
IPsec site-to-site failing to work on Cisco 8200L router

clovisug (Level 1)

I am trying to configure an IPsec VPN on an 8200L router, but it is failing.

I am doing NAT for the encrypted domain, and the same configuration is working on a 1142 router.

Kindly advise if there is any extra configuration required on the 8200L router model for the VPN to work.

24 Replies

NATing to a Loopback?

NATing the encrypted traffic on the tunnel... this is an IPsec site-to-site tunnel.

NATing traffic in a VTI tunnel?

clovisug (Level 1)

Yes, on the WAN interface.

Can you share the config?

ACL for the allowed subnet to access from the peer side.
The ACL is referred to in the crypto map section.
Doing PAT for the local subnet.

That is all there is to the config, and the same config is working on the old router, but on the new router it is failing.

Friend,
NATing with IPsec:
local-LAN - R1 - R2 - remote-LAN
ACL of IPsec: permit local-LAN remote-LAN

ACL for PAT:
ACL of no-nat: deny local-LAN remote-LAN
ACL of nat: permit local-LAN any

This will encrypt traffic ONLY if the destination is remote-LAN; for any other destination the traffic will NOT be encrypted and will be NATed to the WAN interface.

I will share the configs when I get back to the site by Saturday.

Below is the configuration.

crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel to PEERTEST
 set peer PEERTEST-IP
 set transform-set ESP-AES-256-SET
 set pfs group5
 match address TESTTRAFFIC

ip access-list extended TESTTRAFFIC
 10 permit ip host X.X.X.X host Y.Y.Y.Y
 20 permit ip host X.X.X.X host Y.Y.Y.Y

ip nat inside source list TESTTRAFFIC interface GigabitEthernet0/0/0 overload

ip route X.X.X.X 255.255.255.255 Y.Y.Y.Y
ip route X.X.X.X 255.255.255.255 Y.Y.Y.Y

That will not work:

match address TESTTRAFFIC <<- OK

ip access-list extended TESTTRAFFIC <<- OK
 10 permit ip host X.X.X.X host Y.Y.Y.Y
 20 permit ip host X.X.X.X host Y.Y.Y.Y

ip nat inside source list TESTTRAFFIC interface GigabitEthernet0/0/0 overload <<- NOT

Use instead:

ip nat inside source list TESTTRAFFIC-NONAT interface GigabitEthernet0/0/0 overload

ip access-list extended TESTTRAFFIC-NONAT
 10 deny ip host X.X.X.X host Y.Y.Y.Y
 20 deny ip host X.X.X.X host Y.Y.Y.Y
 30 permit ip x.x.x.x x.x.x.x any

Note: you hid the IP in your static route, but the static route must point to the interface under which you configured the crypto map.
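The two replies above both come down to the same point: on Cisco IOS, inside-to-outside traffic is translated by inside-source NAT before the crypto map is evaluated on the egress interface, so if the NAT ACL matches the VPN traffic, the source is rewritten to the WAN address, the packet no longer matches the crypto ACL, and it leaves in the clear. The simulation below is an added example written for this page (not code from the thread or from Cisco); all addresses are constructed, ACLs are written in CIDR rather than IOS wildcard-mask form, and `egress()` models only the NAT-then-crypto order relevant here.

```python
"""Simulate IOS inside-to-outside order of operations: NAT first, then crypto map.

Added example for this thread; addresses are constructed, not from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source and destination prefixes."""
    action: str            # "permit" or "deny"
    src: object            # ip_network
    dst: object            # ip_network


def ace(action, src, dst):
    return Ace(action, ip_network(src), ip_network(dst))


def acl_permits(acl, src, dst):
    """Ordered first-match evaluation with the implicit deny IOS applies at the end."""
    s, d = ip_address(src), ip_address(dst)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action == "permit"
    return False


# Constructed topology: local host behind the router, remote host across the tunnel,
# an unrelated Internet host, and the router's WAN (crypto map) interface address.
LOCAL_HOST = "10.1.1.10"
REMOTE_HOST = "192.168.50.20"
INTERNET_HOST = "198.51.100.7"
WAN_IP = "203.0.113.1"

# Crypto ACL: the interesting traffic that should be encrypted (host to host).
CRYPTO_ACL = [ace("permit", "10.1.1.10/32", "192.168.50.20/32")]

# Original poster's approach: the NAT ACL is the same list as the crypto ACL.
NAT_ACL_BROKEN = CRYPTO_ACL

# Recommended approach: deny the VPN pair first (NAT exemption), then PAT the rest.
NAT_ACL_FIXED = [
    ace("deny", "10.1.1.10/32", "192.168.50.20/32"),
    ace("permit", "10.1.1.0/24", "0.0.0.0/0"),
]


def egress(src, dst, nat_acl, crypto_acl):
    """Return (source address on the wire, encrypted?) for an inside-to-outside packet.

    IOS translates with inside-source NAT before the crypto map is checked, so the
    crypto ACL sees the post-NAT source address.
    """
    if acl_permits(nat_acl, src, dst):
        src = WAN_IP                     # PAT overload: source becomes the interface IP
    encrypted = acl_permits(crypto_acl, src, dst)
    return src, encrypted


def compare():
    """Run the VPN packet and an Internet-bound packet through both NAT policies."""
    return {
        "broken_vpn": egress(LOCAL_HOST, REMOTE_HOST, NAT_ACL_BROKEN, CRYPTO_ACL),
        "fixed_vpn": egress(LOCAL_HOST, REMOTE_HOST, NAT_ACL_FIXED, CRYPTO_ACL),
        "fixed_internet": egress(LOCAL_HOST, INTERNET_HOST, NAT_ACL_FIXED, CRYPTO_ACL),
    }


if __name__ == "__main__":
    for name, (wire_src, enc) in compare().items():
        print(f"{name:15s} source on wire={wire_src:14s} encrypted={enc}")
```

With the broken policy the VPN packet leaves sourced from the WAN address and unencrypted, which is exactly the "tunnel never comes up / traffic never matches" symptom; with the exemption in place the VPN packet keeps its inside source and is encrypted, while Internet-bound traffic from the same subnet is still PATed. The `deny` entries must precede the `permit ... any`, because the ACL is first-match.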



"ip nat inside source list TESTTRAFFIC interface GigabitEthernet0/0/0 overload" is not required in the configuration, right?

If you want host x.x.x.x to access host y.y.y.y via the IPsec tunnel and also to reach the Internet, then you need NAT overload.

For the Internet it is already configured and up and running.

Below is the final configuration on the router.

crypto map SDM_CMAP_1 4 ipsec-isakmp
 description Tunnel to PEERTEST
 set peer PEERTEST-IP
 set transform-set ESP-AES-256-SET
 set pfs group5
 match address TESTTRAFFIC

ip nat inside source list TESTTRAFFIC-NONAT interface GigabitEthernet0/0/0 overload

ip access-list extended TESTTRAFFIC
 10 permit ip host X.X.X.X host Y.Y.Y.Y
 20 permit ip host X.X.X.X host Y.Y.Y.Y

ip access-list extended TESTTRAFFIC-NONAT
 10 deny ip host X.X.X.X host Y.Y.Y.Y
 20 deny ip host X.X.X.X host Y.Y.Y.Y
 30 permit ip any any

ip route X.X.X.X 255.255.255.255 Y.Y.Y.Y
ip route X.X.X.X 255.255.255.255 Y.Y.Y.Y

where Y.Y.Y.Y is the IP address of the interface where the crypto map is applied.