03-06-2004 04:44 PM - edited 02-21-2020 01:03 PM
I have a site-to-site IOS IPSEC VPN solution in place - (20 spoke routers and 1 hub) - everything is working fine.
I now need the spoke routers to be able to access a radius server host over the VPN tunnel at the HUB end.
I am not able to ping/access the radius server from the CONSOLE/TERMINAL of the router but clients on the LAN side (spoke end) can. This means the spoke routers cannot talk to the radius server over the VPN tunnel.
Is there a way I can get around this problem?
Thanks for any help...
03-08-2004 10:15 PM
If you ping FROM the router console then the source of the packet is the router's outside IP address and therefore doesn't match your crypto access-list, and therefore doesn't get encrypted. If you source the ping packet from the inside interface of the router, then this will match the ACL and everything will work.
Similarly, you need to have the router source all its Radius packets from the inside interface so it will get encrypted. Use the command:
ip radius source-interface
You'll need to change your Radius server and add the NAS's in with the inside IP address rather than the outside.
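The fix described in the reply above, as an added spoke-router configuration sketch (not part of the original posts). All addresses, interface names, the ACL number, the crypto map name and the key placeholder are assumptions made up for illustration.

```cisco
! Constructed example: spoke LAN 10.1.1.0/24, hub LAN 10.0.0.0/24,
! RADIUS server 10.0.0.10 at the hub, spoke outside address 192.0.2.2.
!
interface FastEthernet0/0
 description Inside LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
 description Outside interface carrying the IPsec tunnel
 ip address 192.0.2.2 255.255.255.252
 crypto map VPN
!
! Crypto ACL: only traffic sourced from the spoke LAN towards the hub LAN
! is selected for encryption. A packet the router originates with source
! 192.0.2.2 does not match this entry and is not encrypted.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 ! existing "set peer" and "set transform-set" lines stay unchanged (not shown)
 match address 101
!
! Source RADIUS requests from the inside interface (10.1.1.1) so they
! match access-list 101 and go through the tunnel.
ip radius source-interface FastEthernet0/0
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Verification from the router console:
!   ping 10.0.0.10 source FastEthernet0/0
!   show crypto ipsec sa
! The encaps/decaps packet counters for the 10.1.1.0/24 <-> 10.0.0.0/24
! security association should increase after the sourced ping.
! On the RADIUS server, the client (NAS) entry for this router must list
! 10.1.1.1 rather than 192.0.2.2.
```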
03-10-2004 11:16 PM
Excellent, that did the trick! Thank you very much...