[IPsec site-2-site]Why do i need a static route on both sides?

Eric Snijders
Level 1

Hi guys,

I think it will be an easy question, but I can't seem to understand why I need a static route on both sides to reach each other's local subnet (over the tunnel, of course). Let me explain:

I have the following topology:
[topology diagram]

I'm just doing basic NAT overload (excluded the f0/0 LANs to each other from NATing, of course) so both PCs can reach each other's "WAN" IP.

If I'm not doing any static routing to the local subnets (172.16.x.x) I'm perfectly able to ping from R1 f0/0 to R2 f0/0 over the IPsec tunnel. If I'm pinging from PC1 to PC2 it fails. As soon as I create the static route on both routers to the respective 172.16.x.x networks, the pings from PC1 to PC2 and vice versa succeed.

Please help me understand why it works from router-to-router without a static route, but not from PC to PC.


Rahul Govindan
VIP Alumni

Traffic to be encrypted has to be sent to the WAN interface of the router, usually where the crypto map is applied. Unless you have a route for the remote subnet (or a default route) to the E3/0 or E3/1 interface, the router will never see the 'interesting traffic' to be encrypted. Once this traffic hits the WAN interface, it is matched with the crypto ruleset to be sent out encrypted.

Router-generated traffic in your case may be using some sort of local policy routing rather than the static routing. For example, if you have "ip default-gateway", it will apply to router-generated traffic. Do you have the config from your network that you can attach?

Hi Rahul,

Thank you for the fast reply.

On both sides I do have a 0-route pointing to the WAN interface, so I was expecting the following:

Let's say I ping from PC1 (172.16.1.100) to PC2 (172.16.2.100) without the static routes:
1. PC1 sends the ping to 172.16.2.100 via its default gateway R1 (172.16.1.1).
2. R1 doesn't NAT the 172.16.1.0/24 to 172.16.2.0/24 traffic since it's denied by the ACL.
3. R1 doesn't have a route to the 172.16.2.0 network, so it sends it to the 0-route, which is e3/0.
4. Traffic hits the crypto map applied to e3/0, so it will be sent over the encrypted tunnel.

Attached are both configs. Please explain at what step I'm going wrong or what I'm missing.

Thanks in advance!

Eric

Your default route points to the interface rather than the next hop. Try the test by changing it. The difference between both is given here :

http://www.cisco.com/c/en/us/support/docs/dial-access/floating-static-route/118263-technote-nexthop-00.html

Worked like a charm Rahul, thanks a lot.

For R1 I replaced "ip route 0.0.0.0 0.0.0.0 e3/0" with "ip route 0.0.0.0 0.0.0.0 1.1.1.3"
For R2 I replaced "ip route 0.0.0.0 0.0.0.0 e3/1" with "ip route 0.0.0.0 0.0.0.0 2.2.2.3"

Going through the document you provided right now.

Again, thanks a lot!
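As an added illustration of the fix discussed in this thread (this is not the attached config, which the page does not show), here is an R1 configuration in the shape the posts describe, with the interface-pointed default route shown beside the next-hop version. The WAN addresses, ACL and crypto map names, and the pre-shared key are assumptions.

```cisco
! R1: illustrative reconstruction, not the poster's attached config.
! Assumed: LAN 172.16.1.0/24 on f0/0, WAN 1.1.1.1/24 on e3/0 with upstream next hop 1.1.1.3,
! remote LAN 172.16.2.0/24 behind R2 whose WAN address is 2.2.2.2 (placeholder peer).
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet3/0
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 crypto map VPN
!
! NAT overload, with the LAN-to-LAN traffic exempted so it keeps its private
! source address and can still match the crypto ACL below.
ip access-list extended NAT-ACL
 deny   ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface Ethernet3/0 overload
!
! "Interesting traffic" that the crypto map encrypts.
ip access-list extended VPN-ACL
 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 2.2.2.2
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map VPN 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address VPN-ACL
!
! Problem form: a default route that names only a multi-access (Ethernet) interface.
! IOS then treats every destination as directly connected on e3/0 and must ARP for
! 172.16.2.100 itself, relying on proxy ARP from the upstream device; when no reply
! comes back the packet is dropped instead of being encrypted.
! ip route 0.0.0.0 0.0.0.0 Ethernet3/0
!
! Working form (what the thread settled on): a next-hop address. The packet is
! forwarded towards 1.1.1.3 out e3/0, matches VPN-ACL on the way out, and is encrypted.
ip route 0.0.0.0 0.0.0.0 1.1.1.3
```

R2 mirrors this with 172.16.2.0/24 on its LAN side, the crypto map on e3/1, and "ip route 0.0.0.0 0.0.0.0 2.2.2.3" as its default route.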