cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1183
Views
2
Helpful
14
Replies

L2L VPN & Default Gateway for Users

trustcisco
Level 1
Level 1

Hi,

I have a layer 3 switch with several vlans.

On vlan 5 (1.1.1.0/24) there is a router that has ipsec l2l with a remote site.

The problem is that, my users, have as default gateway the interface vlan 5 ip address (1.1.1.1./24) so the cannot access the remote sites through the ipsec router.

If i change the default gateway to the router's internal if (1.1.1.2/24) everything is working as expected.

Is there a way to trick this so the users wont have to change their default gw ?

Thanks.

14 Replies 14

Collin Clark
VIP Alumni
VIP Alumni

Sounds like this could be a routing issue. What does your routing table look like on your L3 switch?

There is a default route pointing to my asa firewall.

I have also inserted a route for the remote site to point to the ipsec router

e.g 2.2.2.0 255.255.255.0 1.1.1.2

where 2.2.2.0/24 is the lan subnet of my remote site and 1.1.1.2 the ipsec router.

From a user if you traceroute to the remote VPN subnet, where does it stop? Are your users in the same vlan as your IPSec router and your ASA?

Yes my users and the ipsec router are on the same vlan.

traceroute to 2.2.2.10 (remote lan)

1 -> 1.1.1.2 (ipsec router)

and then i get a destination unreachable..although my vpn tunnel is up and running...

From the other site, 2.2.2.0/24 i can ping 1.1.1.2 (ipsec router's internal if) but not any other host on 1.1.1.0/24.

Thanks for your help.

Can any users that are connected to your switch, but not in the same subnet as the IPSec router and the ASA get across the VPN tunnel?

The ASA is connected to the L3 Switch through a routed port.

At the moment the crypto access list permits pc's that are on the same vlan with the ipsec router. So unfortunately i can't test your scenario.

Does your ASA have a route for the remote VPN subnet pointing to the router? What do the logs on the router say when you try and go across the tunnel?

Yes it does, i can see matches in my crypto access list but still no connectivity...

Do you have an ACL on the inside interface of the ASA? Can you also put together a simple diagram?

When users choose the VPN router as their default GW the connection works, so I don't think the ASA is involved.  Is 1.1.1.2 the inside or outside interface of the VPN router? or does it only have 1?

           ASA

              |

--------------------------

|LAYER 3 SWITCH|  ------- (internal if - ip address 1.1.1.2/24)IPSec Router Part of Vlan5 (ext if 10.10.10.1)  = vpn tunnel = Remote Router.

--------------------------

   |        |                 |

vlan3 vlan4        vlan5(1.1.1.1/24)

Users on vlan 5 have as default gw the 1.1.1.1. If i change the default gw to my ipsec router's internal ip 1.1.1.2 i have connectivity.

On my layer 3 Switch i have an ip route command like ip route 2.2.2.0 255.255.255.0 1.1.1.2 where 2.2.2.0 is the remote router's lan.

The ipsec router has 2 interfaces as shown above.

ok, i have some new feedback on this.

When the users change their default gateway to 1.1.1.2 (ipsec router's internal if) i have connectivity but only from the remote site.

Meaning,users on the remote lan 2.2.2.0/24 can access user pc's on 1.1.1.0/24 but not vice versa.

It seems that even changing the default gateway for my users to 1.1.1.2 they cannot access 2.2.2.0/24...

Seems like some ACL in the ASA is blocking the traffic

Could you please share the routing table of the gateway routers at both sites.

It seems that there is a problem with my ISP an their ability to route 3G Traffic.

Thank you all for you help.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: