RVS4000: very odd VPN issue

Unanswered Question
Mar 2nd, 2010

Hi All,

I am experiencing a very odd issue with an RVS4000 configured with a site to site vpn.

(addresses changed)

RVS4000 config:

Local Network: 192.168.200.x

External (and endpoint) IP: 100.1.1.11

Office Config:

Local Network: 192.168.10.x

External (and endpoint) IP: 200.1.1.20

The site to site vpn works mostly fine, but here's the problem: I cannot connect to any services published on the public office IPs anymore.

For example, trying to browse to a website published on 200.1.1.21 times out.

In the access logs I can see "attempts" to connect to 200.1.1.21:80, but there's no response. I also checked the office firewall (where the website is published), and there's no traffic whatsoever arriving there.

It seems to me something in the routing tables on the RVS4000 is messed up and that the connection attempt to 200.1.1.21 is somehow being routed through the tunnel.

Am I missing some configuration step somewhere?

Thx in advance!

Rgds - Marcus.

PS: yes, I did test it with another (non-vpn) router. works fine .... ;-)

Alejandro Gallego Wed, 03/03/2010 - 21:21

First off, Welcome to Cisco Communities!

Have you or are you trying to access the Web Sites using the DNS (FQDN) name; such as "www.mywebsite.com" or just by public IP?

Depending on your site structure (whether you have a local DNS server for your sites) specifying the DNS name or public IP will find you in the same place; nowhere!

You are correct about the routing, but not because it is broken but because of the way IPSec works. I will explain what I feel may be happening and please correct me if I have misunderstood your network topology.

Remote Site                                  Local Site
WAN: 24.0.0.1                                WAN: 12.0.0.2
LAN: 172.27.0.0/16  <=== IPSec Tunnel ===>   LAN: 172.16.0.0/16
                                             WebServer 1
                                             LAN: 172.16.0.10/16

Note that I am pointing the IPSec tunnel to the LAN (Network IDs); this is how you should look at an IPSec connection. The reason is that when we build the tunnel we are really creating a Route Statement, which says, "For network 172.27.0.0/16 go to the next hop IP of 24.0.0.1", so now both routers know two remote locations, the WAN IP of the opposite site and also the LAN IP.

What may be happening is that we are going out one interface but the response is being sent on another. So from the Local Router we go out the WAN but we are being responded to on the LAN (the IPSec tunnel). This is the most likely scenario; albeit, it could be LAN out, WAN in, either way that would cause the behavior.

Please run a trace route from your computer and post results. Also, let us know if a local DNS server is being used and if so, is there an "A" record for the website specified?

On Windows, open the command prompt and type "tracert " then hit enter.

On UNIX, open Terminal and type "traceroute " then hit enter.
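An added illustration of the point above (not from the thread and not RVS4000 firmware code): a small Python model of policy-based IPsec selector matching, re-using the thread's anonymised addresses, that classifies the request at one site and the reply at the other so the "out one interface, back on the other" mismatch becomes visible. The 0.0.0.0/0 remote selector used in the last check is a hypothetical misconfiguration constructed for the example, not something the post states.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Site = Tuple[Net, Net]  # (local selector, remote selector) as configured on one router


def matches_selector(src: str, dst: str, local_sel: Net, remote_sel: Net) -> bool:
    """Policy-based IPsec: a packet is tunnelled only when its source is inside the
    local selector AND its destination is inside the remote selector."""
    return (ipaddress.ip_address(src) in local_sel
            and ipaddress.ip_address(dst) in remote_sel)


def path_for(src: str, dst: str, local_sel: Net, remote_sel: Net) -> str:
    """'tunnel' if the selector pair matches, else 'clear' (default route via the WAN)."""
    return "tunnel" if matches_selector(src, dst, local_sel, remote_sel) else "clear"


def check_symmetry(client: str, server: str, site_a: Site, site_b: Site) -> Tuple[str, str]:
    """Classify the request as seen by site A and the reply as seen by site B.
    A tunnel/clear mismatch is the asymmetric path described in the thread:
    the request leaves one way and the reply tries to come back another."""
    return path_for(client, server, *site_a), path_for(server, client, *site_b)


def audit(site_a: Site, site_b: Site, client: str, destinations: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map each destination to its (request path, reply path) pair."""
    return {d: check_symmetry(client, d, site_a, site_b) for d in destinations}


# Constructed sample values, taken from the thread's anonymised addresses.
RVS_SITE: Site = (Net("192.168.200.0/24"), Net("192.168.10.0/24"))     # RVS4000: local, remote
OFFICE_SITE: Site = (Net("192.168.10.0/24"), Net("192.168.200.0/24"))  # office: mirror image
CLIENT = "192.168.200.50"   # constructed host behind the RVS4000
PUBLIC_WEB = "200.1.1.21"   # the published office service from the post
REMOTE_HOST = "192.168.10.5"  # constructed host behind the tunnel
# Hypothetical misconfiguration: remote selector catches every destination.
BROAD_SITE: Site = (Net("192.168.200.0/24"), Net("0.0.0.0/0"))

if __name__ == "__main__":
    for label, site in (("correct selectors", RVS_SITE), ("0.0.0.0/0 remote selector", BROAD_SITE)):
        print(label)
        for dst, (out_path, back_path) in audit(site, OFFICE_SITE, CLIENT, [PUBLIC_WEB, REMOTE_HOST]).items():
            flag = "" if out_path == back_path else "  <-- asymmetric"
            print(f"  {dst:15} request={out_path:6} reply={back_path:6}{flag}")
```

With the correct selectors the public web server is reached and answered in the clear on both ends; with the over-broad selector the request is swallowed by the tunnel while the reply would come back via the WAN, which is the mismatch the reply above describes.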

digitaldose Thu, 03/04/2010 - 17:23

Hi there,

thanks for the welcome :)

I'm not trying to access a webserver/resources using internal addresses, I'm talking about resources on the external side of the office network.

In your example, that would be Webserver1 at 12.0.0.5 (for example).

Thx again.
