IPsec traffic destined to the internet not traversing gateway

DavidBruce954
Level 1

Hello,

I am trying to forward IPsec traffic to the internet from my outside interface and I am having difficulty with configuring my router. I confirmed that the tunnel is operational on phase one and phase two, and had a device on the opposite end traceroute to an internet address, which shows that traffic stops on my end of the tunnel. I believe I am not correctly configuring either routing or an ACL. Please see my config below.

crypto map TUNNEL-CMAP 40 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address 172
!
interface Tunnel0
 ip address 172.31.250.2 255.255.255.252
 tunnel source 1.1.1.2
 tunnel destination 2.2.2.2
!
interface GigabitEthernet0/0
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 ip address 1.1.1.2 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map TUNNEL-CMAP
!
router bgp 11111
 no synchronization
 bgp log-neighbor-changes
 neighbor 172.31.250.1 remote-as 6167
 neighbor 172.31.250.1 default-originate
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list nat interface GigabitEthernet0/2 overload
ip nat inside source route-map nonat interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip access-list extended nat
 permit ip 192.168.100.0 0.0.0.255 any
!
access-list 172 permit gre host 1.1.1.2 host 2.2.2.2

5 Replies

IPsec is configured under the GRE tunnel with an IPsec profile, and this crypto IPsec profile does not need an ACL because it is route-based, not policy-based.

The traffic that is forwarded via GRE will be protected with IPsec.

The IPsec VPN traffic flows from the 2.2.2.2 side to the 1.1.1.2 end of the tunnel, but I do not know how to configure it to go out the 1.1.1.1 gateway. The GRE tunnel is working, as BGP is functional.

Hi,

I see you are using GRE over IPsec. My recommendation is to go VTI. This makes the IPsec part simple. Then you can focus on NATting.

Then share a traceroute from the client to 8.8.8.8

**** please remember to rate useful posts
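Putting the VTI recommendation and the NAT step together, as an added example that is not part of any reply above and not the poster's config. It assumes the transform set TS and the ISAKMP policy/pre-shared key already exist, and uses 10.20.30.0/24 as a placeholder for the remote LAN behind 2.2.2.2; the NAT portion (ip nat inside on the tunnel and the widened source list) applies equally if the GRE design is kept.

```ios
! Added example (not from the thread): route-based VTI replacing GRE over IPsec with a
! crypto map, plus NAT for traffic that arrives over the tunnel and leaves Gi0/2.
! Assumption: 10.20.30.0/24 is a placeholder for the remote site's LAN, reachable via
! Tunnel0 through the route learned from the BGP neighbor 172.31.250.1.
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 172.31.250.2 255.255.255.252
 ! the tunnel is the NAT "inside": flows entering here are translated on the way out Gi0/2
 ip nat inside
 tunnel source 1.1.1.2
 tunnel destination 2.2.2.2
 ! route-based IPsec: no crypto map and no crypto ACL needed for the tunnel traffic
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface GigabitEthernet0/2
 ip address 1.1.1.2 255.255.255.248
 ip nat outside
 ! the policy-based crypto map is removed from the physical interface
 no crypto map TUNNEL-CMAP
!
! The NAT source list must also match the remote prefix, not only the local
! 192.168.100.0/24; otherwise packets from the far side reach Gi0/2 untranslated
! with a private source address and are dropped upstream.
ip access-list extended nat
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.20.30.0 0.0.0.255 any
!
ip nat inside source list nat interface GigabitEthernet0/2 overload
!
! BGP over the VTI is unchanged: the default route is still originated to the remote side
router bgp 11111
 neighbor 172.31.250.1 remote-as 6167
 neighbor 172.31.250.1 default-originate
```

After applying this, show ip nat translations should list entries whose inside local address is in the remote prefix once the far-side host traceroutes to 8.8.8.8.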

R1-R2
Between these two routers there is a direct link, and we configure BGP between the two routers. R2 (ISP) advertises a default route to R1.

BUT there is GRE between R1-R2, which puts us in a different situation: we must allow BGP through the GRE here, and this will make the default route point toward the tunnel, not directly toward R2. Configuring IPsec under GRE makes the traffic more secure.

pccw258103
Level 1

Maybe "NAT Traversal is a feature that is auto detected by VPN devices."

crypto ipsec nat-transparency udp-encapsulation

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_dplane/configuration/15-2mt/sec-ipsec-nat-transp.html#GUID-E22B358E-FDE7-4EE3-B24A-1E67C90D98CB