New Member

Site to Site VPN Up and Working....Problem with Router communication

Hi All,

I would appreciate any advice for the following issue. I have 2 sites, A (10.1.0.0) and B (10.2.0.0). I have created an IPsec tunnel between the two sites and end devices at both ends can communicate with each other. However, the routers cannot communicate with the other subnet. For example, at Router A, if I were to try to ping 10.2.1.1, it fails. If I try the command ping 10.2.1.1 source 10.1.1.1, it works. How do I instruct the router to use the VPN tunnel for the traffic to the other subnet? As stated, end devices such as computers are able to use the tunnel fine. I need the routers to also be able to use the tunnel for interesting traffic.

Thanks!

3 REPLIES
Hall of Fame Super Gold

Re: Site to Site VPN Up and Working....Problem with Router communication

Ger

First, let's clarify what the problem is and then we can talk about how to solve it.

The issue is that the access list that defines what traffic to protect with IPSec is including traffic sourced from the 10.1.0.0 network but is not including traffic sourced from the router's outbound interface. If you just ping 10.2.1.1 the router will default to using the outbound interface address as the source address and it will not pass through IPSec. When you specify the source address in the ping then it does pass through IPSec.

So how do you solve this? One alternative is that for some protocols you can configure the router to specify the source address (ip telnet source-interface, ip ssh source-interface, ip ftp source-interface, ip tftp source-interface, ip tacacs source-interface, ip radius source-interface, logging source-interface, snmp-server trap-source, ntp source, ip flow-export source), and so you can have these protocols specify a source address that is included in IPSec. But probably the best solution is to revise the access list so that it not only looks for traffic sourced from 10.1.0.0 but also includes traffic sourced from the router's other interfaces and going to destinations on the remote router.

HTH

Rick

New Member

Re: Site to Site VPN Up and Working....Problem with Router communication

Thank you for the reply Rick. Your explanation makes perfect sense.

Currently, my access list for the crypto statement looks like this:

access-list 100 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

If my T1 Serial interface is my outbound interface with IP address 12.1.1.1 255.255.255.248, then I would have to add an access list statement such as:

access-list 100 permit ip host 12.1.1.1 10.2.0.0 0.0.255.255

Would that be adequate, or would I also have to add a different access list or static route?

Thank you again for your help.

Hall of Fame Super Gold

Re: Site to Site VPN Up and Working....Problem with Router communication

Ger

I would think that this addition to the access list would be adequate (mostly). Remember that the access lists on each end need to mirror each other, so the remote router needs to add a similar statement. And if the remote router wants to add a statement like this so that it will include traffic sourced from its interface then you would need to add a similar statement.

HTH

Rick
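The following is an added example, not code from the thread or from Cisco: a small Python model of how a crypto access list decides whether a packet is "interesting" (sent through IPsec) or leaves in the clear, replaying the two pings from the question against ACL 100 as posted and as revised, and then checking the mirrored access list Rick says the remote router needs. The addresses (10.1.0.0/16, 10.2.0.0/16, the serial interface 12.1.1.1/29) come from the posts; the function names, the wildcard-conversion helper and the first-match evaluation model are this example's own assumptions.

```python
# Added example (not from the thread): a small model of how a Cisco crypto
# ACL classifies traffic as "interesting" (protected by IPsec) or not, using
# the addresses quoted in the posts: site A 10.1.0.0/16, site B 10.2.0.0/16,
# and router A's outbound serial interface 12.1.1.1/29.
import ipaddress
from typing import List, Tuple

ACE = Tuple[str, int, int, int, int]  # (action, src, src_wildcard, dst, dst_wildcard)


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def mask_to_wildcard(subnet_mask: str) -> str:
    """Convert a subnet mask to the inverse (wildcard) mask IOS ACLs expect."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_to_int(subnet_mask)))


def _parse_addr(tokens: List[str]) -> Tuple[int, int, int]:
    """Read one address spec ('any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W');
    return (address, wildcard, tokens consumed)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, 1
    if tokens[0] == "host":
        return ip_to_int(tokens[1]), 0, 2
    return ip_to_int(tokens[0]), ip_to_int(tokens[1]), 2


def parse_acl(lines: List[str]) -> List[ACE]:
    """Parse 'access-list N permit|deny ip SRC DST' lines (other lines ignored)."""
    aces = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        rest = tok[4:]
        src, src_wc, used = _parse_addr(rest)
        dst, dst_wc, _ = _parse_addr(rest[used:])
        aces.append((tok[2], src, src_wc, dst, dst_wc))
    return aces


def _matches(addr: int, base: int, wildcard: int) -> bool:
    # Wildcard bit 1 = "don't care"; only the 0 bits are compared.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (base & care)


def is_interesting(acl: List[ACE], src: str, dst: str) -> bool:
    """First-match evaluation; the implicit deny means the packet leaves in the clear."""
    s, d = ip_to_int(src), ip_to_int(dst)
    for action, base_s, wc_s, base_d, wc_d in acl:
        if _matches(s, base_s, wc_s) and _matches(d, base_d, wc_d):
            return action == "permit"
    return False


def mirror_acl(acl: List[ACE]) -> List[ACE]:
    """The peer's crypto ACL must be the mirror image: swap source and destination."""
    return [(a, d, wc_d, s, wc_s) for a, s, wc_s, d, wc_d in acl]


# The crypto ACL as posted, and the revision that adds the interface address.
ORIGINAL_ACL = ["access-list 100 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"]
REVISED_ACL = ORIGINAL_ACL + ["access-list 100 permit ip host 12.1.1.1 10.2.0.0 0.0.255.255"]


def demo() -> dict:
    """Replay the thread's two pings against both ACLs, plus the mirrored peer ACL."""
    original, revised = parse_acl(ORIGINAL_ACL), parse_acl(REVISED_ACL)
    peer = mirror_acl(revised)
    return {
        # 'ping 10.2.1.1 source 10.1.1.1': inside address, matched by the original ACL
        "sourced_ping_original": is_interesting(original, "10.1.1.1", "10.2.1.1"),
        # plain 'ping 10.2.1.1': IOS uses the egress interface address 12.1.1.1,
        # which the original ACL never mentions, so the packet bypasses IPsec
        "plain_ping_original": is_interesting(original, "12.1.1.1", "10.2.1.1"),
        "plain_ping_revised": is_interesting(revised, "12.1.1.1", "10.2.1.1"),
        # the peer's mirrored ACL protects the reply path back to the interface
        "peer_reply": is_interesting(peer, "10.2.1.1", "12.1.1.1"),
        # a /29 subnet mask is not a valid wildcard; this is what 255.255.255.248 becomes
        "wildcard_for_29": mask_to_wildcard("255.255.255.248"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the plain ping failing the original ACL and passing the revised one, and the mirrored entry on the peer covering the return traffic. The model only evaluates ACL matching; it does not represent route lookup or the crypto map itself, which is why the lead-in calls it an illustration rather than a simulation of IOS.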
