Site to Site VPN Up and Working....Problem with Router communication

Jan 16th, 2008

Hi All,

I would appreciate any advice for the following issue. I have 2 sites, A ( and B( I have created an ipsec tunnel between the two sites and end devices at both ends can communicate with each other. However, the routers cannot communicate with the other subnet. For example, at Router A, if I were to try to ping, it fails. If I try the command ping source, it works. How do I instruct the router to use the VPN tunnel for the traffic to the other subnet? As stated, end devices such as computers are able to use the tunnel fine. I need the routers to also be able to use the tunnel for interesting traffic.


Richard Burts Wed, 01/16/2008 - 08:34


First let's clarify what the problem is and then we can talk about how to solve it.

The issue is that the access list that defines what traffic to protect with IPSec is including traffic sourced from the network but is not including traffic sourced from the router's outbound interface. If you just ping the router will default to using the outbound interface address as the source address and it will not pass through IPSec. When you specify the source address in the ping then it does pass through IPSec.

So how do you solve this? One alternative is that for some protocols you can configure the router to specify the source address (ip telnet source-interface, ip ssh source-interface, ip ftp source-interface, ip tftp source-interface, ip tacacs source-interface, ip radius source-interface, logging source-interface, snmp-server trap-source, ntp source, ip flow-export source) and so you can have these protocols specify the source address to be included in IPSec. But probably the best solution is to revise the access list so that it not only looks for traffic sourced from but also includes traffic sourced from the router's other interfaces and going to destinations on the remote router.



ciscocm001 Thu, 01/17/2008 - 07:05

Thank you for the reply Rick. Your explanation makes perfect sense.

Currently, my access list for the crypto statement looks like this:

access-list 100 permit ip

If my T1 Serial interface is my outbound interface with IP address, then I would have to add an access list statement such as:

access-list 100 permit ip

Would that be adequate, or would I also have to add a different access list or static route?

Thank you again for your help.

Richard Burts Thu, 01/17/2008 - 14:55


I would think that this addition to the access list would be adequate (mostly). Remember that the access lists on each end need to mirror each other, so the remote router needs to add a similar statement. And if the remote router wants to add a statement like this so that it will include traffic sourced from its interface then you would need to add a similar statement.
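The two rules Rick describes (a plain ping is sourced from the outbound interface and so misses the crypto ACL, and both ends' crypto ACLs must mirror each other) as an added Python model; this is not code from the thread or from Cisco IOS, it uses constructed documentation addresses because the thread's own addresses did not survive, and it models the crypto ACL as CIDR pairs rather than IOS wildcard masks:

```python
import ipaddress

# Constructed sample addressing (hypothetical, not the poster's real addresses):
#   Site A LAN 192.0.2.0/24,      Router A WAN (T1 serial) 203.0.113.1
#   Site B LAN 198.51.100.0/24,   Router B WAN             203.0.113.2
ROUTER_A_WAN = "203.0.113.1"
ROUTER_B_WAN = "203.0.113.2"

def ace(src, dst):
    """One 'permit ip <src> <dst>' entry of a crypto ACL, as CIDR networks."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst))

def matches(acl, src_ip, dst_ip):
    """True if a packet src->dst is 'interesting traffic' for the crypto map."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acl)

def mirror(acl):
    """The crypto ACL the peer must carry: every entry with src and dst swapped."""
    return {(dst, src) for src, dst in acl}

def is_mirrored(acl_a, acl_b):
    """Check the 'access lists on each end need to mirror each other' rule."""
    return set(acl_b) == mirror(acl_a)

def ping_from_router_a(acl, dst_ip, source=None):
    """Plain 'ping' is sourced from the outbound (WAN) address; 'ping ... source'
    lets the LAN address be used instead. Returns whether IPsec would protect it."""
    return matches(acl, source or ROUTER_A_WAN, dst_ip)

# Original ACL 100 on each router: only LAN-to-LAN traffic is protected.
ACL_A_BEFORE = [ace("192.0.2.0/24", "198.51.100.0/24")]
ACL_B_BEFORE = [ace("198.51.100.0/24", "192.0.2.0/24")]

# After the fix: each router adds an entry for traffic sourced from its own
# outbound interface, and the peer adds the mirror image of that entry.
ACL_A_AFTER = ACL_A_BEFORE + [ace(ROUTER_A_WAN + "/32", "198.51.100.0/24"),
                              ace("192.0.2.0/24", ROUTER_B_WAN + "/32")]
ACL_B_AFTER = ACL_B_BEFORE + [ace("198.51.100.0/24", ROUTER_A_WAN + "/32"),
                              ace(ROUTER_B_WAN + "/32", "192.0.2.0/24")]

if __name__ == "__main__":
    print("plain ping, old ACL:   ", ping_from_router_a(ACL_A_BEFORE, "198.51.100.10"))
    print("ping with source, old: ", ping_from_router_a(ACL_A_BEFORE, "198.51.100.10", "192.0.2.1"))
    print("plain ping, new ACL:   ", ping_from_router_a(ACL_A_AFTER, "198.51.100.10"))
    print("new ACLs mirrored:     ", is_mirrored(ACL_A_AFTER, ACL_B_AFTER))
```

Running it shows the plain ping only becomes interesting traffic once the WAN-sourced entry exists, and that adding it on one router alone leaves the pair of ACLs out of mirror.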



