Multiple vlans over IPSEC VPN Tunnel

Unanswered Question
Apr 23rd, 2008

Hi, I have 2 Cisco 1811 routers with the advanced IP svc IOS set on them. I currently have it running with everything communicating properly, but I need to add another VLAN to each router and can't get it to recognize it. Here is the setup:

R1 Vlan1 is 10.10.10.0/24 network

R2 Vlan1 is 10.10.20.0/24 network

over IPSEC VPN Tunnel

I need to add a Vlan2 10.7.1.0/24 network on R1

and Vlan2 10.7.2.0/24 network on R2 and have them work over this tunnel.

I already created the VLANs in the VLAN database and gave them addresses of 10.7.1.1 and 10.7.2.1 respectively. What else am I missing? I am positive I configured the access lists wrong or something.

Please help!

Thank you

Domenick


I would add:-

R1-AVEX>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

!
ip access-list extended SDM_2
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 remark IPSec Rule
 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

ADD to the above ACL the below:-

 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
!

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
access-list 101 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255

R2-57st>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

!
ip access-list extended SDM_2
 remark SDM_ACL Category=4
 remark IPSec Rule
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark IPSec Rule
 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
!

ADD to the above ACL the below:-

 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
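
As an added illustration that is not part of this thread, the Python script below builds the interesting-traffic crypto ACL entries and the matching NAT-exemption ACL for both routers from their subnet lists, then checks that the two crypto ACLs are exact mirror images of each other (the usual cause of one new VLAN pair failing to come up). The subnets are the ones from the question; the function names are my own.

```python
from ipaddress import IPv4Network
from itertools import product

def wildcard(cidr: str) -> str:
    """Render a CIDR prefix in IOS 'network wildcard' form, e.g. '10.7.1.0 0.0.0.255'."""
    net = IPv4Network(cidr)
    return f"{net.network_address} {net.hostmask}"

def crypto_acl(local: list[str], remote: list[str]) -> list[str]:
    """Interesting-traffic ACEs: one 'permit ip' per (local, remote) subnet pair.
    Every VLAN added on either side needs a line against every subnet on the other."""
    return [f"permit ip {wildcard(l)} {wildcard(r)}" for l, r in product(local, remote)]

def nat_exempt_acl(local: list[str], remote: list[str]) -> list[str]:
    """NAT ACL: deny (exempt) the VPN traffic first, then permit the rest for overload NAT.
    Without the deny lines the inside addresses are translated before encryption and
    never match the crypto ACL."""
    denies = [f"deny ip {wildcard(l)} {wildcard(r)}" for l, r in product(local, remote)]
    return denies + [f"permit ip {wildcard(l)} any" for l in local]

def mirror(ace: str) -> str:
    """Swap source and destination of a 'permit ip SRC WC DST WC' entry."""
    p = ace.split()
    return " ".join(p[:2] + p[4:6] + p[2:4])

def is_mirror_image(side_a: list[str], side_b: list[str]) -> bool:
    """Crypto ACLs on the two peers must be exact mirror images; an entry with no
    twin on the far side leaves that subnet pair without a usable IPsec SA."""
    return sorted(mirror(a) for a in side_a) == sorted(side_b)

# Subnets from the question (constructed example input for both routers).
R1_SUBNETS = ["10.10.10.0/24", "10.7.1.0/24"]
R2_SUBNETS = ["10.10.20.0/24", "10.7.2.0/24"]
R1_CRYPTO = crypto_acl(R1_SUBNETS, R2_SUBNETS)
R2_CRYPTO = crypto_acl(R2_SUBNETS, R1_SUBNETS)

if __name__ == "__main__":
    for name, acl in (("R1", R1_CRYPTO), ("R2", R2_CRYPTO)):
        print(f"! {name} crypto ACL")
        print("\n".join(" " + a for a in acl))
    print("! R1 NAT exemption ACL")
    print("\n".join(" " + a for a in nat_exempt_acl(R1_SUBNETS, R2_SUBNETS)))
    print("mirror image:", is_mirror_image(R1_CRYPTO, R2_CRYPTO))
```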

dlandriscinaclg Mon, 04/28/2008 - 12:28

I added all the ACLs described, but unfortunately I am unable to ping any host from the 10.10.10.0 network to the 10.7.2.0 network, or back and forth.

dlandriscinaclg Tue, 04/29/2008 - 06:22

I added the ip nat inside and it seems that there is some activity going on. I still can't ping a host on either network from either router, but then again I can't ping any host from any router on the opposite side. Any insight into that?

I have attached the output of the show access-list command and the show crypto again.

The ACLs are being hit, and you are no longer NATing the internal IP-to-IP traffic. The crypto SA looks OK, apart from some packet number mismatch.

What debugging have you done? Have you performed any traceroutes? Have you debugged the IP NAT? Have you debugged any ICMP? All of these will give an idea of what could be the issue.

You may want to try clearing down the IPSEC VPN and let the routers form a new one, this sometimes helps.
