter.
Issue: However, I can’t ping the headquarter from the remote router CLI.
Relevant extract from config:
interface GigabitEthernet0/0
 ip address 192.168.123.1 255.255.255.0
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
interface Dialer1
 ip address negotiated
 ip mtu 1460
 ip nat enable
 encapsulation slip
 ip tcp adjust-mss 1420
 dialer pool 1
 dialer idle-timeout 0
 dialer string hspa-R7
 dialer persistent delay initial 60
 dialer-group 1
 crypto map mymap
crypto map mymap 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set myset
 match address 101
access-list 101 permit ip 192.168.123.0 0.0.0.255 172.16.0.0 0.0.255.255
interface Cellular0/0/0
 description WWAN 3G Link
 ip address negotiated
 ip mtu 1460
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
 async mode interactive
 routing dynamic
ip nat source route-map nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
route-map nonat permit 10
 match ip address 110
access-list 110 deny ip 192.168.123.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 192.168.123.0 0.0.0.255 any
Thanks for your help!
Best regards,
Florian
Labels: ISR 1000 Series
10-02-2019 09:05 AM
You will not be able to ping, as per the message below:
Issue: However, I can’t ping the headquarter from the remote router CLI.
because your WAN IP address is not part of the ACL.
10-02-2019 01:40 PM
Florian
When you attempt to ping headquarters from the router, by default it will make the source address the address of the WAN interface. And that address does not match the ACL used to identify traffic for the VPN. Perhaps a solution would be to ping and specify that the source address should be the LAN interface address.
HTH
Rick
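To make Rick's explanation concrete, here is an added example (my own code, not anything posted in the thread or part of Cisco IOS) that evaluates the two ACLs from Florian's configuration the way the router does: the NAT route-map ACL 110 is applied first to outbound traffic on Dialer1, and the crypto map then checks the post-NAT source against ACL 101. The wildcard-mask matching and first-match-with-implicit-deny semantics are the standard IOS ACL rules; the function and variable names, the WAN address (178.197.224.165, quoted later in the thread as a sample) and the internet destination 8.8.8.8 are my own choices. It shows why a ping sourced from the Dialer1 address leaves in the clear, why `ping ... source GigabitEthernet0/0` goes through the tunnel, and, as an extra caveat, why the `deny` line in ACL 110 is required at all.

```python
import ipaddress

IMPLICIT_DENY = "deny"   # every IOS ACL ends with an invisible "deny ip any any"


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _addr(tokens, i):
    """Consume one ACL address spec starting at tokens[i].
    Supports 'any', 'host X' and 'X WILDCARD'; returns (addr, wildcard, next_i)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tok), _ip(tokens[i + 1]), i + 2


def parse_acl(lines):
    """Parse numbered extended ACEs of the form
    'access-list N permit|deny ip SRC DST' (only protocol 'ip' is modelled)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError("unsupported ACE: " + line)
        action = t[2]
        src, src_w, i = _addr(t, 4)
        dst, dst_w, _ = _addr(t, i)
        entries.append((action, src, src_w, dst, dst_w))
    return entries


def _match(addr, base, wild):
    # A wildcard bit of 1 means "don't care", so compare only where the wildcard is 0.
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def acl_lookup(acl, src, dst):
    """First-match evaluation, falling through to the implicit deny."""
    for action, s, sw, d, dw in acl:
        if _match(src, s, sw) and _match(dst, d, dw):
            return action
    return IMPLICIT_DENY


# The two ACLs exactly as they appear in the question.
CRYPTO_ACL = parse_acl([
    "access-list 101 permit ip 192.168.123.0 0.0.0.255 172.16.0.0 0.0.255.255",
])
NAT_ACL = parse_acl([
    "access-list 110 deny ip 192.168.123.0 0.0.0.255 172.16.0.0 0.0.255.255",
    "access-list 110 permit ip 192.168.123.0 0.0.0.255 any",
])


def egress_path(src_text, dst_text, wan_ip_text, crypto_acl=CRYPTO_ACL, nat_acl=NAT_ACL):
    """Model the outbound path on Dialer1.

    IOS applies NAT (route-map nonat, ACL 110) before the crypto map, so the
    crypto ACL 101 sees the post-NAT source. Returns:
      'ipsec'     - encrypted and sent to the peer
      'nat-clear' - PAT'd to the WAN address and sent to the internet unencrypted
      'clear'     - unchanged source, sent out Dialer1 unencrypted
    """
    src, dst, wan = _ip(src_text), _ip(dst_text), _ip(wan_ip_text)
    natted = acl_lookup(nat_acl, src, dst) == "permit"
    post_nat_src = wan if natted else src
    if acl_lookup(crypto_acl, post_nat_src, dst) == "permit":
        return "ipsec"
    return "nat-clear" if natted else "clear"


if __name__ == "__main__":
    WAN = "178.197.224.165"          # sample dynamically assigned Dialer1 address
    HQ = "172.16.8.1"                # headquarters host from the thread
    cases = [
        ("PC to HQ", "192.168.123.100", HQ),
        ("PC to internet", "192.168.123.100", "8.8.8.8"),
        ("router ping, default (Dialer1) source", WAN, HQ),
        ("router ping, source GigabitEthernet0/0", "192.168.123.1", HQ),
    ]
    for label, s, d in cases:
        print(f"{label:42s} {s:>16s} -> {d:<12s} {egress_path(s, d, WAN)}")

    # Caveat: without the deny line in ACL 110, LAN traffic to HQ is PAT'd first
    # and the crypto ACL never matches, so the tunnel is never used.
    broken_nat = parse_acl(["access-list 110 permit ip 192.168.123.0 0.0.0.255 any"])
    print("PC to HQ with no nonat deny:", egress_path("192.168.123.100", HQ, WAN, nat_acl=broken_nat))
```

Only the plain `ip` protocol form of the ACEs is parsed; the `icmp ... echo-reply` line proposed later in the thread would need a protocol field added to the model.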
10-02-2019 10:11 PM
Hi Balaji,
Thanks for your response. I'm aware of this.
However, how can I include the Dialer interface (that is, the WAN) in the ACL, as its IP is dynamically assigned?
Thanks,
Florian
10-02-2019 11:43 PM - edited 10-03-2019 12:29 AM
Hi,
My advice is to use the source keyword along with the ping command from the router CLI, as:
ping x.x.x.x source <LAN interface> or source <LAN interface IP>
or
add a WAN subnet (the ISP range of IP addresses for your WAN connection) to the ACL.
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
10-03-2019 12:30 AM
Hi Deepak,
This is an acceptable workaround to successfully ping the headquarter.
e.g. ping 172.16.8.1 source GigabitEthernet 0/0 -> success rate 100 %
However, I would like to send "crypto isakmp nat keepalive" and use the "archive ftp" feature towards the headquarter networks.
Do you know a solution to send all traffic coming from the Cisco Router to the 172.16.0.0/16 network through the crypto map?
Thanks,
Florian
10-03-2019 03:09 AM
Hi,
Yes, we can send all the traffic through the tunnel. As I understand it, you want to route your complete traffic, including internet, over the VPN (correct me if I am wrong).
Change the ACL as
IP access-list ext 100 10.x.x.x x.x.x.x 255.255.255.0 any
10.x.x.x is the source subnet of the traffic.
and deny the same in the NAT ACL (if any).
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

10-03-2019 12:11 AM
Hello,
as Richard and Balaji indicated, you need to add the address of the WAN interface to the access list matching the crypto map. Since the public IP address can be a random address from your ISP range, I guess your only option would be to find out what range your ISP has by using the website below, and then add a line to your access list allowing ICMP from that range to your headquarters. Let's say the IP address assigned to the dialer interface is 84.24.0.3, via the website below you can see that this address belongs to range 84.24.0.0/13. This is what you add to the access list. The 'echo-reply' keyword makes sure that you can ping headquarters, but headquarters cannot ping you.
access-list 101 permit icmp 84.24.0.0 0.7.255.255 172.16.0.0 0.0.255.255 echo-reply
10-03-2019 01:11 AM
Hi Georg,
Thanks for your reply. The ISP is bluewin (178.197.224.165), which uses more than 100 networks.
In order to keep the VPN alive I might end up scheduling a ping every 10 seconds towards the headquarter's gateway.
Is there no option to force traffic coming from Dialer1 (only local router traffic) to go through the crypto map?
Thanks,
Florian
10-03-2019 05:09 AM
There are 2 options I can think of now.
If your WAN IP address is not part of the VPN, you should be able to ping from the WAN-side IP to the WAN side for monitoring.
If this fails, the VPN connection breaks anyway.
10-03-2019 06:25 AM
Hi everyone!
Thanks for all your help!
I don't want to redirect all traffic to the headquarter, a local internet break-out is preferred.
I established a ping script that should keep my VPN connection active:
event manager applet vpn-keep-alive
 event timer watchdog name timer time 20
 action 010 cli command "enable"
 action 020 cli command "ping 172.16.8.1 source GigabitEthernet 0/0 size 36 repeat 2"
 action 030 syslog msg "VPN keep alive ping sent"
172.16.8.1 is an IP at the headquarter.
As of now that seems to keep the VPN session open.
I will perform overnight testing.
Regards,
Florian
10-03-2019 01:52 PM
Florian
I am glad that you have found something that seems to be working to keep the VPN active. As far as sending traffic generated by the router over the VPN, be aware that some protocols, like FTP, have an option where you can specify the source address for that protocol. So if you configure those protocols to use Gig0/0 as the source address, then that traffic would be carried over the VPN.
HTH
Rick