Problem with VPN

darkmen11
Level 1

Hello,
I have a problem with this router configuration for establishing a VPN with a Fortinet device.
The VPN is established, but there is no connection between the PCs.
Can you please help me?
Thank you in advance.

crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 20
crypto isakmp key password address A.B.C.D
!
crypto ipsec transform-set ESP-AES-SHA256 esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto map VPN-MAP 10 ipsec-isakmp
set peer A.B.C.D
set security-association lifetime seconds 43200
set transform-set ESP-AES-SHA256
set pfs group20
match address VPN-ACL
!
interface Loopback0
ip address E.F.G.H 255.255.255.255
!
interface GigabitEthernet0/0/0
description ## ##
ip address E.F.G.I 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
description ## internet circuit ##
ip address J.K.L.M 255.255.255.248
ip nat outside
negotiation auto
crypto map VPN-MAP
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/1/0
description ## ##
switchport access vlan 20
switchport mode access
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan20
description ##  ##
ip address E.F.G.J 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
!
router eigrp 102
network E.F.0.0 0.0.255.255
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0
ip nat inside source route-map internet interface GigabitEthernet0/0/1 overload
ip route 0.0.0.0 0.0.0.0 J.K.L.N name Internet_Main
!
ip access-list extended VPN-ACL
20 permit ip E.F.G.O 0.0.0.255 P.Q.R.S 0.0.0.255
!
ip access-list standard 5
10 permit E.F.0.0 0.0.255.255
!
route-map internet permit 10
match ip address 5
!
route-map REDI_Static permit 10
match tag 999
!
control-plane

6 Replies

@darkmen11 hard to tell from your configuration, but the VPN traffic could be unintentionally translated by your NAT configuration.

Reconfigure your NAT ACL to deny traffic between the networks in the crypto ACL, E.F.G.O 0.0.0.255 and P.Q.R.S 0.0.0.255 - this will ensure this VPN traffic is not natted. Then permit all other traffic, which will be used for internet access. You'd need to use an extended ACL instead of the standard ACL you are currently using.

Example:

ip nat inside source list 101 interface GigabitEthernet0/0/1 overload

access-list 101 deny ip E.F.G.O 0.0.0.255 P.Q.R.S 0.0.0.255
access-list 101 permit ip E.F.0.0 0.0.255.255 any

M02@rt37
VIP

Hello @darkmen11 

Since you're using NAT, ensure that traffic destined for the VPN is exempt from NAT.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

As already mentioned, you would need to exempt the protected traffic from being NAT'ed. To do so, you can do the following:

access-list 100 deny ip E.F.G.O 0.0.0.255 P.Q.R.S 0.0.0.255
access-list 100 permit ip E.F.0.0 0.0.255.255 any

no ip nat inside source route-map internet interface GigabitEthernet0/0/1 overload
ip nat inside source list 100 interface GigabitEthernet0/0/1 overload

This way the protected traffic will not be NAT'ed and all the other traffic will be. You can use an extended ACL as well if you don't wish to use a numbered ACL.

Hello,

Won't this solution prevent E.F.G.O from connecting to P.Q.R.S via the VPN because of the deny?

Thank you in advance for your feedback.

Hello. No, it won't, because this ACL is for NAT; it is not the encryption-domain ACL. The deny statement you see in ACL 100 just says "don't NAT this traffic". The encryption-domain ACL you are using is a different one: VPN-ACL.

@darkmen11 the solution (amending the NAT ACL) will ensure traffic between E.F.G.O and P.Q.R.S is not NATTED, and will NAT all other traffic.
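The following is an added worked example, not code from this thread or from Cisco; it models in Python why the replies above keep saying "the deny in the NAT ACL only means don't translate", and why the original route-map with standard ACL 5 breaks the tunnel. Since the thread's addresses are placeholders (E.F.G.O, P.Q.R.S, J.K.L.M), the script substitutes constructed RFC 1918 / documentation addresses, stated as assumptions in the comments. It implements a small Cisco-style ACE parser with wildcard masks, first-match-with-implicit-deny evaluation, and the inside-to-outside order of operations in which NAT runs before the crypto map is consulted, so a translated packet no longer matches VPN-ACL and leaves in the clear.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the thread's placeholders (assumptions, not the poster's real addresses):
#   E.F.G.O 0.0.0.255   -> 10.0.1.0/24      (local LAN in the crypto ACL)
#   E.F.0.0 0.0.255.255 -> 10.0.0.0/16      (the summary the NAT ACL permits)
#   P.Q.R.S 0.0.0.255   -> 192.168.50.0/24  (remote LAN behind the Fortinet)
#   J.K.L.M             -> 203.0.113.10     (outside interface address used for overload NAT)
OUTSIDE_IP = "203.0.113.10"


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination networks."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert Cisco 'address wildcard' notation to a network.

    Only contiguous wildcards (the common case) are supported; a
    non-contiguous one raises from ipaddress, which is fine for this model.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_address(tokens):
    """Consume one address spec ('any', 'host X', or 'X wildcard') from the token list."""
    if not tokens:  # standard ACL: no destination field means 'any'
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str) -> Ace:
    """Parse a numbered ('access-list 101 ...'), named-sequence ('20 permit ...')
    or standard ('10 permit 10.0.0.0 0.0.255.255') entry. Protocol and port
    qualifiers beyond a leading 'ip' are not modelled."""
    tokens = line.split()
    idx = next(i for i, t in enumerate(tokens) if t in ("permit", "deny"))
    action, rest = tokens[idx], tokens[idx + 1:]
    if rest and rest[0] == "ip":
        rest = rest[1:]
    src, rest = _take_address(rest)
    dst, _ = _take_address(rest)
    return Ace(action, src, dst)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def forward(src: str, dst: str, nat_acl, crypto_acl, outside_ip: str = OUTSIDE_IP) -> dict:
    """Model the inside->outside path on the router.

    A 'permit' in the NAT ACL means 'translate'; a 'deny' means 'leave the
    packet alone' (it is still forwarded). Translation happens before the
    crypto map is consulted, so a translated packet no longer matches the
    crypto ACL and is sent in the clear instead of into the tunnel.
    """
    translated = acl_action(nat_acl, src, dst) == "permit"
    post_nat_src = outside_ip if translated else src
    encrypted = acl_action(crypto_acl, post_nat_src, dst) == "permit"
    return {"translated": translated, "post_nat_src": post_nat_src, "encrypted": encrypted}


# The poster's original NAT match: standard ACL 5 only looks at the source.
NAT_ACL_BEFORE = [parse_ace("10 permit 10.0.0.0 0.0.255.255")]

# The fix suggested in the replies: deny the crypto-domain pair first, then permit the rest.
NAT_ACL_AFTER = [
    parse_ace("access-list 101 deny ip 10.0.1.0 0.0.0.255 192.168.50.0 0.0.0.255"),
    parse_ace("access-list 101 permit ip 10.0.0.0 0.0.255.255 any"),
]

# The crypto ACL (VPN-ACL) is untouched by the fix.
CRYPTO_ACL = [parse_ace("20 permit ip 10.0.1.0 0.0.0.255 192.168.50.0 0.0.0.255")]


if __name__ == "__main__":
    for label, acl in (("before", NAT_ACL_BEFORE), ("after", NAT_ACL_AFTER)):
        print(label, "LAN->remote:  ", forward("10.0.1.20", "192.168.50.7", acl, CRYPTO_ACL))
        print(label, "LAN->internet:", forward("10.0.1.20", "198.51.100.9", acl, CRYPTO_ACL))
```

Running it shows the "before" case translating the LAN-to-remote packet to the outside address, after which VPN-ACL no longer matches and nothing is encrypted, while the "after" case leaves that packet untranslated and encrypted, and still translates ordinary internet-bound traffic. A host outside the 10.0.1.0/24 crypto domain (say 10.0.2.5) talking to 192.168.50.0/24 falls through the deny, is translated, and is not encrypted, which is exactly how narrowly the deny entry is scoped.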