08-13-2008 05:28 PM
Hi,
I have an 1841 router in site-A that is connected to site-B (Fortinet FW) via L2L VPN over the internet. If a remote-access user would connect to site-A, via RA VPN over the internet, would he be able to connect to site-B as well? Is this also possible if I have an ASA FW instead of an 1841 router?
Thanks! :)
08-13-2008 06:59 PM
Yup, should work. This is an ASA example:
Regards
Farrukh
08-13-2008 07:44 PM
Neat! Thanks for this. And would really appreciate if you could send a link for a sample config of Cisco1841 for this setup.
Thanks very much! :)
08-14-2008 12:50 AM
For IOS this is the only link I know of; you will have to modify it based on the ASA link:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080093dc8.shtml
Regards
Farrukh
08-14-2008 06:33 PM
Hi,
Thanks for this. I'll just have to test it first. Btw, there won't be any issues if the other FW is Fortinet, right?
Thanks again,
Patricia
08-15-2008 03:39 AM
If you can form a regular L2L VPN with the Fortinet (which can sometimes be tricky), then the spoke-to-spoke should be OK as well. The real intelligence lies in the hub device in such a setup.
Regards
Farrukh
08-20-2008 02:11 PM
Hi,
I have tried to test this setup, unfortunately, to no success. :(
The L2L and remote-access connections are OK. But if the VPN client tries to connect to the spoke network, it doesn't work. When I check "crypto ipsec sa", there's no SPI for this connection. Would you know the possible reasons for this?
Thanks!
08-20-2008 06:39 PM
I would have to look at your configuration to comment on that. Make sure that the spoke-to-client traffic is included in your crypto ACL, NAT exemption, etc.
Regards
Farrukh
08-20-2008 07:06 PM
08-20-2008 08:52 PM
Hi Farrukh,
I'm also attaching the debug of my L2L VPN connection. From the ASA, it has an error of "Removing peer from correlator table failed, no match!". I've checked all the attributes and ACLs, and still I can't find any differences in the config.
Thanks!
08-20-2008 08:53 PM
08-21-2008 12:35 AM
Why have you enabled PFS on one side and not the other?
Regards
Farrukh
08-21-2008 12:16 PM
How would I enable PFS on the 1841?
Thanks!
08-21-2008 12:23 PM
If it's supported, then it would be the same as on the ASA (under the crypto map configuration).
Regards
Farrukh
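To tie together the two points Farrukh raised (the crypto ACL and NAT exemption must cover client-to-spoke traffic, and PFS lives under the crypto map entry), here is an IOS configuration sketch for the 1841 acting as hub. This is an added example, not a config from this thread or from the Cisco document linked above; all addresses, names and the peer IP are assumed placeholders (site-A LAN 192.168.1.0/24, Fortinet site-B LAN 192.168.2.0/24, remote-access pool 10.10.10.0/24, Fortinet peer 203.0.113.2, outside interface FastEthernet0/0), and the ISAKMP policy, pre-shared keys and AAA lines are omitted.

```text
! --- Hub 1841 (added example; hypothetical addressing) ---
!
! Transform set shared by the L2L tunnel and the remote-access clients
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! Crypto ACL for the L2L tunnel to site-B. It must list BOTH the hub LAN and the
! remote-access pool as sources; if the pool line is missing, client-to-spoke
! packets never match the tunnel and no SA/SPI is ever negotiated for them.
ip access-list extended L2L-TO-SITE-B
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NAT exemption: VPN-bound flows are denied from the overload rule so their
! source addresses are preserved and still match the crypto ACLs
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list NAT-EXEMPT interface FastEthernet0/0 overload
!
! Remote-access group: the split-tunnel ACL must also include the spoke LAN,
! otherwise the client never sends site-B traffic into the tunnel at all
ip local pool RA-POOL 10.10.10.1 10.10.10.254
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
crypto isakmp client configuration group RA-GROUP
 key <pre-shared-key-placeholder>
 pool RA-POOL
 acl SPLIT-TUNNEL
!
! Static L2L entry. PFS is configured here with "set pfs"; the Fortinet
! phase-2 proposal must use the same setting (on or off, same DH group)
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set ESP-AES-SHA
 set pfs group2
 match address L2L-TO-SITE-B
!
! Dynamic entry for the VPN clients; it must carry the highest sequence number
! so the static L2L entry is evaluated first
crypto dynamic-map RA-DYN 10
 set transform-set ESP-AES-SHA
 reverse-route
crypto map VPN-MAP 65535 ipsec-isakmp dynamic RA-DYN
!
interface FastEthernet0/0
 crypto map VPN-MAP
```

The Fortinet side has to mirror these selectors, i.e. a phase-2 selector from 192.168.2.0/24 to 192.168.1.0/24 and a second one from 192.168.2.0/24 to 10.10.10.0/24 (or a single summary that covers both), with PFS and the DH group matching "set pfs" above. Once it is in place, "show crypto ipsec sa" on the hub should show a separate SA, with its own inbound and outbound SPIs, for the 10.10.10.0/24 to 192.168.2.0/24 pair as soon as a client sends traffic toward site-B. On an ASA the equivalent pieces are the crypto ACL and nat-exemption entries for the pool, "crypto map <name> <seq> set pfs", and "same-security-traffic permit intra-interface" so that client traffic can re-enter the outside interface toward the spoke.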
08-21-2008 01:11 PM
OK, I have configured it now and will test the connection later, as I can't plug the test router into the network yet. Hmm, just wondering if this will solve the issue of the VPN client getting into the spoke network? :)
Thanks!