Allowing a VPN tunnel through iuntermediate routers?

Good day,

I’m working with the following topology to learn L2L VPNs. I am attempting to define two tunnels. The first is between R1 and R3 via FW1 and FW3, and then between R2 and R4 via FW2 and FW4. I configured the tunnel between FW1 and FW3 via this guide: The VPN between R1 and R3 is good. No issues there.

My problem is the VPN traffic from FW2 crossing FW1 and FW3 to get to FW4. I configured FW2 qnd FW4 in the same way as FW1 to FW3. On FW1 and FW3 I added ACLs on both inside and outside interfaces to permit any any for both IP and ICMP.

I’m still troubleshooting and will post any debug messages, if useful. For now, I’m just looking for general feedback on what I might be doing wrong. Any input is greatly appreciated.

Hello Mark

There are several reasons for this to fail. Some that come off the top of my head include an MTU issue. When creating site-to-site VPNs, additional headers are prepended and may cause the MTU size of the frame to increase, in turn causing some interfaces to drop frames that are larger than their allowed MTUs. Take a look at this lesson for more info:

Another issue may arise if you are running NAT on FW1 and/or FW3. NAT translations will often “break” a site-to-site VPN. In such cases you need to employ a feature such as NAT traversal (NAT-T).

Another possibility is simply that the access lists you employed are not employed correctly or in the correct direction. Take a look at the following lesson for information about ACLs on ASAs for permitting traffic from lower security level to higher security level interfaces.

An excellent tool to use for troubleshooting on the ASA is the Packet Tracer feature. It can be used to see detailed actions that an ASA takes on particular packets and why. For more info on this feature, take a look at the Packet Tracer section of this lesson:

Let us know how your troubleshooting is coming along!

I hope this has been helpful!