Cisco Support Community
Problem routing traffic between two VPN tunnels

Hello,

Attached you can find a picture with our network topology.

The problem I have is that I cannot reach network 10.201.64.0 (R3) from 192.168.2.0 (R2), but it works perfectly from R1

As you can see from the attached picture traffic from R2 to R3 goes through R1.

The source IP of all traffic addressed to 10.201.64.0 is first translated to 10.202.64.1 and then sent to the 10.201.64.0 network.

ping R2 -> R3 (100% loss)

ping 10.201.64.1 source 192.168.2.1
PING 10.201.64.1 (10.201.64.1) from 192.168.2.1 : 56(84) bytes of data.
--- 10.201.64.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

ping R1 -> R3 (100% success)

ping 10.201.64.1 source 192.168.100.1
Sending 5, 100-byte ICMP Echos to 10.201.64.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms

ping R1->R2 (100% success)

ping 192.168.2.1 source 192.168.100.1
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/12/12 ms

ping R2->R1 (100% success)

ping 192.168.100.1 source 192.168.2.1
PING 192.168.100.1 (192.168.100.1) from 192.168.2.1 : 56(84) bytes of data.
--- 192.168.100.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4048ms
rtt min/avg/max/mdev = 4.576/5.677/6.277/0.721 ms

As you can see only packet flow from R2 to R3 doesn't work.

R1: Cisco config:

! ISAKMP (IKEv1 phase 1) policies
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXX address 94.xxx.xxx.58
crypto isakmp key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX address 193.xxx.xxx.243
crypto isakmp keepalive 3600
!
! IPsec (phase 2) transform sets
crypto ipsec transform-set vpn-transform esp-aes esp-sha-hmac
 mode transport
crypto ipsec transform-set vpn-transform-aes esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto map: entry 11 is the tunnel to R2 (interesting traffic = ACL 100),
! entry 12 is the tunnel to Hermes / R3 (interesting traffic = ACL 102)
crypto map cisco 11 ipsec-isakmp
 description Tunnel to 94.xxx.xxx.58
 set peer 94.xxx.xxx.58
 set transform-set vpn-transform
 match address 100
crypto map cisco 12 ipsec-isakmp
 description Tunnel to Hermes
 set peer 193.xxx.xxx.243
 set security-association lifetime kilobytes 2560
 set transform-set vpn-transform-aes
 set pfs group5
 match address 102
!
interface GigabitEthernet0/0
 description $ES_LAN$$ETH-LAN$
 ip address 192.168.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ETH-WAN$
 ip address 193.xxx.xxx.220 255.255.255.192
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map cisco
!
! NAT: traffic to 10.201.64.0/24 is translated to 10.202.64.1 (route-map HERMES_RMAP_1 / ACL 103),
! other traffic matching ACL 101 is translated to the WAN address (route-map SDM_RMAP_1)
ip nat pool METRONET 193.xxx.xxx.220 193.xxx.xxx.220 netmask 255.255.255.192
ip nat pool HERMES 10.202.64.1 10.202.64.1 netmask 255.255.255.252
ip nat inside source route-map HERMES_RMAP_1 pool HERMES overload
ip nat inside source route-map SDM_RMAP_1 pool METRONET overload
ip route 0.0.0.0 0.0.0.0 193.xxx.xxx.193
ip route 192.168.1.0 255.255.255.0 192.168.100.254
ip route 192.168.222.0 255.255.255.0 192.168.100.254
!
ip sla auto discovery
! ACLs 100 and 102 select traffic for the crypto map; ACLs 101 and 103 select traffic for NAT
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip any 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=18
access-list 101 remark IPSec Rule
access-list 101 deny   ip any 192.168.2.0 0.0.0.255
access-list 101 deny   ip any 10.201.64.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 192.168.222.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule for Hermes VPN
access-list 102 permit ip 10.202.64.0 0.0.0.255 10.201.64.0 0.0.0.255
access-list 103 remark CCP_ACL Category=18
access-list 103 remark Hermes VPN NAT rule
access-list 103 deny   ip 10.202.64.0 0.0.0.255 10.201.64.0 0.0.0.255
access-list 103 permit ip any 10.201.64.0 0.0.0.255
!
route-map HERMES_RMAP_1 permit 1
 match ip address 103
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!

2 REPLIES

Re: Problem routing traffic between two VPN tunnels

Hi Herman!

I have a few questions to ask you, though.

Are you trying to do a site-to-site, or are you wanting to do a DMVPN? That's what this topology seems like to me. I mean, if you have a direct internet connection from R2 and R3, my suggestion would be to do it directly on them rather than going via R1.

You might need to implement some routing, and if so I'd suggest you do DMVPN, whereby R1 is the hub while R2 & R3 are spokes to R1. At least to the best of my knowledge that should work. Here are some resources for DMVPN configs below that might help you.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_A.html

http://www.fir3net.com/Cisco-Router/dmvpn-tutorial.html

http://blog.ine.com/2008/08/02/dmvpn-explained/

The sites where you have R2 and R3, I believe, both have different ISPs? Just saying from the IP address scheme you indicated.

Another scenario is that you probably want to have a site between R1, R2 and R3 where both R2 & R3 are accessing resources from R1. That's a different ball game altogether.

I hope this helps out though!

Have a good one.

Cheers

Teddy


Re: Problem routing traffic between two VPN tunnels

Hi Teddy,

To answer your questions first:

Q: Are you trying to do a site to site or you wanting to do a DMVPN?

A: DMVPN

Q:The sites where you have R2 and R3 I believe they both have different ISP?

A: Yes, they are on different ISPs

R2->R3 VPN is not possible.

Consider R1 as a main company router

R2 is a branch office router

R3 is router on a vendor side.

The goal is to access network 10.201.64.0 from 192.168.2.0 (R2->(R1)->R3).

This currently doesn't work and I don't know why.

This is exactly what I want to achieve, except that I am using NAT:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml

Cheers

Herman
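The failing R2 -> R3 path can be reasoned through from the R1 config posted above. The following is an added simulation, not code from the original post or from Cisco: it encodes the posted ACLs, NAT rules and crypto map together with two IOS behaviours, namely that classic `ip nat inside source` translation is applied only to packets that enter an `ip nat inside` interface and leave an `ip nat outside` one, and that a crypto map evaluates its ACL against the packet after NAT. The host addresses, the `nvi` switch (a model of domain-less NAT) and the TEST-NET placeholder standing in for the masked WAN address are assumptions; R2's own crypto ACL is not in the post, so the model assumes R2 already sends 192.168.2.0/24 -> 10.201.64.0/24 into its tunnel to R1.

```python
# Added model of R1's packet path (not from the original post). It encodes the
# posted ACLs, NAT rules and crypto map, plus two IOS facts: classic inside-
# source NAT translates only packets entering an "ip nat inside" interface and
# leaving an "ip nat outside" one, and the crypto map ACL is matched against the
# post-NAT packet. Host addresses are constructed samples.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
NAT_INSIDE, NAT_OUTSIDE = {"Gi0/0"}, {"Gi0/1"}

# access-list <n>: (action, src, dst); first match wins, implicit deny at the end.
ACL = {
    100: [("permit", ANY, ip_network("192.168.2.0/24"))],
    101: [("deny", ANY, ip_network("192.168.2.0/24")),
          ("deny", ANY, ip_network("10.201.64.0/24")),
          ("permit", ip_network("192.168.1.0/24"), ANY),
          ("permit", ip_network("192.168.100.0/24"), ANY),
          ("permit", ip_network("192.168.222.0/24"), ANY)],
    102: [("permit", ip_network("10.202.64.0/24"), ip_network("10.201.64.0/24"))],
    103: [("deny", ip_network("10.202.64.0/24"), ip_network("10.201.64.0/24")),
          ("permit", ANY, ip_network("10.201.64.0/24"))],
}

# Placeholder (TEST-NET-3) for the masked 193.xxx.xxx.220 WAN address.
WAN_PLACEHOLDER = ip_address("203.0.113.220")

# "ip nat inside source route-map ... pool ... overload", in configured order.
NAT_RULES = [(103, ip_address("10.202.64.1")),   # HERMES_RMAP_1 -> pool HERMES
             (101, WAN_PLACEHOLDER)]             # SDM_RMAP_1    -> pool METRONET

# crypto map cisco: seq 11 (ACL 100, peer R2) and seq 12 (ACL 102, peer Hermes/R3).
CRYPTO_MAP = [(100, "cisco 11 (R2)"), (102, "cisco 12 (Hermes/R3)")]


def acl_permits(number, src, dst):
    """Evaluate an IOS-style ACL: first matching entry decides, else deny."""
    for action, s, d in ACL[number]:
        if src in s and dst in d:
            return action == "permit"
    return False


def egress_interface(dst):
    """Connected LAN and the statics via 192.168.100.254 exit Gi0/0;
    everything else follows the default route out Gi0/1."""
    for lan in ("192.168.100.0/24", "192.168.1.0/24", "192.168.222.0/24"):
        if dst in ip_network(lan):
            return "Gi0/0"
    return "Gi0/1"


def forward(src, dst, ingress, nvi=False):
    """Return the source a packet leaves R1 with, its egress interface and
    whether a crypto map entry encrypted it. nvi=True models domain-less NAT
    (assumption: an IOS NVI-style 'ip nat source' rule with no inside/outside
    requirement) so the hairpinned flow is translated before the crypto check."""
    src, dst = ip_address(src), ip_address(dst)
    egress = egress_interface(dst)
    out_src = src
    if nvi or (ingress in NAT_INSIDE and egress in NAT_OUTSIDE):
        for acl, pool in NAT_RULES:
            if acl_permits(acl, src, dst):
                out_src = pool
                break
    via = None
    if egress == "Gi0/1":  # crypto map "cisco" is bound to Gi0/1 only
        for acl, entry in CRYPTO_MAP:
            if acl_permits(acl, out_src, dst):
                via = entry
                break
    return {"src": str(out_src), "egress": egress, "encrypted": via is not None, "via": via}


if __name__ == "__main__":
    # R1 LAN host -> R3: enters inside, leaves outside, translated, matches ACL 102.
    print(forward("192.168.100.1", "10.201.64.1", "Gi0/0"))
    # R2 LAN host -> R3: decrypted on Gi0/1 (outside), routed back out Gi0/1
    # (outside): no NAT, source stays 192.168.2.1, no crypto ACL matches.
    print(forward("192.168.2.1", "10.201.64.1", "Gi0/1"))
    # Same flow with domain-less NAT: translated to 10.202.64.1, then encrypted.
    print(forward("192.168.2.1", "10.201.64.1", "Gi0/1", nvi=True))
```

What the model shows is that the R2 flow never crosses an inside-to-outside boundary on R1, so HERMES_RMAP_1 is not applied, the source stays 192.168.2.x, ACL 102 does not match and crypto map entry 12 never fires; ACL 101 also denies any destination in 10.201.64.0/24, so the untranslated RFC 1918 packet is forwarded in cleartext along the default route toward the ISP, which is the security-relevant side effect to check for. On the router this shows up as no entry for 192.168.2.x in `show ip nat translations` and no encaps counter increase on the Hermes SA in `show crypto ipsec sa` while the ping runs. The usual IOS remedies are NVI-style NAT (`ip nat enable` on the interfaces with `ip nat source route-map ... pool ... overload`), which has no inside/outside requirement, or hairpinning the decrypted traffic through a loopback marked `ip nat inside` with policy routing; both need to be validated on the platform, and the `nvi=True` case above only demonstrates that translating before the crypto check is what makes the flow match ACL 102.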
