Can't access VPN Remote Network from Router

cbpapi
Level 1

Hello,

I have successfully set up a site-to-site IPSec Tunnel connection with the following details, using 2 2821 Routers:

Router A

Internal Network: 192.168.1.0/24

Internal Interface: g0/1 192.168.1.1

External Address: 7.7.7.1

External Interface: g0/0

Router B

Internal Network: 192.168.2.0/24

Internal Interface: g0/1 192.168.2.1

External Address: 7.7.7.2

External Interface: g0/0

A host in Network A can ping/access a host in Network B (including Router B) via the IPSec Tunnel and a host in Network B can ping/access a host in Network A (including Router A).

The problem is that Router A can't ping Router B or any hosts in Network B and Router B can't ping Router A or any hosts in Network A.

So on Router A, the command: ping 192.168.2.1, times out.

Yet, when I try on Router A the command: ping 192.168.2.1 source g0/1, everything works right.

I suspect that both routers try to access the remote internal networks using their external interfaces instead of using the IPSec Tunnel. How could I fix that?

1 Reply

Richard Burts
Hall of Fame

You have not provided any details of your configuration but it is a safe guess that your crypto acl on router A says permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255. This is why router A is not able to ping router B unless you specify the source address.

The explanation is that IOS routers by default use the IP address of the exit interface as the source address of their ping packets. So router A ping will have source address of 7.7.7.1 and the ping does not match the acl and so does not use the tunnel.

If you want traffic from router A to go through the tunnel then you need to add an entry in your acl that permits that traffic. Perhaps something like permit ip host 7.7.7.1 192.168.2.0 0.0.0.255.

HTH

Rick

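Putting the reply's suggestion into IOS configuration, as an added example that is not from the original post or from the reply. The interface and peer addresses are the ones given in the thread; the ACL names (CRYPTO-TO-B, CRYPTO-TO-A), the crypto map name (VPN-MAP), the transform set (TS-AES-SHA) and the /24 mask on the outside interfaces are assumptions, and the ISAKMP policy and pre-shared key are left out because the thread says the tunnel is already up.

```cisco
! Added example; not the original poster's running configuration.
!
! ===== Router A (g0/0 = 7.7.7.1, g0/1 = 192.168.1.1) =====
!
! Crypto ACL as the reply guesses it looks today: only LAN-to-LAN traffic
! is selected, so a router-originated ping sourced from g0/0 (7.7.7.1)
! does not match and is routed in the clear instead of being encrypted.
ip access-list extended CRYPTO-TO-B
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 ! New entry: traffic the router itself originates from 7.7.7.1 toward
 ! the remote LAN now matches and goes through the tunnel.
 permit ip host 7.7.7.1 192.168.2.0 0.0.0.255
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 7.7.7.2
 set transform-set TS-AES-SHA
 match address CRYPTO-TO-B
!
interface GigabitEthernet0/0
 ip address 7.7.7.1 255.255.255.0
 crypto map VPN-MAP
!
! ===== Router B (g0/0 = 7.7.7.2, g0/1 = 192.168.2.1) =====
!
! The crypto ACL must be the exact mirror of router A's, including the
! new entry; otherwise the proxy identities offered in IKE phase 2 do not
! match and no IPsec SA is built for that traffic.
ip access-list extended CRYPTO-TO-A
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 ! Mirror of the new entry on router A.
 permit ip 192.168.2.0 0.0.0.255 host 7.7.7.1
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 7.7.7.1
 set transform-set TS-AES-SHA
 match address CRYPTO-TO-A
!
interface GigabitEthernet0/0
 ip address 7.7.7.2 255.255.255.0
 crypto map VPN-MAP
!
! ===== Check on router A =====
! ping 192.168.2.1
!   -> now succeeds without "source g0/1", because the packet sourced
!      from 7.7.7.1 matches CRYPTO-TO-B.
! show crypto ipsec sa peer 7.7.7.2
!   -> a second SA pair for "local ident (7.7.7.1/255.255.255.255/0/0)"
!      appears and its #pkts encaps counter increases with each ping.
```

Two points worth keeping in mind. First, if Router B also needs to originate traffic to Network A (for example ping 192.168.1.1 from Router B without a source option), the same pattern is needed in the other direction: permit ip host 7.7.7.2 192.168.1.0 0.0.0.255 on Router B, mirrored as permit ip 192.168.1.0 0.0.0.255 host 7.7.7.2 on Router A. Second, an IOS crypto map does not drop traffic that misses the crypto ACL; it forwards it unencrypted along the normal routing table. In this thread the unmatched ping merely times out because 192.168.2.0/24 is not reachable in the clear, but the same mismatch with a routable destination would leak the traffic outside the tunnel, so fixing the ACL is preferable to relying on the source option alone.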