Re: Can't pass traffic through IPSec VPN Site-to-site tunnel

s.debenito · ‎03-25-2007

Hi,

I have configured a site-to-site IPSec VPN tunnel on 2 2801 cisco routers. The tunnel is stablished and everything seems ok.

But when I try to send LAN traffic through the tunnel, it doesn't work. Doesn't matter which of the tunnel ends the traffic comes from: it doesn't work on both ends.

I have configured a cryto map, with one of the LAN's host IP addres as source address on the access list, and another IP address from one of the other end LAN's host as the destination address.

What should I have to do for LAN traffic be sent through the VPN tunnel? how can I route the traffic belonging to my LAN through the VPN tunnel?

Jon Marshall · ‎03-26-2007

Hi

Could you send a copy of the 2800 configs and the IP addresses you are trying to connect from and to.

What type of traffic are you trying to send ?

Jon

s.debenito · ‎03-26-2007

Hi Jon, thanks for your answer.

I'am attaching the router configuration to this post.

The other 2801 belongs to the customer, so I don't have its config. But our customer has many other VPNs ending on the same router and they are all working fine except for my VPN, so the problem is on my side for sure.

The public IP address for my side is 195.53.197.130, and the other end is 213.171.236.254.

I want that traffic coming from a host on my LAN (host IP address: 170.47.47.20/16) directed to a host on the customer's side (host IP Address: 172.20.1.1/16) be forwarded through the VPN tunnel, and viceversa.

Thank you very much for your help.

Regards.

Sergio.

Jon Marshall · ‎03-26-2007

Hi

I need to see more of the 2800 config ie. the access-list 120, the NAT etc.

Also when you post configs can you remove any sensitive information like the IPSEC key etc.

Jon

s.debenito · ‎03-30-2007

Hi Jon,

I am attaching all the config file to this post.

I uploaded a wrong file the last time, sorry.

Hope you can help me.

Regards,

Kamal Malhotra · ‎03-26-2007

Hi,

If I understood correctly then you have a tunnel configured with one host on each end as a pert the of the crypto ACL and this part is working wine however if any other host wants to send the traffic through the tunnel, then it does not work. If this is correct, then configure the crypto ACL as network to network rather than host to host. E.g. the network on one end is 192.168.1.0/24 and on the other end it is 192.168.2.0/24. You crypto ACL is probably like :

access-list permit ip host 192.168.1.x host 192.168.2.x

and the reflection of it on the other end. You would need to change it to something like :

access-list permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

HTH,

Please rate if it helps,

Regards,

Kamal

s.debenito · ‎03-30-2007

Hi Karnal,

Nope, that's not the problem here.

I have two remote LANs that need to be connected to each other through a VPN tunnel. Really, there is only ONE host on the first LAN, and ONE host on the second LAN. The address for the first LAN's host is 172.20.1.1. The adress for the second is 170.47.47.20.

The VPN tunnel is UP, so it doesn't seem to be an IPSec-related problem.

The problem is that, once the VPN tunnel is UP, I can't ping, traceroute, or whatever from 170.47.47.20 to 172.20.1.1 or viceversa.

Please, help me.

Thanks in advance.

Jon Marshall · ‎03-30-2007

Hi

It looks like you are natting the inside addresses of 170.47.47.0/24 to an outside public address. But your access-list still references the 170.x.x.x address. This would mean that the traffic is not registering as being VPN traffic.

Having said that if the traffic were not registering as interesting then the tunnel would not come up in the first place.

Jon

kaachary · ‎03-31-2007

You need to do NAT exempt for the VPN traffic here.

-Kanishka