03-25-2007 12:45 PM - edited 02-21-2020 02:56 PM
Hi,
I have configured a site-to-site IPSec VPN tunnel on two Cisco 2801 routers. The tunnel is established and everything seems OK.
But when I try to send LAN traffic through the tunnel, it doesn't work. It doesn't matter which of the tunnel ends the traffic comes from: it doesn't work from either end.
I have configured a crypto map, with the IP address of one of the LAN's hosts as the source address on the access list, and the IP address of a host on the other end's LAN as the destination address.
What do I have to do for LAN traffic to be sent through the VPN tunnel? How can I route the traffic belonging to my LAN through the VPN tunnel?
03-26-2007 12:24 AM
Hi
Could you send a copy of the 2800 configs and the IP addresses you are trying to connect from and to.
What type of traffic are you trying to send ?
Jon
03-26-2007 06:50 AM
Hi Jon, thanks for your answer.
I'm attaching the router configuration to this post.
The other 2801 belongs to the customer, so I don't have its config. But our customer has many other VPNs ending on the same router and they are all working fine except for my VPN, so the problem is on my side for sure.
The public IP address for my side is 195.53.197.130, and the other end is 213.171.236.254.
I want traffic coming from a host on my LAN (host IP address: 170.47.47.20/16) directed to a host on the customer's side (host IP address: 172.20.1.1/16) to be forwarded through the VPN tunnel, and vice versa.
Thank you very much for your help.
Regards.
Sergio.
03-26-2007 07:00 AM
Hi
I need to see more of the 2800 config, i.e. the access-list 120, the NAT, etc.
Also when you post configs can you remove any sensitive information like the IPSEC key etc.
Jon
03-26-2007 07:18 AM
Hi,
If I understood correctly, then you have a tunnel configured with one host on each end as part of the crypto ACL, and this part is working fine; however, if any other host wants to send traffic through the tunnel, then it does not work. If this is correct, then configure the crypto ACL as network to network rather than host to host. E.g. the network on one end is 192.168.1.0/24 and on the other end it is 192.168.2.0/24. Your crypto ACL is probably like:
access-list
and the reflection of it on the other end. You would need to change it to something like:
access-list
HTH,
Please rate if it helps,
Regards,
Kamal
03-30-2007 02:02 AM
Hi Kamal,
Nope, that's not the problem here.
I have two remote LANs that need to be connected to each other through a VPN tunnel. Really, there is only ONE host on the first LAN, and ONE host on the second LAN. The address for the first LAN's host is 172.20.1.1. The address for the second is 170.47.47.20.
The VPN tunnel is UP, so it doesn't seem to be an IPSec-related problem.
The problem is that, once the VPN tunnel is UP, I can't ping, traceroute, or do anything else from 170.47.47.20 to 172.20.1.1 or vice versa.
Please, help me.
Thanks in advance.
03-30-2007 02:13 AM
Hi
It looks like you are NATting the inside addresses of 170.47.47.0/24 to an outside public address. But your access-list still references the 170.x.x.x address. This would mean that the traffic is not registering as being VPN traffic.
Having said that if the traffic were not registering as interesting then the tunnel would not come up in the first place.
Jon
03-31-2007 03:25 AM
You need to do NAT exempt for the VPN traffic here.
-Kanishka
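The NAT exemption the replies above describe, as an added IOS configuration example (not the poster's config nor anything from the thread's attachment). It uses the two host addresses from the thread; the interface names, ACL numbers and route-map name are assumptions. On IOS, inside-to-outside traffic is translated before the crypto map on the outside interface checks the crypto ACL, so without the deny entry the source 170.47.47.20 is already rewritten to the public address and never matches the tunnel.

```cisco
! Added example, not the original poster's configuration.
! Assumed: FastEthernet0/0 is the outside (public) interface,
!          FastEthernet0/1 is the inside LAN interface,
!          ACL 120 is the crypto ACL referenced by the crypto map.
!
! Crypto ACL: host-to-host, as in the thread. The peer's crypto ACL
! must be the exact mirror (source and destination swapped).
access-list 120 permit ip host 170.47.47.20 host 172.20.1.1
!
! NAT exemption: the deny line must come BEFORE the permit so the
! VPN traffic is never translated; everything else is still PATted.
access-list 110 deny   ip host 170.47.47.20 host 172.20.1.1
access-list 110 permit ip 170.47.47.0 0.0.0.255 any
!
route-map NONAT permit 10
 match ip address 110
!
! Translate only what the route-map matches (i.e. non-VPN traffic).
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
interface FastEthernet0/1
 ip nat inside
!
interface FastEthernet0/0
 ip nat outside
 crypto map VPNMAP
!
! Checks after a ping from 170.47.47.20 to 172.20.1.1:
!   show crypto ipsec sa        - #pkts encaps/decaps should increment
!   show ip nat translations    - no entry for 170.47.47.20 -> 172.20.1.1
!   show access-lists 120       - match counter should increase
```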