Lan to Lan VPN, traffic dont pass on tunnel

kapishmohole.cisco · ‎12-21-2005

Hi,

I am tying to establish LAN to LAN VPN using two VPN concentrators with public IPs assigned.

Details-

Local range 192.168.1.0/24

Remote range 10.0.0.0/8

I have configures IKE, IPsec parameters, tunnel gets established. Also defined filter rule to define traffic to be encrypted on tunnel. Routing is also proper.

But the user traffic isn’t going on tunnel, not able to ping end devices.

Is NATing compulsory in this case?

Also, SA defined for filter rule is in transport mode. I tried both tunnel and transport mode.

One thing I observed is that, concentrator is forwarding user traffic to next hope/internet router but the IP header is the same, its with original IPs (private IPs, 192.xxx). The packet I am receiving on local internet router from local concentrator is with its original/private IP. Because of this router is not able to route, rather user traffic is not able to get on internet.

I guess in tunnel, all traffic should be carried under public IP of concentrator.

What is the problem in this?

Regards

fawad.alam · ‎12-21-2005

Based on the scenario you described you have two options:

1. Do NATting for the 192.168.x.x & 10.x.x.x IP address to public IP addresses.

2. Have proper routing configured on both sides. For example your remote site should have route to 192.168.x.x segment and vice versa.

When the packet is getting decrypted on the remote side it will appear as coming from source IP of 192.168.x.x address - not from the public IP address

of your VPN device.

Thanks..Fawad