Multiple vlans over IPSEC VPN Tunnel

Unanswered Question
Apr 23rd, 2008

Hi, I have 2 Cisco 1811 routers with the Advanced IP Services IOS on them. I currently have everything communicating properly, but I need to add another VLAN to each router and can't get it to be recognized. Here is the setup:

R1 Vlan1 is the 10.10.10.0/24 network
R2 Vlan1 is the 10.10.20.0/24 network

over an IPsec VPN tunnel.

I need to add a Vlan2 10.7.1.0/24 network on R1
and a Vlan2 10.7.2.0/24 network on R2, and have them work over this tunnel.

I already created the VLANs in the VLAN database and gave them addresses of 10.7.1.1 and 10.7.2.1 respectively. What else am I missing? I am positive I configured the access lists wrong or something.

Please help!

Thank you

Domenick


I would add:-

R1-AVEX>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

!
ip access-list extended SDM_2
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 remark IPSec Rule
 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

ADD to the above ACL the below (note that a named extended ACL entry needs the protocol keyword, so "permit ip", not "permit"):-

 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
!

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255

R2-57st>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

!
ip access-list extended SDM_2
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark IPSec Rule
 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
!

ADD to the above ACL the below:-

 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
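The failure mode in this thread is a crypto ACL that is not a mirror image of its peer: every local VLAN subnet must be permitted to every remote VLAN subnet on one side, and the reverse pairs must exist on the other. The following Python is an added example (not from the thread or from Cisco) that parses the "Current" SDM_2 entries quoted above, constructed here as sample input, and reports exactly which pairs each router still lacks and which entries have no counterpart on the peer:

```python
"""Mirror-check two routers' IPsec crypto ACLs (added example, not from the thread).
Parses IOS 'permit ip <src> <wc> <dst> <wc>' lines; reports missing and unmirrored pairs."""
import ipaddress
import re
from itertools import product

PERMIT = re.compile(r"permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

# Constructed from the thread's "Current" SDM_2 ACLs, before the suggested additions.
R1_ACL = """
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
"""
R2_ACL = """
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
"""
R1_NETS = ["10.10.10.0/24", "10.7.1.0/24"]  # VLAN1 and VLAN2 behind R1
R2_NETS = ["10.10.20.0/24", "10.7.2.0/24"]  # VLAN1 and VLAN2 behind R2

def wildcard_to_network(addr, wildcard):
    """An IOS wildcard is an inverse mask; invert it to get the real netmask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def parse_crypto_acl(text):
    """Set of (src, dst) networks the ACL marks as interesting traffic."""
    return {(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for s, sw, d, dw in PERMIT.findall(text)}

def expected_pairs(local, remote):
    """Every local VLAN subnet must be permitted to every remote VLAN subnet."""
    return {(ipaddress.IPv4Network(l), ipaddress.IPv4Network(r))
            for l, r in product(local, remote)}

def audit(r1_acl, r2_acl, r1_nets, r2_nets):
    """Entries each router still needs, plus entries with no mirror on the peer."""
    r1, r2 = parse_crypto_acl(r1_acl), parse_crypto_acl(r2_acl)
    return {
        "r1_missing": expected_pairs(r1_nets, r2_nets) - r1,
        "r2_missing": expected_pairs(r2_nets, r1_nets) - r2,
        "unmirrored": r1 ^ {(d, s) for s, d in r2},  # peer lacks the reverse entry
    }

if __name__ == "__main__":
    for kind, gaps in audit(R1_ACL, R2_ACL, R1_NETS, R2_NETS).items():
        for src, dst in sorted(gaps, key=str):
            print(f"{kind}: permit ip {src} -> {dst}")
```

On the sample input the "r1_missing" and "r2_missing" sets are precisely the four SDM_2 entries the answer above tells you to add; once both ACLs carry the full cross product, every set comes back empty.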



dlandriscinaclg Mon, 04/28/2008 - 12:28

I added all the ACLs described, but unfortunately I am unable to ping any host from the 10.10.10.0 network to the 10.7.2.0 network, or back and forth.

The encryption domains are in the IPsec SA = good. No packets encrypted or decrypted = bad.

The ACLs for the "interesting traffic" are not being hit = bad, BUT I did notice you are performing some NAT with route maps.

Add "ip nat inside" to the Vlan2 interfaces on both sites.

dlandriscinaclg Tue, 04/29/2008 - 06:22

I added the "ip nat inside" and it seems that there is some activity going on. I still can't ping a host on either network from either router, but then again I can't ping any host from any router on opposite sides. Any insight into that?

I have attached the output of the show access-list command and the show crypto again.

The ACLs are being hit; you are no longer NAT'ing the IP-to-IP internal traffic. The crypto SA looks OK, apart from some packet number mismatch.

What debugging have you done? Have you performed any traceroutes? Have you debugged the IP NAT? Have you debugged any ICMP? All these will give an idea of what the issue could be.

You may want to try clearing down the IPsec VPN and letting the routers form a new one; this sometimes helps.
