I have been trying to establish a site-to-site VPN connection between two offices and have been having some complications. I was wondering if anyone could look at my configurations and let me know what is wrong. Currently the VPN status is up but no traffic is going through. From a PC on site A I am able to ping the LAN interface on the site B router but no further than that. From site B nothing goes through; the only thing I can do is ping site A's WAN IP.
I have attached the configuration for both routers with the result of some vpn tests.
Based on this order of operations it would appear that your NAT translation is occurring before your crypto policy is checked, and therefore the traffic doesn't match your encryption domain and isn't sent through the tunnel.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 188.8.131.52 name DefaultRouteToTDS-Router
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.58.1.0 0.0.0.255 10.31.0.0 0.0.7.255
In this table, the point at which NAT performs the global-to-local or local-to-global translation is different in each flow.
Well, you can disregard my first statement, as you are calling a route-map that doesn't exist. So it shouldn't be doing any NATing. I wonder if you removed that statement whether you would have any more luck.
no ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
Or, if you can't remove that statement, maybe you could create a route-map SDM_RMAP_1 for your NAT that excludes the traffic you want to encrypt, using source and destination IPs, and permits everything else.
Sorry for the multiple edits to the posts. I'm done.
Maybe you could try to add the following to see if it would help:
route-map SDM_RMAP_1 permit 10
match ip address DENY-VPN-TRAFFIC
ip access-list extended DENY-VPN-TRAFFIC
deny ip 10.58.1.0 0.0.0.255 10.31.0.0 0.0.7.255
permit ip any any
Thank you so very much for your effort to help me,
I have added the lines that you recommended and nothing seems to have changed. I have attached the updated sh running-config for both sites.
Site A router:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.58.1.10, timeout is 2 seconds:
Success rate is 0 percent (0/5) <--- Interesting: on the Site A router I CANNOT ping the Site B LAN interface, but from a client on Site A I can!!!
Site A: from my desktop
Pinging 10.58.1.10 with 32 bytes of data:
Reply from 10.58.1.10: bytes=32 time=27ms TTL=254
Reply from 10.58.1.10: bytes=32 time=26ms TTL=254
Reply from 10.58.1.10: bytes=32 time=26ms TTL=254
Reply from 10.58.1.10: bytes=32 time=65ms TTL=254
Ping statistics for 10.58.1.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 26ms, Maximum = 65ms, Average = 36ms
Tracing route to 10.58.1.10 over a maximum of 30 hops
1 1 ms 1 ms 1 ms 10.31.1.1 <---- Main router on Site A
2 1 ms 1 ms 1 ms 10.31.1.4 <--- Internal Face of the VPN router on Site A
3 61 ms 60 ms 68 ms 10.58.1.10 <--- Internal Face of the VPN router on Site B
I cannot do any of this on site B.
You'll need to mirror your config on Router A like you have for Router B. You don't have NAT set up on Router A correctly. You have "ip nat inside" and "ip nat outside" set up on the appropriate interfaces, but you don't have a NAT statement to tell the router what to translate.
ip nat inside source route-map SDM_RMAP_1 interface fa0/1 overload
The reason why you can't ping from router A is that you are not sourcing any traffic that matches your encryption domain. Try pinging with fa0/0 as the source.
Now, with regard to pinging from Site B to Site A, can you do a traceroute from your PC in Site B to Site A? Also, can you make sure that you don't have a Windows firewall denying ICMP traffic?
Also, when you are pinging from router Ply-to-Main you may want to check your NAT translations to see what, if anything, is getting translated. Your config looks OK to me, so I'm leaning more towards NAT being the issue, or something on the hosts. There wouldn't be a firewall or anything between the routers and hosts, would there?
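The two diagnoses in this thread (NAT being applied before the crypto map check, and a router-sourced ping not falling inside the encryption domain) are easy to reason about with a small model. The Python below is an added example, not code or output from the thread: it implements Cisco wildcard-mask ACL matching, then runs a packet through the inside-to-outside order of operations (inside-source NAT first, crypto ACL second) for the ACL 100 and DENY-VPN-TRAFFIC entries posted above. The Site B WAN address 203.0.113.2, the Site A WAN address 203.0.113.1, the Site A crypto ACL (assumed to be the mirror of Site B's, as the reply above recommends), and the PC and Internet addresses are constructed placeholders, not taken from the posted configs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus source/destination network and wildcard mask."""
    action: str
    src_net: str
    src_wc: str
    dst_net: str
    dst_wc: str


@dataclass(frozen=True)
class Result:
    natted: bool
    post_nat_src: str
    encrypted: bool


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def parse_ace(line: str) -> Ace:
    """Parse 'permit|deny ip <src> <wc> <dst> <wc>' with 'any' and 'host X' shorthands."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol; only 'ip' is modelled

    def take(t):
        if t[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), t[1:]
        if t[0] == "host":
            return (t[1], "0.0.0.0"), t[2:]
        return (t[0], t[1]), t[2:]

    (sn, sw), rest = take(rest)
    (dn, dw), rest = take(rest)
    return Ace(action, sn, sw, dn, dw)


def parse_acl(lines):
    return [parse_ace(line) for line in lines]


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src_net, ace.src_wc) and wildcard_match(dst, ace.dst_net, ace.dst_wc):
            return ace.action
    return "deny"


# ACL 100 (crypto map) and DENY-VPN-TRAFFIC (NAT route-map) exactly as posted for Site B.
CRYPTO_ACL_100 = parse_acl(["permit ip 10.58.1.0 0.0.0.255 10.31.0.0 0.0.7.255"])
DENY_VPN_TRAFFIC = parse_acl([
    "deny ip 10.58.1.0 0.0.0.255 10.31.0.0 0.0.7.255",
    "permit ip any any",
])
NAT_EVERYTHING = parse_acl(["permit ip any any"])  # a route-map that does not exempt VPN traffic
# Assumed mirror of ACL 100 for Site A (the thread does not show Site A's crypto ACL).
CRYPTO_ACL_SITE_A = parse_acl(["permit ip 10.31.0.0 0.0.7.255 10.58.1.0 0.0.0.255"])
SITE_B_WAN_IP = "203.0.113.2"  # assumed placeholder WAN address
SITE_A_WAN_IP = "203.0.113.1"  # assumed placeholder WAN address


def inside_to_outside(src: str, dst: str, nat_acl, crypto_acl, wan_ip: str) -> Result:
    """Inside->outside path: inside-source NAT overload runs before the crypto map is consulted.
    nat_acl=None models the posted case where the referenced route-map does not exist."""
    natted = nat_acl is not None and acl_lookup(nat_acl, src, dst) == "permit"
    post_nat_src = wan_ip if natted else src
    encrypted = acl_lookup(crypto_acl, post_nat_src, dst) == "permit"
    return Result(natted, post_nat_src, encrypted)


def router_originated(src_if_ip: str, dst: str, crypto_acl) -> bool:
    """A router-sourced ping never hits inside-source NAT; it is encrypted only if the
    chosen source interface address falls inside the crypto ACL."""
    return acl_lookup(crypto_acl, src_if_ip, dst) == "permit"


if __name__ == "__main__":
    pc_b, pc_a, internet = "10.58.1.10", "10.31.1.50", "198.51.100.7"
    print("Site B PC -> Site A, NAT everything:", inside_to_outside(pc_b, pc_a, NAT_EVERYTHING, CRYPTO_ACL_100, SITE_B_WAN_IP))
    print("Site B PC -> Site A, VPN exempt:    ", inside_to_outside(pc_b, pc_a, DENY_VPN_TRAFFIC, CRYPTO_ACL_100, SITE_B_WAN_IP))
    print("Site B PC -> Internet, VPN exempt:  ", inside_to_outside(pc_b, internet, DENY_VPN_TRAFFIC, CRYPTO_ACL_100, SITE_B_WAN_IP))
    print("Router A ping sourced from WAN:     ", router_originated(SITE_A_WAN_IP, pc_b, CRYPTO_ACL_SITE_A))
    print("Router A ping sourced from fa0/0:   ", router_originated("10.31.1.4", pc_b, CRYPTO_ACL_SITE_A))
```

The first scenario is the failure mode the first reply describes: with a NAT route-map that permits everything, the PC's source address becomes the WAN address before the crypto map looks at the packet, so it no longer matches ACL 100 and leaves in the clear. Exempting the VPN subnets in the route-map (or having no NAT statement at all, as when the route-map does not exist) leaves the source untouched and the packet is encrypted. The last two lines model the second reply: a ping from Router A sourced from its WAN address is outside the encryption domain, while one sourced from fa0/0 (10.31.1.4 in the traceroute above) is inside it.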