08-14-2021 07:41 AM
I have two ISR4431s with an IPSec VPN LAN to LAN connection. I also have a multicast source device with an internal source IP of 10.1.1.2 that has static NAT to 10.0.0.5 on the outside network.
I can access all internal devices of Router 1 VLAN 300 from Router 2 VLAN 400, except I cannot access device 10.1.1.2 from Router 2 through the IPSec VPN LAN to LAN connection. Also, Router 2 does not receive the multicast groups, other devices in this network receive the multicast data.
Here are the relevant IPSec VPN and NAT portions of the configurations:
Router 1:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key presharedkey address 10.0.0.2
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet0/0/3
 ip address 10.0.0.1 255.255.255.248
 ip pim sparse-dense-mode
 ip nat outside
 crypto map CMAP
ip nat inside source list 100 interface GigabitEthernet0/0/3 overload
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
vlan 300
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-dense-mode
ip nat inside source static 10.1.1.2 10.0.0.5
Router 2:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key presharedkey address 10.0.0.1
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TS
 match address VPN-TRAFFIC
ip nat inside source list 100 interface GigabitEthernet0/0/3 overload
access-list 100 deny ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.4.0 0.0.0.255 any
interface GigabitEthernet0/0/3
 ip address 10.0.0.2 255.255.255.248
 ip nat outside
 crypto map CMAP
vlan 400
 ip address 10.1.4.0 255.255.255.0
If anyone has some insight related to my IPSec VPN connection issue with device 10.1.1.2 on Router 1 from Router 2 VLAN 400, it is appreciated.
08-14-2021 08:00 AM
You cannot do multicast over a policy based VPN that you are using. You'd need to migrate to a route based VPN, such as FlexVPN which replicates the multicast packets to each router. FlexVPN uses a tunnel interface (VTI) instead of the crypto map.
Just configure a static VTI on each router, examples:
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html
https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
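For reference, this is what the static VTI recommended above looks like on Router 1, as an added example that is not part of the thread or of Cisco's linked documents. It reuses the poster's peer address and pre-shared key and assumes Tunnel0, a 172.16.0.0/30 tunnel subnet, and the keyring/profile names shown; Router 2 mirrors it with the addresses swapped.

```cisco
! Router 1 side only. Assumed: Tunnel0, 172.16.0.0/30, names KR-R2 / PROF-R2 / IPSEC-R2.
! Required on the ISR4000 platform for PIM to forward; harmless if already present.
ip multicast-routing distributed
!
! IKEv2 keyring holding the same pre-shared key used in the crypto-map config
crypto ikev2 keyring KR-R2
 peer R2
  address 10.0.0.2
  pre-shared-key presharedkey
!
crypto ikev2 profile PROF-R2
 match identity remote address 10.0.0.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-R2
!
! IKEv2 smart defaults supply the proposal, policy and transform set
crypto ipsec profile IPSEC-R2
 set ikev2-profile PROF-R2
!
! Route-based tunnel: PIM runs on it, so multicast is forwarded like unicast.
! It is deliberately NOT marked "ip nat outside", so inside-to-tunnel traffic is not translated.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip pim sparse-dense-mode
 tunnel source GigabitEthernet0/0/3
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-R2
!
! Remove the policy-based crypto map from the outside interface
interface GigabitEthernet0/0/3
 no crypto map CMAP
!
! Steer the remote LAN into the tunnel; VPN-TRAFFIC is no longer consulted for selection
ip route 10.1.4.0 255.255.255.0 Tunnel0
```

Verify with `show crypto ikev2 sa`, `show crypto ipsec sa`, and `show ip mroute` once PIM neighbors appear on Tunnel0.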
08-14-2021 09:20 AM
I require unicast access to the multicast source device. I do not require multicast data in the secure connection.
Would this require the change to Flex VPN?