2 VPN tunnels on 1 cisco router interconnect (proxy VPN)

Sep 9th, 2010

Hello,

I am trying to interconnect two site-to-site IPsec VPN tunnels on one router. I can reach both networks from the testing PC, but I can't imagine how to connect the local LANs of the two VPN tunnels together. At the locations there are low-end routers, in which you cannot set ACLs.

Thank you for your help.


Attachment: Help.jpg




crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXX address central
crypto isakmp key address location1 no-xauth
crypto isakmp keepalive 10 5 periodic
!
! group for remote-access (VPN client) users; ACL 180 is the split-tunnel list
crypto isakmp client configuration group xxx
 key xxx
 pool vpnclientpool
 acl 180
 include-local-lan
!
crypto isakmp peer address central
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 300
 set transform-set 1cisco
!
crypto map WAN client authentication list userauthen
crypto map WAN isakmp authorization list groupauthor
crypto map WAN client configuration address respond
!
! static site-to-site entries: the lowest sequence whose crypto ACL permits a flow wins
crypto map WAN 100 ipsec-isakmp
 set peer central
 set transform-set vpn-transform
 set pfs group2
 match address 111
crypto map WAN 200 ipsec-isakmp
 set peer location1
 set transform-set 1cisco
 set pfs group2
 match address 175
crypto map WAN 300 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description LAN
 ip address 172.30.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN
 ip address XXX
 ip nat outside
 crypto map WAN
!
ip local pool vpnclientpool 172.30.1.100 172.30.1.120
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
! NAT exemption: VPN-bound traffic is denied here so it keeps its private source
! address and can still match a crypto ACL; everything else is PATed to the WAN IP
ip access-list extended LOCAL
 deny   ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
 deny   ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
 deny   ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
 permit ip 172.30.0.0 0.0.255.255 any
!
logging trap debugging
! 111: crypto ACL for central (seq 100); 175: crypto ACL for location1 (seq 200)
access-list 111 permit ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 175 permit ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
! 180: split-tunnel networks pushed to VPN clients in pool 172.30.1.0/24
access-list 180 permit ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 180 permit ip 172.30.2.0 0.0.0.255 172.30.1.0 0.0.0.255

Jennifer Halim (Cisco Employee) Thu, 09/09/2010 - 04:18

You would need to add the following ACL entries accordingly:

access-list 111 permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 175 permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255

You would also need to configure the mirror-image ACL on each site:

Central: permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255
Location 1: permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255

Hope that helps.

petr.hofmann@gm... Fri, 09/10/2010 - 00:49

Hello,

thank you for your help. Now the ACLs look like this:

ip access-list extended LOCAL
 deny   ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
 deny   ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
 deny   ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
 permit ip 172.30.0.0 0.0.255.255 any
!
access-list 111 permit ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 111 permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255

access-list 175 permit ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
access-list 175 permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255

access-list 180 permit ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 180 permit ip 172.30.2.0 0.0.0.255 172.30.1.0 0.0.0.255

On central there is: permit 192.168.100.0 0.0.0.255 172.30.0.0 0.0.255.255

But the problem is on location1: this is a low-end router without ACLs. In the GUI I can set only one local subnet/netmask and one remote subnet/netmask.

Static routing can be configured on the D-Link.

John Gelten Sat, 09/11/2010 - 08:53

It might be possible to use the supernet 172.30.0.0/16 in your ACLs. Normally I would prefer not to do that, because

  • in the Cisco 1841 it creates overlap that could lead to unexpected behaviour
  • the D-Link might not accept that the local subnet (172.30.x.0/24) is part of the remote subnet (172.30.0.0/16)

And even if this approach does not create problems and actually solves your problem, another problem is that the central site that hosts your server is not within the 172.30.0.0/16 range; you should re-number this site.

ACLs 175 and 180 would look like this:

access-list 175 permit ip 172.30.0.0 0.0.255.255 172.30.2.0 0.0.0.255
access-list 180 permit ip 172.30.0.0 0.0.255.255 172.30.1.0 0.0.0.255

When you have altered the above two ACLs, there should be communication between those two 'remote location' sites. Your next step is to get connectivity to the central site.

Not a perfect solution at all, but I think it is your only chance to get it working if the remote routers only support one 'remote subnet' in the VPN configuration.

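The three mechanisms argued over in this thread (the hub picking a crypto map entry by lowest sequence whose crypto ACL permits the flow, the NAT exemption in ACL LOCAL having to deny the flow before the crypto map sees it, and a spoke that can hold only one local/remote pair) are easy to get wrong by inspection, so here is an added, runnable Python model that traces a packet through them. This is not code from the thread or from Cisco: it reuses the subnets posted above, makes up the host addresses, assumes central's policy is the 172.30.0.0/16 mirror the poster reported, and models only the two static site-to-site entries (the dynamic map for VPN clients is left out).

```python
"""Constructed model of the thread's hub-and-spoke IPsec setup: crypto map
selection (lowest sequence whose crypto ACL permits the flow), NAT running
before crypto for inside->outside, and spokes that hold one local/remote
pair. Subnets are the thread's; host addresses are made up for the traces."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address

def wc(addr, wildcard):
    """Cisco 'address wildcard' -> network (contiguous wildcards only)."""
    w = int(ip_address(wildcard))
    if w & (w + 1):                      # 0.0.255.255 = 2**16-1: contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return IPv4Network((addr, 32 - w.bit_length()), strict=False)

@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network

def acl_lookup(acl, src, dst):
    """First match wins, implicit deny at the end, as on IOS."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action
    return "deny"

@dataclass(frozen=True)
class Spoke:
    name: str
    local: IPv4Network                   # the one local subnet the GUI allows
    remote: IPv4Network                  # the one remote subnet

@dataclass(frozen=True)
class Hub:
    lan: IPv4Network                     # FastEthernet0/0, 'ip nat inside'
    nat_acl: tuple                       # ip access-list extended LOCAL
    crypto_map: tuple                    # (seq, peer, crypto ACL), seq order

def overlap_warning(spoke):
    """John Gelten's caveat: the local /24 sitting inside the remote supernet."""
    if spoke.local.subnet_of(spoke.remote):
        return f"{spoke.name}: local {spoke.local} lies inside remote {spoke.remote}"
    return None

def trace(hub, spokes, src, dst, ingress):
    """Follow one packet entering at 'lan' or at a spoke name; returns
    (delivered, steps). Only the static site-to-site entries are modelled."""
    src, dst, steps = ip_address(src), ip_address(dst), []
    if ingress == "lan":                 # inside->outside: NAT runs before crypto
        if acl_lookup(hub.nat_acl, src, dst) == "permit":
            return False, ["PAT rewrites the source to the WAN address; no crypto ACL matches"]
        steps.append("NAT exempt (deny in LOCAL)")
    else:
        s = spokes[ingress]
        if not (src in s.local and dst in s.remote):
            return False, [f"{s.name} never encrypts it: {dst} is outside its remote {s.remote}"]
        seq, _, acl = next(e for e in hub.crypto_map if e[1] == ingress)
        if acl_lookup(acl, dst, src) != "permit":   # inbound check uses the ACL mirrored
            return False, [f"hub drops it: crypto ACL of WAN {seq} does not permit it mirrored"]
        steps.append(f"hub accepts it from {ingress} (WAN {seq})")
        if dst in hub.lan:
            return True, steps + [f"delivered on the hub LAN {hub.lan}"]
    for seq, peer, acl in hub.crypto_map:            # lowest sequence that permits wins
        if acl_lookup(acl, src, dst) == "permit":
            steps.append(f"crypto map WAN {seq} -> peer {peer}")
            break
    else:
        return False, steps + ["no crypto map entry matches: routed to the Internet in clear"]
    t = spokes[peer]
    if not (dst in t.local and src in t.remote):
        return False, steps + [f"{peer} rejects it: its only pair is {t.remote} <-> {t.local}"]
    return True, steps + [f"delivered to {dst} behind {peer}"]

LAN, CENTRAL = wc("172.30.0.0", "0.0.0.255"), wc("192.168.100.0", "0.0.0.255")
LOC1, POOL = wc("172.30.2.0", "0.0.0.255"), wc("172.30.1.0", "0.0.0.255")
SUPER, ANY = wc("172.30.0.0", "0.0.255.255"), IPv4Network("0.0.0.0/0")
NAT_LOCAL = (Ace("deny", SUPER, CENTRAL), Ace("deny", LAN, POOL),
             Ace("deny", LAN, LOC1), Ace("permit", SUPER, ANY))

def build(acl111, acl175, loc1_remote):
    """Hub plus both spokes; central's remote is the /16 the poster reported."""
    hub = Hub(LAN, NAT_LOCAL, ((100, "central", acl111), (200, "location1", acl175)))
    return hub, {"central": Spoke("central", CENTRAL, SUPER),
                 "location1": Spoke("location1", LOC1, loc1_remote)}

AS_POSTED = build((Ace("permit", SUPER, CENTRAL),), (Ace("permit", LAN, LOC1),), LAN)
WITH_ACES = build((Ace("permit", SUPER, CENTRAL), Ace("permit", LOC1, CENTRAL)),
                  (Ace("permit", LAN, LOC1), Ace("permit", CENTRAL, LOC1)), LAN)
SUPERNET = build((Ace("permit", SUPER, CENTRAL),), (Ace("permit", SUPER, LOC1),), SUPER)

if __name__ == "__main__":
    for label, (hub, spokes) in (("as posted", AS_POSTED), ("extra ACEs", WITH_ACES), ("supernet", SUPERNET)):
        for src, dst, ingress in (("172.30.2.5", "192.168.100.5", "location1"),
                                  ("192.168.100.5", "172.30.2.5", "central")):
            ok, steps = trace(hub, spokes, src, dst, ingress)
            print(f"[{label}] {src} -> {dst}: {'OK' if ok else 'FAIL'}; {'; '.join(steps)}")
        print(f"[{label}] warning: {overlap_warning(spokes['location1'])}")
```

Running it shows why each reply in the thread only gets part of the way: with the configuration as posted, central-to-location1 traffic reaches the hub but matches no crypto map entry and would leave in clear; with the extra ACEs the hub now hands it to crypto map WAN 200, but location1 rejects it because its single remote subnet is 172.30.0.0/24, and location1 never encrypts traffic for 192.168.100.0/24 in the first place; with the /16 supernet, location1 to the hub LAN works, the overlap warning fires for location1, and central stays unreachable until it is renumbered into 172.30.0.0/16. Swapping NAT_LOCAL for a plain permit in a hub built the same way shows the other classic failure: PAT rewrites the source before the crypto map is consulted, so nothing is ever encrypted.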