02-17-2024 02:40 PM
Hi everyone,
I've set up a site-to-site IPsec tunnel from a Cisco 1100 series router to a Palo Alto firewall. I'm doing a route-based VPN and so far everything seems to be working fine: the tunnel is up and the remote site can reach anything on our internal network and vice versa.
I have a static route on the router which points anything to our internal network over the tunnel interface. The default route is still going over the outside interface on the router; however, whenever I change the default route to point everything to the tunnel it drops the connection and I can't reach anything internal or external anymore.
I want all traffic to go through the tunnel, however I can't seem to see where I'm going wrong. It's probably something really simple I'm missing, so I would really appreciate some extra eyes to have a look. I'm also using DDNS, so I would still probably need a static route to the outside interface with a higher AD for when the site goes offline.
IPSec Config:
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key ###### address 1.1.1.1
!
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN_PROFILE
set transform-set TRANSFORM_SET
!
crypto map VPN_MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set TRANSFORM_SET
set pfs group2
match address 100
access-list 100 permit ip 10.3.48.0 0.0.15.255 any
access-list 100 permit ip any 10.3.48.0 0.0.15.255
Tunnel config:
interface Tunnel9998
ip address 10.3.63.11 255.255.255.248
tunnel source Cellular0/2/0
tunnel mode ipsec ipv4
tunnel destination 1.1.1.1
tunnel protection ipsec profile VPN_PROFILE
NAT config:
ip nat inside source list 50 interface Cellular0/2/0 overload
access-list 50 permit 10.3.48.0 0.0.15.255
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0
ip route 10.0.0.0 255.0.0.0 Tunnel9998
Solved!
02-17-2024 02:56 PM
@HaydenJ don't have 2 default routes with the same cost. Create a single /32 static route to the VPN peer IP (ip route 1.1.1.1 255.255.255.255 Cellular0/2/0) via the cellular interface and leave the default route via the Tunnel interface. This forces traffic to the VPN peer IP to always go via the cellular interface. Yes, add a higher cost on the default route via the cellular interface for when the tunnel interface goes down.
Why do you have a crypto map and a tunnel interface? Just use the tunnel interface.
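To make the routing logic of the accepted answer concrete, here is an added example (not from the original thread or from Cisco) that models the router's static routing table with a longest-prefix-match lookup and checks the one condition that matters for a route-based tunnel: the tunnel's own destination (1.1.1.1) must never resolve through the tunnel interface itself, otherwise the encapsulated packets have nowhere to go. The interface and peer names are taken from the thread; the administrative distance of 10 on the floating default route is a constructed value, any value higher than the tunnel default's AD of 1 would do.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One static route: destination prefix, egress interface, administrative distance."""
    prefix: ipaddress.IPv4Network
    interface: str
    ad: int = 1  # IOS default AD for a static route


def lookup(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest AD wins."""
    ip = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if ip in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.ad))


def check_tunnel(routes, tunnel_if, peer):
    """Return (egress interface for the peer, tunnel usable?).

    The tunnel is unusable when its destination resolves back into the
    tunnel itself (recursive routing) or has no route at all.
    """
    r = lookup(routes, peer)
    egress = r.interface if r else None
    return egress, egress is not None and egress != tunnel_if


def tunnel_down(routes, tunnel_if):
    """Static routes pointing out an interface that is down are withdrawn,
    so the floating static default via cellular becomes the best default."""
    return [r for r in routes if r.interface != tunnel_if]


PEER = "1.1.1.1"
TUN = "Tunnel9998"
CELL = "Cellular0/2/0"

# Constructed model of the poster's failing change: the default route is
# simply moved from Cellular0/2/0 to Tunnel9998 and nothing else is added.
broken = [
    Route(ipaddress.ip_network("0.0.0.0/0"), TUN),
    Route(ipaddress.ip_network("10.0.0.0/8"), TUN),
]

# Constructed model of the accepted answer, equivalent to the IOS lines
#   ip route 1.1.1.1 255.255.255.255 Cellular0/2/0
#   ip route 0.0.0.0 0.0.0.0 Tunnel9998
#   ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 10   (AD 10 is an assumed value)
#   ip route 10.0.0.0 255.0.0.0 Tunnel9998
fixed = [
    Route(ipaddress.ip_network("1.1.1.1/32"), CELL),
    Route(ipaddress.ip_network("0.0.0.0/0"), TUN),
    Route(ipaddress.ip_network("0.0.0.0/0"), CELL, ad=10),
    Route(ipaddress.ip_network("10.0.0.0/8"), TUN),
]

if __name__ == "__main__":
    print("broken:", check_tunnel(broken, TUN, PEER))
    print("fixed: ", check_tunnel(fixed, TUN, PEER))
    print("internet with tunnel up:  ", lookup(fixed, "8.8.8.8").interface)
    print("internet with tunnel down:", lookup(tunnel_down(fixed, TUN), "8.8.8.8").interface)
```

With the broken table the peer resolves via Tunnel9998, which is exactly the loop the poster hit; with the /32 host route in place the peer always leaves via Cellular0/2/0 while every other destination, internal or Internet, goes through the tunnel, and when the tunnel interface drops, the higher-AD default via cellular takes over so the router stays reachable for DDNS.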
02-17-2024 09:24 PM
Thanks Rob, that's exactly what I needed, much appreciated!
And yeah, I was playing around with the crypto maps, now realising that it's not even required when using a tunnel int. Not to mention really outdated.
Thanks again