I have a working VPN tunnel between a Digi Transport router (Site A) and Cisco ASA. On the other side of the ASA there is another VPN tunnel (Site B) which also needs access to Site A.
Currently, on the ASA, I’m seeing no encrypted traffic and it seems as though the Digi doesn’t know what to do with incoming traffic from that tunnel.
Would it be possible to have one tunnel on the Digi, but containing two separate peers (ASA and Site B) and two LAN subnets (Site A and Site B)
Thanks in advance.
Hi its not something i have done but you i would think need to ikev2 to support mulitple subnets.
are you passing the second site inside the first tunnel as you could pass the second tunnel there is a option for ipsec in ipsec. but you sould use 2 ipsec eroutes.
Thanks for the reply James, I will experiment with ikev2 and see how that goes. Just one question, what would the Remote subnet be in the VPN configuration page?
My setup is as follows:
Site A 10.20.4.0 /24 has a VPN tunnel to HQ
Site B 192.168.142.0 /24 has a VPN tunnel to HQ
HQ is a Cisco ASA - inside interface 10.99.6.141
So, I have the local subnet on the Digi (at Site A) set as 10.20.4.0 /24. The remote subnet is currently blank - is this right?
the setting for the remote network would have to cover the 2 networks in this case you would be better off using 0.0.0.0 but this might only work it the transport is working as the responder.
else i would normaly use 2 eroutes as they are 2 destinations.
Thank James, I will see how it goes adding the eroutes. Would I be right in thinking these are static routes?
Sorry. Ignore my previous comment about static routes. As you can tell I am new to Digi Transport configurations
Hi James, hope you’re well. One final question about this. I’ve been looking at the Digi Transport Event Log and see an Invalid ID error:
10:19:51, 05 Mar 2019,(13431) IKE Notification: Invalid ID Information,RX
10:19:42, 05 Mar 2019,IKE Request Received From Eroute 1
10:19:41, 05 Mar 2019,(13430) IKE Notification: Invalid ID Information,RX
10:19:32, 05 Mar 2019,IKE Request Received From Eroute 1
10:19:31, 05 Mar 2019,(13429) IKE Notification: Invalid ID Information,RX
10:19:31, 05 Mar 2019,(13428) IKE Notification: Responder Lifetime,RX
10:19:31, 05 Mar 2019,(13427) New Phase 2 IKE Session 220.127.116.11,Initiator
Does this mean that the Cisco ASA is routing traffic to the Digi Transport that it does not know about?
The request received from eroute 1 is normaly the router is trying to raise the eroute the next is saying that the ID is either the wrong type or incorect
you should switch on the ike/ipsec traceing and see what is in there.
Did you ever figure this out?
I’m trying to configure below but only get traffic through eroute 0 even though both SA:s initiate correctly.
Digi Transport has 192.168.0.254 on ETH 0 and 172.16.0.0/24 is on a remote device
Traffic passes out on ETH0 from 172… but nothing coming back.
eroute 0 192.168.0.1/32 - 172.16.0.0/24
eroute 1 192.168.0.5/32 - 172.16.0.0/24