Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3383
Views
0
Helpful
3
Replies

Route internet traffic via IPSec VPN

Marcus.Jansson
Level 1
Level 1

‎05-18-2010 09:18 PM - edited ‎02-21-2020 04:39 PM

Hi,

I have just configured an IPSEC VPN between our head office and one of our remote offices. The main purpose of this VPN is to route ALL traffic from the remote office via our head office and then on to the internet. This way we can control all traffic originating from the remote office from our firewall in the main office. However, this is only a temporary solution and we will eventually be installing a separate firewall in the remote office.


The problem I’m facing is that I cannot seem to find any information related to our setup. From what I understand IPSEC is mainly used to connect two offices, not used to route all traffic over it. The second problem I’m facing is that at the moment my two offices are using different subnets. At the remote office I have one subnet of 10.166.73.0/27 and at my main office I use 192.168.0.0/24. I was hoping to be able to use the same subnet at the remote office as I do in my main office. The reason I want to do this is because I have a “Captive portal” located at my main office. This “Captive portal” will only work in NAT-mode so I would like to use my router at the main office as a DHCP server for both offices.


At the moment my access-lists looks like this;
Main office: permit ip 192.168.0.0 0.0.0.255 10.166.73.0 0.0.0.31

Remote office: permit ip 10.166.73.0 0.0.0.31 192.168.0.0 0.0.0.255


I was hoping to change the access-list on the remote office router to;

permit ip 10.166.73.0 0.0.0.31 0.0.0.0 0.0.0.0

in order to force all traffic over the VPN. Will this work or do I need to match that access-list on router in the main office?


Hopefully this makes sense!


Thanks

Marcus

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎05-18-2010 11:40 PM

You can definitely change the crypto ACL to between subnet specific, to any. However you would need to change the ACL on both end as follows:

Main office: permit  ip any 10.166.73.0 0.0.0.31

Remote office: permit ip  10.166.73.0 0.0.0.31 any

However, you can not have the same local subnet on your main office LAN and your remote office LAN. Each subnet needs to be unique as VPN is L3.

Hope that helps.

0 Helpful

Marcus.Jansson
Level 1
Level 1
In response to Jennifer Halim

‎05-18-2010 11:51 PM

Thanks for that!

However it doesn't really solve my issues. I suspected that I would have to change my access-lists on both sides and that's fine but how do I specify that traffic originating from 192.168.0.0/24 destined for the "internet" does not go towards 10.166.73.0/27?

Can I use static routes in my main office to tell the router where the packets coming from the VPN should go?

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to Marcus.Jansson

‎05-18-2010 11:58 PM

Traffic towards the internet from 192.168.0.0/24 will not be affected because the crypto ACL is only going towards the 10.166.73.0/27 subnet. The 192.168.0.0/24 will be included in the "any" in your crypto ACL. So traffic from 192.168.0.0/24 towards 10.166.73.0/27 will be encrypted, and towards the Internet will go out as per normal routing.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents