Cisco Support Community
Community Member

VPN Problem

Hi sir,

My company has been using a site-to-site VPN connecting the branch office and the HQ. Originally, the HQ only allowed the branch network (172.29.4.64/27) to access the HQ network (192.168.10.0/24), and it worked fine. Now the branch needs to access another network (192.168.31.0/24) in the HQ. So both sides added the ACL for the NO NAT and the interesting VPN traffic. But it doesn't work: the 172.29.4.64/27 network still can NOT access the 192.168.31.0/24 network in the HQ. You don't need to think about the problem of the routing and configuration, as the configuration for 192.168.31.0/24 is the same as the configuration for 192.168.10.0/24. I did some tests and found that the ACL for the interesting VPN traffic does NOT work. It still only allows the 172.29.4.65/27 network to access 192.168.10.0/24. To me it is really weird. I am wondering if it is caused by the protocol [I am using esp-des esp-sha-hmac for the transform set], as the problem doesn't happen on the VPN that uses the esp-des esp-md5-hmac protocol.

Could you please help me to figure it out? Thanks in advance!!

1 REPLY

Re: VPN Problem

Hi there,

You are saying "As the problem doesn't happen on the VPN that uses the esp-des esp-md5-hmac protocol". Basically this is the same VPN. It is between the same endpoints, and you should have only one esp-des esp-md5-hmac protocol.

Start from the existing VPN that works and add the crypto ACL and NAT 0 statements required for the new traffic on both ends.

Can you attach a sanitized config?

Please rate if this helped.

Regards,

Daniel
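A quick way to verify the advice above before touching the routers: the crypto ACLs on the two ends must be exact mirrors of each other, and every pair HQ is expected to encrypt must also be in HQ's NAT-exemption ACL. The script below is an added example, not code from the thread; the three ACLs are constructed samples using the subnets from the question, and it assumes the PIX/ASA-style convention where `permit` lines in the NAT 0 ACL are the exempted pairs.

```python
import ipaddress
# Constructed sample ACLs (not from the thread); IOS/PIX-style wildcard masks.
BRANCH_CRYPTO_ACL = """
access-list 101 permit ip 172.29.4.64 0.0.0.31 192.168.10.0 0.0.0.255
access-list 101 permit ip 172.29.4.64 0.0.0.31 192.168.31.0 0.0.0.255
"""
HQ_CRYPTO_ACL = """
access-list 120 permit ip 192.168.10.0 0.0.0.255 172.29.4.64 0.0.0.31
"""
HQ_NAT0_ACL = """
access-list 110 permit ip 192.168.10.0 0.0.0.255 172.29.4.64 0.0.0.31
access-list 110 permit ip 192.168.31.0 0.0.0.255 172.29.4.64 0.0.0.31
"""

def _net(tok, i):
    """Consume one address spec (any | host A | A WILDCARD) at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(f"{tok[i + 1]}/32"), i + 2
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    if wild & (wild + 1):  # wildcard must be contiguous low-order ones
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]}")
    return ipaddress.IPv4Network(f"{tok[i]}/{32 - wild.bit_length()}", strict=False), i + 2

def acl_pairs(text):
    """Set of (src, dst) networks from 'access-list N permit ip SRC DST' lines."""
    pairs = set()
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        src, i = _net(tok, 4)
        dst, _ = _net(tok, i)
        pairs.add((src, dst))
    return pairs

def check_vpn_acls(branch_crypto, hq_crypto, hq_nat0):
    """Report proxy-ID pairs missing from either crypto ACL or from HQ's NAT-exempt ACL."""
    b, h, n = acl_pairs(branch_crypto), acl_pairs(hq_crypto), acl_pairs(hq_nat0)
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    expected_hq = {(d, s) for s, d in b}      # HQ crypto ACL must mirror the branch ACL
    expected_branch = {(d, s) for s, d in h}  # and vice versa
    return {
        "missing_on_hq_crypto": fmt(expected_hq - h),
        "missing_on_branch_crypto": fmt(expected_branch - b),
        "hq_pairs_not_nat_exempt": fmt((h | expected_hq) - n),
    }
if __name__ == "__main__":
    for name, gaps in check_vpn_acls(BRANCH_CRYPTO_ACL, HQ_CRYPTO_ACL, HQ_NAT0_ACL).items():
        print(name, gaps or "OK")
```

With the sample data the report flags that HQ's crypto ACL lacks the mirror entry for 192.168.31.0/24, which is exactly the kind of one-sided omission that leaves the new subnet unreachable while the original one keeps working.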
