Hi all
I have 2 sites connected via an IPSec tunnel. No dynamic routing, just crypto map on the interface & ACLs.
Head Office is a 1941, address 10.0.0.1 & subnet 10.0.0.0/24, Branch Office is an 867, address 10.1.0.1 & subnet 10.1.0.0/24
Both routers are also providing internet access, including NAT. Relevant config excerpt below.
The tunnel is up and working fine, every device from Head Office can reach devices in Branch Office and vice versa, except for the routers.
Pings from the routers themselves (via console/SSH) do not reach the other side unless the LAN address is specified as source.
For example, from the branch router (10.1.0.1);
BRANCHROUTER#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
BRANCHROUTER#ping 10.0.0.1 source 10.1.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.0.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/23/24 ms
This is expected behavior, AFAIK it's normal for routers to require the source specified when pinging across an IPSec tunnel without dynamic routing & tunnel IP addresses.
There is one issue though - I'm trying to setup Config Management, which involves a script issuing a command to copy the running-config via TFTP at midnight each night. The scripts is running from a server in head office - it will login to the head office router and the copy runs with no problems. But when it comes to the branch router, the router cannot connect to the sever at head office via TFTP.
So the question is - are there any modifications I can make to enable the routers to ping each other across the tunnel without explicitly specifying the source interface? (the config management is a 3rd party program with closed source, I cannot force it to use the source parameter in the copy command).
Possibly establishing a loopback interface on the branch office router with a static route to the head office server?
I can also potentially re-configure this to use dynamic routing with tunnel addresses, but I'm uncertain if the 867 base license supports this. I've had trouble getting DMVPN on an 867 in the past.
Relevant config excerpt from the branch router (this is mirrored on the head office router;
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key *Secret* address *HeadOfficeWANIP*
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto map Branch2HeadOffice 10 ipsec-isakmp
set peer *HeadOfficeWANIP*
set transform-set ESP-3DES-SHA
match address 101
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname *************
ppp chap password *************
ppp ipcp dns request
crypto map Branch2HeadOffice
!
ip nat inside source list NAT_SOURCES interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended NAT_SOURCES
deny ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 10.1.0.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
Thanks in advance
Sam
