Route internet traffic via IPSec VPN

Unanswered Question
May 18th, 2010
User Badges:


/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin-top:0cm; mso-para-margin-right:0cm; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0cm; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi; mso-fareast-language:EN-US;}

Hi,

I have just configured an IPSEC VPN between our head office and one of our remote offices. The main purpose of this VPN is to route ALL traffic from the remote office via our head office and then on to the internet. This way we can control all traffic originating from the remote office from our firewall in the main office. However, this is only a temporary solution and we will eventually be installing a separate firewall in the remote office.


The problem I’m facing is that I cannot seem to find any information related to our setup. From what I understand IPSEC is mainly used to connect two offices, not used to route all traffic over it. The second problem I’m facing is that at the moment my two offices are using different subnets. At the remote office I have one subnet of 10.166.73.0/27 and at my main office I use 192.168.0.0/24. I was hoping to be able to use the same subnet at the remote office as I do in my main office. The reason I want to do this is because I have a “Captive portal” located at my main office. This “Captive portal” will only work in NAT-mode so I would like to use my router at the main office as a DHCP server for both offices.


At the moment my access-lists looks like this;
Main office: permit ip 192.168.0.0 0.0.0.255 10.166.73.0 0.0.0.31

Remote office: permit ip 10.166.73.0 0.0.0.31 192.168.0.0 0.0.0.255


I was hoping to change the access-list on the remote office router to;

permit ip 10.166.73.0 0.0.0.31 0.0.0.0 0.0.0.0

in order to force all traffic over the VPN. Will this work or do I need to match that access-list on router in the main office?


Hopefully this makes sense!


Thanks

Marcus

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Tue, 05/18/2010 - 23:40
User Badges:
  • Cisco Employee,

You can definitely change the crypto ACL to between subnet specific, to any. However you would need to change the ACL on both end as follows:


Main office: permit  ip any 10.166.73.0 0.0.0.31

Remote office: permit ip  10.166.73.0 0.0.0.31 any


However, you can not have the same local subnet on your main office LAN and your remote office LAN. Each subnet needs to be unique as VPN is L3.


Hope that helps.

Marcus.Jansson Tue, 05/18/2010 - 23:51
User Badges:

Thanks for that!

However it doesn't really solve my issues. I suspected that I would have to change my access-lists on both sides and that's fine but how do I specify that traffic originating from 192.168.0.0/24 destined for the "internet" does not go towards 10.166.73.0/27?

Can I use static routes in my main office to tell the router where the packets coming from the VPN should go?

Jennifer Halim Tue, 05/18/2010 - 23:58
User Badges:
  • Cisco Employee,

Traffic towards the internet from 192.168.0.0/24 will not be affected because the crypto ACL is only going towards the 10.166.73.0/27 subnet. The 192.168.0.0/24 will be included in the "any" in your crypto ACL. So traffic from 192.168.0.0/24 towards 10.166.73.0/27 will be encrypted, and towards the Internet will go out as per normal routing.

Actions

This Discussion

Related Content