02-23-2016 02:43 PM
So I'm configuring a VTI tunnel. The remote site is able to ping my 147.117, which is then NATted to 10.10.1.6. However, I cannot ping the remote side. From my router, I can ping the remote site's tunnel and LAN IP (30.18 and 75.22), but when I move back to the load balancers, which are next in line, I cannot ping either remote site IP. I can only ping my tunnel IP 30.17. When I do a debug on ICMP, I see responses for my IP, but there are no responses for the remote site IPs. It's as if the router is not receiving the packets for the remote site or not routing the packets to the tunnel interface. But obviously, if I can ping my local tunnel IP, the router is receiving the packets. So any ideas as to why I can't ping the remote site or see any debug packets when I ping the remote site? These are the configs:
interface Tunnel10
description rVTI
ip address x.x.30.17 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1340
tunnel source Serial2/0
tunnel mode ipsec ipv4
tunnel destination x.x.x.25
tunnel protection ipsec profile protect-gre
end
!
crypto ipsec profile protect-gre
set transform-set VTI
set pfs group5
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
!
crypto isakmp key "key" address x.x.x.25
!
crypto ipsec transform-set VTI esp-aes 256 esp-sha-hmac
!
ip route x.x.x.25 255.255.255.255 x.x.x.181
ip route x.x.x.16 255.255.255.248 Tunnel10
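As an added example that is not part of the thread, the following Python sketch does a longest-prefix match over the two static routes in the posted config, with the masked "x.x.x" octets replaced by constructed 203.0.113.x documentation addresses, to show which destinations the router would send into Tunnel10 and which have no matching route at all.

```python
import ipaddress

# Constructed stand-in for the two "ip route" lines in the post; the masked
# octets are replaced with the 203.0.113.0/24 documentation prefix.
CONFIG_ROUTES = """
ip route 203.0.113.25 255.255.255.255 203.0.113.181
ip route 203.0.113.16 255.255.255.248 Tunnel10
"""


def parse_ip_route(line):
    """Parse an IOS 'ip route <net> <mask> <nexthop|interface>' line.

    Returns (network, target) where target is a next-hop address or an exit
    interface name such as 'Tunnel10'.
    """
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not an ip route line: {line!r}")
    # ipaddress accepts dotted-decimal netmasks in the 'net/mask' form.
    net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
    return net, parts[4]


ROUTES = [parse_ip_route(l) for l in CONFIG_ROUTES.strip().splitlines()]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match of dst against the static routes.

    Returns the winning target, or None when no static route covers dst
    (on the real box that would fall through to a default route or be dropped).
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for net, target in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(destinations, routes=ROUTES):
    """Map each destination to the route target it would take."""
    return {d: lookup(d, routes) for d in destinations}


if __name__ == "__main__":
    # .17 = local tunnel IP, .18 = remote tunnel IP, .25 = IPsec peer,
    # .75 = constructed address outside every posted route.
    for dst, via in trace(["203.0.113.17", "203.0.113.18",
                           "203.0.113.25", "203.0.113.75"]).items():
        print(f"{dst:>14} -> {via}")
```

Only traffic whose destination resolves to Tunnel10 is handed to the VTI and encrypted; a destination with no matching route (here the constructed .75 stand-in) never enters the tunnel regardless of what the load balancer sends.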
02-23-2016 11:50 PM
Can you post a topology diagram? I cannot work out how your setup is connected together.
02-24-2016 04:25 AM
02-24-2016 10:36 AM
I would be most suspicious about this load balancer and its NAT.
Does the load balancer vendor say that IPsec traffic will work via it?
02-24-2016 10:51 AM
It doesn't specifically say "IPsec via NAT". It only states IPsec supported. But that being said, when I ping, I'm pinging from the exterior interface before any NAT happens. Also, it's leaving the load balancer as basic IP. It's encapsulated into the GRE tunnel and transported over the IPsec at the router.
02-24-2016 10:59 AM
Can you please tell me the model number of the two routers and the software version running on them?
02-24-2016 11:30 AM
The remote site is an ASR1004, but I'm not sure of the OS. The local site is a 3845, 15.1(4).