04-15-2011 05:37 AM
Hi Everyone
I've just set up a site-to-site VPN from a branch office (Cisco 1921) to our HQ (not Cisco).
The VPN establishes but I cannot route traffic across the VPN.
Currently the branch router has a public IP address set up on the LAN interface, as this is how it was set up originally, but moving forward we want to reconfigure this with a private addressing scheme... so for the time being I've set up this LAN interface with a private secondary IP address. Therefore there is no NAT configured, as it's not needed.
The secondary IP address of the LAN interface is 192.168.106.5... the HQ LAN is 192.168.20.0/22.
The VPN is set up and connected, both sides verify this... but from the branch router I cannot see the LAN of the HQ and vice versa...
What am I missing here? The config file is attached.
Please help
Thanks.
04-15-2011 05:52 AM
Hi Mark,
The config looks solid.
But the traffic will only go across the VPN tunnel if the source ip and destination ip match the access-list 100.
In your post you had mentioned that the LAN has a public IP address scheme, and the access-list 100 has a private addressing scheme.
Maybe that's why you can't access the HQ LAN as yet.
Hope this helps.
-Shrikant
04-15-2011 06:00 AM
Hi
thanks for the reply
Sorry for the confusion
The branch router has a public IP address as its primary and has a private IP address of 192.168.106.5 as its secondary... eventually we will scrap the public addressing on this interface.
So I am only interested in routing for the private address scheme... well, for now, the private IP address of 192.168.106.5.
Shouldn't I be able to ping from my branch router to the network of the HQ?
Just to note... I can't even ping my secondary IP address even whilst telnetted to the router, which is strange... Whilst on the router I cannot ping 192.168.106.5, even though it is a secondary IP address for that interface and the interface is most definitely up.
04-15-2011 06:14 AM
Hi Mark,
Could you check the router's routing table to see if it has a route to 192.168.106.5?
And also check the ip and gateway settings on the test PC that you have.
-Shrikant
04-15-2011 06:15 AM
Actually, a correction:
After a reload of the router the secondary interface responds to pings from itself... strange, it definitely wasn't before.
Might have more success now... just trying.
04-15-2011 06:22 AM
Hi.
Well, it has a route for 192.168.106.5 as it's directly connected.
However... there are no routes for the HQ router (192.168.20.0/22).
Should there be? Or does the router know that this is on the VPN interface, so to speak?
If I need a route for the HQ LAN, how do I add this and point it to the VPN interface?
04-15-2011 07:04 AM
Would the line
ip route 0.0.0.0 0.0.0.0 86.62.x.x
cause problems?
It shouldn't, should it? As the HQ network is directly connected to the VPN, I shouldn't need a specific rule?
04-15-2011 07:58 AM
aaarrrgghhh!
I'm so stupid
OK, there isn't actually a problem... well, not with the config anyway.
Basically I was trying to ping from the branch router to the HQ subnet. I can see this wouldn't work, as the originating IP address wouldn't match the ACL...
But my ping from the HQ to the branch should work. However, I was doing the ping from the HQ router itself... we had no devices configured with this as a gateway to test... the HQ router wouldn't get a ping reply, so I didn't bother configuring a client to test...
However... configuring a client with the HQ router as a DG got me replies!!!
So this was working all along...
thanks for all the help
cheers
04-16-2011 08:51 AM
Hi Mark,
Actually you can ping from the router itself to the remote site to test whether the VPN is working or not. Just follow the command below.
ping remote_router_LAN_IP source Local_router_LAN_IP
With the condition that both sites' router LAN ports should be UP. So in this case you have no need to set up a host pointing to the router as DG to do the test.
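As an added illustration of the point the thread arrives at (this is example code, not from any poster or from Cisco IOS): a small model of why a plain `ping` from the branch router never hits the crypto ACL, while `ping ... source 192.168.106.5` does. The ACL entry, the public address 203.0.113.5 and the HQ host 192.168.20.10 are assumed; only 192.168.106.5 and 192.168.20.0/22 come from the thread.

```python
# Added example (not from the thread or from Cisco IOS): model why a ping
# sourced from the branch router's primary (public) address is never selected
# for the IPsec tunnel, while a ping sourced from the secondary private
# address 192.168.106.5 is.
from ipaddress import ip_address, ip_network

# Assumed contents of access-list 100 (the crypto ACL): branch private LAN -> HQ LAN.
# 192.168.20.0/22 is the HQ LAN stated in the thread; 192.168.106.0/24 is assumed.
CRYPTO_ACL_100 = [
    ("permit", ip_network("192.168.106.0/24"), ip_network("192.168.20.0/22")),
]

PRIMARY_PUBLIC = ip_address("203.0.113.5")    # constructed stand-in for the router's public IP
SECONDARY_PRIVATE = ip_address("192.168.106.5")  # secondary LAN IP from the thread
HQ_HOST = ip_address("192.168.20.10")            # constructed HQ host inside 192.168.20.0/22


def acl_matches(src, dst, acl=CRYPTO_ACL_100):
    """True if the (src, dst) pair hits a permit entry, i.e. counts as
    'interesting traffic' and is encrypted into the tunnel."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny: packet follows the normal routing table in the clear


def ping_source(source_override=None):
    """Model IOS source-address selection: a plain 'ping' uses the primary
    address of the egress interface; 'ping X source Y' uses Y instead."""
    return source_override if source_override is not None else PRIMARY_PUBLIC


def would_traverse_vpn(dst, source_override=None):
    """Would a router-originated ping to dst be sent through the tunnel?"""
    return acl_matches(ping_source(source_override), dst)


if __name__ == "__main__":
    print("plain ping          ->", would_traverse_vpn(HQ_HOST))            # False
    print("ping ... source 192.168.106.5 ->",
          would_traverse_vpn(HQ_HOST, SECONDARY_PRIVATE))                   # True
```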