Multiple local subnets IPSec VPN

BHconsultants88
Level 1

Hi everyone

I hope someone can help with an IPSec issue I'm currently facing. I've attached a fairly basic diagram which highlights the general setup.

We have a Cisco ASA acting as a concentrator in the DC. The remote site network has a Draytek router on which the IPSec tunnel is configured. This is on a leased line.

Draytek - 192.168.4.0/24
ASA - 10.99.0.0/16

All fine so far. The tunnel is up and traffic is passing as expected. Everything is working fine.

Now to the problem...

The remote site has a separate ADSL line with a completely separate subnet (manufacturing devices). The subnet is 10.20.21.0/24. This is configured on a Digi TransPort router (a router for industrial environments). We have a separate IPSec tunnel on this device to the same ASA as above.

I am trying to route the 10.20.21.0/24 traffic over the leased line VPN without taking down the ADSL link (this router also has two OpenVPN tunnels configured for a third party, so I can't bring the WAN link down).

I've tried static routes on the Digi and the Draytek router, but I'm just not having any joy.

Is what I'm trying to do actually possible? I would appreciate any help with this one.

Many thanks

2 Replies

Are you including this subnet in the crypto ACLs so that it is part of the SAs?

Deepak Kumar
VIP Alumni

Hi,

I think Phase 2 is not configured properly, as the source and destination subnets are not allowed in the ACL or not denied in the NAT ACL.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
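Both replies point at the same two things on the ASA: the Phase 2 (crypto) ACL for the Draytek peer must include 10.20.21.0/24 as a remote network, and the identity NAT (NAT exemption) must cover it too, otherwise the ASA either never builds an SA for that selector or translates the traffic before it reaches the tunnel. The fragment below is an added example written for this thread, not configuration taken from the poster's ASA; it uses ASA 8.4+ syntax, the subnets from the post, and assumed names (DC_LAN, REMOTE_SITE_LANS, VPN_DRAYTEK, OUTSIDE_MAP, ESP-AES256-SHA) and a placeholder Draytek peer address (203.0.113.10).

```cisco
! --- Added example for the ASA (concentrator) side; names and peer IP are assumptions ---

! Objects for the DC subnet and the two subnets behind the Draytek
object network DC_LAN
 subnet 10.99.0.0 255.255.0.0
object network REMOTE_OFFICE_LAN
 subnet 192.168.4.0 255.255.255.0
object network REMOTE_MFG_LAN
 subnet 10.20.21.0 255.255.255.0
object-group network REMOTE_SITE_LANS
 network-object object REMOTE_OFFICE_LAN
 network-object object REMOTE_MFG_LAN

! Phase 2 crypto ACL: one entry per (local, remote) pair is generated from the group,
! so the manufacturing subnet becomes a second SA on the Draytek tunnel
access-list VPN_DRAYTEK extended permit ip object DC_LAN object-group REMOTE_SITE_LANS

! NAT exemption (identity NAT) for the same pairs; without this the outbound packet is
! translated first and no longer matches the crypto ACL
nat (inside,outside) source static DC_LAN DC_LAN destination static REMOTE_SITE_LANS REMOTE_SITE_LANS no-proxy-arp route-lookup

! Crypto map entry for the Draytek peer (sequence 10, placeholder peer address)
crypto map OUTSIDE_MAP 10 match address VPN_DRAYTEK
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

Two caveats a practitioner should check before applying this. First, the ASA already has a crypto map entry for the Digi tunnel whose ACL presumably also matches 10.99.0.0/16 <-> 10.20.21.0/24; the ASA selects the first crypto map entry (lowest sequence number) whose ACL matches an outbound packet, so that selector must be removed from the Digi entry (or the Draytek entry given the lower sequence) or return traffic will keep using whichever tunnel comes first. Second, the ASA change only fixes the DC end: the Draytek profile must list 10.20.21.0/24 as an additional local network for the same peer, and the Digi needs a route for 10.99.0.0/16 that points at the Draytek (which assumes a LAN path between the two routers at the remote site) rather than at its own IPsec tunnel. Verify on the ASA with `show crypto ipsec sa peer 203.0.113.10` (expect a second SA with local ident 10.99.0.0/16 and remote ident 10.20.21.0/24) and `packet-tracer input inside tcp 10.99.1.10 12345 10.20.21.50 502`, which shows whether the flow hits the identity NAT rule and the VPN encrypt phase.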