IP Sec VPN LAN to LAN with NAT on Multicast Source

I have two ISR4431s with an IPSec VPN LAN to LAN connection. I also have a multicast source device with an internal source IP of 10.1.1.2 that has static NAT to 10.0.0.5 on the outside network.

I can access all internal devices of Router 1 VLAN 300 from Router 2 VLAN 400, except I cannot access device 10.1.1.2 from Router 2 through the IPSec VPN LAN to LAN connection. Also, Router 2 does not receive the multicast groups; other devices in this network receive the multicast data.

Here are the relevant IPSec VPN and NAT portions of the configurations:

Router 1:

 

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400

crypto isakmp key presharedkey address 10.0.0.2

ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255

crypto ipsec transform-set TS esp-3des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS
 match address VPN-TRAFFIC

interface GigabitEthernet0/0/3
 ip address 10.0.0.1 255.255.255.248
 ip pim sparse-dense-mode
 ip nat outside
 crypto map CMAP

ip nat inside source list 100 interface GigabitEthernet0/0/3 overload

access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any

vlan 300
 ip address 10.1.1.1 255.255.255.0
 ip pim sparse-dense-mode

ip nat inside source static 10.1.1.2 10.0.0.5

 

Router 2:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400

crypto isakmp key presharedkey address 10.0.0.1

ip access-list extended VPN-TRAFFIC
 permit ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255

crypto ipsec transform-set TS esp-3des esp-md5-hmac

crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.1
 set transform-set TS
 match address VPN-TRAFFIC

ip nat inside source list 100 interface GigabitEthernet0/0/3 overload

access-list 100 deny ip 10.1.4.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.4.0 0.0.0.255 any

interface GigabitEthernet0/0/3
 ip address 10.0.0.2 255.255.255.248
 ip nat outside
 crypto map CMAP

vlan 400
 ip address 10.1.4.0 255.255.255.0


If anyone has some insight related to my IPSec VPN connection issue with device 10.1.1.2 on Router 1 from Router 2 VLAN 400, it is appreciated.

Accepted Solution

Hi @donaldhughes743301172 

You cannot do multicast over a policy based VPN that you are using. You'd need to migrate to a route based VPN, such as FlexVPN which replicates the multicast packets to each router. FlexVPN uses a tunnel interface (VTI) instead of the crypto map.

 

Just configure a static VTI on each router, examples:

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html

https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
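As an added illustration of the static VTI recommended above (this is not from the original post or from Cisco's linked examples): Router 1 rebuilt as an IKEv2 FlexVPN SVTI using this thread's addresses. The keyring, profile and transform-set names, the 172.16.0.0/30 tunnel subnet and the AES-256/SHA-256 suite are my assumptions; Router 2 mirrors it with peer 10.0.0.1, tunnel address 172.16.0.2 and a route for 10.1.1.0/24.

```ios
! Added example, not from the original post: FlexVPN static VTI on Router 1.
! Names, the 172.16.0.0/30 tunnel subnet and the AES-256/SHA-256 suite are assumptions.
!
! Remove the policy-based crypto map from the WAN interface; the VTI replaces it.
interface GigabitEthernet0/0/3
 no crypto map CMAP
!
! IKEv2 keyring and profile (replaces the ISAKMP policy/key used by the crypto map).
crypto ikev2 keyring FLEX-KR
 peer ROUTER2
  address 10.0.0.2
  pre-shared-key presharedkey
!
crypto ikev2 profile FLEX-PROF
 match identity remote address 10.0.0.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local FLEX-KR
!
! Stronger suite than the 3DES/MD5 set in the thread; use whatever both ends support.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX-IPSEC
 set transform-set TS-AES
 set ikev2-profile FLEX-PROF
!
! The VTI is a routed interface, so PIM can run on it and multicast is forwarded
! like on any other link. It is not marked "ip nat outside", so packets routed
! into it are never translated, including those sourced from 10.1.1.2.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ip pim sparse-dense-mode
 tunnel source GigabitEthernet0/0/3
 tunnel mode ipsec ipv4
 tunnel destination 10.0.0.2
 tunnel protection ipsec profile FLEX-IPSEC
!
! Route-based: what enters the tunnel is decided by routing, not by VPN-TRAFFIC.
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
! Verification after Router 2 is configured the same way (peer 10.0.0.1,
! tunnel address 172.16.0.2, route to 10.1.1.0/24):
!   show crypto ikev2 sa
!   show ip pim neighbor Tunnel0
!   show ip mroute
```

The crypto ACL VPN-TRAFFIC and the NAT deny entries in access-list 100 become unnecessary once the tunnel is routed, since traffic to 10.1.4.0/24 no longer crosses an "ip nat outside" interface in the clear.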

 


I require unicast access to the multicast source device. I do not require multicast data in the secure connection.

Would this require the change to Flex VPN?