Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
794
Views
0
Helpful
4
Replies

Failing to send traffic over VPN

John Quick
Level 1
Level 1

‎09-09-2013 02:53 AM

I am trying to setup a VPN connection between two sites. The remote site is a 3650 switch connecting to a Palo alto firewall. I can bring up the VPN with no problems but I am unable to send traffic over the VPN.

Here is the config from the Cisco switch

crypto isakmp policy 10

<removed>

<removed>

<removed>

crypto isakmp key xxxxxxxx address 10.1.1.252

!

crypto ipsec transform-set myset <removed>

!

crypto map GNFVPN 10 ipsec-isakmp

set peer 10.1.1.252

set transform-set myset

<removed>

match address VPN-Traffic

!

interface Vlan41

ip address 10.10.0.70 255.255.255.192

crypto map GNFVPN

!

interface Vlan100

ip address 10.20.0.1 255.255.248.0

!

ip access-list extended VPN-Traffic

permit ip 10.20.0.0 0.0.255.255 any log

!

ip route 0.0.0.0 0.0.0.0 10.10.0.65

When I ping an address that should go over the VPN from 10.10.0.70 I see a log message that says traffic has hit the ACL and it goes over the VPN. When I try from a PC in Vlan 41 I see nothing and it goes out on the correct interface but not within the VPN.

Any help would be great!

Labels:
0 Helpful
4 Replies 4

Markus Thun
Level 1
Level 1

‎09-09-2013 03:06 AM

Hi,

you must create an rule that traffic from vlan 41 will be permit through the VPN tunnel. dont forget the exampt nat for vlan 41 for vpn use.

Regards

Markus

0 Helpful

John Quick
Level 1
Level 1
In response to Markus Thun

‎09-09-2013 03:17 AM

Thanks for your reply.

There is already an ACL applied.

     ip access-list extended VPN-Traffic

     permit ip 10.20.0.0 0.0.255.255 any log

This covers a number of other vlan's that are not in the config above.

This is a a LAN-to-LAN VPN where we do not NAT any of the IP addresses.

0 Helpful

Markus Thun
Level 1
Level 1
In response to John Quick

‎09-09-2013 03:29 AM

So the VPN tunnel go not through the internet?

This configuration is for Vlan 41????????

"

ip access-list extended VPN-Traffic

     permit ip 10.20.0.0 0.0.255.255 any log

"

0 Helpful

John Quick
Level 1
Level 1
In response to Markus Thun

‎09-09-2013 04:32 AM

No this VPN does not go over the internet.

We have 4 vlan's on this network that needs to go over the VPN and is covered by the ACL 'VPN-Traffic'. The default route is for all traffic to go out on VLAN 41.

Whe I ping a PC with a source IP address of  Vlan100 (10.20.0.1) it goes over the VPN with no problems. When I try to ping from a PC on Vlan100 with an IP address of 10.20.0.250 it just goes out on the interface but no over the VPN.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents