03-06-2020 01:08 PM
I have 2 IPsec tunnels set up that are identical except that the Peer Address and Remote Network are different on each. I am able to Tx/Rx on the original tunnel no problem, but unable to Tx on the 2nd IPsec tunnel. I believe it to be a routing issue, but do not know where that routing issue is occurring (if it even is a routing issue).
The general setup is as follows for each tunnel:
- Tunnel 1 (Works) = Local Network (10.1.1.0/24) -----> Gateway (1.1.1.1) -----> Peer Address (2.2.2.2) -----> Remote Network (10.2.2.2)
- Tunnel 2 (Does not Work) = Local Network (10.1.1.0/24) -----> Gateway (1.1.1.1) -----> Peer Address (3.3.3.3) -----> Remote Network (10.3.3.3)
07-16-2020 02:21 PM
I was able to solve the issue with another NAT rule for the 2nd tunnel.
03-06-2020 04:44 PM
Hi,
What devices are you using? It would be helpful if you posted your configuration.
As you said about routing, 3.3.3.3 should be reachable from the tunnel source, i.e. 1.1.1.1. Make sure both can reach each other.
03-07-2020 12:28 AM
On your firewall, have you defined a default route towards your ISP? If that is the case then it's not an issue with routing. Secondly, which version did you set up, IKEv1 or IKEv2?
Is NAT exemption in place, with an access-list matching the crypto map ACL? It would be great if you uploaded your configuration so we can advise you on what could be wrong.
03-07-2020 05:30 AM
Hi,
First question is, does the second tunnel come up control-plane wise (do you see both phases UP)? Otherwise you would have to look at the config on both sides.
Make sure of the following:
- gateway 1.1.1.1 has a route for the 10.2.2.2 network facing your ISP next-hop, and the same for network 10.3.3.3 (if the next-hop is the same, i.e. you have only one ISP link, a default route would be enough); likewise, gateway 2.2.2.2 needs a route for 10.1.1.0/24 facing the ISP, and gateway 3.3.3.3 needs a route for 10.1.1.0/24 facing the ISP
- traffic going both ways on both tunnels is exempted from NAT (10.1.1.0/24 to 10.2.2.2, 10.2.2.2 to 10.1.1.0/24, 10.1.1.0/24 to 10.3.3.3 and 10.3.3.3 to 10.1.1.0/24)
- your inbound or outbound to global ACL allows the traffic to flow
Regards,
Cristian Matei.
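The checklist above, written out as a configuration fragment. This is an added example, not configuration from the thread; the thread never names the device, so it assumes Cisco ASA 8.3+ syntax, the interface names `inside`/`outside`, and the object and ACL names shown. The ISP next-hop is not given on the page and is left as a placeholder.

```cisco
! Assumed ASA 8.3+ syntax; object/ACL names and interface names are assumptions
object network LOCAL_LAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_SITE_A
 host 10.2.2.2
object network REMOTE_SITE_B
 host 10.3.3.3

! Route to both peers and remote networks: one ISP link, so a default route is enough
route outside 0.0.0.0 0.0.0.0 <ISP_NEXT_HOP_PLACEHOLDER>

! NAT exemption (identity twice-NAT) for each tunnel, in both directions.
! The second line is the rule the original poster was missing for tunnel 2.
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_SITE_A REMOTE_SITE_A no-proxy-arp route-lookup
nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_SITE_B REMOTE_SITE_B no-proxy-arp route-lookup

! Crypto ACLs must match the exempted traffic exactly, one per tunnel
access-list VPN_A extended permit ip object LOCAL_LAN object REMOTE_SITE_A
access-list VPN_B extended permit ip object LOCAL_LAN object REMOTE_SITE_B

crypto map OUTSIDE_MAP 10 match address VPN_A
crypto map OUTSIDE_MAP 10 set peer 2.2.2.2
crypto map OUTSIDE_MAP 20 match address VPN_B
crypto map OUTSIDE_MAP 20 set peer 3.3.3.3
```

`show nat` and `packet-tracer input inside tcp 10.1.1.10 12345 10.3.3.3 80` will show whether traffic for the second tunnel hits the exemption rule or gets translated by a later dynamic NAT rule instead.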