Remote LAN accessibility with secondary ip on VPN

tabish_patel
Level 1

Hello everyone! I'm kind of a newbie in the VPN area. So, I have been trying to set up a VPN between the branch and head office using C881-K9 routers. The points below describe the scenario.

1- Branch has a single /24 network, 10.0.17.0/24.

2- HO has 2 x /24 networks configured on the same interface: one subnet, 10.0.19.0/24 (users), as the primary and the other, 10.0.0.0/24 (systems), as the secondary.

3- Long story short: the VPN tunnel is up, the primary network 10.0.19.0/24 is reachable from the branch, but the secondary network 10.0.0.0/24 is not. I have posted the configuration below; any advice will help. There was a recent migration of the systems and I want to avoid changing the system IPs!

BranchRouter#
!
interface Vlan1 (LAN)
ip address 10.0.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2 (WAN)
ip address xx.xx.xx.xx 255.255.255.248 (public IP)
ip nat outside
ip virtual-reassembly in
crypto map Cisco
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key Cisco address yy.yy.yy.yy
!
crypto ipsec transform-set Cisco esp-des esp-md5-hmac
mode tunnel
!
access-list 101 permit ip 10.0.17.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.17.0 0.0.0.255 10.0.19.0 0.0.0.255
!
crypto map Cisco 10 ipsec-isakmp
set peer yy.yy.yy.yy (public IP)
set transform-set Cisco
match address 101
!
ip nat inside source list 100 interface Vlan2 overload
access-list 100 deny ip 10.0.17.0 0.0.0.255 10.0.19.0 0.0.0.255
access-list 100 deny ip 10.0.17.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip any any
!
BranchRouter#sh crypto session br
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
yy.yy.yy.yy Vl2 yy.yy.yy.yy 5d00h UA

BranchRouter#sh crypto session
Crypto session current status

Interface: Vlan2
Session status: UP-ACTIVE
Peer: yy.yy.yy.yy port 500
Session ID: 0
IKEv1 SA: local xx.xx.xx.xx/500 remote yy.yy.yy.yy/500 Active
IPSEC FLOW: permit ip 10.0.17.0/255.255.255.0 10.0.19.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.0.17.0/255.255.255.0 10.0.0.0/255.255.255.0
Active SAs: 2, origin: crypto map

BranchRouter#sh crypto ipsec sa

interface: Vlan2
Crypto map tag: Cisco, local addr xx.xx.xx.xx

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.19.0/255.255.255.0/0/0)
current_peer yy.yy.yy.yy port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 53068, #pkts encrypt: 53068, #pkts digest: 53068
#pkts decaps: 52609, #pkts decrypt: 52609, #pkts verify: 52609
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: yy.yy.yy.yy
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0xCA8DD468(3398292584)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x6F47857(116684887)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 527, flow_id: Onboard VPN:527, sibling_flags 80004040, crypto map: Cisco
sa timing: remaining key lifetime (k/sec): (4310973/3390)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xCA8DD468(3398292584)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 528, flow_id: Onboard VPN:528, sibling_flags 80004040, crypto map: Cisco
sa timing: remaining key lifetime (k/sec): (4310973/3390)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.17.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer yy.yy.yy.yy port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8079409, #pkts encrypt: 8079409, #pkts digest: 8079409
#pkts decaps: 7645573, #pkts decrypt: 7645573, #pkts verify: 7645573
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: yy.yy.yy.yy
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0x6916FE1(110194657)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xF54AE179(4115325305)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 517, flow_id: Onboard VPN:517, sibling_flags 80000040, crypto map: Cisco
sa timing: remaining key lifetime (k/sec): (4335632/270)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6916FE1(110194657)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 518, flow_id: Onboard VPN:518, sibling_flags 80000040, crypto map: Cisco
sa timing: remaining key lifetime (k/sec): (4335530/270)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

BranchRouter#ping 10.0.19.1 source vl1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.19.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.17.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/12 ms
BranchRouter#ping 10.0.0.1 source vl1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.17.1
.....
Success rate is 0 percent (0/5)

HeadOffice#
interface Vlan1
ip address 10.0.0.1 255.255.255.0 secondary
ip address 10.0.19.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address yy.yy.yy.yy 255.255.255.248
ip nat outside
ip virtual-reassembly in
crypto map Cisco
!
access-list 117 permit ip 10.0.0.0 0.0.0.255 10.0.17.0 0.0.0.255
access-list 117 permit ip 10.0.19.0 0.0.0.255 10.0.17.0 0.0.0.255
!
crypto map Cisco 17 ipsec-isakmp
description Branch
set peer xx.xx.xx.xx
set transform-set Cisco
match address 117
!
crypto ipsec transform-set Cisco esp-des esp-md5-hmac
mode tunnel
!
crypto isakmp key Cisco address xx.xx.xx.xx
!
ip nat inside source list 100 interface Vlan2 overload
access-list 100 deny ip 10.0.19.0 0.0.0.255 10.0.17.0 0.0.0.255
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.0.17.0 0.0.0.255
access-list 100 permit ip any any
access-list 100 permit ip 10.0.19.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any

HeadOffice# sh crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
xx.xx.xx.xx Vl2 xx.xx.xx.xx 5d00h UA

HeadOffice# sh crypto session
Interface: Vlan2
Session status: UP-ACTIVE
Peer: xx.xx.xx.xx port 500
Session ID: 0
IKEv1 SA: local yy.yy.yy.yy/500 remote xx.xx.xx.xx/500 Active
IPSEC FLOW: permit ip 10.0.19.0/255.255.255.0 10.0.17.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.0.17.0/255.255.255.0
Active SAs: 2, origin: crypto map

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.17.0/255.255.255.0/0/0)
current_peer xx.xx.xx.xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 115064, #pkts decrypt: 115064, #pkts verify: 115064
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: yy.yy.yy.yy, remote crypto endpt.: xx.xx.xx.xx
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0x7E3A8F9E(2117767070)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x9CD871F5(2631430645)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 25, flow_id: Onboard VPN:25, sibling_flags 80000040, crypto map: Cisco
sa timing: remaining key lifetime (k/sec): (4343371/1249)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x7E3A8F9E(2117767070)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 26, flow_id: Onboard VPN:26, sibling_flags 80000040, crypto map: Cisco
sa timing: remaining key lifetime (k/sec): (4343442/1249)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.19.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.17.0/255.255.255.0/0/0)
current_peer xx.xx.xx.xx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: yy.yy.yy.yy, remote crypto endpt.: xx.xx.xx.xx
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb Vlan2
current outbound spi: 0x6F47857(116684887)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xCA8DD468(3398292584)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 27, flow_id: Onboard VPN:27, sibling_flags 80000040, crypto map: Cisco
sa timing: remaining key lifetime (k/sec): (4305662/993)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6F47857(116684887)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 28, flow_id: Onboard VPN:28, sibling_flags 80000040, crypto map: Cisco
sa timing: remaining key lifetime (k/sec): (4305662/993)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:


HeadOffice#ping 10.0.17.1 so vl1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.17.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.19.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/30/36 ms
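Two checks a practitioner would run against the configuration and counters posted above, as an added example that is not part of the original post: whether the two peers' crypto ACLs mirror each other (mismatched proxy identities give a tunnel that is "UP" for one subnet and dead for another), and whether any IPsec SA shows one-way traffic (decrypting but never encrypting), which points at the return path on that side rather than at IKE. The regexes, helper names and the condensed sample strings are my construction; the ACL lines and counter values are copied from the thread.

```python
import ipaddress
import re

# Crypto ACL entry: access-list <n> permit ip <src> <wildcard> <dst> <wildcard>
ACL_RE = re.compile(r"access-list[ \t]+(\d+)[ \t]+permit[ \t]+ip[ \t]+"
                    r"([\d.]+)[ \t]+([\d.]+)[ \t]+([\d.]+)[ \t]+([\d.]+)")
# Per-SA block of 'show crypto ipsec sa': local proxy, then encaps/decaps counters
SA_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"
                   r".*?#pkts encaps: (\d+).*?#pkts decaps: (\d+)", re.S)

def wildcard_to_network(addr, wildcard):
    """IOS inverse mask to a network object (0.0.0.255 is a /24)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def crypto_acl_pairs(config, acl_number):
    """All (src, dst) network pairs permitted by the numbered crypto ACL."""
    return {(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for n, s, sw, d, dw in ACL_RE.findall(config) if n == acl_number}

def unmirrored(local_pairs, remote_pairs):
    """Local pairs with no reversed twin on the peer; such flows can never
    agree on proxy identities, so no IPsec SA comes up for them."""
    return {(s, d) for s, d in local_pairs if (d, s) not in remote_pairs}

def one_way_flows(show_ipsec_sa):
    """Local subnets whose SA has decrypted traffic but never encrypted any:
    the router hears the far side, but its replies are not entering the tunnel."""
    return [f"{ip}/{mask}" for ip, mask, enc, dec in SA_RE.findall(show_ipsec_sa)
            if int(dec) > 0 and int(enc) == 0]

# Crypto ACLs exactly as posted in the thread (branch 101, head office 117).
BRANCH_CFG = """access-list 101 permit ip 10.0.17.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip 10.0.17.0 0.0.0.255 10.0.19.0 0.0.0.255
"""
HO_CFG = """access-list 117 permit ip 10.0.0.0 0.0.0.255 10.0.17.0 0.0.0.255
access-list 117 permit ip 10.0.19.0 0.0.0.255 10.0.17.0 0.0.0.255
"""
# Condensed excerpt of the head office counters posted above (other lines dropped).
HO_SA_EXCERPT = """local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 115064, #pkts decrypt: 115064, #pkts verify: 115064
local ident (addr/mask/prot/port): (10.0.19.0/255.255.255.0/0/0)
#pkts encaps: 33, #pkts encrypt: 33, #pkts digest: 33
#pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
"""

if __name__ == "__main__":
    print("unmirrored:", unmirrored(crypto_acl_pairs(BRANCH_CFG, "101"),
                                    crypto_acl_pairs(HO_CFG, "117")))
    print("one-way SAs at head office:", one_way_flows(HO_SA_EXCERPT))
```

On the posted text the crypto ACLs mirror cleanly, and the head office counters flag the 10.0.0.0/24 SA as decrypting branch traffic without ever encrypting a reply. Since the branch-side counters for that flow do not agree with the head office ones, treat that as the next place to look rather than a verdict.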
Accepted Solution

tabish_patel
Level 1

Just wanted to update everyone that I reconfigured the access lists and the issue was resolved.


3 Replies

Do the traceroute and ensure that traffic is routed over the tunnel at both sides.

**** remember to rate useful posts

Thank you for your reply, Mohammed. I checked for both networks and they go towards the same destination.
