Tunnel Interface connectivity via IPSec

Capricorn
Level 1

Hi!

I am running GRE with IPsec. My interesting traffic for IPsec is 192.168.1.1 to 192.168.1.2, and when I try to establish a connection from Router 1 the FW sees the 172.16.1.2 IP and the IPsec tunnel never triggers.

What can be done so that if I ping from 192.168.1.2 the FW will see 192.168.1.1 rather than 172.16.1.2?

See the attached picture.

Thanks

6 Replies

Philip D'Ath
VIP Alumni

You need to get yourself to the stage where each firewall can ping the local 192.168.1.x address on the router. More than likely you have routes missing.

Hi!

Thanks for your reply.

I only want the IPsec to trigger on ASA 1.

I can ping 192.168.1.1 from ASA 1.

The problem is that IPsec never triggers because the interesting traffic 192.168.1.1 never hits the outside interface, so the IPsec process never starts.

Thanks

Hi Philip D'Ath!

I have defined the tunnel endpoints in the interesting traffic but it's not working. IPsec is not triggering.

What if the other end is not aware of my 172.16 address, as they only have my public IP?

Thanks

Looking for an IPsec implementation for the exact same scenario.

http://www.networkstraining.com/configuring-gre-tunnel-through-a-cisco-asa-firewall/comment-page-1/#comment-384712

Peter Koltl
Level 7

It will be GRE over IPsec, that is, the GRE tunnel endpoints 172.16.x.x should be defined as interesting traffic. 192.168.1.x will be the tunnel inside addresses (encrypted), so these addresses will not be seen by the firewalls.

Peter Koltl
Level 7

The referred Networkstraining page confirms my previous comment. As you can see, the tunnel IPs (10.0.0.x) are not seen by the firewall. They are encapsulated, and only the tunnel source and destination addresses (50 and 20) are used in the firewall rules.
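As an added illustration of Peter Koltl's point (example config written for this thread, not posted by any participant), here is what the ASA 1 side of a GRE over IPsec setup looks like when the crypto ACL matches the GRE endpoints instead of the tunnel inside addresses. It uses the thread's values (Router 1 tunnel source 172.16.1.2, tunnel inside network 192.168.1.x) and assumes placeholders for everything the thread does not give: remote peer 203.0.113.2, remote GRE tunnel source 172.16.2.2, a pre-shared key, and that 172.16.1.2 is routable from the far site through the tunnel.

```cisco
! Added example (not from the thread): ASA 1 crypto config for GRE over IPsec.
! Placeholders (assumptions): remote IPsec peer 203.0.113.2,
! remote GRE tunnel source 172.16.2.2, pre-shared key PSK-PLACEHOLDER.
! Thread values: Router 1 tunnel source 172.16.1.2, tunnel inside 192.168.1.x.

! WRONG: matching the tunnel inside addresses. They ride inside the GRE
! packet, so the ASA never sees 192.168.1.x in an outer header and no SA forms.
! access-list VPN-TRAFFIC extended permit ip host 192.168.1.1 host 192.168.1.2

! RIGHT: interesting traffic is GRE (IP protocol 47) between the tunnel endpoints.
object network R1-TUNNEL-SRC
 host 172.16.1.2
object network R2-TUNNEL-SRC
 host 172.16.2.2
access-list VPN-TRAFFIC extended permit gre object R1-TUNNEL-SRC object R2-TUNNEL-SRC

! Exempt the GRE endpoints from NAT so the outer addresses still match the crypto ACL.
nat (inside,outside) source static R1-TUNNEL-SRC R1-TUNNEL-SRC destination static R2-TUNNEL-SRC R2-TUNNEL-SRC no-proxy-arp route-lookup

! IKEv2 (phase 1)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! IPsec proposal (phase 2) and the crypto map that ties it to the GRE ACL
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PSK-PLACEHOLDER
 ikev2 local-authentication pre-shared-key PSK-PLACEHOLDER

! Check after a ping between the tunnel inside addresses (192.168.1.2 -> 192.168.1.1):
! show crypto ikev2 sa
! show crypto ipsec sa
```

The far-side ASA needs the mirror image (crypto ACL permitting GRE from 172.16.2.2 to 172.16.1.2), and the "show crypto ipsec sa" counters should increment only once the GRE packets, not the 192.168.1.x pings themselves, reach the outside interface.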