IPSec Site to Site VPN Issue

comenyi1
Level 1

Hello, I am writing on behalf of a friend and me, as we have been having trouble establishing a site-to-site VPN between our 2 servers. Hoping someone can shine a light on something we are missing.

We have the VPN up, but our server hosts are not communicating with each other.

When he sends a ping to me I do see my decap traffic increment, but nothing on my end increments when I try to send a ping in his direction.

We are both using 2901 routers running Version 15.7 for this task, and my half of the config is below. Our configs are mirrored exactly.


crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 lifetime 10800
crypto isakmp key g3tc0nn3ct3d address [his wan ip]

crypto ipsec transform-set vpn esp-aes esp-sha-hmac
 mode tunnel

crypto map vpn 10 ipsec-isakmp
 set peer [his wan ip]
 set transform-set vpn
 match address vpn

Extended IP access list vpn
 10 permit ip host 192.168.1.252 host 192.168.254.52 log

interface GigabitEthernet0/0
 description To Comcast
 ip address [my wan]
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map vpn

ip route 192.168.254.52 255.255.255.255 g0/0

Thank you for any tips provided

1 Accepted Solution

@comenyi1 I can see you've got NAT enabled; ensure traffic between the 2 hosts/networks 192.168.1.252 and 192.168.254.52 is not translated. Modify the NAT ACL to deny this traffic, and ensure this is above the networks you do want to be translated.

Why have a specific static route to the /32? Surely the default route goes out g0/0 anyway. If so, you can remove it.

Also remove "log" from the crypto ACL "vpn".

4 Replies

Hi Rob, so for NAT, I had just a single permit statement for my private network. Did you mean for me to specify the two hosts in this NAT ACL, as I have expressed below?

5 deny ip host 192.168.1.252 host 192.168.254.52
10 permit ip 192.168.1.0 0.0.0.255 any

Regarding the static route, I threw that in there while troubleshooting, along with the log on the ACL vpn.

Thanks

@comenyi1 Yes, that NAT rule statement should suffice; just mirror the crypto ACL.

Thank you this worked! We never thought of NAT or saw anything in our debug to point us in that direction. Much appreciated!
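The two points from the accepted solution and the follow-up, that the NAT-exemption deny must sit above the permit and that the crypto ACLs on both ends must mirror each other, can be checked off-box. The script below is an added example, not code from the thread or from Cisco: it models IOS first-match ACL evaluation with wildcard masks and the inside-to-outside order of operations (NAT before the crypto map), then runs the ACL text from the thread through it. The WAN address 198.51.100.1, the Internet destination 203.0.113.10 and the remote-side crypto ACL are constructed placeholders.

```python
"""Model Cisco-style ACL evaluation to show why NAT must exempt VPN traffic
and why the NAT exemption has to sit above the permit.
Added example; addresses and ACL text are constructed from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str       # "permit" or "deny"
    src: str          # host or network address
    src_wild: str     # Cisco wildcard mask: a 0 bit means "this bit must match"
    dst: str
    dst_wild: str


def _matches(addr: str, base: str, wildcard: str) -> bool:
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str) -> Ace:
    """Parse 'SEQ permit|deny ip <addr-spec> <addr-spec> [log]' where an
    addr-spec is 'any', 'host A' or 'A WILDCARD'. Trailing keywords such as
    'log' do not affect matching, so they are ignored."""
    tok = line.split()
    seq, action = int(tok[0]), tok[1]
    if action not in ("permit", "deny") or tok[2] != "ip":
        raise ValueError(f"unsupported ACE: {line}")

    def take(rest):
        if rest[0] == "any":
            return "0.0.0.0", "255.255.255.255", rest[1:]
        if rest[0] == "host":
            return rest[1], "0.0.0.0", rest[2:]
        return rest[0], rest[1], rest[2:]

    src, sw, rest = take(tok[3:])
    dst, dw, _ = take(rest)
    return Ace(seq, action, src, sw, dst, dw)


def evaluate(acl, src, dst):
    """IOS semantics: entries are tried in sequence order, first match wins,
    and an unmatched packet hits the implicit deny at the end."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if _matches(src, ace.src, ace.src_wild) and _matches(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


def outbound_path(nat_acl, crypto_acl, src, dst, wan_ip):
    """Inside-to-outside: NAT is applied before the crypto map is consulted,
    so a translated source no longer matches the crypto ACL and leaves in clear."""
    if evaluate(nat_acl, src, dst) == "permit":
        src = wan_ip
    return "encrypted" if evaluate(crypto_acl, src, dst) == "permit" else "clear"


def _shape(ace):
    return (ace.action, ace.src, ace.src_wild, ace.dst, ace.dst_wild)


def crypto_acls_mirror(local, remote):
    """True when every local entry appears on the remote side with src/dst swapped."""
    swapped = {(a.action, a.dst, a.dst_wild, a.src, a.src_wild) for a in local}
    return swapped == {_shape(a) for a in remote}


# Constructed sample data: hosts from the thread, placeholder WAN address.
MY_WAN = "198.51.100.1"
CRYPTO_LOCAL = [parse_ace("10 permit ip host 192.168.1.252 host 192.168.254.52 log")]
CRYPTO_REMOTE = [parse_ace("10 permit ip host 192.168.254.52 host 192.168.1.252")]
NAT_ORIGINAL = [parse_ace("10 permit ip 192.168.1.0 0.0.0.255 any")]
NAT_FIXED = [parse_ace("5 deny ip host 192.168.1.252 host 192.168.254.52"),
             parse_ace("10 permit ip 192.168.1.0 0.0.0.255 any")]
NAT_WRONG_ORDER = [parse_ace("10 permit ip 192.168.1.0 0.0.0.255 any"),
                   parse_ace("20 deny ip host 192.168.1.252 host 192.168.254.52")]


def demo():
    vpn = ("192.168.1.252", "192.168.254.52")
    internet = ("192.168.1.252", "203.0.113.10")
    return {
        "original": outbound_path(NAT_ORIGINAL, CRYPTO_LOCAL, *vpn, MY_WAN),
        "fixed": outbound_path(NAT_FIXED, CRYPTO_LOCAL, *vpn, MY_WAN),
        "wrong_order": outbound_path(NAT_WRONG_ORDER, CRYPTO_LOCAL, *vpn, MY_WAN),
        "fixed_internet_still_natted": evaluate(NAT_FIXED, *internet) == "permit",
        "crypto_mirrored": crypto_acls_mirror(CRYPTO_LOCAL, CRYPTO_REMOTE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "original" case reproduces the symptom in the thread: the ping towards the peer is translated to the WAN address, fails the crypto ACL and is sent unencrypted, while the peer's traffic still decrypts fine on arrival. The "wrong_order" case shows that adding the deny is not enough on its own; with the permit at a lower sequence number it wins first, which is why the accepted solution insists the deny go above it.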