1836 Views, 0 Helpful, 4 Replies

2 IPSec VPN Tunnels to Same Peer and Local Network (Unable to Tx)

Larry_9580, Level 1

I have 2 IPsec tunnels set up identically, except that the Peer Address and Remote Network are different on each. I am able to Tx/Rx on the original tunnel no problem, but unable to Tx on the 2nd IPsec tunnel. I believe it to be a routing issue, but do not know where that routing issue is occurring (if it even is a routing issue).


The general setup is as follows for each tunnel:
- Tunnel 1 (Works) = Local Network (10.1.1.0/24) -----> Gateway (1.1.1.1) -----> Peer Address (2.2.2.2) -----> Remote Network (10.2.2.2)
- Tunnel 2 (Does not Work) = Local Network (10.1.1.0/24) -----> Gateway (1.1.1.1) -----> Peer Address (3.3.3.3) -----> Remote Network (10.3.3.3)

1 Accepted Solution

Larry_9580, Level 1

I was able to solve the issue with another NAT rule for the 2nd tunnel.

4 Replies

Muhammad Awais Khan, Cisco Employee

Hi,

What are the devices you are using? It will be helpful if you post your configuration.

As you said about routing, 3.3.3.3 should be reachable from the tunnel source, i.e. 1.1.1.1. Make sure both can reach each other.

On your firewall, have you defined a default route towards your ISP? If that is the case, then it's not an issue with routing. Secondly, which version is your setup, IKEv1 or IKEv2?

Is NAT exemption in place, with an access-list matching the crypto map ACL? It would be great if you upload your configuration so we can advise you what could be wrong.

Please do not forget to rate.

Cristian Matei, VIP Alumni

Hi,

 

First question is, does the second tunnel come up control-plane wise (do you see both phases UP)? Otherwise you would have to look at the config on both sides.

Make sure of the following:

- gateway 1.1.1.1 has a route for the 10.2.2.2 network facing your ISP next-hop; the same for network 10.3.3.3 (if the next-hop is the same, you have only one ISP link, and a default route would be enough); likewise, gateway 2.2.2.2 needs a route for 10.1.1.0/24 facing the ISP and gateway 3.3.3.3 needs a route for 10.1.1.0/24 facing the ISP
- traffic going both ways on both tunnels is exempted from NAT (10.1.1.0/24 to 10.2.2.2, 10.2.2.2 to 10.1.1.0/24, 10.1.1.0/24 to 10.3.3.3 and 10.3.3.3 to 10.1.1.0/24)
- your inbound or outbound-to-global ACL allows the traffic to flow

 

Regards,

Cristian Matei.


Larry_9580, Level 1

I was able to solve the issue with another NAT rule for the 2nd tunnel.
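
The following is an added example, not configuration posted by anyone in this thread. The thread never names the platform, so it assumes a Cisco ASA running post-8.3 NAT syntax and uses the addresses from the original post; the object names, the transform-set and crypto map names, the ISP next-hop 1.1.1.2, the inside host 10.1.1.10 used in the packet-tracer check, and the pre-shared keys are all assumptions. It shows what the accepted solution amounts to in practice: one NAT exemption (identity NAT) rule per tunnel, each mirroring its crypto ACL, plus the route and the checks Cristian's list calls for.

```text
! --- Address objects (names assumed) ---
object network LOCAL_LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_A
 host 10.2.2.2
object network REMOTE_B
 host 10.3.3.3

! --- NAT exemption, one rule per tunnel ---
! On the ASA, NAT is applied before the crypto map ACL is evaluated. With only
! the first rule present, traffic to 10.3.3.3 falls through to the dynamic PAT
! rule (shown at the bottom), leaves with the outside address as its source,
! never matches VPN_B and is sent in the clear instead of being encapsulated.
! That is the "no Tx on tunnel 2" symptom with the control plane up.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_A REMOTE_A no-proxy-arp route-lookup
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_B REMOTE_B no-proxy-arp route-lookup
! Dynamic PAT for general Internet access must come after the exemptions.
object network LOCAL_LAN
 nat (inside,outside) dynamic interface

! --- Crypto ACLs: must be the exact mirror of the exemption rules and of the
! --- peer's crypto ACL (peer side: 10.2.2.2 -> 10.1.1.0/24, 10.3.3.3 -> 10.1.1.0/24)
access-list VPN_A extended permit ip 10.1.1.0 255.255.255.0 host 10.2.2.2
access-list VPN_B extended permit ip 10.1.1.0 255.255.255.0 host 10.3.3.3

! --- One crypto map, two entries, one per peer (IKEv1 shown; names assumed) ---
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_A
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 20 match address VPN_B
crypto map OUTSIDE_MAP 20 set peer 3.3.3.3
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key <key-for-peer-2.2.2.2>
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key <key-for-peer-3.3.3.3>

! --- Routing: a single ISP link, so one default route covers both peers and
! --- both remote networks (next-hop 1.1.1.2 is assumed) ---
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1

! --- Checks ---
! packet-tracer walks the flow through the NAT and VPN phases; the NAT phase
! should show the identity rule for REMOTE_B and the result must be ALLOW with
! the VPN ENCRYPT phase present. A hit on the dynamic PAT rule means the
! exemption is missing or ordered after it.
packet-tracer input inside tcp 10.1.1.10 12345 10.3.3.3 443
! #pkts encaps at zero: this side is not selecting the traffic (NAT or crypto
! ACL mismatch). encaps rising but #pkts decaps at zero: the far side (3.3.3.3)
! is not routing or exempting 10.1.1.0/24 back towards the tunnel.
show crypto ipsec sa peer 3.3.3.3
show nat detail
```

Order matters for the manual NAT rules: the two identity rules are section 1 and are evaluated top-down before the object (auto) NAT in section 2, so the dynamic PAT only applies to traffic that did not match either exemption. If the second tunnel is added later and its exemption is forgotten, the first tunnel keeps working and only the new destination is mis-translated, which is the asymmetric symptom described in the original post.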