06-22-2017 07:40 AM - edited 03-08-2019 11:04 AM
I am trying to set up 2 internet connections. I would like all my IPSec traffic to go through one GigE0/0/0. I would like all other internet traffic to go through GigE0/0/1.
Here is a sanitized version of my config. I have played with this some and I can either get the IPSec Tunnels or the internet connection to work, but I can't get both going at the same time.
crypto isakmp key ********* address 1.1.1.1
crypto ipsec transform-set R1-R2 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map R1-ALL 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set R1-R2
 match address 101
interface GigabitEthernet0/0/0
 ip address 50.50.50.50 255.255.255.252
 ip nat outside
 media-type rj45
 speed 100
 duplex full
 crypto map R1-ALL
 lan-name outside
 ip virtual-reassembly
interface GigabitEthernet0/0/1
 ip address 100.100.100.100 255.255.255.252
 ip nat outside
 speed 100
 duplex full
 ip virtual-reassembly
interface GigabitEthernet0/1/0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1230
 negotiation auto
 ip virtual-reassembly
ip nat inside source route-map nonat interface GigabitEthernet0/0/0 overload
ip route 192.168.2.0 0.0.0.255 50.50.50.50 10
ip route 0.0.0.0 0.0.0.0 100.100.100.100 20
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 175
06-22-2017 07:55 AM
Why have your static routes got an AD at the end?
And unless it is a typo your route for 192.168.2.0/24 is using the wrong mask, i.e. it should be 255.255.255.0.
Jon
06-22-2017 08:08 AM
The route is a copy/paste error.
The last time I tried this I had the correct subnet and it still didn't work.
I started out without any AD but I took some shots in the dark hoping something would get it going because it seemed like I was close to getting it working.
06-22-2017 12:42 PM
Based on the original configuration posted (minus the typos etc.) it should work.
You don't need the ADs with your static routes.
So what exactly is the behaviour you are seeing?
Jon
06-22-2017 12:45 PM
In this config tunnel traffic was up, but I had no access to the internet.
I changed
ip nat inside source route-map nonat interface GigabitEthernet0/0/0 overload
to
ip nat inside source route-map nonat interface GigabitEthernet0/0/1 overload
and I was able to get to the internet but none of the tunnels worked.
06-22-2017 01:10 PM
It should definitely be gi0/0/1 you do the NAT overload on.
I did a quick test (without IPSEC) using your configuration and it worked fine for me, i.e. when going to the remote VPN subnet there was no NAT and when going to internet there was NAT for the same source IP address.
So your configuration should work.
I suspect it may be a NAT issue so can you debug it while you try and connect both via VPN and to the internet.
Jon
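The following is an added model of the routing and NAT decisions in the thread's sanitized config (mask typo corrected, ADs dropped); it is not the poster's or Jon's code and not IOS. It assumes that interface-overload NAT stamps the packet with the named interface's address even when the route sends the packet out the other WAN link, which is what makes the Gi0/0/0 variant break internet access while the Gi0/0/1 variant works; the internet destination 203.0.113.5 is constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the posted config: two WAN links, the two static routes,
# crypto ACL 101 and the NAT-exemption ACL 175 referenced by route-map nonat.
IFACE_IP = {"Gi0/0/0": "50.50.50.50", "Gi0/0/1": "100.100.100.100"}
CRYPTO_IFACE = "Gi0/0/0"                              # crypto map R1-ALL lives here
ROUTES = [(ip_network("192.168.2.0/24"), "Gi0/0/0"),  # remote VPN subnet via ISP1
          (ip_network("0.0.0.0/0"), "Gi0/0/1")]        # everything else via ISP2
ANY = ("0.0.0.0", "255.255.255.255")
ACL_101 = [("permit", ("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255"))]
ACL_175 = [("deny", ("192.168.1.0", "0.0.0.255"), ("192.168.2.0", "0.0.0.255")),
           ("permit", ("192.168.1.0", "0.0.0.255"), ANY)]

def wildcard_match(ip, entry):
    """Cisco wildcard-mask test: bits set in the wildcard are 'don't care'."""
    net, wild = entry
    care = ~int(ip_address(wild)) & 0xFFFFFFFF
    return int(ip_address(ip)) & care == int(ip_address(net)) & care

def acl_permits(acl, src, dst):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action == "permit"
    return False

def egress_interface(dst):
    """Longest-prefix match over the static routes."""
    hits = [(n.prefixlen, i) for n, i in ROUTES if ip_address(dst) in n]
    return max(hits)[1]

def forward(src, dst, nat_iface):
    """Return (egress, source address on the wire, ipsec?) for an inside->outside
    packet under 'ip nat inside source route-map nonat interface <nat_iface> overload'."""
    egress = egress_interface(dst)
    # route-map nonat matches ACL 175: permitted flows are translated to nat_iface's
    # address; denied (VPN) flows keep their inside address so crypto ACL 101 matches.
    wire_src = IFACE_IP[nat_iface] if acl_permits(ACL_175, src, dst) else src
    ipsec = egress == CRYPTO_IFACE and acl_permits(ACL_101, wire_src, dst)
    return egress, wire_src, ipsec

def consistent(src, dst, nat_iface):
    """True when the address we send with belongs to the link we send on (or the flow
    is IPsec-protected); otherwise ISP2 sees ISP1's address and replies go astray."""
    egress, wire_src, ipsec = forward(src, dst, nat_iface)
    return ipsec or wire_src == IFACE_IP[egress]
```

Running `forward("192.168.1.10", "203.0.113.5", "Gi0/0/0")` yields egress Gi0/0/1 with source 50.50.50.50, the mismatch behind "tunnels up, no internet"; with "Gi0/0/1" the same flow leaves with 100.100.100.100 and VPN traffic is still exempt from NAT.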