Site to Site VPN - IPSec route all traffic over tunnel

HaydenJ
Level 1

Hi everyone, 

I've set up a site to site IPsec tunnel, from a Cisco 1100 series router to a Palo Alto firewall. I'm doing a route based VPN and so far everything seems to be working fine, the tunnel is up and the remote site can reach anything on our internal network and vice versa. 

I have a static route on the router which points anything to our internal network over the tunnel interface. The default route is still going over the outside interface on the router; however, whenever I change the default route to point everything to the tunnel, it drops the connection and I can't reach anything internal or external anymore.

I want all traffic to go through the tunnel, however I can't seem to see where I'm going wrong. It's probably something really simple I'm missing, so I would really appreciate some extra eyes to have a look. I'm also using DDNS, so I would still probably need a static route to the outside interface with a higher AD for when the site goes offline.


IPSec Config:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key ###### address 1.1.1.1
!
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN_PROFILE
set transform-set TRANSFORM_SET
!
crypto map VPN_MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set TRANSFORM_SET
set pfs group2
match address 100

access-list 100 permit ip 10.3.48.0 0.0.15.255 any
access-list 100 permit ip any 10.3.48.0 0.0.15.255


Tunnel config:

interface Tunnel9998
ip address 10.3.63.11 255.255.255.248
tunnel source Cellular0/2/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile VPN_PROFILE


NAT config:

ip nat inside source list 50 interface Cellular0/2/0 overload
access-list 50 permit 10.3.48.0 0.0.15.255


ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip route 10.0.0.0 255.0.0.0 Tunnel9998

Accepted Solution

@HaydenJ don't have 2 default routes with the same cost. Create a single /32 static route to the VPN peer IP (ip route 1.1.1.1 255.255.255.255 Cellular0/2/0) via the cellular interface and leave the default route via the Tunnel interface. This forces traffic to the VPN peer IP to always go via the cellular interface. Yes, add a higher cost on the default route via the cellular interface for when the tunnel interface goes down.

Why do you have a crypto map and a tunnel interface? Just use the tunnel interface.

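To make the failure mode in the accepted answer concrete: with the default route pointed at Tunnel9998 and nothing more specific for the peer, the router has to reach 1.1.1.1 to send the encapsulated packets, looks 1.1.1.1 up, and gets the tunnel again (IOS reports this as recursive routing and takes the tunnel down). The /32 host route for the peer breaks that loop, and the floating default with a worse AD only becomes active once the tunnel-backed default is withdrawn. The script below is an added example written for this thread, not Cisco code and not from either poster; it is a constructed longest-prefix-match simulator that models the three routing tables (original, what was tried, and the fix) using the interface and peer names from the post. The AD of 250 for the floating default is an assumed value.

```python
"""Longest-prefix-match simulator for the routing fix discussed above.

Constructed example: a minimal IOS-style static routing table with
administrative distance, plus recursive resolution of tunnel destinations.
It is not Cisco code; it only models why a default route via the tunnel
fails without a host route to the peer, and why the floating static works.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

CELL = "Cellular0/2/0"            # underlay (outside) interface from the post
TUN = "Tunnel9998"                # route-based IPsec tunnel interface from the post
PEER = "1.1.1.1"                  # tunnel destination / IPsec peer from the post
TUNNELS: Dict[str, str] = {TUN: PEER}   # tunnel interface -> its tunnel destination


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    ad: int = 1                   # administrative distance; IOS static default is 1


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def best_route(table: List[Route], dst: str,
               down: FrozenSet[str] = frozenset()) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes, the lowest AD wins.
    Static routes pointing at a down interface are withdrawn, as IOS does."""
    addr = ipaddress.ip_address(dst)
    live = [r for r in table if r.interface not in down and addr in r.prefix]
    if not live:
        return None
    return min(live, key=lambda r: (-r.prefix.prefixlen, r.ad))


def resolve_egress(table: List[Route], dst: str,
                   down: FrozenSet[str] = frozenset()) -> Optional[Tuple[str, ...]]:
    """Return the chain of interfaces a packet to dst traverses, resolving each
    tunnel's destination in turn. Returns None when there is no route, or when
    a tunnel's destination resolves back through that same tunnel (recursive
    routing; IOS logs %TUN-5-RECURDOWN and disables the tunnel)."""
    path: List[str] = []
    hop = dst
    while True:
        r = best_route(table, hop, down)
        if r is None:
            return None
        if r.interface in path:
            return None           # recursive routing: tunnel needs itself to reach its peer
        path.append(r.interface)
        if r.interface not in TUNNELS:
            return tuple(path)    # reached a physical interface
        hop = TUNNELS[r.interface]   # encapsulated packet is now addressed to the peer


# The original post: default via cellular, only 10/8 via the tunnel.
ORIGINAL = [Route(net("0.0.0.0/0"), CELL), Route(net("10.0.0.0/8"), TUN)]

# What the poster tried: default flipped to the tunnel, nothing pins the peer to cellular.
BROKEN = [Route(net("0.0.0.0/0"), TUN), Route(net("10.0.0.0/8"), TUN)]

# The accepted answer: /32 to the peer via cellular, default via the tunnel,
# and a floating default via cellular with a worse AD (250 is an assumed value).
FIXED = [
    Route(net(f"{PEER}/32"), CELL),
    Route(net("0.0.0.0/0"), TUN),
    Route(net("0.0.0.0/0"), CELL, ad=250),
    Route(net("10.0.0.0/8"), TUN),
]

if __name__ == "__main__":
    for name, table in (("original", ORIGINAL), ("broken", BROKEN), ("fixed", FIXED)):
        for dst in ("8.8.8.8", "10.3.10.1", PEER):
            print(f"{name:8} {dst:10} -> {resolve_egress(table, dst)}")
    print("fixed, tunnel down, 8.8.8.8 ->",
          resolve_egress(FIXED, "8.8.8.8", frozenset({TUN})))
```

One caveat the simulator also exposes: once the tunnel-backed routes are withdrawn, the floating default sends everything, including traffic for the remote 10.x networks, out the cellular interface in the clear. If that is not acceptable during an outage, add a null route for the remote prefixes with an AD better than the floating default, or accept that the site is simply isolated until the tunnel recovers.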

Replies

Thanks Rob, that's exactly what I needed, much appreciated! 

And yeah, I was playing around with the crypto maps, now realising that it's not even required when using a tunnel int. Not to mention really outdated.

Thanks again