04-02-2014 03:45 AM
Hi All,
I'm having some issues with a site to site to site VPN. I've attached a diagram to help.
In the topology I have a Pepwave HD2, Cisco 861 and another Cisco device. The Pepwave provides both cabled LAN traffic and failover 3G traffic. I have created a VPN tunnel between the two Cisco devices that is up and active and able to route incoming cabled traffic from the Pepwave between the Cisco devices on the VPN tunnel.
My goal is to get traffic from 192.168.40.X to 10.71.1.0 via the 3G VPN for the failover scenario.
I've configured a VPN for the Pepwave HD2 3G traffic using a dynamic map. The tunnel comes up but is idle - and the second diagram attached shows the tunnel is active for LAN traffic 172.16.17.0 to 192.168.224.192, but won't come up for 192.168.40.X to 10.71.1.0.
Someone in the cisco community suggested that only one interface can support one VPN tunnel at once from the same address range.
I've attached my config of the 861 router. Does anyone know how I can route this traffic via the VPN tunnels on IOS, as the same-security-traffic permit inter-interface and same-security-traffic permit intra-interface commands don't work on IOS?
Thanks,
04-02-2014 04:39 AM
When you say that the VPN connection on the Cisco router is idle, do you mean that the show crypto isakmp output says QM_Idle? If so, this means that the tunnel is up.
--
Please remember to rate and select a correct answer
04-02-2014 05:23 AM
Hi,
Yes, the tunnel comes up but won't route the required traffic.
I can only seem to route VPN traffic from router A to router B, and from router B to router C. What I can't do is route via the VPN from router A to router C (in failover mode).
    A                                    B                          C
    Pepwave  <---- Cat 5 cable ---->  Cisco 861  <------VPN------>  Cisco device   (Normal mode)
    Pepwave  <------ 3G VPN ------->  Cisco 861  <------VPN------>  Cisco device   (Failover mode)
    192.168.40.X                      192.168.224.193                10.71.1.0
The Cisco tunnel from the 861 to the Cisco device works fine and I can ping between the LANs. The first ACL for the Cisco 861 to Cisco device is 192.168.40.X to 10.71.1.0 from the physical Cat 5 cable from the Pepwave to the Cisco 861; this passed traffic to 10.71.1.0 with no issues. But the failover 3G VPN with the second ACL, also 192.168.40.X to 10.71.1.0, won't send traffic between 192.168.40.X and 10.71.1.0; it only lets traffic from the Pepwave LAN 192.168.40.X to the Cisco 861 192.168.224.193 into the tunnel.
I'm not sure if I have to add some special command or routing information. The pictures and conf should help explain.
Thanks,
04-02-2014 05:42 AM
It doesn't look like you have permitted the traffic in the crypto ACL:
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.224.190 0.0.0.7 172.16.17.0 0.0.255.255
 permit ip 192.168.224.190 0.0.0.7 192.168.40.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.21.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 172.16.10.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.16.11.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.16.12.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.53.16.0 0.0.1.255
 permit ip 192.168.40.0 0.0.0.255 10.53.133.0 0.0.0.255
But also you have mentioned a few different IPs. In the diagram it mentions 21.71.1.0, while in your post you mention 10.71.1.0. But neither of these is defined as interesting traffic. Can you confirm this please?
04-02-2014 05:54 AM
Yes, sorry, that was a typo from looking at too many diagrams!
Interesting traffic is:
 permit ip 192.168.224.190 0.0.0.7 192.168.40.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.21.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 172.16.10.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.16.11.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.16.12.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.53.16.0 0.0.1.255
 permit ip 192.168.40.0 0.0.0.255 10.53.133.0 0.0.0.255
Traffic on Router A LAN (192.168.40.X) can't reach Router C LAN (10.21.0.0, 192.168.0.0, 172.16.10.0, 172.16.11.0, etc)
04-02-2014 11:59 PM
Is ACL 101 the NAT ACL?
If not, do you have NAT configured on the routers? If yes, have you excluded the VPN traffic from being NATed on both routers?
Also, have you confirmed that the crypto ACL is correctly configured at the far end router (that the ACL is the mirror image of the config you posted)?
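As an added example (not code from the thread or from either router), the following Python script performs the two checks suggested in this reply: whether a given flow matches the posted crypto ACL as interesting traffic, and whether the far-end crypto ACL is the mirror image of the local one. The far-end ACL and the 10.71.1.5 test flow are constructed for illustration; only the `permit ip SRC WC DST WC` entry form used in the thread is parsed.

```python
import ipaddress

# Constructed sample: three of the crypto ACL entries posted in the thread
# (the Cisco 861 side), and a far-end ACL that should be their mirror image.
ACL_861 = """
permit ip 192.168.224.190 0.0.0.7 192.168.40.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 10.21.0.0 0.0.255.255
permit ip 192.168.40.0 0.0.0.255 172.16.10.0 0.0.0.255
"""
ACL_FAR_END = """
permit ip 192.168.40.0 0.0.0.255 192.168.224.184 0.0.0.7
permit ip 10.21.0.0 0.0.255.255 192.168.40.0 0.0.0.255
permit ip 172.16.10.0 0.0.0.255 192.168.40.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """A Cisco wildcard is the inverted netmask: 0.0.0.255 -> /24."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # set bits must be contiguous from the low end
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    prefix = 32 - bin(wc).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_acl(text):
    """Parse 'permit ip SRC WC DST WC' lines into (src_net, dst_net) pairs."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            continue  # only the entry form used in the thread is handled
        entries.append((wildcard_to_network(parts[2], parts[3]),
                        wildcard_to_network(parts[4], parts[5])))
    return entries

def is_interesting(acl, src_ip, dst_ip):
    """True if a src->dst packet matches any crypto ACL entry (i.e. would be
    sent through the tunnel); a flow that returns False never brings the SA up."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)

def is_mirror_image(local_acl, remote_acl):
    """The far-end crypto ACL must list the same networks with src/dst swapped."""
    mirrored = {(str(dst), str(src)) for src, dst in local_acl}
    return mirrored == {(str(src), str(dst)) for src, dst in remote_acl}
```

Running `is_interesting(parse_acl(ACL_861), "192.168.40.5", "10.71.1.5")` returns False, which is the gap pointed out earlier in the thread: 10.71.1.0 is not in the crypto ACL, so that flow is never offered to the tunnel.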