Solved: Re: IP Sec VPN LAN to LAN with NAT on Multicast Source

donaldhughes743301172 · ‎08-14-2021

I have two ISR4431s with an IPSec VPN LAN to LAN connection. I also have a multicast source device with an internal source IP of 10.1.1.2 that has static NAT to 10.0.0.5 on the outside network.

I can access all internal devices of Router 1 VLAN 300 from Router 2 VLAN 400, except I cannot access device 10.1.1.2 from Router 2 through the IPSec VPN LAN to LAN connection. Also, Router 2 does not receive the multicast groups, other devices in this network receive the multicast data.

Here are the relevant IPSec VPN and NAT portions of the configurations:

.

Router 1:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400

crypto isakmp key presharedkey address 10.0.0.2

ip access-list extended VPN-TRAFFIC
permit ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255

crypto ipsec transform-set TS esp-3des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set TS
match address VPN-TRAFFIC

interface GigabitEthernet0/0/3
ip address 10.0.0.1 255.255.255.248

ip pim sparse-dense-mode
ip nat outside
crypto map CMAP

ip nat inside source list 100 interface GigabitEthernet0/0/3 overload

access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

vlan 300
ip addess 10.1.1.1 255.255.255.0

ip pim-sparse-dense mode

ip nat inside source static 10.1.1.2 10.0.0.5

Router 2:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400

crypto isakmp key presharedkey address 10.0.0.1
ip access-list extended VPN-TRAFFIC

permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255

crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set TS
match address VPN-TRAFFIC

ip nat inside source list 100 interface GigabitEthernet0/0/3 overload

access-list 100 deny ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.4.0 0.0.0.255 any

interface GigabitEthernet0/0/3
ip address 10.0.0.2 255.255.255.248

ip nat outside
crypto map CMAP

vlan 400
ip address 10.1.4.0 255.255.255.0

If anyone has some insight related to my IPSec VPN connection issue with device 10.1.1.2 on Router 1 from Router 2 VLAN 400, it is appreciated.

Rob Ingram · ‎08-14-2021

Hi @donaldhughes743301172

You cannot do multicast over a policy based VPN that you are using. You'd need to migrate to a route based VPN, such as FlexVPN which replicates the multicast packets to each router. FlexVPN uses a tunnel interface (VTI) instead of the crypto map.

Just configure a stafic VTI on each router, examples:-

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html

https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

View solution in original post

Rob Ingram · ‎08-14-2021

Hi @donaldhughes743301172

You cannot do multicast over a policy based VPN that you are using. You'd need to migrate to a route based VPN, such as FlexVPN which replicates the multicast packets to each router. FlexVPN uses a tunnel interface (VTI) instead of the crypto map.

Just configure a stafic VTI on each router, examples:-

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html

https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

donaldhughes743301172 · ‎08-14-2021

I require unicast access to the multicast source device. I do not require multicast data in the secure connection.

Would this require the change to Flex VPN?