Site to Site VPN - routing over tunnel

markmilenkovic
Level 1

Hi Everyone

I've just set up a site-to-site VPN from a branch office (Cisco 1921) to our HQ (not Cisco).

The VPN establishes but I cannot route traffic across the VPN.

Currently the branch router has a public IP address set up on the LAN interface as this is how it was set up originally - but moving forward we want to reconfigure this with a private addressing scheme... so for the time being I've set up this LAN interface with a private secondary IP address. Therefore there is no NAT configured as it's not needed.

Secondary IP address of the LAN interface is 192.168.106.5... the HQ LAN is 192.168.20.0/22.

The VPN is set up and connected, both sides verify this... but from the branch router I cannot see the LAN of the HQ and vice versa...

What am I missing here - config file is attached.

Please help

Thanks.

8 Replies

Shrikant Sundaresh
Cisco Employee

Hi Mark,

The config looks solid.

But the traffic will only go across the VPN tunnel if the source ip and destination ip match the access-list 100.

In your post you had mentioned that the LAN has a public IP address scheme, and the access-list 100 has a private addressing scheme.

Maybe that's why you can't access the HQ LAN as yet.

Hope this helps.

-Shrikant

Hi

Thanks for the reply.

Sorry for the confusion

The branch router has a public IP address as its primary and has a private IP address of 192.168.106.5 as its secondary... eventually we will scrap the public addressing on this interface.

So I am only interested in routing for the private address scheme... well, for now the private IP address of 192.168.106.5.

Shouldn't I be able to ping from my branch router to the network of the HQ?

Just of note... I can't even ping my secondary IP address even whilst telnetted to the router, which is strange... Whilst on the router I cannot ping 192.168.106.5 even though it is a secondary IP address for that interface and the interface is most definitely up.

Hi Mark,

Could you check the router's routing table to see if it has a route to 192.168.106.5?

And also check the IP and gateway settings on the test PC that you have.

-Shrikant

Actually - correction.

After a reload of the router the secondary interface responds to pings from itself... strange, it definitely wasn't before.

Might have more success now... just trying.

Hi.

Well, it has a route for 192.168.106.5 as it's directly connected.

However... there are no routes for the HQ router... 192.168.20.0/22.

Should there be? Or does the router know that this is on the VPN interface, so to speak?

If I need a route for the HQ LAN, how do I add this and point it to the VPN interface?

Would the line

ip route 0.0.0.0 0.0.0.0 86.62.x.x

cause problems?

It shouldn't, should it? As the HQ network is directly connected to the VPN, I shouldn't need a specific rule?

aaarrrgghhh!

I'm so stupid

OK - there isn't actually a problem... well, not with the config anyway.

Basically I was trying to ping from the branch router to the HQ subnet - I can see this wouldn't work as the originating IP address wouldn't match the ACL...

But my ping from the HQ to the branch should work - however I was doing the ping from the HQ router itself... we had no devices configured with this as a gateway to test... the HQ router wouldn't get a ping reply so I didn't bother configuring a client to test...

However... configuring a client with the HQ router as a DG got me replies!!!

So this was working all along...

Thanks for all the help.

cheers

Hi Mark,

Actually you can ping from the router itself to the remote site to test if the VPN is working or not. Just follow the command below.

ping remote_router_LAN_IP source Local_router_LAN_IP

With the condition that both sites' router LAN ports are UP. So in this case you don't need to set up a host with the router as its DG to test.

Regards, Nagis
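The whole thread turns on one rule that Shrikant states early on and Nagis's `ping ... source ...` relies on: an IPsec crypto map only encrypts a packet whose source and destination both match a permit entry of the crypto ACL (access-list 100 here), and a router-originated ping normally uses the egress interface's primary address, not the LAN secondary. The script below is an added example, not Mark's attached config or any Cisco code; it models a crypto ACL with Cisco wildcard-mask matching and shows which router-sourced pings would be tunnelled. The ACL entries, the placeholder public address 203.0.113.10 (standing in for the elided 86.62.x.x) and the default-source behaviour are assumptions built from the subnets mentioned in the thread.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed values for this example. The thread attaches the real config but
# does not show it, so these are assumptions, not the actual ACL.
BRANCH_PRIMARY_IP = "203.0.113.10"    # placeholder for the public 86.62.x.x primary address
BRANCH_SECONDARY_IP = "192.168.106.5"  # private secondary on the branch LAN interface

# Modelled crypto ACL ("access-list 100" in the thread): branch private /24 to HQ /22.
# Each entry: (action, src network, src wildcard, dst network, dst wildcard).
CRYPTO_ACL_100 = [
    ("permit", "192.168.106.0", "0.0.0.255", "192.168.20.0", "0.0.3.255"),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & care) == (n & care)


def is_interesting(src: str, dst: str, acl=CRYPTO_ACL_100) -> bool:
    """True if the src/dst pair hits a permit entry and would be encrypted
    into the tunnel. Entries are evaluated top down; no match means the
    implicit deny, i.e. the packet is forwarded unencrypted by the ordinary
    routing table (which is why no route for 192.168.20.0/22 is needed)."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


def router_ping(dst: str, source: Optional[str] = None) -> Tuple[str, bool]:
    """Model which address a router-originated ping uses and whether it is
    tunnelled. Without 'source' the router uses the egress interface's primary
    address (modelled here as the public IP, the mistake Mark describes);
    'ping <dst> source <lan_ip>' forces the LAN address so the crypto ACL matches."""
    src = source or BRANCH_PRIMARY_IP
    return src, is_interesting(src, dst)


if __name__ == "__main__":
    for dst, src in [("192.168.20.1", None), ("192.168.20.1", BRANCH_SECONDARY_IP)]:
        used, tunnelled = router_ping(dst, src)
        print(f"ping {dst} source {used}: {'encrypted' if tunnelled else 'sent in the clear'}")
```

The /22 HQ subnet becomes the wildcard 0.0.3.255, so 192.168.23.254 is inside the interesting range and 192.168.24.1 is outside it; when a tunnel is up but one direction "does not work", checking the source address against the crypto ACL this way is usually faster than hunting for a missing route.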