11 Replies Latest reply on Jul 18, 2011 4:40 PM by rcamm

    sg310 ipsec question

      I have a tunnel (IPsec) built between locations A and B. Location B also has a Cisco router (factory router, no access) that all factory comms run through. Normally I place route statements in B (SG310 .250) like 123.123.0.0/16 to a gateway of .1 (Cisco .1) and 12.0.0.0/8 to .1, so that all factory comms run through it. This time I need to route factory comms from A through IPsec to .1 behind B.

       

      I can't get through. I can ping from A to an address on B with no problem, but when I traceroute 123.123.0.1 from A it goes out A's WAN instead of through the tunnel.

        • 1. Re: sg310 ipsec question

          Rather than configure static routes to go over the IPSec tunnel, you need to specify additional network pairs under the IPSec Phase 2 settings.

           

          This will set up a Security Association (SA) between the two networks.

           

          Only once an IPSec SA is established will IPSec route the traffic, and traffic will flow.

           

          So you need an IPSec SA between

           

          1. location A's network and 123.123.0.0/16

          2. location A's network and 12.0.0.0/8

           

          for example.

           

          Hope this helps

          • 2. Re: sg310 ipsec question

            Do I need to do that on both A and B or just A?

            • 3. Re: sg310 ipsec question

              Yes

               

              For a successful IPSec SA to be established, both endpoints of the IPSec tunnel must be configured.

              • 4. Re: sg310 ipsec question

                OK, I put the SA in. Now a tracert sees A but nothing after that. It isn't trying to go out the WAN anymore, so that's good. Also, I can ping machines on the B side, but I get no reply from the Cisco. If someone on the B side (where the Cisco is) pings .1 they get a reply.

                • 5. Re: sg310 ipsec question

                  For the whole thing to hang together you will need to ensure hosts on networks A and B know how to route to the Cisco network (via a default gateway is fine), and the hosts beyond the Cisco need to know how to route back via the Cisco.

                   

                  To ping the Cisco successfully you may need to consider access control lists on the Cisco as well.

                  • 6. Re: sg310 ipsec question

                    Sorry, I just got confused. Do I still need a static route put in A then? Normally we would use B as the gateway with the route statements to send to the Cisco.

                    • 7. Re: sg310 ipsec question

                      No static routes are needed on the UTM devices where IPSec is operating.

                       

                      Static routes may be needed elsewhere depending on your topology. The Cisco comes to mind, in that it may need to know that to get to network A it should go via the UTM LAN interface on B, depending on its existing routing configuration.
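As an added illustration (not code from the thread, from the SG310, or from any vendor), the following Python model covers the two points rcamm's replies hinge on: the Phase 2 network pairs must exist on both UTMs as mirror images before IPsec will carry a flow (replies 1 and 3), and the Cisco must have a return route for network A via B's UTM LAN interface (replies 5 and 7). Only 123.123.0.0/16, 12.0.0.0/8, the .250 UTM and the .1 Cisco come from the thread; the 10.x site prefixes, host addresses and the Cisco's route table are assumptions made up for the example.

```python
# Added example: a small model of policy-based IPsec selectors plus the
# return route on the Cisco. Addresses marked "assumed" are not from the thread.
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Selector(NamedTuple):
    local: str   # network on this UTM's side of the tunnel
    remote: str  # network on the far side of the tunnel


A_LAN, B_LAN = "10.1.0.0/24", "10.2.0.0/24"         # assumed site prefixes
B_UTM_LAN_IP, CISCO_IP = "10.2.0.250", "10.2.0.1"   # ".250" and ".1" per the thread
FACTORY = ["123.123.0.0/16", "12.0.0.0/8"]          # networks behind the Cisco (thread)

# Phase 2 pairs on A: the original A<->B pair plus A's LAN to each factory network.
A_SELECTORS = [Selector(A_LAN, B_LAN)] + [Selector(A_LAN, f) for f in FACTORY]
# Mirror image on B: local side is the factory network, remote side is A's LAN.
B_SELECTORS = [Selector(B_LAN, A_LAN)] + [Selector(f, A_LAN) for f in FACTORY]

# B's static routes to the Cisco, as described in the first post.
B_ROUTES = [(f, CISCO_IP) for f in FACTORY]
# Two assumed Cisco route tables: with and without a route back to network A.
CISCO_ROUTES_OK = [(B_LAN, "direct"), (A_LAN, B_UTM_LAN_IP)]
CISCO_ROUTES_MISSING_A = [(B_LAN, "direct")]


def match(selectors: List[Selector], src: str, dst: str) -> Optional[Selector]:
    """First selector whose local/remote covers src/dst, else None.
    None means the UTM does not encrypt the packet: it follows the plain
    routing table, which for an Internet address is the WAN default route."""
    s, d = ip_address(src), ip_address(dst)
    for sel in selectors:
        if s in ip_network(sel.local) and d in ip_network(sel.remote):
            return sel
    return None


def next_hop(routes: List[Tuple[str, str]], dst: str) -> Optional[str]:
    """Longest-prefix match over (prefix, gateway) pairs."""
    d = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def unmirrored(this_side: List[Selector], other_side: List[Selector]) -> List[Selector]:
    """Selectors on one UTM that the other UTM does not mirror (local/remote swapped)."""
    mirrors = {(s.remote, s.local) for s in other_side}
    return [s for s in this_side if (s.local, s.remote) not in mirrors]


def trace(src: str, dst: str, a_sel=A_SELECTORS, b_sel=B_SELECTORS,
          cisco_routes=CISCO_ROUTES_OK) -> str:
    """Follow one packet from a host on A's LAN to dst, and its reply back."""
    out = match(a_sel, src, dst)
    if out is None:
        return "A: no Phase 2 pair covers this flow, packet leaves A's WAN in the clear"
    if Selector(out.remote, out.local) not in b_sel:
        return "B: no SA mirrors A's pair, packet is rejected at B"
    beyond_b = ip_address(dst) not in ip_network(B_LAN)
    if beyond_b and next_hop(B_ROUTES, dst) != CISCO_IP:
        return "B: decrypted, but B has no route toward the destination"
    if beyond_b and next_hop(cisco_routes, src) != B_UTM_LAN_IP:
        return "Cisco: request delivered, but the reply has no route back via B's UTM LAN interface"
    return "ok: request and reply both traverse the tunnel"


def captured_local_traffic(b_sel: List[Selector], src: str, dst: str) -> bool:
    """True if a B-side selector would pull a B LAN host's packet to the factory
    network into the tunnel instead of letting it route to the Cisco."""
    return match(b_sel, src, dst) is not None


if __name__ == "__main__":
    host_a = "10.1.0.10"  # assumed host on A's LAN
    print(trace(host_a, "123.123.0.1", a_sel=[Selector(A_LAN, B_LAN)]))   # first post
    print(trace(host_a, "123.123.0.1", b_sel=[Selector(B_LAN, A_LAN)]))   # only A configured
    print(trace(host_a, "123.123.0.1", cisco_routes=CISCO_ROUTES_MISSING_A))
    print(trace(host_a, "123.123.0.1"))
    print(unmirrored(A_SELECTORS, [Selector(B_LAN, A_LAN)]))
```

Running `trace` with only the original A<->B pair on A reproduces the symptom in the first post (the packet follows A's WAN default route), and `unmirrored` lists the pairs still missing on B. `captured_local_traffic` is there to check the orientation of the B-side pairs: a pair written on B in A's orientation (local = B's LAN, remote = the factory network) matches B's own LAN-to-factory traffic and diverts it into the tunnel, which is one possible, but by no means the only, way the symptom described in reply 8 could arise; the thread does not confirm the actual cause.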

                      • 8. Re: sg310 ipsec question

                        rcamm, I can now ping the Cisco through the tunnel from A. If I put the SA in the 2nd key on both A and B, B machines no longer route through to the Cisco. If I remove the SA on the B side they route through the Cisco, no problem. I still cannot get through the tunnel (SA address) from the A side. Any ideas?

                        • 9. Re: sg310 ipsec question

                          How did you configure network A to ping the Cisco without using IPSec?

                           

                          No doubt this causes a conflict with IPSec, which should be performing this routing between A and B.

                           

                          Are you able to engage technical support?
