VTI configuration

corey.burden
Level 1

So I'm configuring a VTI tunnel. The remote site is able to ping my 147.117, which is then NATted to 10.10.1.6. However, I cannot ping the remote side. From my router, I can ping the remote site's tunnel and LAN IPs (30.18 and 75.22), but when I move back to the load balancers, which are next in line, I cannot ping either remote site IP. I can only ping my tunnel IP, 30.17. When I do a debug on ICMP, I see responses for my IP, but there are no responses for the remote site IPs. It's as if the router is not receiving the packets for the remote site or not routing the packets to the tunnel interface. But obviously, if I can ping my local tunnel IP, the router is receiving the packets. So any ideas as to why I can't ping the remote site or see any debug packets when I ping the remote site? These are the configs:

interface Tunnel10
 description rVTI
 ip address x.x.30.17 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1340
 tunnel source Serial2/0
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.25
 tunnel protection ipsec profile protect-gre
end

!

crypto ipsec profile protect-gre
 set transform-set VTI
 set pfs group5

!

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5

!

crypto isakmp key "key" address x.x.x.25

!

crypto ipsec transform-set VTI esp-aes 256 esp-sha-hmac

!

ip route x.x.x.25 255.255.255.255 x.x.x.181

ip route x.x.x.16 255.255.255.248 Tunnel10
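An added verification sequence for the local 3845, not part of the thread, that checks the two things the post cannot distinguish: whether the load balancer's ICMP toward the remote LAN reaches the router at all, and whether the router forwards it into Tunnel10. It reuses the addresses from the post; `<lb-source-ip>` is a placeholder for the load balancer's own address and ACL 150 is an arbitrary number.

```cisco
! Added example, not from the thread. Run on the local 3845 (IOS 15.1).
! Step 1: is the IPsec SA up, and do the encaps/decaps counters move while the LB pings?
show crypto isakmp sa
show crypto ipsec sa | include current_peer|pkts encaps|pkts decaps
! Step 2: does the router resolve the remote LAN host (75.22 in the post) to Tunnel10?
!   Anything other than Tunnel10 here means the static route does not cover that host.
show ip route x.x.75.22
show ip cef x.x.75.22
! Step 3: debug only the LB's ICMP, in both directions, so the output stays readable.
!   <lb-source-ip> is a placeholder; replace with the load balancer's address.
access-list 150 permit icmp host <lb-source-ip> any
access-list 150 permit icmp any host <lb-source-ip>
debug ip packet 150 detail
! ... now send pings from the load balancer to 30.18 and 75.22, then stop the debug:
undebug all
! Step 4: compare what the debug showed with the tunnel counters. If the ping to 30.17
!   appears but the ping to 75.22 never does, the packet is not arriving at the router;
!   if it appears but "packets output" on Tunnel10 does not increase, routing is the issue.
show interfaces Tunnel10 | include packets input|packets output
! Clean up the temporary ACL when done.
no access-list 150
```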

6 Replies

Philip D'Ath
VIP Alumni

Can you post a topology diagram? I cannot work out how your setup is connected together.

Here is a drawing.

I would be most suspicious about this load balancer and its NAT.

Does the load balancer vendor say that IPsec traffic will work via it?

It doesn't specifically say "IPsec via NAT". It only states IPsec supported. But that being said, when I ping, I'm pinging from the exterior interface before any NAT happens. Also, it's leaving the load balancer as basic IP. It's encapsulated into the GRE tunnel and transported over IPsec at the router.

Can you please tell me the model number of the two routers and the software version running on them?

The remote site is an ASR1004, but I'm not sure of the OS. The local site is a 3845, 15.1(4).