877 ipsec VTI transitive

Hello all,

I just set up a tunnel between two 877 routers using IPsec VTI and it's working fine.

I have this configuration :

CORP-PIX        RTR-A          RTR-B
Corporate       Site A         Site B
10.1.0.0/16     10.2.0.0/22    10.2.4.0/22

On RTR-A I use a classical crypto map to connect to the corporate LANs.

I have the following configurations to manage routing.

RTR-A ACL for tunnel to corporate PIX:

permit 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255

(and the ACL matches on the PIX too)

====================== Config RTR-A tunnel to RTR-B

crypto ipsec profile VtunnelIP
 set transform-set ESP-3DES-SHA
!
interface Tunnel0
 ip address 172.31.35.1 255.255.255.248
 ip policy route-map ROUTING-POLICY
 tunnel source
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VtunnelIP
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.2.4.0 255.255.252.0 172.31.35.2

====================== Config RTR-B tunnel to RTR-A

crypto ipsec profile VtunnelIP
 set transform-set ESP-3DES-SHA
!
interface Tunnel0
 ip address 172.31.35.2 255.255.255.248
 tunnel source 80.172.25.116
 tunnel destination 80.172.48.127
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VtunnelIP
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.0.0 255.255.0.0 172.31.35.1
ip route 10.2.0.0 255.255.252.0 172.31.35.1

On RTR-A the route to 10.1.0.0/16 is given by the crypto map.

====================== A traceroute yields:

Received on RTR-B:

trace to 10.1.0.83
  1 * 172.31.35.1 32 msec *
  2
*Mar 5 02:20:17.046: ICMP: time exceeded rcvd from 172.31.35.1
  * * *

Sent by RTR-A:

Mar 22 20:05:54.078: ICMP: time exceeded (time to live) sent to 10.2.4.1 (dest was 10.1.0.83)

I made such a config with an 877, but for a VPN client passing through a virtual interface, and the VPN client can go everywhere there is a tunnel opened to the corporate domain.

Does anybody have an idea of what I'm missing?

Thanks in advance

Daniel


Daniel-G said the following on 03/22/2009 11:31 PM:


Finally, I answer myself.

I started doing a standard IPsec connection and removed [I thought] everything, but the ipflow stayed active and kept having precedence. After disconnecting all tunnels and cleaning the config, it started working fine. I added a bit of EIGRP to distribute routes and now it works perfectly.
