
Adding multiple subnets in a VPN tunnel

0 votes
Hi there

I have a working VPN tunnel between a Digi Transport router (Site A) and Cisco ASA. On the other side of the ASA there is another VPN tunnel (Site B) which also needs access to Site A.

Currently, on the ASA, I'm seeing no encrypted traffic and it seems as though the Digi doesn't know what to do with incoming traffic from that tunnel.

Would it be possible to have one tunnel on the Digi, but containing two separate peers (ASA and Site B) and two LAN subnets (Site A and Site B)?

Thanks in advance.
asked Feb 26 in Digi TransPort Cellular by balchana New to the Community (2 points)


2 Answers

0 votes
Hi, it's not something I have done, but I would think you need IKEv2 to support multiple subnets.

Are you passing the second site inside the first tunnel? You could pass the second tunnel inside the first, as there is an option for IPsec in IPsec, but you should use 2 IPsec eroutes.
answered Feb 27 by James.Wilson Veteran of the Digi Community (1,225 points)
Thanks for the reply, James. I will experiment with IKEv2 and see how that goes. Just one question: what would the Remote subnet be in the VPN configuration page?

My setup is as follows:

Site A 10.20.4.0 /24 has a VPN tunnel to HQ
Site B 192.168.142.0 /24 has a VPN tunnel to HQ
HQ is a Cisco ASA - inside interface 10.99.6.141

So, I have the local subnet on the Digi (at Site A) set as 10.20.4.0 /24. The remote subnet is currently blank - is this right?
The setting for the remote network would have to cover the 2 networks; in this case you would be better off using 0.0.0.0, but this might only work if the TransPort is working as the responder.

Otherwise I would normally use 2 eroutes, as they are 2 destinations.
Thanks James, I will see how it goes adding the eroutes. Would I be right in thinking these are static routes?
Sorry. Ignore my previous comment about static routes. As you can tell I am new to Digi Transport configurations :(
Hi James, hope you're well. One final question about this. I've been looking at the Digi Transport Event Log and see an Invalid ID error:

10:19:51, 05 Mar 2019,(13431) IKE Notification: Invalid ID Information,RX
10:19:42, 05 Mar 2019,IKE Request Received From Eroute 1
10:19:41, 05 Mar 2019,(13430) IKE Notification: Invalid ID Information,RX
10:19:32, 05 Mar 2019,IKE Request Received From Eroute 1
10:19:31, 05 Mar 2019,(13429) IKE Notification: Invalid ID Information,RX
10:19:31, 05 Mar 2019,(13428) IKE Notification: Responder Lifetime,RX
10:19:31, 05 Mar 2019,(13427) New Phase 2 IKE Session 195.12.22.33,Initiator

Does this mean that the Cisco ASA is routing traffic to the Digi Transport that it does not know about?
Hi

The request received from eroute 1 is normally the router trying to raise the eroute; the next line is saying that the ID is either the wrong type or incorrect.

You should switch on the IKE/IPsec tracing and see what is in there.

regards
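The event-log excerpt above shows the pattern a practitioner looks for when a tunnel fails at Phase 2: this router initiates a Phase 2 session, keeps retrying from eroute 1, and each time the peer answers with "Invalid ID Information". In IKEv1 Quick Mode the ID payloads are the traffic selectors (the eroute's local and remote subnets), so a peer that returns this notify is rejecting the subnets offered, not the keys. The following Python script is an added example, not code from the thread or from Digi: it parses the seven lines balchana posted (embedded verbatim as constructed sample input, newest-first as the TransPort writes them), re-orders them chronologically, and attributes each Invalid ID notify to the Phase 2 peer and the eroute the router was raising. The regexes are written against the quoted line format only; the 60-second correlation window and the dataclass names are this example's assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Line format of the TransPort event log as quoted in the thread:
#   "HH:MM:SS, DD Mon YYYY,(seq) message,direction"
# where "(seq) " and ",direction" are optional.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d), (?P<date>\d\d \w{3} \d{4}),"
    r"(?:\((?P<seq>\d+)\) )?(?P<msg>.+?)(?:,(?P<dir>RX|TX|Initiator|Responder))?$"
)
PHASE2_RE = re.compile(r"^New Phase 2 IKE Session (?P<peer>[\d.]+)$")
EROUTE_RE = re.compile(r"^IKE Request Received From Eroute (?P<eroute>\d+)$")
INVALID_ID = "IKE Notification: Invalid ID Information"

# Constructed sample input: the seven lines posted in the thread, verbatim
# (the TransPort logs newest-first).
SAMPLE_LOG = """\
10:19:51, 05 Mar 2019,(13431) IKE Notification: Invalid ID Information,RX
10:19:42, 05 Mar 2019,IKE Request Received From Eroute 1
10:19:41, 05 Mar 2019,(13430) IKE Notification: Invalid ID Information,RX
10:19:32, 05 Mar 2019,IKE Request Received From Eroute 1
10:19:31, 05 Mar 2019,(13429) IKE Notification: Invalid ID Information,RX
10:19:31, 05 Mar 2019,(13428) IKE Notification: Responder Lifetime,RX
10:19:31, 05 Mar 2019,(13427) New Phase 2 IKE Session 195.12.22.33,Initiator
"""

# Constructed subset of the same lines with the Invalid ID notifies removed,
# used only to exercise the non-alerting path (not a real successful exchange).
BENIGN_LOG = """\
10:19:31, 05 Mar 2019,(13428) IKE Notification: Responder Lifetime,RX
10:19:31, 05 Mar 2019,(13427) New Phase 2 IKE Session 195.12.22.33,Initiator
"""


@dataclass
class Event:
    ts: datetime
    msg: str
    direction: Optional[str]
    seq: Optional[str]


@dataclass
class Finding:
    peer: str              # Phase 2 peer that rejected our IDs
    eroute: Optional[int]  # eroute being raised, if logged before the notify
    lag_s: float           # seconds after our Phase 2 initiation


def parse_events(log_text: str) -> List[Event]:
    """Parse log lines into Events, oldest first (stable for equal timestamps)."""
    events: List[Event] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line; ignored in this example
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%d %b %Y %H:%M:%S")
        events.append(Event(ts, m["msg"], m["dir"], m["seq"]))
    events.reverse()                 # the file is newest-first
    events.sort(key=lambda e: e.ts)  # stable sort keeps file order within a second
    return events


def find_selector_mismatches(log_text: str, window_s: int = 60) -> List[Finding]:
    """Flag Invalid ID Information notifies received within window_s of a
    Phase 2 that this router initiated. In IKEv1 Quick Mode the IDs are the
    traffic selectors, so this pattern means the peer's policy does not accept
    the local/remote subnets the eroute offered."""
    findings: List[Finding] = []
    peer: Optional[str] = None
    started: Optional[datetime] = None
    eroute: Optional[int] = None
    for ev in parse_events(log_text):
        if (m := PHASE2_RE.match(ev.msg)) and ev.direction == "Initiator":
            peer, started, eroute = m["peer"], ev.ts, None
        elif m := EROUTE_RE.match(ev.msg):
            eroute = int(m["eroute"])
        elif ev.msg == INVALID_ID and ev.direction == "RX" and started is not None:
            lag = (ev.ts - started).total_seconds()
            if lag <= window_s:
                findings.append(Finding(peer, eroute, lag))
    return findings


if __name__ == "__main__":
    for f in find_selector_mismatches(SAMPLE_LOG):
        print(f"peer {f.peer} rejected our Phase 2 IDs {f.lag_s:.0f}s after "
              f"initiation (eroute {f.eroute})")
```

Run against the posted excerpt it reports three rejections from 195.12.22.33 at 0, 10 and 20 seconds after initiation; the first one cannot be tied to an eroute because the "IKE Request Received From Eroute 1" line only appears after it. A finding like this is the cue to compare the eroute's local/remote subnets with the peer's crypto ACL before touching anything else, which is what the tracing James suggests will show in detail.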
0 votes
Hi balchana

Did you ever figure this out?

I'm trying to configure the below, but only get traffic through eroute 0 even though both SAs initiate correctly.

Digi Transport has 192.168.0.254 on ETH 0 and 172.16.0.0/24 is on a remote device
Traffic passes out on ETH0 from 172..., but nothing comes back.

eroute 0 192.168.0.1/32 - 172.16.0.0/24
eroute 1 192.168.0.5/32 - 172.16.0.0/24

//Johan
answered Apr 3 by JohanF New to the Community (10 points)
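Both threads above come down to traffic selectors: which eroute a packet falls into, and whether the selectors the TransPort offers are ones the peer will accept. The Python below is an added example, not the forum's or Digi's code, that models an eroute as a (local, remote) subnet pair and checks three things: first-match dispatch for outbound and inbound packets (assumed: eroutes are consulted in numeric order, eroute 0 first), whether a peer's policy is the exact mirror of ours as IKEv1 Quick Mode requires, and whether the two overlap enough for an IKEv2 responder to narrow them (RFC 7296 section 2.9). The three configurations are taken from the thread; the HQ inside subnet is assumed to be 10.99.6.0/24 from the interface address 10.99.6.141, and the ASA-side ACL entries used as peer policy are assumptions, since the thread only describes the ASA as "HQ".

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Eroute:
    """One TransPort eroute reduced to its IPsec traffic selectors."""
    local: IPv4Network   # our protected subnet
    remote: IPv4Network  # peer's protected subnet (0.0.0.0/0 = anything)


def er(local: str, remote: str) -> Eroute:
    return Eroute(ip_network(local), ip_network(remote))


def match_outbound(eroutes: List[Eroute], src: str, dst: str) -> Optional[int]:
    """Index of the first eroute covering a packet leaving our LAN
    (assumed first-match in numeric order), or None if it stays in the clear."""
    s, d = ip_address(src), ip_address(dst)
    for i, e in enumerate(eroutes):
        if s in e.local and d in e.remote:
            return i
    return None


def match_inbound(eroutes: List[Eroute], src: str, dst: str) -> Optional[int]:
    """Same check for a decrypted packet arriving from the peer."""
    s, d = ip_address(src), ip_address(dst)
    for i, e in enumerate(eroutes):
        if s in e.remote and d in e.local:
            return i
    return None


def mirrors(ours: Eroute, peer_local: str, peer_remote: str) -> bool:
    """IKEv1 Quick Mode: the peer's (local, remote) pair, e.g. the source and
    destination of a crypto ACL entry, must exactly mirror our selectors;
    otherwise the responder replies with INVALID-ID-INFORMATION."""
    return (ours.local == ip_network(peer_remote)
            and ours.remote == ip_network(peer_local))


def ikev2_narrowable(ours: Eroute, peer_local: str, peer_remote: str) -> bool:
    """IKEv2: the responder may narrow the proposed selectors, so the exchange
    can succeed whenever both directions merely overlap."""
    return (ours.local.overlaps(ip_network(peer_remote))
            and ours.remote.overlaps(ip_network(peer_local)))


# Site A from the thread with the remote set to 0.0.0.0 as suggested.
SITE_A_ANY = [er("10.20.4.0/24", "0.0.0.0/0")]

# Site A with one eroute per destination (HQ inside subnet assumed /24).
SITE_A_TWO = [er("10.20.4.0/24", "192.168.142.0/24"),
              er("10.20.4.0/24", "10.99.6.0/24")]

# Assumed ASA-side policy for the Site A tunnel carrying Site B's subnet.
ASA_ACL_LOCAL, ASA_ACL_REMOTE = "192.168.142.0/24", "10.20.4.0/24"

# Johan's two eroutes, verbatim.
JOHAN = [er("192.168.0.1/32", "172.16.0.0/24"),
         er("192.168.0.5/32", "172.16.0.0/24")]


if __name__ == "__main__":
    print("Site A any -> Internet host:", match_outbound(SITE_A_ANY, "10.20.4.10", "8.8.8.8"))
    print("Site A any mirrors ASA ACL:", mirrors(SITE_A_ANY[0], ASA_ACL_LOCAL, ASA_ACL_REMOTE))
    print("Site A any IKEv2 narrowable:", ikev2_narrowable(SITE_A_ANY[0], ASA_ACL_LOCAL, ASA_ACL_REMOTE))
    print("Site A two -> HQ host:", match_outbound(SITE_A_TWO, "10.20.4.10", "10.99.6.141"))
    print("Johan return to .254:", match_inbound(JOHAN, "172.16.0.7", "192.168.0.254"))
```

Two points worth reading off the model. A 0.0.0.0/0 remote selector also captures traffic from 10.20.4.0/24 to the Internet, so everything is pushed into the tunnel, and as initiator the TransPort offers (10.20.4.0/24, 0.0.0.0/0) as its IDs, which an IKEv1 peer with an exact ACL entry rejects; only when the peer initiates with its own narrower selectors does the wildcard side accept them, which is the responder-only caveat James raises. The two-eroute layout mirrors the ACL entry exactly and leaves Internet traffic out of the tunnel. For Johan's configuration, the per-host local selectors cover return traffic to 192.168.0.1 and 192.168.0.5 but not to any other address on ETH 0, including the router's own 192.168.0.254.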
...