
I want to set up an IPsec VPN tunnel between two sites, let's say Paris and Toulouse. The tunnel came up fine and the status on the VPN gateway routers at both sides shows it's up and OK. The problem is that I have an Internet box (IPv4) in the middle, and the traffic passes through the VPN on one side and is forced to go through the Internet on the other side.

You would have found attached a draft of my architecture schema (I don't have enough reputation here to post images); it is explained below.

  • On the Paris side we have a Cisco ASA5512 router, with a public interface connected to the Paris ISP
  • An L3 switch is connected to the Cisco router, and the Paris LAN is connected to that switch; the Cisco router has a private interface connected to the switch and associated with one VLAN.

  • On the Toulouse side we have a Ubiquiti UniFi Security Gateway router

  • This Ubiquiti router has a private interface connected to an Internet box (belonging to the Toulouse ISP), and another private interface connected to the Toulouse LAN.

Thus the public IP address of the tunnel on the Toulouse side is the public IP address of the Internet box.

  • The Toulouse router uses the private IP of the Internet box as its default gateway
  • The Paris router uses the public IP address of the Paris ISP directly as its default gateway, as its public interface is connected to the ISP

The problem is:

  • From a host in Toulouse, I can ping and RPC a host in Paris; the traceroute command shows that the packets pass through the VPN tunnel
  • From a host in the Paris LAN, when I try to reach a host at the other end of the tunnel in Toulouse, the packets are forced by the Paris router to go via the Internet, so it sends the packets to the ISP through its public interface, which doesn't know how to reach the destination, as it is a private network address (192.168.11.0/24), so the transmission ends in a time exceeded
  • If I specify a static route on the Paris router telling it to send packets destined for the network 192.168.11.0/24 to the public IP of the Toulouse Internet box, it doesn't know how to reach there and blocks

So how, in this configuration, can I make packets from the Paris router to the network 192.168.11.0/24 pass through the VPN tunnel?

nixmind
  • Can you post your configuration from the Cisco ASA and also the Ubiquiti UniFi Security Gateway? The description you have provided should work, and I have deployed it with Cisco on both sides. There is an option for NAT Traversal (NAT-T), which needs to be enabled on Cisco devices. If something similar is available, make sure it is enabled on the Ubiquiti. Also, the Internet box in Toulouse should support IPsec passthrough, and you should forward the necessary ports to the Ubiquiti Security Gateway. – Abu Zaid Nov 17 '18 at 12:38
  • @AbuZaid What I don't understand is why the Cisco router doesn't make the difference between packets going to the Internet and the ones going to the VPN peer side... People in the Toulouse network behind the Ubiquiti Security Gateway can reach the Internet, and also reach the Paris LAN. All traffic is allowed on the Internet box in Toulouse. Do we really need to tell the Cisco router to use the Internet box's public IP address as the route for packets destined for the Toulouse LAN? If yes, what could be preventing the packets from reaching it? – nixmind Nov 17 '18 at 20:23
  • As I mentioned before, will need configurations before I can assist further. – Abu Zaid Nov 18 '18 at 11:32
  • Sorry @AbuZaid, is it possible to attach a snippet of the router configuration here? The whole config is 800 lines, so I'd like to avoid pasting it into the question directly... – nixmind Dec 12 '18 at 16:12
  • I am not sure how to attach the configuration. I am only interested in the parts that have the VPN tunnel configuration. – Abu Zaid Dec 12 '18 at 19:21
  • In fact I was also trying to get into a configuration made by another team, and it's a little bit hard to dive into all the mixed configurations from everywhere. So I think I will try to do it from scratch myself and let you know if the issue is still there. – nixmind Dec 14 '18 at 17:21
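Added illustration (not part of the thread, and not a diagnosis of the poster's devices, whose configuration was never shared): a toy Python model of the egress pipeline on a policy-based IPsec gateway such as the ASA, where the documented order is route lookup, then NAT, then the crypto map bound to the outside interface. It shows two things a practitioner would check first. A static route for 192.168.11.0/24 is not needed: the default route legitimately carries the packet toward the outside interface, and the crypto map is what diverts it into the tunnel. And one common misconfiguration, a missing NAT exemption (identity NAT) for the LAN-to-LAN traffic, produces exactly the symptom described, because the source is PAT'd before the crypto ACL is evaluated, the packet stops matching, and it leaves in the clear toward the ISP with a private destination. All addresses except the Toulouse LAN (192.168.11.0/24, from the post) are hypothetical.

```python
"""Toy model of a policy-based IPsec gateway's egress path: route -> NAT -> crypto map.

Added illustration for the thread above. It is not the poster's ASA or USG
configuration and does not diagnose it; it models the ASA ordering in which
the crypto ACL is matched against post-NAT addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the example.
PARIS_LAN = ip_network("192.168.10.0/24")      # assumed Paris LAN
TOULOUSE_LAN = ip_network("192.168.11.0/24")   # from the post
PARIS_OUTSIDE = ip_address("203.0.113.10")     # assumed ASA public address
PARIS_ISP_GW = ip_address("203.0.113.1")       # assumed ISP next hop
TOULOUSE_PEER = ip_address("198.51.100.20")    # assumed public IP of the Toulouse box


@dataclass
class PolicyVpnGateway:
    """Minimal ASA-style gateway: routing table, PAT for inside hosts,
    and a crypto map applied on the outside interface."""
    crypto_acl: list   # (src_net, dst_net) pairs of interesting traffic
    nat_exempt: list   # (src_net, dst_net) pairs excluded from PAT (identity NAT)
    routes: dict       # prefix string -> next hop; "0.0.0.0/0" is the default

    @staticmethod
    def _matches(rules, src, dst):
        return any(src in s and dst in d for s, d in rules)

    def _next_hop(self, dst):
        # Longest-prefix match over the routing table.
        candidates = [p for p in self.routes if dst in ip_network(p)]
        best = max(candidates, key=lambda p: ip_network(p).prefixlen)
        return self.routes[best]

    def egress(self, src, dst):
        src, dst = ip_address(src), ip_address(dst)
        # 1. Routing chooses the egress interface. 192.168.11.0/24 has no specific
        #    route, so it follows the default toward the ISP. That is expected on a
        #    policy-based VPN and is not what sends the packet in the clear.
        next_hop = self._next_hop(dst)
        # 2. NAT. Unless exempted, the inside source is PAT'd to the outside address.
        if not self._matches(self.nat_exempt, src, dst):
            src = PARIS_OUTSIDE
        # 3. Crypto map on the outside interface, evaluated on post-NAT addresses.
        if self._matches(self.crypto_acl, src, dst):
            return {"path": "ipsec", "peer": str(TOULOUSE_PEER),
                    "inner_src": str(src), "inner_dst": str(dst)}
        return {"path": "cleartext", "next_hop": str(next_hop),
                "src": str(src), "dst": str(dst)}


ROUTES = {"0.0.0.0/0": PARIS_ISP_GW}
INTERESTING = [(PARIS_LAN, TOULOUSE_LAN)]

# Crypto ACL plus a matching NAT exemption: LAN-to-LAN traffic is encrypted to the peer.
with_exemption = PolicyVpnGateway(crypto_acl=INTERESTING, nat_exempt=INTERESTING, routes=ROUTES)
# Same crypto ACL, no NAT exemption: the source is PAT'd first, no longer matches the
# crypto ACL, and is forwarded in the clear to the ISP with a private destination.
without_exemption = PolicyVpnGateway(crypto_acl=INTERESTING, nat_exempt=[], routes=ROUTES)

if __name__ == "__main__":
    for label, gw in (("with NAT exemption", with_exemption),
                      ("without NAT exemption", without_exemption)):
        print(label, gw.egress("192.168.10.50", "192.168.11.20"))
    # Ordinary Internet traffic is still PAT'd and routed normally in both cases.
    print("internet", with_exemption.egress("192.168.10.50", "198.51.100.99"))
```

In the "without NAT exemption" case the model reproduces the observed behaviour (a packet for 192.168.11.20 handed to the ISP's next hop), which is why a static route toward the peer's public IP does not help: the route step already sends it the right way, and the problem is what happens afterwards. On a real ASA the equivalent checks are the crypto ACL of the crypto map on the outside interface and the identity NAT rule for inside-to-remote-LAN traffic; on the USG side, the corresponding remote-subnet definition must cover the Paris LAN.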

0 Answers