Tunneling internet traffic across a site-to-site VPN

Hi all,

I see a lot of people asking the same question on Google, but not a lot of solutions other than a proxy at the internet-facing end of the tunnel. I'm looking to understand why it doesn't work rather than for alternative solutions.

My objective: I'm an expat living in Malaysia trying to access Aussie TV. I have decent internet, and so does my father in Australia.
Planned solution: As I have two internet connections in my condo, on one of them set up a site-to-site VPN to my father's home and tunnel all traffic through to Dad's place. Configure the gateway on all my TV devices to point to my second internet link.

Looking at the configs, I was thinking that perhaps the internet traffic from routerB can get out through NAT on routerA but struggles to get back to the source, as the tunnel ACL doesn't allow anything other than traffic with a source IP matching 192.168.10.x. However, I have set up a friend's router (also Cisco) to debug ICMP, and when I ping it from router A I see the packets, but from router B I don't, suggesting that my traffic from router B is not even being ingested by the NAT overload statement. Of course I have the ACL configured to do that. Again, I'm looking for the reason why, not alternative solutions; trying to learn here.

Devices at both ends are Cisco 871s (upgrading soon to something with GbE).
Dad's place: routerA
My place: routerB


Configs (I've removed anything I believe is unnecessary to see):

Version 12.2

!
hostname routerA
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myvpn address 2.2.2.2
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile VTI
!
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS
 match address VPN-TRAFFIC
!
!

!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet4
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname lllllll@timebb
 ppp chap password 0 llllll
 ppp pap sent-username n111111@timebb password 0 lllll
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 no cdp enable
 crypto map CMAP
!
ip forward-protocol nd
!
ip nat inside source list 190 interface Dialer1 overload

!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
!
!
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 190 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 permit ip 192.168.30.0 0.0.0.255 any
access-list 190 permit ip 192.168.10.0 0.0.0.255 any
!
!
!
control-plane
!

!
end


!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname routerB
!
!
!
no aaa new-model
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key myvpn address 1.1.1.1
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
!
!
crypto map CMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TS
 match address VPN-TRAFFIC
!
!
!
interface FastEthernet4
 no ip address
 no ip redirects
 no ip unreachables
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx@timebb
 ppp chap password 0 xxxx
 ppp pap sent-username xxxx@timebb password 0 xxxx
 ppp ipcp dns request accept
 ppp ipcp route default
 ppp ipcp address accept
 crypto map CMAP
!
ip forward-protocol nd
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.30.0 0.0.0.255 any
!
access-list 23 permit 192.168.30.0 0.0.0.255
!
!
!
!
control-plane
!

end
Asked by Michael

arnold commented:
Your VPN-TRAFFIC access list on the 871 only allows traffic that originates from the LAN of the remote site to enter the VPN tunnel.
This means only LAN-to-LAN traffic will match the interesting traffic and will be allowed in through the VPN tunnel.

This is what is preventing the response to your requests from returning to your side.

show crypto isakmp sa
show crypto ipsec sa

If you change VPN-TRAFFIC at each end to only permit the remote LAN... i.e. as long as the packet is destined to the other side, it will enter the tunnel.
Pete Long (Technical Consultant) commented:
If you don't want to use a 'proxy' then you need to 'tunnel-all' traffic so the point of egress is in Australia, not at your location. This is usually a feature of a client VPN, not a site-to-site VPN.

If your father had a firewall (you can pick up a 5505 off eBay cheap as chips) and he set up EZ-VPN, you could configure your 800 series as an EZ-VPN dial-in client and then set tunnel-all on the VPN group policy; that would give you what you wanted.

pete
Michael (author) commented:
Hi Pete,
Thanks for your reply. I could do what you suggested; however, the issue is I can't establish a VPN from my Apple TV devices, as far as I know. This is why I prefer to just be able to point my device to the gateway of my second router, which will tunnel to Aus.

Regards
arnold commented:
The issue is that usually your remote originating traffic hitting the VPN/LAN in AU is then not allowed to exit the remote router.

You need to enable your AU-based router to allow non-local traffic to leave:
same-security-traffic permit intra-interface

See if it is accepted on the 871.

The other: to your VPN-TRAFFIC access list you need to add an allow for established traffic to enter the tunnel on the way back on your AU firewall/router.
Michael (author) commented:
Thanks for your reply, Arnold. I tried this on my routers but it seems this command is only available on ASA devices. Google doesn't seem to mention its use anywhere on IOS. I tried it on another router with a later IOS as well, 15.4.
arnold commented:
You could also add an established rule to allow traffic initiated from the other side to have the response come back, if you're concerned about not opening your side if the other side is compromised...

VPN-TRAFFIC
permit tcp any 192.168.30.0 0.0.0.255 established
or
permit tcp any any established
Michael (author) commented:
I really don't believe that it is the tunnel ACLs causing the issue. With the configuration I have provided, I agree that the return packet would be dropped. However, I expect the outbound packet to be NATed out of the internet interface of my router A. I'm not seeing any evidence of this. To prove this I set debug icmp on another router connected to the internet. If I ping it from router A I see the packets hitting it. If I ping from router B with source Vlan1 I don't see the pings reaching the third router.

I have added the following rule to the ACL on router A:

permit ip any 192.168.30.0 0.0.0.255

But still no joy.
arnold commented:
Look at the show crypto commands.

Look at the interesting-traffic rules defined on the tunnel to see whether externally destined packets will be allowed through the tunnel.
Your VPN-TRAFFIC on routerB has 192.168.30.0.
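Editor's note, added to the thread (this is not code from the original post, and the thread never shows the configuration Michael ended up with). For readers who, like Michael, want the "why": two separate things in the configs above stop routerB's internet-bound traffic, and they are worth separating because fixing the first one alone still fails.

First, IOS crypto maps require each peer's crypto ACL to be the mirror image of the other's. routerB's VPN-TRAFFIC offers 192.168.30.0/24 to any, while routerA's VPN-TRAFFIC only accepts 192.168.10.0/24 to 192.168.30.0/24, so routerA rejects the phase 2 proposal for internet-bound traffic (on routerA, debug crypto ipsec reports this as proxy identities not supported). No IPsec SA is ever built for that traffic, which is consistent with routerB's pings never reaching the third router: they are dropped on routerB, not mis-NATed on routerA.

Second, even with the ACLs mirrored (the permit ip any 192.168.30.0 0.0.0.255 line Michael added makes them match), ip nat inside source list 190 only translates packets that travel from an ip nat inside interface to an ip nat outside interface. Traffic decrypted by a crypto map on Dialer1 is treated as having arrived on Dialer1, which is the outside interface, and it is routed straight back out of Dialer1. Outside-to-outside is never translated, so the access-list 190 permit ip 192.168.30.0 0.0.0.255 any line is never consulted and the packets would leave with an untranslated 192.168.30.x source to which no reply can return.

The example below addresses both by terminating IPsec on a virtual tunnel interface (VTI) instead of a crypto map: routing replaces the crypto ACL, so there is no proxy-identity mismatch, and marking Tunnel0 as ip nat inside on routerA makes tunnel traffic inside-to-outside for NAT. The empty crypto ipsec profile VTI present in both configs suggests this was the direction being explored. Assumptions, all mine: the 10.255.255.0/30 tunnel addressing and the MTU/MSS values; that the 871s run an advanced security IOS image of 12.3(14)T or later, which is what tunnel mode ipsec ipv4 needs (routerA shows "Version 12.2", so check show version first); and that nothing in the parts of the configs Michael removed conflicts. The peer addresses 1.1.1.1 and 2.2.2.2, the transform set TS, NAT list 190 and the interface names are taken from the page. Separately, the ISAKMP policy on the page (3des, md5, group 2, a pre-shared key of myvpn) is weak by any current standard; the example keeps TS so it applies as-is, but esp-aes esp-sha-hmac and a long random key should be used where the image supports them.

```cisco
! ===== routerA (Dad's place, public 1.1.1.1) =====
!
! The VTI replaces the crypto map; both cannot protect the same peer on Dialer1.
! The CMAP and VPN-TRAFFIC stanzas become unused and can be deleted.
interface Dialer1
 no crypto map CMAP
!
! Bind the existing transform set to the IPsec profile that was left empty.
crypto ipsec profile VTI
 set transform-set TS
!
! Route-based tunnel. 'ip nat inside' is the important line: packets that
! arrive from the tunnel and are routed to Dialer1 are now inside->outside,
! so NAT list 190 translates them to the Dialer1 address.
! MTU/MSS (assumed values) leave room for ESP inside the 1492-byte PPPoE link.
interface Tunnel0
 description IPsec VTI to routerB
 ip address 10.255.255.1 255.255.255.252
 ip nat inside
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! routerB's LAN is reached by a route, not by a crypto ACL.
ip route 192.168.30.0 255.255.255.0 Tunnel0
!
! NAT policy is the same as on the page: LAN-to-LAN stays untranslated,
! both LANs are translated to the internet. The 192.168.30.0 line now matches
! because that traffic enters on an 'ip nat inside' interface.
access-list 190 deny   ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 190 permit ip 192.168.30.0 0.0.0.255 any
access-list 190 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 190 interface Dialer1 overload
!
! ===== routerB (My place, public 2.2.2.2) =====
!
! PPP must not install its own default route or it will share the default
! with Tunnel0 (both are AD 1) and half the traffic goes out the DSL directly.
interface Dialer1
 no crypto map CMAP
 no ppp ipcp route default
!
crypto ipsec profile VTI
 set transform-set TS
!
! Do NOT mark Tunnel0 'ip nat outside' here: the TVs' 192.168.30.x addresses
! must reach routerA untranslated so that routerA's NAT does the work.
interface Tunnel0
 description IPsec VTI to routerA
 ip address 10.255.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! Host route for the peer via the DSL link first; without it the tunnel
! destination would recurse through Tunnel0 and the interface never comes up.
! Then everything else, including 192.168.10.0/24, goes into the tunnel.
ip route 1.1.1.1 255.255.255.255 Dialer1
ip route 0.0.0.0 0.0.0.0 Tunnel0
!
! ===== Verification (on routerA unless noted) =====
!  show crypto isakmp sa        - QM_IDLE with peer 2.2.2.2
!  show crypto ipsec sa         - local/remote ident 0.0.0.0/0 (VTI uses any/any proxies)
!  show interfaces Tunnel0      - line protocol up once phase 2 completes
!  show ip nat translations     - 192.168.30.x:port mapped to the Dialer1 address
!  debug ip nat                 - per-packet confirmation that list 190 is hit
!  routerB# ping 8.8.8.8 source Vlan1   (first packet may time out while SAs form)
```

With this in place the Apple TVs need no VPN client at all: they use routerB as their gateway, routerB's default route carries everything into the tunnel, and routerA presents its own Australian address to the internet. The verification order matters when something still fails: if show crypto ipsec sa shows no SA the problem is IKE (keys, peer addresses, image support for VTI); if the SA is up but show ip nat translations stays empty, the tunnel interface is missing ip nat inside or list 190 does not match; if translations exist but nothing answers, look at the return path, which must route 192.168.30.0/24 into Tunnel0.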
Michael (author) commented:
Solved.
Question has a verified solution.