2 VPN tunnels on 1 cisco router interconnect (proxy VPN)

Unanswered Question

Hello,

I am trying to interconnect 2 site-to-site IPsec VPN tunnels on 1 router. I can reach both networks from the testing PC, but I can't imagine how to connect the local LANs from the 2 VPN tunnels together. At the locations there are low-end routers, in which you cannot set ACLs.

Thank you for your help

Attachment: Help.jpg

CISCO help

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXX address central
crypto isakmp key address location1 no-xauth
crypto isakmp keepalive 10 5 periodic
!
crypto isakmp client configuration group xxx
 key xxx
 pool vpnclientpool
 acl 180
 include-local-lan
!
crypto isakmp peer address central
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 300
 set transform-set 1cisco
!
crypto map WAN client authentication list userauthen
crypto map WAN isakmp authorization list groupauthor
crypto map WAN client configuration address respond
!
crypto map WAN 100 ipsec-isakmp
 set peer central
 set transform-set vpn-transform
 set pfs group2
 match address 111
crypto map WAN 200 ipsec-isakmp
 set peer location1
 set transform-set 1cisco
 set pfs group2
 match address 175
crypto map WAN 300 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description LAN
 ip address 172.30.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN
 ip address XXX
 ip nat outside
 crypto map WAN
!
ip local pool vpnclientpool 172.30.1.100 172.30.1.120
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
ip access-list extended LOCAL
 deny   ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
 deny   ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
 deny   ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
 permit ip 172.30.0.0 0.0.255.255 any
!
logging trap debugging
access-list 111 permit ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 175 permit ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
access-list 180 permit ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 180 permit ip 172.30.2.0 0.0.0.255 172.30.1.0 0.0.0.255

Jennifer Halim Thu, 09/09/2010 - 04:18

You would need to add the following ACL entries accordingly:

access-list 111 permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 175 permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255

You would also need to configure the mirror-image ACL on each site:

Central: permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255
Location 1: permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255

Hope that helps.
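To see which direction of a location1-to-central flow each crypto ACL on the hub covers, before and after the two entries suggested above, here is an added Python model of IOS wildcard-mask matching and first-match crypto map lookup (example code, not from the thread or from Cisco). It models only crypto ACL classification on the hub router, ignoring NAT and routing; the crypto ACLs are the ones posted in the thread and the two host addresses are constructed.

```python
import ipaddress

# An ACE is (src_net, src_wildcard, dst_net, dst_wildcard), as in the posted ACLs.
def wildcard_match(addr, net, wild):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return ((a & ~w) & 0xFFFFFFFF) == ((n & ~w) & 0xFFFFFFFF)

def ace_matches(ace, src, dst):
    s_net, s_wild, d_net, d_wild = ace
    return wildcard_match(src, s_net, s_wild) and wildcard_match(dst, d_net, d_wild)

def crypto_map_entry(crypto_map, src, dst):
    """Crypto map sequences are evaluated in ascending order; first match wins."""
    for seq, aces in crypto_map:
        if any(ace_matches(ace, src, dst) for ace in aces):
            return seq
    return None

def mirror(aces):
    """The crypto ACL the remote peer needs: source and destination swapped."""
    return [(d_net, d_wild, s_net, s_wild) for s_net, s_wild, d_net, d_wild in aces]

def hairpin_check(crypto_map, src, dst):
    """A spoke-to-spoke flow only works if the hub re-encrypts BOTH directions.
    Returns (sequence for src->dst, sequence for dst->src, both_covered)."""
    fwd = crypto_map_entry(crypto_map, src, dst)
    rev = crypto_map_entry(crypto_map, dst, src)
    return fwd, rev, (fwd is not None and rev is not None)

# Crypto ACLs as posted: seq 100 -> ACL 111 (central), seq 200 -> ACL 175 (location1).
ACL_111 = [("172.30.0.0", "0.0.255.255", "192.168.100.0", "0.0.0.255")]
ACL_175 = [("172.30.0.0", "0.0.0.255", "172.30.2.0", "0.0.0.255")]
ORIGINAL = [(100, ACL_111), (200, ACL_175)]

# The two entries suggested in the answer above.
ADD_111 = ("172.30.2.0", "0.0.0.255", "192.168.100.0", "0.0.0.255")
ADD_175 = ("192.168.100.0", "0.0.0.255", "172.30.2.0", "0.0.0.255")
AMENDED = [(100, ACL_111 + [ADD_111]), (200, ACL_175 + [ADD_175])]

if __name__ == "__main__":
    # Constructed hosts: one in location1's LAN, one in central's LAN.
    for name, cmap in (("original", ORIGINAL), ("amended", AMENDED)):
        print(name, hairpin_check(cmap, "172.30.2.10", "192.168.100.5"))
    print("location1 needs (mirror of ACL 175):", mirror(AMENDED[1][1]))
```

Running it shows that the return direction (central LAN to location1 LAN) is the one no posted crypto ACL selects, so the hub drops or plaintext-routes it until ACL 175 is extended and the peers carry the mirror image.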

Hello,

Thank you for your help. Now the ACLs look like this:

ip access-list extended LOCAL
 deny   ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
 deny   ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
 deny   ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
 permit ip 172.30.0.0 0.0.255.255 any
!
access-list 111 permit ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 111 permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 175 permit ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
access-list 175 permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255

access-list 180 permit ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 180 permit ip 172.30.2.0 0.0.0.255 172.30.1.0 0.0.0.255

On central there is: permit 192.168.100.0 0.0.0.255 172.30.0.0 0.0.255.255

But the problem is on location1: this is a low-end router without ACLs. In the GUI I can set only 1 local subnet/netmask and 1 remote local subnet/netmask.

Static routing can be configured on the D-Link.

John Gelten Sat, 09/11/2010 - 08:53

It might be possible to use the supernet 172.30.0.0/16 in your ACLs. Normally I would prefer not to do that, because

  • in the Cisco 1841 it creates overlap that could lead to unexpected behaviour
  • the DLink might not accept that the local subnet (172.30.x.0/24) is part of the remote subnet (172.30.0.0/16)

And even if this approach does not create problems and actually solves your problem, another problem is that the central site that hosts your server is not within the 172.30.0.0/16 range; you should renumber this site.

ACLs 175 and 180 would look like this:

access-list 175 permit ip 172.30.0.0 0.0.255.255 172.30.2.0 0.0.0.255
access-list 180 permit ip 172.30.0.0 0.0.255.255 172.30.1.0 0.0.0.255

When you have altered the above two ACLs, there should be communication between those two 'remote location' sites. Your next step is to get connectivity to the central site.

Not a perfect solution at all, but I think it is your only chance to get it working if the remote routers only support one 'remote subnet' in the VPN configuration.
