09-09-2010 12:46 AM
Hello,
I am trying to interconnect 2 site-to-site IPsec VPN tunnels on 1 router. I can reach both networks from the testing PC, but I can't work out how to connect the local LANs of the 2 VPN tunnels to each other. At the remote locations there are low-end routers on which you cannot set ACLs.
Thank you for your help
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXX address central
crypto isakmp key address location1 no-xauth
crypto isakmp keepalive 10 5 periodic
!
crypto isakmp client configuration group xxx
 key xxx
 pool vpnclientpool
 acl 180
 include-local-lan
!
crypto isakmp peer address central
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn-transform esp-3des esp-sha-hmac
crypto ipsec transform-set 1cisco esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 300
 set transform-set 1cisco
!
crypto map WAN client authentication list userauthen
crypto map WAN isakmp authorization list groupauthor
crypto map WAN client configuration address respond
!
crypto map WAN 100 ipsec-isakmp
 set peer central
 set transform-set vpn-transform
 set pfs group2
 match address 111
crypto map WAN 200 ipsec-isakmp
 set peer location1
 set transform-set 1cisco
 set pfs group2
 match address 175
crypto map WAN 300 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description LAN
 ip address 172.30.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN
 ip address XXX
 ip nat outside
 crypto map WAN
!
ip local pool vpnclientpool 172.30.1.100 172.30.1.120
ip nat inside source list LOCAL interface FastEthernet0/1 overload
!
ip access-list extended LOCAL
 deny ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
 deny ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
 deny ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
 permit ip 172.30.0.0 0.0.255.255 any
!
logging trap debugging
access-list 111 permit ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 175 permit ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
access-list 180 permit ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 180 permit ip 172.30.2.0 0.0.0.255 172.30.1.0 0.0.0.255
09-09-2010 04:18 AM
You would need to add the following ACL entries:
access-list 111 permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 175 permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255
You would also need to configure the mirror-image ACL on each site:
Central: permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255
Location 1: permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255
Hope that helps.
09-10-2010 12:49 AM
Hello,
Thank you for your help. Now the ACLs look like this:
ip access-list extended LOCAL
 deny ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
 deny ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
 deny ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
 permit ip 172.30.0.0 0.0.255.255 any
!
access-list 111 permit ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 111 permit ip 172.30.2.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 175 permit ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255
access-list 175 permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255
access-list 180 permit ip 172.30.0.0 0.0.0.255 172.30.1.0 0.0.0.255
access-list 180 permit ip 172.30.2.0 0.0.0.255 172.30.1.0 0.0.0.255
On central there is: permit 192.168.100.0 0.0.0.255 172.30.0.0 0.0.255.255
But the problem is on location1. This is a low-end router without ACLs; in the GUI I can set only 1 local subnet/netmask and 1 remote subnet/netmask.
Static routing can be configured on the D-Link.
09-11-2010 08:53 AM
It might be possible to use the supernet 172.30.0.0/16 in your ACL's. Normally I would prefer not to do that, because
And even if this approach does not create problems, and actually solves your problem; another problem is that the central site that hosts your server is not within the 172.30.0.0/16 range; you should re-number this site.
ACLs 175 and 180 would look like this:
access-list 175 permit ip 172.30.0.0 0.0.255.255 172.30.2.0 0.0.0.255
access-list 180 permit ip 172.30.0.0 0.0.255.255 172.30.1.0 0.0.0.255
When you have altered the above two ACL's, there should be communication between those two 'remote location' sites. Your next step is to get connectivity to the central site.
Not a perfect solution at all; but I think it is your only chance to get it working if the remote routers only support one 'remote subnet' on the VPN-configuration.
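A worked check for the two-tunnel hairpin discussed in the first reply (extra lines in ACLs 111/175 plus mirror-image entries on each peer) and in the reply above (the 172.30.0.0/16 supernet). This is an added Python model, not code from the thread or from Cisco: it walks the hub's crypto map in sequence order the way IOS does, confirms the NAT list LOCAL exempts tunnel traffic, and reports whether each hub crypto ACL entry is mirrored on the peer. It assumes the central ACL quoted in the thread and that the location1 box can express only the single pair 172.30.2.0/24 to 172.30.0.0/24.

```python
from ipaddress import ip_address, ip_network

def _net(tokens):
    """Consume 'any' or 'A.B.C.D wildcard'; ipaddress accepts the wildcard as a hostmask."""
    t = tokens.pop(0)
    return ip_network("0.0.0.0/0") if t == "any" else ip_network(f"{t}/{tokens.pop(0)}")

def parse_ace(line):
    """'permit ip SRC WC DST WC' -> (action, src_net, dst_net); token 1 is the protocol."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]
    src = _net(rest)
    return action, src, _net(rest)

def first_match(acl, src, dst):
    """IOS first-match lookup, with the implicit deny at the end of every ACL."""
    s, d = ip_address(src), ip_address(dst)
    for line in acl:
        action, sn, dn = parse_ace(line)
        if s in sn and d in dn:
            return action
    return "deny"

def select_crypto_entry(crypto_map, src, dst):
    """First entry (in sequence order) whose ACL permits the flow owns it; None = no SA, sent unprotected."""
    for seq, peer, acl in crypto_map:
        if first_match(acl, src, dst) == "permit":
            return seq, peer
    return None

def mirror_status(hub_ace, peer_acl):
    """'exact' mirror image; 'covered' by a wider peer entry (needs a peer that accepts
    narrower proxy IDs); 'missing' means phase 2 for that identity cannot come up."""
    _, hs, hd = parse_ace(hub_ace)
    status = "missing"
    for line in peer_acl:
        action, ps, pd = parse_ace(line)
        if action == "permit" and ps == hd and pd == hs:
            return "exact"
        if action == "permit" and hd.subnet_of(ps) and hs.subnet_of(pd):
            status = "covered"
    return status

# Constructed from the thread: crypto ACLs 111/175 as posted, and 175 with the first reply's extra line.
ACL_111 = ["permit ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255"]
ACL_175 = ["permit ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255"]
ACL_175_FIXED = ACL_175 + ["permit ip 192.168.100.0 0.0.0.255 172.30.2.0 0.0.0.255"]
CRYPTO_MAP_BEFORE = [(100, "central", ACL_111), (200, "location1", ACL_175)]
CRYPTO_MAP_AFTER = [(100, "central", ACL_111), (200, "location1", ACL_175_FIXED)]
NAT_LOCAL = ["deny ip 172.30.0.0 0.0.255.255 192.168.100.0 0.0.0.255",  # NAT-exempt list LOCAL
             "deny ip 172.30.0.0 0.0.0.255 172.30.2.0 0.0.0.255", "permit ip 172.30.0.0 0.0.255.255 any"]
CENTRAL_ACL = ["permit ip 192.168.100.0 0.0.0.255 172.30.0.0 0.0.255.255"]  # quoted in the thread
LOCATION1_ACL = ["permit ip 172.30.2.0 0.0.0.255 172.30.0.0 0.0.0.255"]  # assumed: the one pair the GUI allows
```

With the ACLs as posted, location1 to central already falls under the /16 in ACL 111; it is the return direction, central to location1, that no crypto map entry claims until ACL 175 gets the extra line, and that line has no mirror on the location1 box.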