IPSec Routing Problem

Eliufoo.Mahinda
Level 1

Hi All,

We have successfully configured a site-to-site IPsec VPN. If interesting traffic hits the outgoing interface, the tunnel comes up on both ends, and you can also see packets being encrypted.

I'm having routing problems locally: I don't have a route that points local-to-remote traffic via the IPsec VPN.

remote peer: 89.3.2.1

remote local: 192.168.1.0/24

local peer: 50.3.3.1

local private: 10.2.5.0/24

Tried the following locally:

ip route 192.168.1.0 255.255.255.0 89.3.2.1

'didn't work'

ip route 192.168.1.0 255.255.255.0 50.3.3.1

'didn't work'

Please help!!!


Jon Marshall
Hall of Fame

Hi

You don't need a route for this traffic. The crypto map access-list tells the router/firewall which traffic needs to be encrypted. If a packet matches the crypto access-list it is encrypted and automatically sent down the tunnel.

Jon

dcarlton
Level 1

Are you using crypto maps? What does your interesting-traffic access list look like?

I'm using crypto maps. My local access list is

access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255

If I run "show access-list 144" I can see interesting traffic. Also, if I run "show crypto engine connection active" I can see traffic being encrypted. But I don't have a {192.168.1.0/24} route in the routing table, and traffic is not going through the tunnel.

Do this:

1- Under your crypto map, you need this:

reverse-route

2- Do "sh ip route"; you will see a static route in the routing table.

3- Redistribute that static route into your routing protocol so that downstream router(s) can see it.

4- Test again.

CCIE Security
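A complete configuration for the procedure above, as an added example that is not from the thread or from Cisco documentation. The peer addresses, subnets and access list 144 come from the original post; the interface names, the pre-shared key placeholder, the ISAKMP policy and transform set, the default-route next hop (50.3.3.254) and the choice of OSPF as the downstream routing protocol are assumptions. One caveat a practitioner will want alongside the procedure: a crypto map is evaluated only after the routing lookup has already sent the packet out the interface the map is applied to, so the router still needs some route (normally just the default route) that covers 192.168.1.0/24 and points toward the WAN side. `reverse-route` then injects a static route for the remote subnet taken from the crypto ACL, which is what you redistribute so that the internal router learns where 192.168.1.0/24 lives.

```cisco
! Added example: site-to-site IPsec with a static crypto map and RRI.
! Addresses and ACL 144 are from the thread; interface names, the key
! placeholder, the crypto policies and the OSPF process are assumptions.
!
! Phase 1 (IKEv1) policy and pre-shared key for the remote peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 89.3.2.1
!
! Phase 2 transform set
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: local 10.2.5.0/24 to remote 192.168.1.0/24 (from the thread)
access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Step 1: crypto map with reverse-route injection (RRI)
crypto map CM-SITE2SITE 10 ipsec-isakmp
 set peer 89.3.2.1
 set transform-set TS-AES256-SHA256
 match address 144
 reverse-route
!
! WAN interface carrying the local peer address 50.3.3.1; the crypto map
! must be applied here, because only packets routed out this interface
! are matched against ACL 144 and encrypted
interface GigabitEthernet0/0
 description WAN to ISP
 ip address 50.3.3.1 255.255.255.0
 crypto map CM-SITE2SITE
!
interface GigabitEthernet0/1
 description LAN 10.2.5.0/24
 ip address 10.2.5.1 255.255.255.0
!
! The packet has to be routed toward GigabitEthernet0/0 before the crypto
! map is evaluated; the default route (assumed next hop 50.3.3.254) does that.
ip route 0.0.0.0 0.0.0.0 50.3.3.254
!
! Step 3: redistribute the RRI static route for 192.168.1.0/24 into the IGP
! so the internal router learns it (assumed OSPF process 1, area 0)
router ospf 1
 network 10.2.5.0 0.0.0.255 area 0
 redistribute static subnets
!
! Step 2 and step 4 verification (exec mode):
! show ip route static                 -> a static entry for 192.168.1.0/24
! show crypto isakmp sa                -> phase 1 state once traffic has flowed
! show crypto ipsec sa peer 89.3.2.1 | include pkts
```

The `redistribute static subnets` line is the piece most often forgotten: without the `subnets` keyword OSPF redistributes only classful networks, so a /24 carved out of a class C like 192.168.1.0 happens to work but a /24 from 10.0.0.0 would silently not be advertised.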

Now I have the route in my routing table, and I still can't reach the remote end.

If i run a traceroute from the local host, it stops at my internal router interface. Where else should I check?

i. My VPN is up

ii. Route to remote host is available

When you did the trace route, what did you use for the source interface? This source interface has to have a match in the access list.

I'm running a trace route from 10.2.5.2 (a local node).

If I run a ping test to 192.168.1.6 (an active remote node), the ACL sees the interesting traffic, brings up the VPN and encaps the destination traffic. But I still don't reach the remote node.

kaachary
Cisco Employee

Your traffic has already left the device if you see encrypts. It seems either the replies are not coming back from the other end, or the packet is dropped after it leaves the local device.

Do you see encrypts/decrypts on the other end of the tunnel ?

Source a ping from the LAN interface of the VPN device itself, and ping the remote end's LAN interface (provided it is part of the crypto ACL).

HTH,

-Kanishka
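The check described above in command form, as an added example that is not part of the thread. The peer address and subnets are from the original post; the local LAN interface name (GigabitEthernet0/1) and the remote LAN interface address (192.168.1.1) are assumptions. The point of the sourced ping and the encaps/decaps comparison is to split "nothing leaves" from "nothing comes back", which is exactly the distinction that located this thread's problem at the ISP rather than in the local routing.

```cisco
! Added example: isolate whether traffic leaves the tunnel and whether
! anything returns. Interface name and remote LAN IP are assumptions.
!
! 1. Ping sourced from the LAN interface so the packet matches ACL 144
!    (a ping sourced from the WAN address 50.3.3.1 is not in the crypto
!    ACL, would not be encrypted, and proves nothing about the tunnel)
ping 192.168.1.1 source GigabitEthernet0/1 repeat 20
!
! 2. Compare the counters for this peer
show crypto ipsec sa peer 89.3.2.1 | include pkts
!   #pkts encaps rising, #pkts decaps stays 0
!       -> traffic leaves here but nothing returns: check the remote
!          end's decaps, its route back to 10.2.5.0/24, and whether the
!          path between the peers passes ESP (IP protocol 50), UDP 500
!          and, if NAT-T is in play, UDP 4500
!   #pkts encaps stays 0
!       -> packets never reach the crypto map: routing or crypto ACL
!          problem on this side
!   encaps and decaps both rising
!       -> the tunnel works; look downstream of the VPN device
!
! 3. Run the same command on the remote peer: its decaps should track
!    our encaps, and its encaps should track our decaps
!
! 4. Phase 1 and session state, to rule out a tunnel that is flapping
show crypto isakmp sa
show crypto session detail
```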

SOLVED!!! :-)

After writing some emails to my ISP, I managed to see the remote encrypted traffic.

Thanks everyone.
