05-25-2011 05:58 PM
Hey guys,
I am trying to make an IPSEC tunnel between a Cisco 857 and a Sonicwall NSA240.
The tunnel goes up but the traffic from the 857 seems to be pushed outside the router to the public internet, not into the tunnel.
Following configuration:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key xxxxx address 111.111.111.111 no-xauth
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set xxxx esp-3des esp-md5-hmac
!
crypto map xxxx 1 ipsec-isakmp
 description VPN to xxxx
 set peer 1111.111.1111.111
 set security-association lifetime seconds 3600
 set transform-set xxxx
 set pfs group2
 match address 115
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 115 permit ip 172.28.3.0 0.0.0.255 192.168.22.0 0.0.0.255
If I try a traceroute, the traffic is not pushed into the tunnel, but it seems that it tries to route the traffic over the internet using Dialer0.
Any advice?
Thanks
05-25-2011 06:13 PM
Hi Nicola,
The configuration you have will encrypt traffic from 172.28.3.0/24 to 192.168.22.0/24.
The problem could be with NAT. Does dialer 1 have NAT configured? If so, you would need to exempt this traffic from being NATted so it will match the IPSec SA that is built.
If you use an access-list with the nat command, try denying this traffic in that access-list before any permits.
If you use a route map in the nat statement, do the same as above in the route map access-list.
Let me know if this helps.
Thanks,
Loren
05-25-2011 06:14 PM
Kindly ensure that NAT exemption is configured, otherwise if traffic from 172.28.3.0/24 towards 192.168.22.0/24 is getting NATed/PATed to a public IP address or Dialer interface, then it will not match the crypto ACL 115, hence will not get pushed towards the VPN tunnel.
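The NAT exemption both replies describe, written out for the addressing in this thread as an added example (not part of the original posts). The NAT ACL number 101 and the route-map name NONAT are assumptions, since the thread does not show the router's NAT configuration.

```cisco
! Added example. ACL 101 and route-map NONAT are assumed names.
!
! Before (assumed): every LAN packet is PATed to the Dialer0 address.
! NAT runs before the crypto map check, so a packet to 192.168.22.0/24
! leaves with a public source and no longer matches crypto ACL 115.
!   access-list 101 permit ip 172.28.3.0 0.0.0.255 any
!   ip nat inside source list 101 interface Dialer0 overload
!
! After: deny the VPN flow first, then permit the rest for PAT.
no access-list 101
access-list 101 deny   ip 172.28.3.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 101 permit ip 172.28.3.0 0.0.0.255 any
ip nat inside source list 101 interface Dialer0 overload
!
! Alternative when NAT is driven by a route map (use instead of the
! "list" form above, not together with it):
!   route-map NONAT permit 10
!    match ip address 101
!   ip nat inside source route-map NONAT interface Dialer0 overload
!
! Crypto ACL from the thread, unchanged. It now sees the original
! 172.28.3.x source address.
access-list 115 permit ip 172.28.3.0 0.0.0.255 192.168.22.0 0.0.0.255
!
! Checks from exec mode after sending traffic to 192.168.22.x:
!   clear ip nat translation *   (drop stale translations first)
!   show ip nat translations     (no entry toward 192.168.22.x expected)
!   show crypto ipsec sa         (pkts encaps counter should increase)
```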
05-29-2011 03:38 PM
Thanks guys, you were absolutely right. I am not that familiar with these boxes...
05-30-2011 05:25 PM
Please kindly mark the post as answered if that resolves the issue and you have no further questions. Thanks.