site-2-site tunnel name (peer IP) must match on both sides?

Answered Question
Dec 11th, 2007

Hi there.

I'm trying to set up some site-2-site VPNs between 3 offices using 3 cisco ASA 5505's.

In the manual for these ASAs, it says that when setting up the connection (I am using ASDM and the easyVPN wizard), when you use a PSK for authentication between the two sites, the tunnel name must be the peer's IP address. Is this correct so far?

Because I always thought that the tunnel names must be identical on each side. So this means that on site one, the tunnel name will be site 2's IP address whilst on site 2, the tunnel will be site 1's IP address. Is this correct? Like I said, I always thought the tunnel names had to match each other.

Also, can anyone tell me if this set up will work.

I have 3 sites which i want to put into a meshed site2site VPN scenario.

So basically I have 3 routers. And on each router there will be 2 site2site tunnels configured (via easyVPN ASDM) for the other 2. Does this sound workable? And if so, will the tunnel names for each connection on each router be the peer IP address?

Greatly appreciate any insight.

Correct Answer
husycisco Wed, 12/12/2007 - 01:32

Hi matthew

Tunnel name mustn't/can't be the same on both sites. Only the peer IP and the tunnel-group must be the same in site A.

Let's say that you will create a VPN between the sites as follows:

A--B--C

Site A interface IP=x.x.x.x

Site B interface IP=y.y.y.y

Site C interface IP=z.z.z.z

So in ASA in site A

tunnel-group y.y.y.y type ipsec-l2l

crypto map xmap 10 set peer y.y.y.y

ASA in site B

tunnel-group x.x.x.x type ipsec-l2l

crypto map xmap 10 set peer x.x.x.x

tunnel-group z.z.z.z type ipsec-l2l

crypto map xmap 20 set peer z.z.z.z

ASA in site C

tunnel-group y.y.y.y type ipsec-l2l

crypto map xmap 10 set peer y.y.y.y

Regards

matthew.elliott Wed, 12/12/2007 - 12:24

Thanks very much. That was a good explanation and cleared a lot of stuff up.

I forgot to ask something in my previous post.

With using the examples shown: the ACL which is applied to the tunnel. Do you assign that ACL permission to access the 'other side's' internal network(s), or do you assign the ACL to access the 'other side's' public IP address (peer IP)?

In the ASA manual it says to 'specify which remote hosts/networks you want to be able to be encrypted through the ipsec tunnel', then it shows an example and the ACL is 'permit any <peer ip>'. And that's it. I thought you would want to be adding the remote site's private network as opposed to its public interface?

Thanks again for clearing this up.

Correct Answer
husycisco Wed, 12/12/2007 - 12:41

You are welcome.

Let's say that your local network is a.a.a.a and the remote network that you have to reach is b.b.b.b.

The match ACL makes traffic from a.a.a.a to b.b.b.b flow through this tunnel. So if any host in a.a.a.a tries to reach address b.b.b.b, traffic will flow through the tunnel. If you don't set this match ACL, traffic will flow through the default route to the outside world and get lost. Since you have nothing to do with the peer IP (you don't want to reach the peer IP of the remote site from your local network through the tunnel), there is no need to add the peer IP.

The common scenario is adding the source and destination networks.

Regards
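The two answers above boil down to three rules per tunnel: the tunnel-group name is the remote peer's public IP (so it differs on each end), the crypto map entry's set peer is that same IP, and the crypto ACL lists the local and remote private networks rather than the peer IP. The script below is an added example, not code from the thread or from Cisco: it generates the per-site ASA CLI for the full three-site mesh the question asked about (going beyond the A--B--C chain in the answer), then checks that every tunnel's two ends mirror each other, which is the check you want before debugging a tunnel that never comes up. The addresses, the LAN ranges, the pre-shared-key placeholders and the ASA 8.2-style command syntax (crypto isakmp, pre-shared-key under ipsec-attributes) are assumptions; substitute your own.

```python
"""Generate ASA ipsec-l2l config for a 3-site full mesh and check both ends mirror."""
import ipaddress
from itertools import combinations

# Constructed example addressing (placeholders, not from the thread): each site has a
# public peer IP on its outside interface and one private LAN behind it.
SITES = {
    "A": {"peer": "203.0.113.1", "lan": "10.1.0.0/24"},
    "B": {"peer": "203.0.113.2", "lan": "10.2.0.0/24"},
    "C": {"peer": "203.0.113.3", "lan": "10.3.0.0/24"},
}

# Hypothetical pre-shared keys, one per site pair; both ends of a pair share it,
# so the lookup key is order-independent.
PSKS = {frozenset(p): "psk-" + "-".join(sorted(p)) for p in combinations(SITES, 2)}


def tunnels_from(local, sites=SITES, psks=PSKS):
    """One entry per remote site describing what `local` must configure."""
    entries = []
    for remote in sorted(sites):
        if remote == local:
            continue
        entries.append({
            "local": local,
            "remote": remote,
            "peer": sites[remote]["peer"],  # tunnel-group name == remote peer IP
            "src": ipaddress.ip_network(sites[local]["lan"]),
            "dst": ipaddress.ip_network(sites[remote]["lan"]),  # remote LAN, not peer IP
            "psk": psks[frozenset((local, remote))],
        })
    return entries


def render_site(local, map_name="xmap"):
    """ASA 8.2-style CLI lines for `local`'s side of every tunnel in the mesh."""
    lines = [
        "crypto isakmp enable outside",
        "crypto isakmp policy 10",
        " authentication pre-share",
        " encryption aes",
        " hash sha",
        " group 2",
        "crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac",
    ]
    for seq, t in enumerate(tunnels_from(local), start=1):
        acl = f"L2L_{t['local']}_to_{t['remote']}"
        lines += [
            f"access-list {acl} extended permit ip "
            f"{t['src'].network_address} {t['src'].netmask} "
            f"{t['dst'].network_address} {t['dst'].netmask}",
            f"tunnel-group {t['peer']} type ipsec-l2l",
            f"tunnel-group {t['peer']} ipsec-attributes",
            f" pre-shared-key {t['psk']}",
            f"crypto map {map_name} {seq * 10} match address {acl}",
            f"crypto map {map_name} {seq * 10} set peer {t['peer']}",
            f"crypto map {map_name} {seq * 10} set transform-set ESP-AES-SHA",
        ]
    lines.append(f"crypto map {map_name} interface outside")
    return lines


def check_mirror(entries_by_site, sites=SITES):
    """Return a list of problems. For each tunnel local->remote, the remote must have
    an entry back to local whose peer is local's public IP, whose crypto ACL is the
    exact mirror (src/dst swapped) and whose PSK is identical; anything else makes
    phase 1 (auth) or phase 2 (proxy-ID) negotiation fail."""
    problems = []
    for local, entries in entries_by_site.items():
        for t in entries:
            back = [r for r in entries_by_site.get(t["remote"], []) if r["remote"] == local]
            if not back:
                problems.append(f"{t['remote']} has no tunnel back to {local}")
                continue
            r = back[0]
            if r["peer"] != sites[local]["peer"]:
                problems.append(f"{t['remote']} peers with {r['peer']}, not {sites[local]['peer']}")
            if (r["src"], r["dst"]) != (t["dst"], t["src"]):
                problems.append(f"ACL {local}->{t['remote']} not mirrored on {t['remote']}: "
                                f"{r['src']}->{r['dst']}, expected {t['dst']}->{t['src']}")
            if r["psk"] != t["psk"]:
                problems.append(f"PSK mismatch between {local} and {t['remote']}")
    return problems


def mesh():
    return {site: tunnels_from(site) for site in SITES}


def broken_mesh():
    """Same mesh, but site C's ACL towards B matches B's public peer IP (the
    manual's 'permit any <peer ip>' reading) instead of B's LAN; the check flags it."""
    m = mesh()
    for t in m["C"]:
        if t["remote"] == "B":
            t["dst"] = ipaddress.ip_network(SITES["B"]["peer"] + "/32")
    return m


if __name__ == "__main__":
    for site in SITES:
        print(f"! ---- ASA at site {site} ----")
        print("\n".join(render_site(site)))
    print("good mesh:", check_mirror(mesh()))
    print("broken mesh:", check_mirror(broken_mesh()))
```

Running it prints three configs in which site A has tunnel-groups 203.0.113.2 and 203.0.113.3 while site B has 203.0.113.1 and 203.0.113.3, i.e. no two sites share a tunnel name for the same link, and the good mesh passes the mirror check while the broken one reports the non-mirrored ACL from both ends of the B-C link.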

matthew.elliott Wed, 12/12/2007 - 12:47

I thought this was the case but was being confused by the ASA manual.

Alas, common sense prevails.

Thanks again, greatly appreciated.
