Cisco Support Community

New Member

Multiple vlans over IPSEC VPN Tunnel

Hi, I have 2 Cisco 1811 routers with the Advanced IP Services IOS on them. I currently have it running with everything communicating properly, but I need to add another VLAN to each router and can't get it to recognize it. Here is the setup:

R1 Vlan1 is 10.10.10.0/24 network

R2 Vlan1 is 10.10.20.0/24 network

over IPSEC VPN Tunnel

I need to add a Vlan2 10.7.1.0/24 network on R1

and Vlan2 10.7.2.0/24 network on R2 and have them work over this tunnel.

I already created the VLANs in the VLAN database and gave them addresses of 10.7.1.1 and 10.7.2.1 respectively. What else am I missing? I am positive I configured the access lists wrong or something.

Please help!

Thank you

Domenick

11 REPLIES

Re: Multiple vlans over IPSEC VPN Tunnel

Domenick,

Can you supply the configs please, with sensitive information removed of course?

New Member

Re: Multiple vlans over IPSEC VPN Tunnel

Absolutely. Here you go, thank you very much!

Re: Multiple vlans over IPSEC VPN Tunnel

Do you only want the new VLANs to talk to each other over the VPN, or do you want VLAN 1 on both sites to be able to route also?

New Member

Re: Multiple vlans over IPSEC VPN Tunnel

Yes, I need both VLAN 1 and VLAN 2 to route over the VPN.

Re: Multiple vlans over IPSEC VPN Tunnel

I would add:-

R1-AVEX>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

!

ip access-list extended SDM_2

remark SDM_ACL Category=4

remark IPSec Rule

permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

remark IPSec Rule

permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

ADD to the above ACL the below:-

permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255

permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255

!

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255

access-list 101 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255

R2-57st>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Current:-

!

ip access-list extended SDM_2

remark SDM_ACL Category=4

remark IPSec Rule

permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255

remark IPSec Rule

permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255

!

ADD to the above ACL the below:-

permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255

permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255

Current:-

access-list 101 remark auto generated by Cisco SDM Express firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

ADD to the above ACL the below:-

access-list 101 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255

New Member

Re: Multiple vlans over IPSEC VPN Tunnel

I added all the ACLs described, but unfortunately I am unable to ping any host from the 10.10.10.0 network to the 10.7.2.0 network, or back and forth.

Re: Multiple vlans over IPSEC VPN Tunnel

Are the ACLs being hit? Provide the output of "show access-list".

Can you see the IPsec SA with the new ACLs in it? Provide the output of "sh crypto ipsec sa".

New Member

Re: Multiple vlans over IPSEC VPN Tunnel

Here is the output you requested.

Thank you!

Re: Multiple vlans over IPSEC VPN Tunnel

The encryption domains are in the IPsec SA = good. No packets encrypted or decrypted = bad.

The ACLs for the "interesting traffic" are not being hit = bad, BUT I did notice you are performing some NAT with route maps.

Add "ip nat inside" to the VLAN 2 interfaces on both sites.
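Two things have to line up for the new subnets to ride the tunnel, and both are easy to get subtly wrong by hand: the crypto ("interesting traffic") ACLs on R1 and R2 must be exact mirrors of each other, and the NAT route-map ACL must deny (exempt) every one of those crypto pairs before translation, otherwise the packet is NATed to the WAN address and never matches the crypto ACL. The following checker is an added example written for this thread; it is not the poster's configuration or Cisco tooling. The ACL text it checks is constructed to match the thread's addressing (10.10.10.0/24 and 10.7.1.0/24 behind R1, 10.10.20.0/24 and 10.7.2.0/24 behind R2); the NAT ACL number 102 and its entries are assumptions, since the real route-map ACL was only attached, not quoted. It also flags the "permit A WA B WB" form without the `ip` protocol keyword, which IOS rejects.

```python
"""Sanity checks for a Cisco IOS site-to-site IPsec setup: crypto ACLs must
mirror each other, and the NAT route-map ACL must exempt every crypto pair.
Added example for the thread above, not the original poster's configuration."""
import ipaddress


def _network(tokens):
    """Consume one IOS address spec from tokens: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)  # wildcard is the inverted mask
    return ipaddress.IPv4Network(f"{tok}/{mask}", strict=False)


def _entries(text):
    """Yield (action, tokens-after-action) for permit/deny lines, named or numbered."""
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]  # drop "access-list 101"
        if tokens and tokens[0] in ("permit", "deny"):
            yield raw.strip(), tokens[0], tokens[1:]


def malformed_entries(text):
    """Lines like 'permit 10.7.1.0 0.0.0.255 ...' that lack the protocol keyword."""
    return [raw for raw, _action, rest in _entries(text) if rest and "." in rest[0]]


def parse_acl(text):
    """Return [(action, src_net, dst_net)] for 'permit/deny ip ...' entries, in order.
    Remarks and non-IP protocols are skipped; a missing protocol keyword raises,
    because that flow would silently never be encrypted."""
    bad = malformed_entries(text)
    if bad:
        raise ValueError(f"missing protocol keyword: {bad[0]!r}")
    acl = []
    for _raw, action, rest in _entries(text):
        if rest[0] != "ip":
            continue
        rest = rest[1:]
        acl.append((action, _network(rest), _network(rest)))
    return acl


def missing_mirrors(local_acl, remote_acl):
    """Each local permit (S -> D) needs a remote permit (D -> S). Returns the
    local flows that have no mirror on the remote side."""
    remote = {(s, d) for a, s, d in parse_acl(remote_acl) if a == "permit"}
    return [f"{s} -> {d}" for a, s, d in parse_acl(local_acl)
            if a == "permit" and (d, s) not in remote]


def natted_crypto_flows(crypto_acl, nat_acl):
    """Crypto flows whose first match in the NAT ACL is a permit: they would be
    translated before the crypto map sees them. Must be empty."""
    leaks = []
    nat = parse_acl(nat_acl)
    for action, src, dst in parse_acl(crypto_acl):
        if action != "permit":
            continue
        for nat_action, nsrc, ndst in nat:
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if nat_action == "permit":
                    leaks.append(f"{src} -> {dst}")
                break  # first match wins; no match means implicit deny (not NATed)
    return leaks


# Constructed sample ACLs modelled on the thread's addressing (not the real configs).
R1_CRYPTO = """\
ip access-list extended SDM_2
 remark IPSec Rule
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
 permit ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
"""
R2_CRYPTO_INCOMPLETE = """\
ip access-list extended SDM_2
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.10.20.0 0.0.0.255 10.7.1.0 0.0.0.255
"""
R2_CRYPTO = R2_CRYPTO_INCOMPLETE + """\
 permit ip 10.7.2.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.7.2.0 0.0.0.255 10.7.1.0 0.0.0.255
"""
# Assumed NAT route-map ACL (number 102 is a guess): before the fix only VLAN 1
# pairs are exempted, so VLAN 2 traffic to the far site gets NATed to the WAN IP.
R1_NAT_BEFORE = """\
access-list 102 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 deny   ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.7.1.0 0.0.0.255 any
"""
R1_NAT_AFTER = """\
access-list 102 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 deny   ip 10.10.10.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 102 deny   ip 10.7.1.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 102 deny   ip 10.7.1.0 0.0.0.255 10.7.2.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.7.1.0 0.0.0.255 any
"""

if __name__ == "__main__":
    print("R2 missing mirrors:", missing_mirrors(R1_CRYPTO, R2_CRYPTO_INCOMPLETE))
    print("NATed before fix:", natted_crypto_flows(R1_CRYPTO, R1_NAT_BEFORE))
    print("NATed after fix:", natted_crypto_flows(R1_CRYPTO, R1_NAT_AFTER))
```

Feed it the sanitised `show running-config` sections from both routers: an empty list from `missing_mirrors` in both directions and an empty list from `natted_crypto_flows` on each side is the state you want before looking at `show crypto ipsec sa` counters. Note that the checker only covers the ACL side; the interface still needs `ip nat inside` (as the reply above says) for the route-map to apply to VLAN 2 at all.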

New Member

Re: Multiple vlans over IPSEC VPN Tunnel

I added the ip nat inside and it seems that there is some activity going on. I still can't ping a host on either network from either router, but then again I can't ping any host from any router on the opposite side. Any insight into that?

I have attached the output of the show access-list command and the show crypto again.

Re: Multiple vlans over IPSEC VPN Tunnel

The ACLs are being hit; you are no longer NATing the internal IP-to-IP traffic. The crypto SA looks OK, apart from some packet-number mismatch.

What debugging have you done? Have you performed any traceroutes? Have you debugged the IP NAT? Have you debugged any ICMP? All of these will give an idea of what the issue could be.

You may want to try clearing down the IPsec VPN and letting the routers form a new one; this sometimes helps.
