New Member

Route all traffic over IPsec tunnel.

We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic, including web surfing, through the tunnels. What would be the easiest way to accomplish this? I have tried utilizing the crypto map policy to do this, but was unable to accomplish it.

Each of our office locations utilizes a Cisco 2811 router and the tower locations utilize a Cisco 881.

Any suggestions would be greatly appreciated.

21 REPLIES

Route all traffic over IPsec tunnel.

Hello Jonathan,

On the Crypto ACL you need to match all traffic (ip) and do not nat the traffic as well.

That should do it

Regards,

Julio

Do rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Route all traffic over IPsec tunnel.

This is what I was using and I could not figure out why it did not work. The HQ network is 192.168.4.0/24 and this remote office is 192.168.24.0/24

crypto map REM_RTR 10 ipsec-isakmp
 description Tunnel to HQ
 set peer xx.xx.36.80
 set transform-set myset
 match address 120
!
interface fa0/0
 crypto map REM_RTR
!
access-list 120 permit ip any 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.4.0 0.0.0.255 any

I am obviously missing something right in front of my face but cannot see it.

Route all traffic over IPsec tunnel.

Hello Jonathan,

So this is the config of the remote site, and you want to send all traffic from .24 over the VPN tunnel.

The ACL should be:

access-list 120 permit ip 192.168.24.0 255.255.255.0 any

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Route all traffic over IPsec tunnel.

I have corrected the access-list and when performing a trace route from a local machine it is still dumped out on to the local internet instead of routing through to HQ.

Any suggestions?

Route all traffic over IPsec tunnel.

Hello Jonathan,

You have a nat 0 rule right?

Can you provide it? It should be something similar to this:

nat (inside) 0 access-list vpn

access-list vpn should be:

access-list vpn permit ip 192.168.24.0 255.255.255.0 any

Please provide the following:

packet-tracer input inside tcp 192.168.24.20 1025 4.2.2.2 80

Regards,

Julio

Rate helpful posts!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Route all traffic over IPsec tunnel.

I actually removed the nat outside and inside statements from the remote router I am trying to accomplish this on. I would rather all NAT-related things go through our corporate link.

I tried to issue the packet-tracer command and it seems my version of IOS does not have that command.

Hall of Fame Super Silver

Route all traffic over IPsec tunnel.

What's your local (client) subnet? I ask because the postings above changed your 3rd octet from .4 to .24.

"packet-tracer" is an ASA command and not available on IOS.

New Member

Route all traffic over IPsec tunnel.

.24 is the remote subnet. .4 is the HQ subnet.

Hall of Fame Super Silver

Route all traffic over IPsec tunnel.

OK, I see that now after re-reading the above. So, on the remote site, your access-list vpn is currently one line as follows:

access-list vpn permit ip 192.168.24.0 255.255.255.0 any

You do need the nat 0 rule there as Julio noted above so as to exempt the remote site's traffic from being NATted.

Your VPN is up, yes? (show crypto isakmp sa)

If all the above are confirmed, then please try "show access-list vpn", introduce traffic into the tunnel and repeat the "show" command. You should see the "hitcnt" incrementing.

Re: Route all traffic over IPsec tunnel.

Hello Jonathan and Marvin,

Thanks for that Marvin, I forgot we were on a router; yes, packet-tracer is not supported on IOS routers.

The ACL should be like:

access-list vpn permit ip 192.168.24.0 0.0.0.255 any

So you will send all traffic over the VPN tunnel. Just to let you know, after you make a change to a VPN configuration (in this case it will be a phase 2 change) you need to turn down the tunnel and then re-build it so the peers can negotiate the VPN tunnel with the new setup.

A clear crypto sa peer x.x.x.x (remote access IP address) should do it.

Regards,

Julio

Do rate helpful posts!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
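The two requirements Julio lays out above (a crypto ACL that covers all traffic from 192.168.24.0/24, written with a wildcard mask, and keeping that traffic out of NAT) can be checked offline with the following Python simulation of IOS's inside-to-outside order of operations. This is an added example, not code from the thread or from Cisco; the ACL parser, the egress helper and the 203.0.113.24 public address are constructed for it, and only "permit/deny ip" entries are modelled.

```python
import ipaddress

def _addr_spec(tokens, i):  # 'any' or 'NET WILDCARD' at tokens[i] -> ((net, wild), next_i)
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net, wild = (int(ipaddress.IPv4Address(tokens[i + k])) for k in (0, 1))
    return (net, wild), i + 2

def parse_ace(line):
    """One 'access-list N permit|deny ip SRC DST' line -> (permit, src_spec, dst_spec)."""
    t = line.split()
    t = t[2:] if t[0] == "access-list" else t     # drop 'access-list <number>'
    src, i = _addr_spec(t, 2)                     # t[1] is the protocol; only 'ip' is modelled
    return t[0] == "permit", src, _addr_spec(t, i)[0]
def parse_acl(text):
    return [parse_ace(line) for line in text.strip().splitlines()]

def _match(spec, ip):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF                     # a 1 bit in an IOS wildcard means 'do not care'
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def acl_permits(aces, src, dst):
    """First match wins; an unmatched packet hits the implicit deny, as on IOS."""
    for permit, s, d in aces:
        if _match(s, src) and _match(d, dst):
            return permit
    return False

def egress(src, dst, nat_acl, crypto_acl, outside_ip):
    """Inside-to-outside on IOS: NAT runs before the crypto map ACL is consulted, so a
    translated packet is compared using its new public source. Returns (how, wire_src)."""
    if nat_acl and acl_permits(parse_acl(nat_acl), src, dst):
        src = outside_ip                          # 'overload' PAT rewrites the source
    return ("encrypted" if acl_permits(parse_acl(crypto_acl), src, dst) else "cleartext"), src

# Constructed sample values: remote office 192.168.24.0/24, HQ 192.168.4.0/24, a LAN host
# browsing 4.2.2.2 (the probe asked for in the thread); the public address is made up.
OUTSIDE = "203.0.113.24"
ORIGINAL_CRYPTO = ("access-list 120 permit ip any 192.168.4.0 0.0.0.255\n"
                   "access-list 120 permit ip 192.168.4.0 0.0.0.255 any")
SUBNET_MASK_TYPO = "access-list 120 permit ip 192.168.24.0 255.255.255.0 any"
FIXED_CRYPTO = "access-list 120 permit ip 192.168.24.0 0.0.0.255 any"
NAT_EVERYTHING = "access-list 100 permit ip 192.168.24.0 0.0.0.255 any"

if __name__ == "__main__":                        # walk the thread's configurations in order
    for nat, crypto in [(None, ORIGINAL_CRYPTO), (None, SUBNET_MASK_TYPO),
                        (None, FIXED_CRYPTO), (NAT_EVERYTHING, FIXED_CRYPTO)]:
        print(egress("192.168.24.20", "4.2.2.2", nat, crypto, OUTSIDE))
```

The NAT step is what makes "do not nat the traffic" matter: IOS translates before it consults the crypto map, so a NAT ACL that still matches 192.168.24.0/24 sends browsing traffic out in cleartext even with the corrected crypto ACL. The same inside/outside rule applies at the hub, where the spoke's traffic is only translated if it arrives on an interface configured as ip nat inside, such as Tunnel0.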
New Member

Route all traffic over IPsec tunnel.

Ok, I will re-add the nat inside, outside, and overload and try the NAT ACL rule. Let's hope that it works.

New Member

Route all traffic over IPsec tunnel.

Actually I cannot utilize the NAT 0 rule. The HQ is a Cisco 2811 router, not a PIX.

Marvin,

Yes the tunnels are up. I am able to access all networks fine. The only part that is not working is the forcing of internet data across the tunnel.

Route all traffic over IPsec tunnel.

Hello Jonathan,

So just take out all the nat statements.

You do not need to nat the VPN traffic.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Route all traffic over IPsec tunnel.

I have removed NAT, added the crypto map, and modified the access list. I can browse the remote network but am unable to browse the web. On the HQ router I added permit ip 192.168.24.0 255.255.255.0 any to the NAT access list. Any ideas what else I need to change on that router?

The solution is very close!

Route all traffic over IPsec tunnel.

Hello Jonathan,

Okay, so now all traffic from the remote office is going through the VPN tunnel.

So on the HQ you have, in the ACL for the NAT:

permit ip 192.168.24.0 0.0.0.255 any

Is that true?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Route all traffic over IPsec tunnel.

Correct.

*Copy/Paste from router*

ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.24.0 0.0.0.255 any

I do not have any crypto maps on the head end router. Could we solve this by utilizing a crypto map and creating an ACL for that?

Route all traffic over IPsec tunnel.

Hello Jonathan

If you do not have a crypto map on both routers you do not have a VPN tunnel up and running.

Can you share the show crypto isakmp sa and sh run crypto ipsec sa from both routers, to check if the VPN is already established.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Route all traffic over IPsec tunnel.

Here are the results. I'm guessing this works without the maps due to EIGRP automatically routing the local network on each site.

sh cry ipse sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr xx.xx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (xx.xx.xx.xx/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (xx.xx.xx.xx/255.255.255.255/47/0)
   current_peer xx.xx.xx.xx port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5588, #pkts encrypt: 5588, #pkts digest: 5588
    #pkts decaps: 9750, #pkts decrypt: 9750, #pkts verify: 9750
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF8C3C17B(4173578619)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x645BF58B(1683748235)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 11, flow_id: Onboard VPN:11, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4464378/1390)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF8C3C17B(4173578619)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4464439/1390)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: FastEthernet0/0
    Crypto map tag: REM_RTR, local addr xx.xx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 64.184.36.79 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Route all traffic over IPsec tunnel.

Hello Jonathan,

Ok so the VPN is up and running, can you provide the VPN configuration on the HQ site?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Route all traffic over IPsec tunnel.

Sure thing.

crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key password
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile VPN_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ccp-dmvpn-isakmprofile
!
interface Tunnel0
 bandwidth 10000
 ip address 10.129.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile VPN_Profile1

New Member

Route all traffic over IPsec tunnel.

I tried adding a crypto map to the hub router with an ACL of access-list 120 permit ip any any. This locked up the router.

Any idea what type of access list I would need to accomplish this?
