01-16-2008 07:14 AM - edited 03-03-2019 08:16 PM
Hi All,
I would appreciate any advice for the following issue. I have 2 sites, A (10.1.0.0) and B (10.2.0.0). I have created an IPsec tunnel between the two sites and end devices at both ends can communicate with each other. However, the routers cannot communicate with the other subnet. For example, at Router A, if I were to try to ping 10.2.1.1, it fails. If I try the command ping 10.2.1.1 source 10.1.1.1, it works. How do I instruct the router to use the VPN tunnel for the traffic to the other subnet? As stated, end devices such as computers are able to use the tunnel fine. I need the routers to also be able to use the tunnel for interesting traffic.
Thanks!
01-16-2008 08:34 AM
Ger
First, let's clarify what the problem is and then we can talk about how to solve it.
The issue is that the access list that defines what traffic to protect with IPSec is including traffic sourced from the 10.1.0.0 network but is not including traffic sourced from the router's outbound interface. If you just ping 10.2.1.1 the router will default to using the outbound interface address as the source address and it will not pass through IPSec. When you specify the source address in the ping then it does pass through IPSec.
So how do you solve this? One alternative is that for some protocols you can configure the router to specify the source address (ip telnet source-interface, ip ssh source-interface, ip ftp source-interface, ip tftp source-interface, ip tacacs source-interface, ip radius source-interface, logging source-interface, snmp-server trap-source, ntp source, ip flow-export source), and so you can have these protocols specify a source address that is included in IPSec. But probably the best solution is to revise the access list so that it not only looks for traffic sourced from 10.1.0.0 but also includes traffic sourced from the router's other interfaces and going to destinations on the remote router.
HTH
Rick
01-17-2008 07:05 AM
Thank you for the reply Rick. Your explanation makes perfect sense.
Currently, my access list for the crypto statement looks like this:
access-list 100 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
If my T1 Serial interface is my outbound interface with IP address 12.1.1.1 255.255.255.248, then I would have to add an access list statement such as:
access-list 100 permit ip 12.1.1.1 0.0.0.0 10.2.0.0 0.0.255.255
Would that be adequate, or would I also have to add a different access list or static route?
Thank you again for your help.
01-17-2008 02:55 PM
Ger
I would think that this addition to the access list would be adequate (mostly). Remember that the access lists on each end need to mirror each other, so the remote router needs to add a similar statement. And if the remote router wants to add a statement like this so that it will include traffic sourced from its interface then you would need to add a similar statement.
HTH
Rick
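As an added illustration (not part of the thread, and not Cisco code), the following Python model reproduces the crypto ACL matching Rick describes: a router-sourced ping from the serial address 12.1.1.1 does not match the original access-list 100, a ping sourced from 10.1.1.1 does, the extra host entry fixes it, and the remote end must carry the mirror image. The ACL entries and addresses are the ones from the thread; the wildcard-mask semantics are standard IOS (a 1 bit means "don't care").

```python
import ipaddress


def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard test: bits set to 1 in the wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF


def acl_permits(acl, src: str, dst: str) -> bool:
    """True if any entry (src_base, src_wc, dst_base, dst_wc) matches the flow."""
    return any(matches_wildcard(src, sb, sw) and matches_wildcard(dst, db, dw)
               for sb, sw, db, dw in acl)


def wildcard_for(prefix: str):
    """Convert an interface address with prefix length to an ACL (network, wildcard) pair.
    The wildcard is the inverse of the subnet mask, not the mask itself."""
    net = ipaddress.ip_network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def mirror(acl):
    """The peer's crypto ACL must be the mirror image: swap source and destination."""
    return [(db, dw, sb, sw) for sb, sw, db, dw in acl]


def is_mirrored(local, remote) -> bool:
    return sorted(mirror(local)) == sorted(remote)


# Site A crypto ACL exactly as posted (access-list 100)
SITE_A_ACL = [("10.1.0.0", "0.0.255.255", "10.2.0.0", "0.0.255.255")]

# Same ACL with the host entry for A's serial interface 12.1.1.1 added
SITE_A_ACL_FIXED = SITE_A_ACL + [("12.1.1.1", "0.0.0.0", "10.2.0.0", "0.0.255.255")]

# Site B's ACL, built as the mirror so the two ends agree
SITE_B_ACL = mirror(SITE_A_ACL_FIXED)

if __name__ == "__main__":
    # "ping 10.2.1.1" from Router A defaults to the outbound interface address
    print("router-sourced ping, original ACL:", acl_permits(SITE_A_ACL, "12.1.1.1", "10.2.1.1"))
    print("ping source 10.1.1.1, original ACL:", acl_permits(SITE_A_ACL, "10.1.1.1", "10.2.1.1"))
    print("router-sourced ping, fixed ACL:   ", acl_permits(SITE_A_ACL_FIXED, "12.1.1.1", "10.2.1.1"))
    print("/29 subnet entry would be:", wildcard_for("12.1.1.1/29"))
    print("site B mirrors site A:", is_mirrored(SITE_A_ACL_FIXED, SITE_B_ACL))
```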