Solved

Configure 2 Cisco routers to pass VLAN traffic over VPN

Posted on 2009-05-07
20
845 Views
Last Modified: 2012-05-06
Hello,

We're trying to set up a point to point VPN between a remote location and the main building.

Remote location: 2801 & 3750 switch
Main building: 2811 plugged into a 2950. The 2950 is connected to our edge 2811. The 2950 is also connected to our 3750 switch stack.

So far we've configured the 2801, put a laptop behind it with a public IP and have gotten out to the Internet.
The 2811 is connected to a 2950, which is connected to a 2811 (our border router)

We've created a site-to-site VPN tunnel with a pre-shared key using the SDM wizard but haven't tested yet. Hope to do that today.

Two questions. One, do we have the necessary components to make this work? Two, how can we pass VLAN traffic over the link? The idea is to have all remote office traffic come back to the main building and then either go on our network or out to the Internet.

Apologies if this is confusing. I'm a VERY rusty CCNA.

Thanks!
0
Question by:lucado01
20 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24327769
Yes, you have all the components.  This is quite simple if the remote and main PCs have the 28xx as their default gateway.  If you want to tunnel all traffic from the remote site, you'll use "any" as the destination on the remote 2801 and "any" as the source on the main 2811 router in the crypto/interesting traffic access-list.  NAT will need to be set up appropriately on the 2811 to hairpin remote Internet-bound traffic.
0
 

Author Comment

by:lucado01
ID: 24327898
Great, we're going to test the tunnel today and then work on getting the switches ready. If everything goes well, I should have an answer for you by late tomorrow/Monday.
0
 

Author Comment

by:lucado01
ID: 24328781
Running into a snag. I've got the 2801 set up but I can still get out to the Internet. When I run show crypto ipsec sa I see 110 send errors so I know the problem is with the config.

I've read that the LAN network needs to be mentioned in the access list for the tunnel. I notice in the config that isn't there; it shows the serial IP. The ip route of the 2801 is set to 0.0.0.0 0.0.0.0 Serial0/2/0:0. If I change the ip route I lose connectivity.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24328885
The default ip route should be via Serial0/2/0:0.

The LAN subnets should be in the tunnel access-list (not the serial).
0
 

Author Comment

by:lucado01
ID: 24330711
Yes, that got it. Tunnel is now up, on to the switches.
0
 

Author Comment

by:lucado01
ID: 24358459
Stuck again.

From the remote site, I can assign a private IP to a laptop and have it ping the private interface of the main building 2811, on the other side of the tunnel. However, I can't ping the interface for the main switch stack and can't get DNS, etc.

So the tunnel looks good but we can't get to the core switch stack at the main building.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24360474
Are those subnets part of the crypto access-list?  Is there routing to the remote network? i.e. is the 2811 at the main office the default gateway to the Internet?
0
 

Author Comment

by:lucado01
ID: 24398090
Sorry for the late reply.

We have the tunnel set up between the serial interface at the remote office and fe 0/1 at the main office (what we'd call a public IP). The crypto access list is one entry on each side with any being the destination from the remote office and any being the source from the main office.

So the tunnel is up but we can't communicate with any of the internal networks. When we try to add the subnet routes (through SDM), it doesn't do anything. We've listed three subnets on each device with their own subinterface. We set up the VLAN IDs and encapsulation.

The 2811 at the main office is not listed as the default gateway to the Internet. We've put in a call to Cisco and sent them the configs but will take any assistance we can get.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24398108
If the 2811 at the main office isn't the default gateway or path to the Internet, your internal router needs a route to the remote office subnets via the 2811.
0
 

Author Comment

by:lucado01
ID: 24398260
OK, so just to clarify:

At the main office we have our border router, a 2811 which is the default gateway and path to the Internet.
Connected to the 2811 is a 2950. Connected to it is the 2811 we have just implemented and are trying to get working to the remote 2801.
So add a route for the 2801 subnet to the new 2811?  
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24398358
On the 2811 which is the default gateway for the network, add a static route to the 2801 LAN subnets via the new 2811's "LAN" interface.
0
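The full procedure the thread arrives at (LAN subnets rather than the serial IP in the interesting-traffic ACL, "any" on the Internet side, the default route left on the serial interface, and a return route on the border router toward the new 2811's LAN interface), collected into one IOS configuration as an added example. This is not lucado01's configuration or anything JFrederick29 or Cisco posted; every address (RFC 5737 documentation ranges for the public side, 192.168.10/20/30.0/24 for the remote VLANs, 10.1.1.0/24 for the main LAN), the subinterface and FastEthernet0/0 names, the ACL and crypto-map names, and the IKE/IPsec parameters are assumptions, and Serial0/2/0:0 and fe0/1 are the only interface names taken from the thread.

```cisco
! ---------- Remote 2801 (all addressing constructed for this example) ----------
! One dot1Q subinterface per remote VLAN (names assumed; the thread only says
! each subnet has its own subinterface, VLAN ID and encapsulation).
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
!
! The default route stays out the serial interface, as in the thread, so
! IKE/IPsec can reach the peer; the crypto ACL below decides what is encrypted.
ip route 0.0.0.0 0.0.0.0 Serial0/2/0:0
!
! Interesting-traffic ACL: the remote LAN subnets are the source (not the
! serial IP).  "any" as the destination sends all remote traffic, Internet-bound
! included, back to the main building.
ip access-list extended VPN-INTERESTING
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 192.168.30.0 0.0.0.255 any
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address VPN-INTERESTING
!
interface Serial0/2/0:0
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN

! ---------- Main-building VPN 2811 (fe0/1 public side, fe0/0 on the LAN) ----------
! Mirror image of the remote ACL: "any" is the source, the remote subnets are
! the destination.  The two ACLs must mirror each other or Phase 2 will not
! negotiate.
ip access-list extended VPN-INTERESTING
 permit ip any 192.168.10.0 0.0.0.255
 permit ip any 192.168.20.0 0.0.0.255
 permit ip any 192.168.30.0 0.0.0.255
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 198.51.100.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-INTERESTING
!
interface FastEthernet0/1
 ip address 203.0.113.1 255.255.255.248
 crypto map VPN
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
! Default route toward the border 2811 (assumed at 203.0.113.2 on the 2950
! segment).  Packets for the remote subnets therefore leave fe0/1, where the
! crypto map encrypts them; no per-subnet route is needed here.
ip route 0.0.0.0 0.0.0.0 203.0.113.2

! ---------- Border 2811 (default gateway for the main LAN, assumed 10.1.1.1) ----------
! Return path: the remote subnets are reachable via the VPN 2811's LAN
! interface.  Without these routes, replies from the core stack and the DMZ
! follow the default route to the Internet instead of entering the tunnel.
ip route 192.168.10.0 255.255.255.0 10.1.1.2
ip route 192.168.20.0 255.255.255.0 10.1.1.2
ip route 192.168.30.0 255.255.255.0 10.1.1.2
```

After applying both sides, "show crypto isakmp sa" should show the peer in QM_IDLE and "show crypto ipsec sa" (the command the thread uses) should show the encaps and decaps counters rising with no send errors; a counter that rises on only one side usually means one of the two crypto ACLs does not mirror the other. NAT hairpinning for remote Internet traffic, which JFrederick29 mentions, is deliberately not shown because the thread ends with Internet traffic going to a proxy in the DMZ, where the firewall's route and policy for the remote subnets are what matter.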
 

Author Comment

by:lucado01
ID: 24486910
We have everything working now, except one thing...

Internet traffic from the remote office cannot get out. I know you said that Internet traffic needed to hairpin at the main router but we have a proxy server in our DMZ that serves all Internet traffic. We have that DMZ network listed in the ACL but nothing is going out.

The DMZ network is currently not a VLAN. Do we need to make it a VLAN and then create a subinterface on the main router with one of those IP's so the remote office can route to it?

Thanks for all of your help, we're just about done!
0
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 24493359
The VLAN doesn't matter, as long as routing is in place, i.e. as long as the remote access 2811 has a route to the proxy server (DMZ subnet), and the proxy server has a route back to the remote office subnet.  Verify routing is there in both directions.
0
 

Author Comment

by:lucado01
ID: 24494933
OK. When we try and ping the proxy from the remote office, we don't see anything in our firewall attempting to get to the DMZ. We can ping the interface on the HQ router for that network.  Might this be a Check Point issue?
0
 

Author Comment

by:lucado01
ID: 24495119
The firewall has the route (where the DMZ subnet lives) back to the remote office subnet.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24495299
Could be your Firewall policy.  Is it allowing the remote office subnet access to the Proxy server?
0
 

Author Comment

by:lucado01
ID: 24495645
No. We can't even ssh to the proxy server from the remote subnet.
0
 

Author Comment

by:lucado01
ID: 24495682
It looks like the firewall is allowing the traffic. To put it another way, we don't see anything obvious from the firewall denying the remote subnet.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 24496454
Is the proxy server ISA by chance?  If so, there may be subnet definitions necessary for the remote subnet in ISA.
0
 

Author Comment

by:lucado01
ID: 24498831
Proxy server is Squid.
0
