VPN/IPSec L2L - Question?!

Answered Question
Jan 28th, 2008

Hi!

I was recently doing some troubleshooting on a VPN/IPSec Lan-to-Lan connection between a Cisco PIX515E and a Linux firewall. My question is regarding the configuration and not the problem itself.

The interesting traffic (traffic to be encrypted) defined and configured is the local PIX LAN (inside) and the remote public IP?! Which means that the IKE peer and the remote interesting IP/LAN are the same... and it works!!!

Any ideas?

Thanks,

JP

Correct Answer by ajagadee about 8 years 12 months ago

As long as you source the packet from the PIX LAN to the remote public IP, the tunnel will work fine and is working :-)

So, if you really look at the flow of traffic, you are sourcing the traffic from the PIX LAN destined to the remote public IP, which matches the access-list defined. So, the PIX knows that it has to encrypt the traffic and now looks for the crypto endpoints (PIX outside IP to remote public IP) and sends the encrypted packets. So, this setup will work fine.

In fact, the PIX will not allow telnet to the outside interface of the PIX unless the traffic comes through an IPSec tunnel, and this was one of the setups that gave telnet access to the outside interface of the PIX, that is LAN to public IP of the PIX across an IPSec tunnel.

Regards,

Arul

** Please rate all helpful posts **
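The flow Arul describes (crypto ACL decides whether a packet is "interesting", then the matching crypto map entry supplies the IKE peer, and the remote side must hold the mirror-image ACL) can be walked through with a small simulator. The following Python is an added example, not code from the original thread or from Cisco; the addresses (inside LAN 192.168.1.0/24, remote public IP 203.0.113.5) are constructed stand-ins for the PIX and Linux firewall in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# One "access-list <name> permit ip <src> <mask> <dst> <mask>" line of a crypto ACL.
@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

# One "crypto map <name> <seq> ipsec-isakmp" entry: its "match address" ACL and "set peer".
@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int
    match_address: Tuple[AclEntry, ...]
    peer: ipaddress.IPv4Address


def acl(*pairs: Tuple[str, str]) -> Tuple[AclEntry, ...]:
    """Build a crypto ACL from (source, destination) prefixes in CIDR notation."""
    return tuple(AclEntry(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in pairs)


def matches_acl(entries: Tuple[AclEntry, ...], src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> bool:
    """First-match semantics: the packet is interesting if any permit line covers src AND dst."""
    return any(src in e.src and dst in e.dst for e in entries)


def select_tunnel(crypto_map: Tuple[CryptoMapEntry, ...], src: str, dst: str) -> Optional[str]:
    """Return the IKE peer that will carry this packet, or None if it is sent in the clear.

    Mirrors the PIX behaviour from the answer: walk crypto map entries in sequence order,
    the first entry whose crypto ACL matches the packet supplies the peer (tunnel endpoint).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if matches_acl(entry.match_address, s, d):
            return str(entry.peer)
    return None


def is_mirror(local: Tuple[AclEntry, ...], remote: Tuple[AclEntry, ...]) -> bool:
    """Check that the remote crypto ACL is the exact mirror image of the local one.

    A non-mirrored ACL is the usual cause of an SA that comes up in one direction
    and fails (or proxy-ID mismatch) when the other side initiates.
    """
    return {(e.src, e.dst) for e in local} == {(e.dst, e.src) for e in remote}


# Constructed topology: PIX inside LAN and the Linux firewall's public address.
# The remote "protected network" is the IKE peer itself, exactly as in the question.
PIX_LAN = "192.168.1.0/24"
REMOTE_PUBLIC_IP = "203.0.113.5"

# access-list vpn permit ip 192.168.1.0 255.255.255.0 host 203.0.113.5
LOCAL_ACL = acl((PIX_LAN, REMOTE_PUBLIC_IP + "/32"))
# The Linux side must carry the mirror: host 203.0.113.5 -> 192.168.1.0/24
REMOTE_ACL = acl((REMOTE_PUBLIC_IP + "/32", PIX_LAN))

# crypto map mymap 10 ipsec-isakmp / match address vpn / set peer 203.0.113.5
PIX_CRYPTO_MAP = (CryptoMapEntry(10, LOCAL_ACL, ipaddress.ip_address(REMOTE_PUBLIC_IP)),)


if __name__ == "__main__":
    # Inside host to the remote public IP: interesting, encrypted to the peer 203.0.113.5.
    print(select_tunnel(PIX_CRYPTO_MAP, "192.168.1.10", REMOTE_PUBLIC_IP))
    # Inside host to some other Internet address: not interesting, goes in the clear.
    print(select_tunnel(PIX_CRYPTO_MAP, "192.168.1.10", "198.51.100.7"))
    # Traffic from a subnet not in the ACL, even toward the peer: not interesting.
    print(select_tunnel(PIX_CRYPTO_MAP, "10.9.9.9", REMOTE_PUBLIC_IP))
    print(is_mirror(LOCAL_ACL, REMOTE_ACL))
```

The point the simulation makes is that the peer address appearing inside the crypto ACL is irrelevant to the match itself: the ACL only classifies the inner packet, and the outer ESP packet is addressed to whatever "set peer" names, which here happens to be the same host. The `is_mirror` check is the one a practitioner would run first when such a tunnel only comes up from one side.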

