Site to Site IPsec VPN problem while access http traffic

Unanswered Question
Sep 25th, 2010

Hi,

I cannot access the web traffic after established the site to site Ipsec VPN but can access HTTPS.  I have tried so many time ,  Site to Site  IPsec  VPN between Cisco 3825 and 1812 routers.  but cannot findout  the   exact problem. my Network topology is attached herewidth. BO and  HO are  Cisco Routers where i have tried to setup Site to Site Ipsec   VPN between Bo and Ho.at Ho Fortinet is used as Firewall and edge  router. The  DMZ (mail server, Active  Directory, Web Server etc..) are  connected via firewall . The VPN Phase 1 and Phase2  are Seems up and  working perfectly while debuging i cannot findout any  problem . I can  ping all the DMZ as well as internet with jumbo frames  and can access  https, Mail .But cannot  browse HTTP and AD(Active  Directory) while  using Site to Site Ipsec VPN between them. if i will remove the vpn   then it work perfectly. can you please advice me.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Richard Burts Sat, 09/25/2010 - 15:02

Given the description of the symptoms I would guess that the most probable cause of the problem was something in the access list used on the routers to identify traffic which should be encrypted. Can you post the access list from each of the routers?

It might also be helpful if you could post the other parts of the configuration for the site to site VPN.

HTH

Rick

ramkrishnapariyar Sat, 09/25/2010 - 22:51

Hi Richard,

The configuration of IPsec between HO and Bo  are as following.

HO

--------

The Network 192.168.0.0/24 , 192.168.1.0/24 , 192.168.5.0/24 , 192.168.18.0/24 ,192.168.100/24 and 192.168.204.0/24 are my DMZ Network and 192.168.254.0/24 is my P2P network among BO and HO and 192.168.253.0/24 is my Bo Lan Network.

crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.2

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.2
set transform-set ESP-3DES-SHA
match address 100

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.204.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 deny ip any any

BO

-------

crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.1

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.1
set transform-set ESP-3DES-SHA
match address 100

access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.204.0 0.0.0.255

stuffy001 Thu, 12/17/2015 - 03:16

I think i have the same problem. Can you remember your solution for this?

Thanks

Jennifer Halim Sat, 09/25/2010 - 17:00

How are you trying to access those HTTP and AD? via DNS or IP Address?

You would also have to make sure that the ip address that you use to access those are part of your crypto ACL while trying to access it via VPN.

Also, you would also have to make sure that the return traffic from those HTTP and AD servers are back to the VPN routers.

ramkrishnapariyar Sat, 09/25/2010 - 23:01

Hi Jennifer,

I am testing to access web server and  AD via ip as well as DNS  but cannot success. as i know that the return traffice also via VPN. The HTTP and HTTPS both Services are hosted at the Same machine, I can access HTTPS but cannot HTTP and AD.

Jennifer Halim Sun, 09/26/2010 - 03:00

Can you please share the router configuration? Do you have any ACL that might block other traffic except HTTPS? What about the server itself?

is there any personal/server firewall that might be blocking HTTP and AD access? Are you able to telnet on port 80 on the server's private ip address?

ramkrishnapariyar Sun, 09/26/2010 - 03:14

The configuration of IPsec between HO and Bo  are as following.

HO

--------

The  Network 192.168.0.0/24 , 192.168.1.0/24 , 192.168.5.0/24 ,  192.168.18.0/24 ,192.168.100/24 and 192.168.204.0/24 are my DMZ Network  and 192.168.254.0/24 is my P2P network among BO and HO and  192.168.253.0/24 is my Bo Lan Network.

crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.2

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.2
set transform-set ESP-3DES-SHA
match address 100

access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.18.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 permit ip 192.168.204.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 100 deny ip any any

BO

-------

crypto isakmp policy 102
encr 3des
authentication pre-share
group 5
crypto isakmp key abc123 address 192.168.254.1

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map mymap 101 ipsec-isakmp
set peer 192.168.254.1
set transform-set ESP-3DES-SHA
match address 100

access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 permit ip 192.168.253.0 0.0.0.255 192.168.204.0 0.0.0.255

I can telnet the port 80 of http Server. The Web Server is Windows 2003 Server.i have disabled the default firewall also. There is no any ACL policy except interesting traffic I can easy access http and AD also if by pass the VPN.Is there any paramater missing at my configuration ?.

Jennifer Halim Sun, 09/26/2010 - 03:34

If you can telnet on port 80 to the web server through the VPN tunnel, that means as far as network connectivity is concern through the VPN tunnel, it is working just fine.

It is probably more an application layer issue with HTTP. I assume that you have no proxy server or anything that might be the issue, right?

What about checking the logs on the Windows 2003 server itself? It might give you some clue as to why HTTP via browser is not working.

Actions

This Discussion