Static Routing and Virtual Private Network

KaMaLoRa
Level 1

Greetings,

I am currently creating a simple network design consisting of Static Routing and a Virtual Private Network. The tunnel between the two routers works successfully. Static Routing is configured on both sides; however, one router cannot reach the clients. Can someone help me troubleshoot the network issue? Thank you and God Bless.

12 Replies

Mark Malone
VIP Alumni

Hi,
It looks like the configs didn't load. Is the client subnet allowed in the VPN ACL to pass down the VPN tunnel?

Hi Mark.

There is no ACL configured yet. The router where the clients are connected belongs only to the same network address, which is 10.x.x.x/8, and the clients can successfully ping each other. The two routers are connected through the VPN and it works, but one router cannot reach the clients.

[Attached image: Untitled.png]

 

Yes, but for the other router to be able to speak to the other subnet down the VPN tunnel, there is usually an ACL associated with the VPN to state what goes down the tunnel and what goes elsewhere.

So, taking this example, under the crypto map there is an ACL which states what the routers are allowed to speak to down the tunnel; in this case it's ACL 100 and subnet 1.1.1.x/24.
Is this the same setup, or do you have a different setup?

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/20641-initaggr.html#configs

! Crypto map entry: which peer, which transform set, and which ACL
! decides what traffic is sent through the IPsec tunnel
crypto map mymap 1 ipsec-isakmp
 set peer 14.38.69.71
 set transform-set myset
 match address 100

! ACL 100 is the crypto ACL: only 1.1.1.0/24 -> 2.2.2.0/24 is encrypted;
! anything else is routed normally, outside the tunnel
access-list 100 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255

 

How can the other router successfully ping the clients regardless of the ACL? The topology looks as follows.

 

Thank you Mark. God Bless.

 

[Attached image: Untitled.png]

 

Hi, what way is the VPN set up between router 1 and router 2? Is it an IPsec-to-IPsec tunnel on each side? We need to see the config to know how it's been set up. If one side can ping and the other can't, there must be a routing mistake somewhere, or else they have the wrong gateway or something like that, but we're only guessing without seeing what's been configured.

It would help if we knew details about how the VPN is configured. Mark is asking about how the ACL is configured. If this is a traditional IPsec VPN then there should be a crypto map with an ACL. But if this is done using VTI then there is not an ACL. So please provide details of the VPN configuration.

 

HTH

 

Rick


[Attached image: Untitled1.png]

 

Here's the simple configuration. Thank you and God Bless.

Hi,
The statics look incorrect if traffic is supposed to be going down the tunnel; none of them are pointing at the tunnel interface IPs.

On the T1 side, a static like the one below, as an example, would send traffic down the tunnel interface,
if there was a 10 range behind the T2 side that you were trying to reach:
ip route 10.10.10.0 255.255.255.0 192.168.3.1
The next hop must be the tunnel IP of the interface, 192.168.3.1.

I think this might help. It breaks down the GRE setup between 2 routers with an example, basically what you're trying to achieve in your design, just with different subnets:

https://supportforums.cisco.com/t5/network-infrastructure-documents/how-to-configure-a-gre-tunnel/ta-p/3131970

Mark is correct about the static routes. The very limited config that was posted does confirm that this VPN does not use VTI. So there should be a crypto map and ACLs. It would help if we could see those.

 

HTH

 

Rick

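As an added worked example (not configuration posted by anyone in this thread), here is a complete GRE-over-IPsec setup for two routers that ties together the two points made above: the crypto map ACL that selects what gets encrypted, and static routes whose next hop is the far tunnel IP so that LAN-to-LAN traffic actually enters the tunnel. Every address and name here is assumed for illustration: the 10.10.10.0/24 and 10.20.20.0/24 LANs, the 203.0.113.1 and 198.51.100.1 WAN addresses (RFC 5737 documentation ranges), the 192.168.3.0/30 tunnel subnet, the interface names, the policy/transform choices, and the pre-shared key placeholder.

```cisco
! ================= R1 (LAN 10.10.10.0/24 behind it) =================
! All addresses below are assumed for illustration only.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder key: replace with a long random secret, identical on both routers.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
! Crypto ACL: with GRE over IPsec it matches the GRE packets between the two
! WAN addresses, not the LAN subnets. The LAN subnets travel inside the GRE.
access-list 100 permit gre host 203.0.113.1 host 198.51.100.1
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 100
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
interface GigabitEthernet0/1
 description LAN - clients must use 10.10.10.1 as their default gateway
 ip address 10.10.10.1 255.255.255.0
interface Tunnel0
 ip address 192.168.3.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
! Default route to the ISP carries the encrypted GRE packets.
ip route 0.0.0.0 0.0.0.0 203.0.113.254
! Remote LAN: next hop is the FAR tunnel IP, so the packet enters Tunnel0.
! Pointing this at 203.0.113.254 would bypass the tunnel entirely.
ip route 10.20.20.0 255.255.255.0 192.168.3.2
!
! ================= R2 (LAN 10.20.20.0/24 behind it) =================
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
access-list 100 permit gre host 198.51.100.1 host 203.0.113.1
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 100
interface GigabitEthernet0/0
 description WAN
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
interface GigabitEthernet0/1
 description LAN - clients must use 10.20.20.1 as their default gateway
 ip address 10.20.20.1 255.255.255.0
interface Tunnel0
 ip address 192.168.3.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.254
! Mirror of R1's static: the remote 10.10.10.0/24 is reached via R1's tunnel IP.
ip route 10.10.10.0 255.255.255.0 192.168.3.1
```

To confirm this on each router: `show ip route 10.20.20.0` (on R1) should resolve via Tunnel0 and 192.168.3.2, `show crypto isakmp sa` should show the peer in QM_IDLE, and the encaps/decaps counters in `show crypto ipsec sa` should both climb during `ping 10.20.20.1 source 10.10.10.1`. If the tunnel is up but only one direction of LAN traffic fails, the usual culprits are exactly the ones raised above: a static on one side pointing at the physical WAN next hop instead of the tunnel IP, or clients whose default gateway is not the router's LAN interface, so replies never reach the router at all. Note that the LAN-subnet crypto ACL in the earlier example (1.1.1.0/24 to 2.2.2.0/24) belongs to plain crypto-map IPsec without GRE; in the GRE-over-IPsec design above, the ACL must match the GRE packets instead, or the tunnel traffic leaves the WAN interface unencrypted.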

AnnaV
Level 1
 

eybalpaypal
Level 1

The covernet-vpn.com website proposes inventing a combination of this type of XOR patch tunnel with the Cisco VPN protocol. Do you think this is possible?

Combining an XOR patch with a Cisco VPN protocol is not a straightforward or common task, and it's important to note that attempting to modify or patch a VPN protocol may not be allowed or supported by Cisco and could potentially violate licensing and legal agreements. Furthermore, making modifications to VPN protocols can introduce security risks and may not be advisable.

If you have a specific use case or requirement that you believe necessitates making such a modification, it's essential to work with Cisco or consult with a professional who is experienced in network security and Cisco VPN solutions. Cisco's VPN protocols are designed to provide secure and reliable communication, and any modification should be done carefully to avoid compromising security.

Keep in mind that making changes to a VPN protocol can also create compatibility issues, which may prevent you from connecting to Cisco VPN servers or other network devices. If you need to customize your VPN configuration or address specific requirements, it is typically best to work with Cisco support or a network professional who can guide you through the appropriate configuration options and best practices within the existing Cisco VPN framework.

Before making any changes to your VPN setup, ensure you have a clear understanding of the security and network implications and consider consulting with professionals who specialize in network security and VPN technology.

freddycooper
Level 1

Errors in the interface, gateway address, or subnet mask can interfere with the correct routing of traffic. One of the routers for the subnet where the clients are located might not have a static route. Traffic may be bouncing between routers indefinitely due to a routing loop that is likely the result of a misconfigured route. Verify whether either router's firewall rules are preventing traffic from passing between the subnets. Even though the tunnel seems to be working, the VPN may have internal issues that prevent certain types of traffic from being routed.
