Second VPN tunnel



  • Hello…

    Currently I have this situation: each remote VPN site has a default route through the tunnel interface (0.0.0.0/0 via tunnel.1). So all traffic is routed through one point (vpn-center) out to the internet, and all traffic between sites is routed through vpn-center (MPLS).

    Is it possible to create a second VPN tunnel between two sites so that (vpn r3 & vpn r4) traffic will not go through vpncenter?

    I’ll add a secondary IP on the trust interface in order to separate the network.

    site vpn3
    primary ip 192.168.5.1/24
    secondary ip 10.1.1.1/24
    adding static dst route 192.168.1.0/24 goes through tunnel.1
    adding static dst route 10.1.2.0/24 goes through tunnel.2

    site vpn4
    primary ip 192.168.3.1/24
    secondary ip 10.1.2.1/24
    adding static dst route 192.168.1.0/24 goes through tunnel.1
    adding static dst route 10.1.1.0/24 goes through tunnel.2

    The 192.168.1.0/24 is my vpncenter.

    Will this work? 🙂



  • Hi

    Finally I found some time… The VPN goes up; traffic goes only one way.

    Pinging to remote site 20.1.2.2… Traffic goes through.

    ****** 28578.0: <trust>packet received [128]******
     ipid = 1717(06b5), @0366b6d0
     packet passed sanity check.
     trust:20.1.2.2/1024->192.168.3.1/13164,1(0/0) <root>existing session found. sess token 2
     flow got session.
     flow session id 1305
     prepare route
     search route to (20.1.2.2->192.168.3.1) in vr trust-vr for vsd-0/flag-3000/ifp
    -tunnel.2
    no route to (20.1.2.2->192.168.3.1) in vr trust-vr/0
     post addr xlation: 20.1.2.2->192.168.3.1.
     going into tunnel 40000006.
     flow_encrypt: pipeline.
    chip info: PIO. Tunnel id 00000006
    (vn2)  doing ESP encryption and size =136
    ipsec encrypt prepare engine done
    ipsec encrypt set engine done
    ipsec encrypt engine released
    ipsec encrypt done
           put packet(382d618) into flush queue.
           remove packet(382d618) out from flush queue.
           put packet(382d618) into flush queue.
           remove packet(382d618) out from flush queue.
    --- more ---

    Pinging from remote site 20.1.3.2… Traffic does not go through.

    ****** 19678.0: <trust>packet received [128]******
     ipid = 9224(2408), @0363c3f0
     packet passed sanity check.
     trust:20.1.3.2/1024->192.168.5.1/4064,1(0/0) <root>existing session found. sess token 2
     flow got session.
     flow session id 1096
     prepare route
     search route to (20.1.3.2->192.168.5.1) in vr trust-vr for vsd-0/flag-2000/ifp
    -tunnel.2
     route 192.168.5.1->0.0.0.0, to tunnel.1
     dynamic route from tunnel 40000003## 22:27:07 : NHTB entry search no found: vp
    n none tif tunnel.1 nexthop 192.168.5.1
    to 40000001.
     route to 192.168.5.1
     going to into tunnel.
     post addr xlation: 20.1.3.2->192.168.5.1.
     going into tunnel 40000001.
     flow_encrypt: pipeline.
    chip info: PIO. Tunnel id 00000001
    (vn2)  doing ESP encryption and size =136
    ipsec encrypt prepare engine done
    ipsec encrypt set engine done
    chip info: PIO. Tunnel id 00000001
    (vn2)  doing ESP encryption and size =136
    ipsec encrypt prepare engine done
    ipsec encrypt set engine done
    --- more ---
    ipsec encrypt engine released
    ipsec encrypt done
           put packet(3808e38) into flush queue.
           remove packet(3808e38) out from flush queue.

    I think that there is a routing problem. Traffic goes from Site B to Site A through the tunnel.1 interface and not through tunnel.2:

    …going to into tunnel.
     post addr xlation: 20.1.3.2->192.168.5.1.
     going into tunnel 40000001…

    I’m using multiple VRs (untrust-vr/untrust zone, trust-vr/trust zone). The route tables look like this:

    site A
    untrust-vr
    1.1.1.253/30 - untrust int
    0.0.0.0/0 - gw 1.1.1.254

    trust-vr
    192.168.3.1/24 - trust int
    0.0.0.0/0 - gw tunnel.1
    20.1.3.1/29 - trust int
    20.1.2.0/29 - tunnel.2

    and site B
    untrust-vr
    1.2.1.1/30 - untrust int
    0.0.0.0/0 - gw 1.2.1.2

    trust-vr
    192.168.5.1/24 - trust int
    0.0.0.0/0 - gw tunnel.1
    20.1.2.1/29 - trust int
    20.1.3.0/29 - tunnel.2

    Tunnel id 00000006 is my vpn_test and tunnel id 00000001 is my primary tunnel to the center.


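As an added illustration (not part of any reply in this thread), the following Python performs a longest-prefix route lookup over the two trust-vr tables transcribed from the previous post. It shows why a ping aimed at the far site's primary trust address 192.168.5.1 falls through to the 0.0.0.0/0 route on tunnel.1 (the hub), while only destinations inside the 20.1.x.0/29 secondaries match the tunnel.2 route. The table contents come from the post; the function names and the "trust" label for connected routes are my own.

```python
import ipaddress

# Trust-vr route tables as posted for site A and site B. Connected subnets are
# labelled "trust"; the default route points at the hub tunnel (tunnel.1).
ROUTES = {
    "siteA": [
        ("192.168.3.0/24", "trust"),
        ("20.1.3.0/29", "trust"),
        ("20.1.2.0/29", "tunnel.2"),
        ("0.0.0.0/0", "tunnel.1"),
    ],
    "siteB": [
        ("192.168.5.0/24", "trust"),
        ("20.1.2.0/29", "trust"),
        ("20.1.3.0/29", "tunnel.2"),
        ("0.0.0.0/0", "tunnel.1"),
    ],
}


def lookup(site, dst):
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in ROUTES[site]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def hub_bound(site, remote_prefixes):
    """Return the remote prefixes that still egress via the hub default route."""
    hits = []
    for prefix in remote_prefixes:
        probe = str(ipaddress.ip_network(prefix)[1])  # first host in the prefix
        if lookup(site, probe) == "tunnel.1":
            hits.append(prefix)
    return hits


if __name__ == "__main__":
    # The two flows from the debug output in the post.
    print("siteB 20.1.2.2 -> 192.168.3.1 egress:", lookup("siteB", "192.168.3.1"))
    print("siteA 20.1.3.2 -> 192.168.5.1 egress:", lookup("siteA", "192.168.5.1"))
    print("siteA prefixes still via hub:", hub_bound("siteA", ["192.168.5.0/24", "20.1.2.0/29"]))
```

Only the secondary 20.1.x.0/29 networks are steered into tunnel.2; anything addressed to the other site's primary 192.168.x.0/24 range still takes the hub default, which matches the "going into tunnel 40000001" lines in the second trace.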

  • Your VPN should work; there does not seem to be any issue in it not working.



  • This might sound like a stupid question, but can you give more detail on the links between sites?
    Or are the sites only connected at the provider's L3 MPLS? Because if so, the provider should be able to configure an LSP between the sites for you, besides just having one LSP for the VPN Center and another for the internet.

    Also, besides all that, your configuration looks good; you just need to set up phase 1 and phase 2.

