Passing IPSec traffic through VLAN trunks
Posted on 2004-11-21
I have a Cisco 3750 and a 2950 switch in my network. Trunking is enabled on the link that connects the 2950 to the 3750 switch, with the encapsulation set to dot1q.
One VLAN, viz. VLAN4, is configured on the 3750 with the IP address 172.17.170.1/26. The IP address of the default VLAN (VLAN 1) is 172.17.168.30/24, and a DHCP server residing in this VLAN has a scope created (172.17.170.3 - 172.17.170.62; Mask 255.255.255.192; Router: 172.17.170.1) for VLAN4. The IP address of the DHCP server is 172.17.168.240/24.
Interface VLAN4 has been configured with the command "ip helper-address 172.17.168.240", and the members of VLAN4, whether connected to the 3750 or to the 2950, get an address from the range 172.17.170.3 - 172.17.170.62 without any problem.
I have a Cisco PIX 515E firewall whose "inside" interface (IP address: 172.17.170.2/26) is connected to a port on the 3750 which is a member of VLAN4. One IPSec VPN tunnel is created with one of my clients through the PIX firewall. The target IP address at the client location is 192.168.5.6. The following route is added on the 3750:
ip route 192.168.5.0 255.255.255.0 172.17.170.2
I have connected one PC to the 3750 and one to the 2950, and they are members of VLAN4. The PC on the 3750 gets the address 172.17.170.3 and the one on the 2950 gets 172.17.170.4. The default gateway they get, as defined in the scope, is 172.17.170.1.
The PC connected to the 3750 can ping the address 192.168.5.6 over the VPN, but the PC on the 2950 cannot.
What could be the problem?