Tunnel Interface connectivity via IPSec

Unanswered Question
Mar 18th, 2017

Hi!


I am running GRE with IPsec. My interesting traffic for IPsec is 192.168.1.1 to 192.168.1.2, and when I try to establish a connection from Router 1, the FW sees the IP 172.16.1.2 and the IPsec tunnel never triggers.


What can be done so that if I ping from 192.168.1.2, the FW will see 192.168.1.1 rather than 172.16.1.2?

See the attached picture.


Thanks

Philip D'Ath Sat, 03/18/2017 - 16:39

You need to get yourself to the stage where each firewall can ping the local 192.168.1.x address on the router. More than likely you have routes missing.

Capricorn Sun, 03/19/2017 - 07:10

Hi!


Thanks for your reply.

I only want the IPsec to trigger on ASA 1.

I can ping 192.168.1.1 from ASA1.

The problem is that IPsec never triggers because the interesting traffic 192.168.1.1 never hits the outside interface, so the IPsec process never starts.


Thanks

Capricorn Sun, 03/19/2017 - 14:54

Hi Philip D'Ath!


I have defined the tunnel endpoints in the interesting traffic, but it's not working. IPsec is not triggering.


What if the other end is not aware of my 172.16 address, as they only have my public IP?


Thanks



Peter Koltl Sun, 03/19/2017 - 08:10

It will be GRE over IPsec, that is, the GRE tunnel endpoints 172.16.x.x should be defined as interesting traffic. 192.168.1.x will be the tunnel inside addresses (encrypted), so these addresses will not be seen by the firewalls.
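Putting this answer into configuration, as an added example that is not from the thread or from Cisco documentation: the tunnel inside address 192.168.1.1 and the Router 1 tunnel source 172.16.1.2 are taken from the question, while the remote tunnel endpoint, the ACL name and the tunnel number are assumed placeholders.

```text
! Router 1 (addressing assumed from the thread): the GRE tunnel carries 192.168.1.x,
! but every packet leaving towards ASA 1 has 172.16.1.2 as its outer source.
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 tunnel source 172.16.1.2
 ! <REMOTE_TUNNEL_ENDPOINT> is a placeholder; the thread does not give it
 tunnel destination <REMOTE_TUNNEL_ENDPOINT>
!
! ASA 1, crypto ACL BEFORE: matches the inner tunnel addresses. The ASA only ever
! sees them encapsulated inside GRE, so nothing matches and IPsec never triggers.
access-list VPN-TRAFFIC extended permit ip host 192.168.1.1 host 192.168.1.2
!
! ASA 1, crypto ACL AFTER: match the GRE packets between the tunnel endpoints instead.
no access-list VPN-TRAFFIC extended permit ip host 192.168.1.1 host 192.168.1.2
access-list VPN-TRAFFIC extended permit gre host 172.16.1.2 host <REMOTE_TUNNEL_ENDPOINT>
!
! ASA 1 must also have a route to 172.16.1.2 via its inside interface, and the
! remote peer's crypto ACL has to be the mirror image of this one.
```

After the change, `show crypto ipsec sa` on ASA 1 should list the GRE proxy identities and the encaps counter should increase when Router 1 pings across the tunnel.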

Peter Koltl Tue, 03/21/2017 - 14:48

The referred Networkstraining page confirms my previous comment. As you can see, tunnel IPs (10.0.0.x) are not seen by the firewall. They are encapsulated and only the tunnel source and destination addresses (50 and 20) are used in the firewall rules.
