IOS 861. VPN Spoke to Spoke?

Joel Johnson
Level 1

Hi All,

I'm having some issues with a site-to-site-to-site VPN. I've attached a diagram to help.

In the topology I have a Pepwave HD2, a Cisco 861 and another Cisco device. The Pepwave provides both cabled LAN traffic and failover 3G traffic. I have created a VPN tunnel between the two Cisco devices that is up and active and able to route incoming cabled traffic from the Pepwave between the Cisco devices on the VPN tunnel.

My goal is to get traffic from 192.168.40.X to 10.71.1.0 via the 3G VPN for the failover scenario.

I've configured a VPN for the Pepwave HD2 3G traffic using a dynamic map. The tunnel comes up but is idle, and the second diagram attached shows the tunnel is active for LAN traffic 172.16.17.0 to 192.168.224.192, but won't come up for 192.168.40.X to 10.71.1.0.

Someone in the Cisco community suggested that only one interface can support one VPN tunnel at once from the same address range.

I've attached my config of the 861 router. Does anyone know how I can route this traffic via the VPN tunnels on IOS, as the same-security-traffic permit inter-interface and same-security-traffic permit intra-interface commands don't work on IOS?

Thanks,

5 Replies

When you say that the VPN connection on the Cisco router is idle, do you mean that the show crypto isakmp output says QM_Idle? If so, this means that the tunnel is up.

--

Please remember to rate and select a correct answer

Hi,

Yes, the tunnel comes up but won't route the required traffic.

I can only seem to route VPN traffic from router A to router B, and from router B to router C. What I can't do is route via the VPN from router A to router C (in failover mode).

     A                              B                               C

Pepwave  <---Cat 5 cable--->   Cisco 861   <------VPN------>   Cisco device   (normal mode)

Pepwave  <-----3G VPN----->    Cisco 861   <------VPN------>   Cisco device   (failover mode)

192.168.40.X                   192.168.224.193                 10.71.1.0

The Cisco tunnel from the 861 to the Cisco device works fine and I can ping between the LANs. The first ACL for the Cisco 861 to Cisco device is 192.168.40.X to 10.71.1.0 from the physical Cat 5 cable from the Pepwave to the Cisco 861; this passes traffic to 10.71.1.0 with no issues. But the failover 3G VPN with the second ACL, also 192.168.40.X to 10.71.1.0, won't send traffic between 192.168.40.X and 10.71.1.0; it only lets traffic from the Pepwave LAN 192.168.40.X to the Cisco 861 192.168.224.193 in the tunnel.

I'm not sure if I have to add some special command or routing information. The pictures and config should help explain.

Thanks,

It doesn't look like you have permitted the traffic in the crypto ACL:

ip access-list extended VPN-TRAFFIC
 permit ip 192.168.224.190 0.0.0.7 172.16.17.0 0.0.255.255
 permit ip 192.168.224.190 0.0.0.7 192.168.40.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.21.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 172.16.10.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.16.11.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.16.12.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.53.16.0 0.0.1.255
 permit ip 192.168.40.0 0.0.0.255 10.53.133.0 0.0.0.255

But also you have mentioned a few different IPs. In the diagram it mentions 21.71.1.0 while in your post you mention 10.71.1.0. But neither of these are defined as interesting traffic. Can you confirm this please?

--

Please remember to rate and select a correct answer

Yes, sorry, that was a typo from looking at too many diagrams!

Interesting traffic is:

 permit ip 192.168.224.190 0.0.0.7 192.168.40.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.21.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 172.16.10.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.16.11.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 172.16.12.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.53.16.0 0.0.1.255
 permit ip 192.168.40.0 0.0.0.255 10.53.133.0 0.0.0.255

Traffic on Router A LAN (192.168.40.X) can't reach Router C LAN (10.21.0.0, 192.168.0.0, 172.16.10.0, 172.16.11.0, etc.)

Is ACL 101 the NAT ACL?

If not, do you have NAT configured on the routers? If yes, have you excluded the VPN traffic from being NATed on both routers?

Also, have you confirmed that the crypto ACL is correctly configured at the far end router (that the ACL is the mirror image of the config you posted)?

--

Please remember to rate and select a correct answer
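The three checks raised in the replies above (is the flow matched by the crypto ACL, is the far-end crypto ACL the mirror image, and is tunnel traffic excluded from NAT) can be scripted. The following Python is an added example, not code from the thread or from Cisco: it parses a constructed excerpt of the posted VPN-TRAFFIC ACL, tests whether a 192.168.40.x to 10.71.1.x flow counts as interesting traffic, renders the mirrored ACL the peer needs, and emits the deny lines commonly placed at the top of an IOS NAT ACL to keep tunnel traffic untranslated. Function names are mine, and the script assumes contiguous wildcard masks.

```python
import ipaddress

# Constructed excerpt of the crypto ACL posted in the thread (Cisco wildcard masks).
CRYPTO_ACL = """
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.224.190 0.0.0.7 192.168.40.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.21.0.0 0.0.255.255
 permit ip 192.168.40.0 0.0.0.255 172.16.10.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    """Convert 'addr wildcard' (wildcard = inverted netmask) to an IPv4Network.
    Assumes a contiguous wildcard, which is all this ACL uses."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    base = int(ipaddress.IPv4Address(addr)) & mask
    return ipaddress.IPv4Network((base, str(ipaddress.IPv4Address(mask))))

def parse_acl(text):
    """Return (src_net, dst_net) pairs for each 'permit ip' line."""
    entries = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 6 and p[:2] == ["permit", "ip"]:
            entries.append((wildcard_to_network(p[2], p[3]),
                            wildcard_to_network(p[4], p[5])))
    return entries

def is_interesting(entries, src_ip, dst_ip):
    """True if the flow would be selected for the tunnel by this crypto ACL."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in entries)

def wildcard(net):
    """Netmask back to Cisco wildcard notation."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(net.netmask)))

def render(entries, action="permit"):
    """Render entries as IOS extended ACL lines with the given action."""
    return [f" {action} ip {s.network_address} {wildcard(s)} {d.network_address} {wildcard(d)}"
            for s, d in entries]

def far_end_acl(entries):
    """Crypto ACL the peer must carry: each src/dst pair swapped (mirror image)."""
    return render([(d, s) for s, d in entries])

def nat_exempt_lines(entries):
    """Deny lines for the top of the NAT ACL so tunnel traffic is not translated
    before encryption (usual IOS pattern; assumes an extended NAT ACL)."""
    return render(entries, action="deny")
```

Running is_interesting(parse_acl(CRYPTO_ACL), "192.168.40.10", "10.71.1.5") returns False, which is the point made in the reply: no entry in the posted ACL covers 10.71.1.0.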