Site-to-Site VPN connects but it is not routing the traffic through the tunnel

ndazzi.rdac
Level 1

Hey guys,

I am trying to make an IPsec tunnel between a Cisco 857 and a SonicWall NSA240.

The tunnel goes up, but the traffic from the 857 seems to be pushed outside the router to the public internet, not into the tunnel.

Following configuration:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxx address 111.111.111.111 no-xauth
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set xxxx esp-3des esp-md5-hmac
!
crypto map xxxx 1 ipsec-isakmp
description VPN to xxxx
set peer 1111.111.1111.111
set security-association lifetime seconds 3600
set transform-set xxxx
set pfs group2
match address 115

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!

access-list 115 permit ip 172.28.3.0 0.0.0.255 192.168.22.0 0.0.0.255

If I try a traceroute, the traffic is not pushed into the tunnel; it seems that it tries to route the traffic over the internet using Dialer0.

Any advice?

Thanks

4 Replies

Loren Kolnes
Cisco Employee

Hi Nicola,

The configuration you have will encrypt traffic from 172.28.3.0/24 to 192.168.22.0/24.

The problem could be with NAT: does dialer 1 have NAT configured? If so, you would need to exempt this traffic from being NATed so it will match the IPsec SA that is built.

If you use an access-list with the NAT command, try denying this traffic in that access-list before any permits.

If you use a route map in the NAT statement, do the same as above in the route map's access-list.

Let me know if this helps.

Thanks,

Loren

Jennifer Halim
Cisco Employee

Kindly ensure that NAT exemption is configured. Otherwise, if traffic from 172.28.3.0/24 towards 192.168.22.0/24 is getting NATed/PATed to a public IP address or the Dialer interface, it will not match crypto ACL 115 and hence will not get pushed towards the VPN tunnel.
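The NAT exemption that both replies above describe, written out for the posted 857 configuration as an added example (not from the original thread). The two subnets, ACL 115 and the crypto map name xxxx come from the original post; ACL 101, the route-map name NONAT, the Vlan1 LAN interface and the verification hosts are assumptions.

```cisco
! Added example, not from the original post. IOS translates an inside-to-outside
! packet before the crypto map is evaluated, so if 172.28.3.x -> 192.168.22.x is
! NATed to the Dialer0 address it can no longer match crypto ACL 115.
!
! --- Weak setting: every LAN source is translated, including VPN-bound traffic.
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 172.28.3.0 0.0.0.255 any
!
! --- Corrected: deny the VPN traffic first, then permit the rest of the LAN.
! --- ACL entries are evaluated top-down, so the deny must precede the permit.
no access-list 101
access-list 101 remark NAT exemption for the site-to-site VPN (mirrors ACL 115)
access-list 101 deny   ip 172.28.3.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 101 permit ip 172.28.3.0 0.0.0.255 any
!
! --- Equivalent when the NAT statement uses a route map instead of a list:
! --- packets denied by ACL 101 do not match the route map and are not NATed.
ip nat inside source route-map NONAT interface Dialer0 overload
route-map NONAT permit 10
 match ip address 101
!
! The crypto map must also be bound to the outbound interface; the posted
! configuration did not show this part.
interface Dialer0
 ip nat outside
 crypto map xxxx
!
interface Vlan1
 ip nat inside
!
! Verification from a LAN host (assumed 172.28.3.10) pinging 192.168.22.10:
!   show crypto ipsec sa         -> #pkts encaps / decaps increment
!   show ip nat translations     -> no entries with a 192.168.22.x destination
!   show access-lists 101        -> the deny line's match counter rises
```

If the deny line's counter stays at zero while the NAT table fills with 192.168.22.x entries, the ACL order or the NAT statement's list/route-map reference is still wrong.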

ndazzi.rdac
Level 1

Thanks guys, you were absolutely right. I am not that familiar with these boxes...

Please kindly mark the post as answered if that resolves the issue and you have no further question. Thanks.