IPSec multisubnet routing trouble...

Apr 10th, 2010

Hi there,

     There are 3 subnets:

          - 1st subnet in the branch office 192.1.1.0/24, let's say A

          - 2nd subnet in the main office 192.168.0.0/24, let's say B

          - 3rd subnet in the partner company 192.171.5.0/24, let's say C

     A and B connect via an internal IP-VPN; B and C connect via IPSec (Site-to-Site) through a GPRS Internet connection. From B I can "see" subnets A and C, and I also want to establish a connection between A and C. When I launch tracert from A to C, the last hop stops on the B gateway which connects with C. When I add NAT rules for subnet A on the B gateway, then tracert from A to C goes to the Internet after the B gateway IP. Can you help resolve the problem between A and C? Thanks...

Yudong Wu Sat, 04/10/2010 - 07:25

what device is used at site B? can you post its config with a network diagram?

Yudong Wu Sat, 04/10/2010 - 09:54

You don't need change the NAT. The traffic between A and C won't be nat-ed based on your configuration on this router.

I don't see how you define ACL 118.

Does it include the traffic between A and C?

If not, you need to add it on this router and at the remote ends at A & C as well.


I did not see the config of the 2600 router. Can you post it as well?

Nilsandro Sun, 04/11/2010 - 01:09

Hi Kevin,

     Yes, I forgot to copy ACL 118; here it is:


access-list 118 remark ATM
access-list 118 remark SDM_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.0.0 0.0.0.255 192.171.5.0 0.0.0.255


As you see, there is nothing about traffic between A and C. You advised including the traffic between A and C here; you mean like this:


access-list 118 permit ip 192.1.1.0 0.0.0.255 192.171.5.0 0.0.0.255 ?


Can you explain how IPSec works when it gets packets from a different subnet? Let's say, how does IPSec work when I'm trying to send packets from A to C, a packet with source address 192.1.1.2 and destination address 192.171.5.2? Can IPSec encrypt traffic from a different subnet? When we configured Site-to-Site IPSec, we entered 192.171.5.0/24 as the remote subnet for C on B, and entered 192.168.0.0/24 as the remote subnet for B on C. So B and C work without any problem. Maybe we also have to include 192.1.1.0/24 in the IPSec config as a remote subnet for A on C? But I have no idea how to do it. Maybe this is a wrong opinion. Also, you wrote that "traffic between A and C won't be nat-ed"; can you explain how then traffic from A goes to C without NAT, through the Internet? The config of router 2600 has simple rules and there is nothing about IPSec; it's just connected to the 2811. If it's important, then let me know and I'll post the config of the 2600.

Yudong Wu Sun, 04/11/2010 - 20:44

Yes, you need to add "access-list 118 permit ip 192.1.1.0 0.0.0.255 192.171.5.0 0.0.0.255" to ACL 118.


All traffic matching ACL 118 will go into the IPSec tunnel.

You don't need to NAT that IPsec traffic, since IPSec will add another IP header with the public IP. You can search the Cisco website to find documents that explain how IPSec works.


Here is how a packet from A is forwarded to C via IPSec.

1. At branch A, you need to add the entry "permit ip 192.1.1.0 0.0.0.255 192.171.5.0 0.0.0.255" to the ACL which is used by the crypto map. The traffic from A to C will match this ACL entry and be encrypted and sent to the Main office via the IPSec tunnel.

2. Router 2610 will decrypt it and forward it to router 2811. Since this packet matches ACL 118, it will be encrypted and sent to C via the IPSec tunnel between the Main office and C.

3. At C (Partner office), the packet will be decrypted and forwarded to the destination.

You need to add "permit ip 192.171.5.0 0.0.0.255 192.1.1.0 0.0.0.255" to the ACL which is used by the crypto map.

You probably need to add "permit ip 192.171.5.0 0.0.0.255 192.1.1.0 0.0.0.255" to the ACL which is used by the crypto map on router 2610 as well.
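A way to check the two things the reply above hinges on, that a given packet is selected by the crypto ACL at all and that the peer's crypto ACL mirrors every pair, as an added Python example that is not part of the thread or of any Cisco tool. Site B's ACL 118 is taken from the thread; site C's ACL (and its number 101) is an assumption, since the thread never shows C's config.

```python
import ipaddress

# Constructed example: the crypto ACL on the main-office router (site B),
# as posted in the thread after the extra A -> C entry was added.
SITE_B_ACL_118 = """\
access-list 118 remark ATM
access-list 118 remark SDM_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.0.0 0.0.0.255 192.171.5.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.1.1.0 0.0.0.255 192.171.5.0 0.0.0.255
"""

# Assumed (not shown in the thread): the partner router at site C still only
# carries the original B <-> C pair, so it has no mirror for the new entry.
SITE_C_CRYPTO_ACL = """\
access-list 101 permit ip 192.171.5.0 0.0.0.255 192.168.0.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Turn a Cisco address/wildcard pair into an IPv4Network.

    A wildcard is the bitwise inverse of a subnet mask, so 0.0.0.255 is /24.
    A non-contiguous wildcard (e.g. 0.0.255.0) is not a single network and
    raises ValueError, which is the right outcome for a crypto ACL.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def _take_endpoint(tokens):
    """Consume one ACE endpoint: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_crypto_acl(text):
    """Return (src_net, dst_net) pairs from 'access-list N permit ip ...' lines.

    Remarks and deny lines are skipped. Only 'permit ip' is handled, because a
    crypto ACL should select traffic by address pair, not by port.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        if tokens[2] != "permit" or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        src = _take_endpoint(rest)
        dst = _take_endpoint(rest)
        entries.append((src, dst))
    return entries


def is_interesting(entries, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip matches the crypto ACL (gets encrypted)."""
    src = ipaddress.IPv4Address(src_ip)
    dst = ipaddress.IPv4Address(dst_ip)
    return any(src in s and dst in d for s, d in entries)


def missing_mirrors(local_entries, peer_entries):
    """Local entries whose swapped (dst, src) pair is absent on the peer.

    The peers negotiate proxy identities from these pairs; an entry present
    on one side but not mirrored on the other cannot get a phase 2 SA, so
    that traffic never leaves the local gateway encrypted.
    """
    peer = set(peer_entries)
    return [(s, d) for s, d in local_entries if (d, s) not in peer]


if __name__ == "__main__":
    b_entries = parse_crypto_acl(SITE_B_ACL_118)
    c_entries = parse_crypto_acl(SITE_C_CRYPTO_ACL)
    print("A->C interesting on B:", is_interesting(b_entries, "192.1.1.2", "192.171.5.2"))
    for s, d in missing_mirrors(b_entries, c_entries):
        print(f"site C is missing: permit ip {d.network_address} {d.hostmask} "
              f"{s.network_address} {s.hostmask}")
```

Run against the two constructed ACLs it reports that 192.1.1.2 -> 192.171.5.2 is now interesting on B, and prints the one entry site C still lacks, which is the line the reply asks to add there. The check is worth keeping around for the security side of the thread as well: a packet that matches no crypto ACL entry is just routed, and if a NAT rule catches it first it leaves toward the Internet in the clear, which is exactly what the second tracert in this thread shows.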

Nilsandro Mon, 04/12/2010 - 04:34

Kevin, thanks for the reply!

     A and B (2610) are connected via an internal private VPN (not IPSec); you can see it in the diagram. And the traffic between A and B is not encrypted. After adding the rule in 118:


access-list 118 remark ATM
access-list 118 remark SDM_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.0.0 0.0.0.255 192.171.5.0 0.0.0.255
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.1.1.0 0.0.0.255 192.171.5.0 0.0.0.255


tracert from A to C shows the packets go up to 192.168.0.1 (B IPSec gateway); here is the trace log:



Gate#tra 192.171.5.1

Type escape sequence to abort.
Tracing the route to 192.171.5.1

  1 192.1.1.250 0 msec 4 msec 0 msec
  2 192.168.90.5 52 msec 52 msec 48 msec
  3 192.168.0.50 52 msec 52 msec 48 msec
  4 192.168.0.1 48 msec 52 msec 56 msec
  4 * * *
  5 * * *
  6 * * *
  7 *


If I add NAT rules for A, then the traffic goes through the Internet:


  1 192.1.1.250 0 msec 0 msec 0 msec
  2 192.168.90.5 48 msec 52 msec
  3 192.168.0.1 48 msec 60 msec 60 msec
  4 194.84.XXX.XXX 52 msec 52 msec 52 msec
  5 195.151.XXX.XXX 56 msec 52 msec 52 msec
  6 193.232.XXX.XXX 52 msec 52 msec 56 msec
  7 57.86.XXX.XXX 76 msec 76 msec 80 msec
.....

Maybe besides the ACL I have to add other rules?


Yudong Wu Mon, 04/12/2010 - 08:47

Did you add "permit ip 192.171.5.0 0.0.0.255 192.1.1.0 0.0.0.255" to the ACL which is used by the crypto map at the C site?

If not, please add it and rebuild the tunnel.
