11-18-2018 09:47 AM
Can anyone explain and provide guidance on how to address why traffic that is supposed to be routed to a VPN address gets routed to the default gateway?
Traceroute result from VLAN20 (local Machine IP 10.100.20.11)
C:\WINDOWS\system32>tracert 192.168.10.100
Tracing route to 192.168.10.100 over a maximum of 30 hops
1 1 ms 5 ms 5 ms 10.100.20.253
2 1 ms <1 ms <1 ms 192.168.110.1 <-----------VPN Router
3 1 ms <1 ms <1 ms 192.168.101.1 <------------Default Gateway of local internet router
4 9 ms 9 ms 15 ms 10.19.184.1
5 * * * Request timed out.
6 ^C
From the switch (SG300) I can ping across the VPN router without any issues.
SW1#ping 192.168.10.100
Pinging 192.168.10.100 with 18 bytes of data:
18 bytes from 192.168.10.100: icmp_seq=1. time=40 ms
18 bytes from 192.168.10.100: icmp_seq=2. time=20 ms
18 bytes from 192.168.10.100: icmp_seq=3. time=20 ms
18 bytes from 192.168.10.100: icmp_seq=4. time=20 ms
I have a static route on the VPN router and it can ping the workstation on VLAN20.
I am attaching current running config and a remedial network diagram.
Guidance and assistance is greatly appreciated. Thank you in advance.
11-18-2018 11:07 AM
Hi,
This issue belongs to the VPN router configuration. As you can see, traffic to the destination 192.168.10.x must be encrypted by the router and sent over the VPN, but it is not happening. Your SG switch is doing its task correctly.
As per your tracert command output from the system, the SG is routing this traffic correctly and the traffic is hitting the VPN router as well.
Now check the VPN router configuration; most probably the issue belongs to the ACL (VPN interesting traffic ACL). Add your VLAN 20 subnet in that ACL.
Regards,
Deepak Kumar
11-18-2018 11:53 AM
Deepak,
Thank you for taking the time and effort and your guidance.
Would setting the ACL still need to be performed if the VPN is already active and PCs on that network can communicate across it? PCs on 192.168.110.x can see and use resources from 192.168.10.0.
Also, that VPN router is not Cisco but rather a TP-Link (TL-600VPN). There is an access control section, but nothing that will allow the addition of Cisco VLAN20 (which I have tried both enabled and disabled).
11-18-2018 09:00 PM
Hi,
Please share IPSEC-VPN page screenshot.
Regards,
Deepak Kumar
11-19-2018 04:42 AM
IPsec policy consists of three sections:
IKE (VPN passphrase)
IpSec - Connection information
SA List - (list of active connections)
Thank you again.
11-19-2018 10:13 AM
Hi,
VLAN 20 subnet is not added in the Local Subnet under the List of IPSec Policy. Please add VLAN 20 subnets in local subnet and at the remote site also add in the remote subnet.
Regards,
Deepak Kumar
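To make the diagnosis above concrete, here is an added example (not from the thread or from TP-Link) that models an IPsec policy's local/remote subnet selectors and checks which LAN subnets behind the switch would fall outside them and so be sent to the default gateway instead of the tunnel. The subnet values are assumptions built from the addresses seen in the tracert output, not the poster's actual configuration.

```python
import ipaddress

# Constructed policies (assumptions, not the poster's real config).
# BEFORE: the TP-Link policy only lists its own LAN as the local subnet.
# AFTER:  VLAN20's subnet has been added to the local subnet list.
POLICY_BEFORE = {"local": ["192.168.110.0/24"], "remote": ["192.168.10.0/24"]}
POLICY_AFTER = {
    "local": ["192.168.110.0/24", "10.100.20.0/24"],
    "remote": ["192.168.10.0/24"],
}

# Subnets routed by the SG300 that need to reach the far side (constructed).
LAN_SUBNETS = ["192.168.110.0/24", "10.100.20.0/24"]


def matches_selector(policy, src, dst):
    """True if src is inside a local subnet AND dst inside a remote subnet.
    Only packets matching both selectors are encrypted into the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_local = any(s in ipaddress.ip_network(n) for n in policy["local"])
    in_remote = any(d in ipaddress.ip_network(n) for n in policy["remote"])
    return in_local and in_remote


def next_hop(policy, src, dst):
    """Where the VPN router forwards the packet: the tunnel, or plain routing
    via its default gateway (which is what the tracert in the thread shows)."""
    return "ipsec-tunnel" if matches_selector(policy, src, dst) else "default-gateway"


def uncovered_subnets(policy, lan_subnets):
    """List LAN subnets not contained in any local selector of the policy.
    These are the subnets to add (and to mirror as remote subnets at the far site)."""
    selectors = [ipaddress.ip_network(n) for n in policy["local"]]
    missing = []
    for lan in lan_subnets:
        net = ipaddress.ip_network(lan)
        if not any(net.subnet_of(sel) for sel in selectors):
            missing.append(lan)
    return missing


if __name__ == "__main__":
    for name, pol in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(name, next_hop(pol, "10.100.20.11", "192.168.10.100"),
              "missing:", uncovered_subnets(pol, LAN_SUBNETS))
```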
11-19-2018 04:28 PM
I tried this previously (I think), without success. I may have the address incorrect or I may be missing something elsewhere. Please let me know.
Excuse my ignorance, I am new to all this stuff. Thank you again.