09-04-2024 05:09 AM - edited 09-04-2024 05:15 AM
Hello everyone,
I am currently setting up an IPsec VPN between a Cisco router and a Bintec router, and I am running into a problem that I cannot solve on my own.
The VPN tunnel seems to be working correctly; it shows as "UP-Active" on both sides. However, no traffic passes, and I cannot ping between the two subnets:
I have some suspicion that this may be related to a NAT configuration, but I am not certain. Here is what I have checked so far:
I am asking the community for help in diagnosing this problem. Could someone share their expertise or additional leads to move toward a solution?
Thank you very much for your help!
09-05-2024 05:43 AM
Sure, I will share some filters to see if the VPN traffic is being NATed or not.
MHM
09-05-2024 06:19 AM
Alright, I'll wait then. Thank you!
09-05-2024 06:50 AM
This is for you.
R1 LAN 10.0.0.0
R2 LAN 20.0.0.0
There is an IPsec VPN between the two routers, and it encrypts the traffic between 10.0.0.0 and 20.0.0.0.
At the same time there is a NAT overload config in R1 that NATs anything from 10.0.0.0 to interface f0/0.
I use
debug ip nat 10 <<- 10 is a standard ACL permitting 10.0.0.0/24
show ip nat translations icmp verbose
to see if the encrypted traffic is NATed or not, and you can see it is NATed.
Then you can use the global IP that appears in show ip nat translations icmp verbose to know which NAT line affects your traffic.
09-05-2024 06:59 AM
Here is the result of the command after attempting to ping from the Bintec network to Cisco.
In the other direction, I don't get anything more, which confirms that everything comes in fine, but nothing is going out.
09-05-2024 07:07 AM
Yes, it is NATing, and now we are sure; since the global IP is 90.x.x.x you can be even more sure it is NATing.
NOW
Ping the remote VPN LAN 100 times (use any PC connected to the router).
show ip access-list <<- many times
See which ACL is increasing: the VPN ACL must increase, and the deny ACL of the first NAT overload.
The other ACLs must not show any hits.
MHM
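As an added illustration of the two checks MHM describes above (the NAT overload check with debug ip nat / show ip nat translations, and the ACL hit-count check), here is a small Python model; it is not code from the thread or from Cisco. It applies the IOS inside-to-outside order (NAT translation runs before the crypto map is checked) to a packet from R1's LAN to R2's LAN, once with a NAT ACL that lacks the deny line and once with it. The 10.0.0.0 and 20.0.0.0 LANs are from the thread; every other address is a constructed placeholder.

```python
import ipaddress

# Constructed placeholder for the 90.x.x.x global IP seen in the thread's NAT table.
R1_OUTSIDE_IP = "90.0.2.1"

def _match(tokens, ip):
    """Consume one IOS address spec (any | host X | NET WILDCARD) and test ip against it."""
    t = tokens.pop(0)
    if t == "any":
        return True
    if t == "host":
        return ipaddress.ip_address(tokens.pop(0)) == ipaddress.ip_address(ip)
    net, wildcard = int(ipaddress.ip_address(t)), int(ipaddress.ip_address(tokens.pop(0)))
    # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
    return (int(ipaddress.ip_address(ip)) & ~wildcard) == (net & ~wildcard)

def first_match(acl, src, dst):
    """First-match evaluation of extended ACL lines such as
    '10 permit ip 10.0.0.0 0.0.0.255 any'; implicit deny at the end."""
    for line in acl:
        tokens = line.split()
        if tokens[0].isdigit():          # optional sequence number
            tokens.pop(0)
        action, _proto = tokens.pop(0), tokens.pop(0)
        src_ok = _match(tokens, src)     # both specs are consumed even if src fails
        dst_ok = _match(tokens, dst)
        if src_ok and dst_ok:
            return action
    return "deny"

def forward(nat_acl, crypto_acl, src, dst, outside_ip=R1_OUTSIDE_IP):
    """IOS inside-to-outside order: NAT inside->outside runs before the crypto map
    is checked. Returns (source address as sent, whether the packet is encrypted)."""
    if first_match(nat_acl, src, dst) == "permit":
        src = outside_ip                  # NAT overload rewrites the source to f0/0's IP
    return src, first_match(crypto_acl, src, dst) == "permit"

# Crypto ACL: LAN-to-LAN traffic, as in the thread (R1 LAN 10.0.0.0, R2 LAN 20.0.0.0).
CRYPTO_ACL = ["10 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"]
# NAT overload ACL without the exemption: VPN traffic is translated first, so the
# crypto ACL no longer matches and the packet leaves in clear text with the global IP.
NAT_BROKEN = ["10 permit ip 10.0.0.0 0.0.0.255 any"]
# Same ACL with the deny line MHM asks to watch for hits, placed before the permit.
NAT_FIXED = ["10 deny ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255",
             "20 permit ip 10.0.0.0 0.0.0.255 any"]

if __name__ == "__main__":
    for name, acl in (("broken", NAT_BROKEN), ("fixed", NAT_FIXED)):
        print(name, forward(acl, CRYPTO_ACL, "10.0.0.5", "20.0.0.5"))
```

In the "broken" run the packet is sent with the 90.x source and without encryption, which is exactly what a 90.x.x.x entry in show ip nat translations for VPN traffic indicates; in the "fixed" run the deny line takes the hit and the crypto ACL still matches.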
09-05-2024 07:32 AM
I would like more details, as I'm afraid I haven't fully understood the procedure to follow, haha.
09-05-2024 07:34 AM
Command: show ip access-lists
09-05-2024 07:57 AM - edited 09-05-2024 07:57 AM
ip route 0.0.0.0 0.0.0.0 90.X
ip route 0.0.0.0 0.0.0.0 77.X
Only ACL 100 has matches!!!!! That is wrong. Are you sure the traffic passes through .90 and not through .77?
MHM
09-05-2024 08:00 AM
To keep it simple, I removed the route to 77. The VPN stays up, and now only 90 remains.
09-05-2024 08:03 AM
Do show ip access-list again.
Check which of the ACLs gets hits (matches).
MHM
09-06-2024 12:04 AM
Hi, I hope you're doing well.
Regarding the command, everything is still going through 100.
09-06-2024 12:10 AM
ip access-list extended VPN <<- Is this the ACL of IPsec?
10 permit ip 192.168.X 0.0.0.255 192.168.100.0 0.0.0.255
30 permit ip 192.168.X 0.0.0.255 192.168.100.0 0.0.0.255
40 permit ip host 90X host 77X <<- WHAT IS THIS
MHM
09-06-2024 12:14 AM
09-06-2024 12:15 AM
And yes, this ACL is for IPsec.
09-06-2024 12:30 AM
To keep it simple, I removed the route to 77. The VPN stays up, and now only 90 remains. <<- Is still only 90 UP?
MHM