Michael asked:
Tunneling internet traffic accross site to site VPN

Hi all,

I see a lot of people asking the same question on Google; however, there are not a lot of solutions other than a proxy at the internet-facing end of the tunnel. I'm looking to understand why it doesn't work rather than alternative solutions.

My objective: I'm an expat living in Malaysia trying to access Aussie TV. I have decent internet, and so does my father in Australia.
Planned solution: As I have two internet connections in my condo, on one of them set up a site-to-site VPN to my father's home, tunnel all traffic through to Dad's place, and configure the gateway on all my TV devices to point to my second internet link.

Looking at the configs, I think I can see that perhaps the internet traffic from routerB can get out through NAT on routerA but struggles to get back to the source, as the tunnel ACL doesn't allow anything other than traffic with a source IP matching 192.168.10.x. However, I have set up a friend's router (also Cisco) to debug ICMP, and when I ping it from router A I see the packets, but from router B I don't, suggesting that my traffic from router B is not even being ingested by the NAT overload statement. Of course I have the ACL configured to do that. Again, I'm looking for the reason why, not alternative solutions; trying to learn here.

Devices at both ends: Cisco 871 (upgrading soon to something with GbE)
Dad's place: RouterA
My place: RouterB


Configs (I've removed anything I believe is unnecessary to see)

Version 12.2

!
hostname routerA
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myvpn address 2.2.2.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile VTI
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address VPN-TRAFFIC
!
!

!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet4
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname lllllll@timebb
 ppp chap password 0 llllll
 ppp pap sent-username n111111@timebb password 0 lllll
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
 crypto map CMAP
!
ip forward-protocol nd
!
ip nat inside source list 190 interface Dialer1 overload

!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 190 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 permit ip 192.168.30.0 0.0.0.255 any
access-list 190 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
control-plane
!

!
end


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routerB
!
!
!
no aaa new-model
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myvpn address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
interface FastEthernet4
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx@timebb
 ppp chap password 0 xxxx
 ppp pap sent-username xxxx@timebb password 0 xxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map CMAP
!
ip forward-protocol nd
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.30.0 0.0.0.255 any
!
access-list 23 permit 192.168.30.0 0.0.0.255
!
!
!
!
control-plane
!

end

Pete Long

If you don't want to use a 'proxy' then you need to 'tunnel-all' traffic so the point of egress is in Australia, not at your location. This is usually a feature of a client VPN, not a site-to-site VPN.

If your father had a firewall (you can pick up a 5505 off eBay cheap as chips), then if he set up EZ-VPN and you configured your 800 series as an EZ-VPN dial-in client, you could set tunnel-all on the VPN group policy; that would give you what you wanted.

pete
Michael (asker)

Hi Pete,
Thanks for your reply. I could do what you suggested; however, the issue is I can't establish a VPN from my Apple TV devices as far as I know. This is why I prefer to just be able to point my device to the gateway of my second router, which will tunnel to Aus.

Regards
SOLUTION
arnold
Michael (asker)

Thanks for your reply, Arnold. I tried this on my routers, but it seems this command is only available on ASA devices. Google doesn't seem to mention its use anywhere on IOS. I tried it on another router with a later IOS as well (15.4).
ASKER CERTIFIED SOLUTION
arnold

arnold

You could also add an established rule to allow traffic initiated from the other side to have the response come back, if you're concerned not to open your side if the other side is compromised...

VPN-TRAFFIC
permit tcp any 192.168.30.0 0.0.0.255 established
Or
permit tcp any any established
Michael (asker)

I really don't believe that it is the tunnel ACLs causing the issue. With the configuration I have provided, I agree that the return packet would be dropped. However, I expect the outbound packet to be NATted out of the internet interface of my router A. I'm not seeing any evidence of this. To prove this I set debug icmp on another router connected to the internet. If I ping it from router A I see the packets hitting it. If I ping from router B with source vlan1 I don't see the pings reaching the third router.

I have added the following rule to the ACL on router A:

permit ip any 192.168.30.0 0.0.0.255

But still no joy
arnold

Look at the show crypto commands.

Look at the interesting-traffic rules defined on the tunnel to see whether externally destined packets will be allowed through the tunnel.
In your VPN-TRAFFIC on routerB you have 192.168.30.0.
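An added check for the mirror-image rule Arnold is pointing at (example code written for this page, not from the thread): IOS offers each crypto ACL entry's source/destination pair to the peer as the IPsec proxy identities, so an entry on one router needs its mirror on the other before an SA for that traffic can come up. The script parses the two VPN-TRAFFIC lists from the configs above, reports entries with no mirror, and re-runs the check with the line Michael added to routerA.

```python
import ipaddress

# Constructed from the two VPN-TRAFFIC lists in the configs posted above.
ROUTER_A_ACL = ["permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255"]
ROUTER_B_ACL = ["permit ip 192.168.30.0 0.0.0.255 any"]


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from the token
    list and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard bits are the inverse of a netmask; invert explicitly so
    # 0.0.0.0 and 255.255.255.255 are not misread as netmasks.
    wild = int(ipaddress.IPv4Address(tokens[1]))
    mask = ipaddress.IPv4Address(~wild & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'permit ip SRC DST' into (src_net, dst_net); other ACE forms
    return None (only 'permit ip' appears in the configs above)."""
    tokens = line.lower().split()
    if tokens[:2] != ["permit", "ip"]:
        return None
    src, rest = _take_addr(tokens[2:])
    dst, _ = _take_addr(rest)
    return src, dst


def unmirrored(local_acl, remote_acl):
    """Return the local ACEs whose (src, dst) pair has no exact (dst, src)
    mirror on the remote side. IOS offers these pairs to the peer as IPsec
    proxy identities, so an unmirrored entry cannot bring up an SA."""
    remote_pairs = {p for p in map(parse_ace, remote_acl) if p}
    missing = []
    for ace in local_acl:
        pair = parse_ace(ace)
        if pair and (pair[1], pair[0]) not in remote_pairs:
            missing.append(ace)
    return missing


if __name__ == "__main__":
    print("routerB entries not mirrored on routerA:",
          unmirrored(ROUTER_B_ACL, ROUTER_A_ACL))
    # The line Michael added to routerA's list later in the thread.
    fixed_a = ROUTER_A_ACL + ["permit ip any 192.168.30.0 0.0.0.255"]
    print("after adding the mirror on routerA:",
          unmirrored(ROUTER_B_ACL, fixed_a))
```

Run it against `show running-config | section VPN-TRAFFIC` output from both routers; any line it reports is traffic the peer will refuse to negotiate an SA for, regardless of what the NAT statement does.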
Michael (asker)

solved