
New Member

IPSec Routing Problem

Hi All,

We have successfully configured site-to-site IPSec. If interesting traffic hits the outgoing interface, the tunnel comes up on both ends; you can also see packets being encrypted.

I'm having routing problems locally: I don't have a route that points local-to-remote traffic via the IPSec VPN.

remote peer: 89.3.2.1

remote local: 192.168.1.0/24

local peer: 50.3.3.1

local private: 10.2.5.0/24

I tried the following locally:

ip route 192.168.1.0 255.255.255.0 89.3.2.1

'didn't work'

ip route 192.168.1.0 255.255.255.0 50.3.3.1

'didn't work'

Please help!!!

9 REPLIES
Hall of Fame Super Blue

Re: IPSec Routing Problem

Hi

You don't need a route for this traffic. The crypto map access-list tells the router/firewall which traffic needs to be encrypted. If a packet matches the crypto access-list it is encrypted and automatically sent down the tunnel.

Jon

New Member

Re: IPSec Routing Problem

Are you using crypto maps? What does your interesting traffic access look like?

New Member

Re: IPSec Routing Problem

I'm using crypto maps. My local access list is

access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255

If I run "show access-list 144" I can see interesting traffic. Also, if I run "show crypto engine connection active" I can see traffic being encrypted. But I don't have a {192.168.1.0/24} route in the routing table, and traffic is not going through the tunnel.

Silver

Re: IPSec Routing Problem

Do this:

1- Under your crypto map, you need this: reverse-route

2- Do sh ip route; you will see a static route in the routing table.

3- Redistribute that static route into your routing protocol so that downstream router(s) can see it.

4- Test again.

CCIE Security
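As an added illustration of the steps above (this is example configuration, not the original poster's running config), the following IOS fragment uses the addresses given in the thread. The names VPNMAP, TS, ISAKMP policy 10, the interface names, OSPF process 1, the ISP next hop 50.3.3.2 and the pre-shared key placeholder are all assumptions:

```cisco
! Added example (not the poster's config). Assumed names: crypto map VPNMAP,
! transform set TS, ISAKMP policy 10, Gi0/0 as WAN, Gi0/1 as LAN, OSPF 1 as
! the internal routing protocol, ISP next hop 50.3.3.2, placeholder PSK.
!
! Phase 1 (IKE) policy and the remote peer's pre-shared key
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 89.3.2.1
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: this, not the routing table, selects what gets encrypted.
! The remote peer needs the mirror image (192.168.1.0/24 -> 10.2.5.0/24).
access-list 144 permit ip 10.2.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Crypto map. "reverse-route" installs a static route for the remote
! subnet (192.168.1.0/24) derived from the crypto ACL, which is what
! lets the internal network learn it through redistribution.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 89.3.2.1
 set transform-set TS
 match address 144
 reverse-route
!
! Apply the map on the outside interface. Packets are matched against
! the crypto ACL on the way out here, so a plain default route towards
! the ISP is all that is needed; no static route to 192.168.1.0/24 via
! the peer is required.
interface GigabitEthernet0/0
 description WAN to ISP
 ip address 50.3.3.1 255.255.255.252
 crypto map VPNMAP
!
interface GigabitEthernet0/1
 description LAN 10.2.5.0/24
 ip address 10.2.5.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 50.3.3.2
!
! Advertise the reverse-route static into OSPF so downstream routers
! forward 192.168.1.0/24 traffic to this device rather than following
! their own default route somewhere else.
router ospf 1
 network 10.2.5.0 0.0.0.255 area 0
 redistribute static subnets
```

After this, "show ip route" should list 192.168.1.0/24 as a static route once the SA is negotiated (or immediately, depending on the reverse-route options in use on that IOS release), and downstream routers should see it as an OSPF external route. If the LAN-facing router still sends 192.168.1.0/24 traffic elsewhere, check that the redistribution actually took effect before touching the crypto configuration.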

New Member

Re: IPSec Routing Problem

Now I have the route in my routing table and I still can't reach the remote end.

If I run a traceroute from the local host, it stops at my internal router interface. Where else should I check?

i. My VPN is up

ii. Route to remote host is available

New Member

Re: IPSec Routing Problem

When you did the traceroute, what did you use as the source interface? This source interface has to have a match in the access list.

New Member

Re: IPSec Routing Problem

I'm running a traceroute from 10.2.5.2 (a local node).

If I run a ping test to 192.168.1.6 (an active remote node), the ACL sees the interesting traffic, brings up the VPN and encaps the destination traffic. But I still don't reach the remote node.

Cisco Employee

Re: IPSec Routing Problem

Your traffic has already left the device if you see encrypts. It seems either the replies are not coming back from the other end, or the packet is dropped after it leaves the local device.

Do you see encrypts/decrypts on the other end of the tunnel?

Source a ping from the LAN interface of the VPN device itself, and ping the remote end's LAN interface (provided it is part of the crypto ACL).

HTH,

-Kanishka
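The checks in this reply, written out as an added troubleshooting walkthrough (not output from the poster's router). The command output below is constructed to show the symptom described in the thread: packets leaving encrypted while nothing comes back. Assumed names: crypto map VPNMAP, WAN interface GigabitEthernet0/0, LAN interface address 10.2.5.1 and remote LAN interface 192.168.1.1.

```cisco
! Added example; the output is constructed, not captured from the thread.
!
! 1. Confirm phase 1 is up with the expected peer.
Router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
89.3.2.1        50.3.3.1        QM_IDLE           1001 ACTIVE
!
! 2. Compare encaps against decaps for the SA that carries
!    10.2.5.0/24 <-> 192.168.1.0/24.
Router# show crypto ipsec sa peer 89.3.2.1
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 50.3.3.1
   local  ident (addr/mask/prot/port): (10.2.5.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 89.3.2.1 port 500
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
!   encaps climbing while decaps stays at 0 means this side is doing its
!   job: the fault is on the return path (remote peer or the ISP path),
!   not in this device's crypto or routing configuration.
!
! 3. Take the LAN hosts and the internal router out of the picture by
!    sourcing the ping from the device's own LAN interface, which is
!    inside the crypto ACL.
Router# ping 192.168.1.1 source 10.2.5.1
!
! 4. Run the same "show crypto ipsec sa" on the remote peer. decaps > 0
!    with encaps 0 there means it receives the traffic but its replies
!    are not matching its crypto ACL (or are being routed elsewhere);
!    decaps 0 means the ESP packets never arrive, which points at the
!    path between the two peers.
```

Reading the two counters side by side on both peers localises the problem to one of four places (local crypto ACL, local routing, the transit path, or the remote peer's ACL/routing) before any ISP ticket is raised.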

New Member

Re: IPSec Routing Problem

SOLVED!!! :-)

After writing some emails to my ISP, I managed to see remote encrypted traffic.

Thanks everyone.
