IPsec VPN: multiple LANs on one side - is it possible?

Answered Question
Oct 17th, 2014

Hi folks!

 

I have an IPsec site-to-site VPN to a branch office (R2). There was one LAN (LAN1) at HQ and another (LAN2) at the branch office.

Tunnel termination points:

  • R1 - Microsoft ISA Server
  • R2 - Cisco 2921 ISR

LAN3 has been created recently, behind R2 (see the picture below):

[Picture: current network configuration]

So I need to gain access to LAN3 from LAN1. How could I solve this problem? I see two options for now.

OPTION 1: Create a separate tunnel from R1 to R2

[Picture: separate tunnel for each remote subnet]
I see an issue here:

  1. How could I define a separate key for this tunnel?
     If I execute something like this:
     crypto isakmp key LAN1_to_LAN2_key address 1.1.1.1
     then the LAN1-to-LAN2 tunnel will be dropped because of the changed key.
  2. Everything else seems good: policy maps, route maps, etc.
     Traffic could be distinguished between them.

 

OPTION 2: Create a summary route in VPN config

[Picture: summary route]

Issues:

  1. R1 does not seem to support this kind of configuration (source, section "Quick policy mode negotiation fails with a 'No policy configured' error").

 

How could I solve this problem?

Running-config (security part) is attached

Overall Rating: 4.5 (2 ratings)
michael o'nan Fri, 10/17/2014 - 07:50

I don't believe this would be adding a tunnel; you are just adding access to that subnet on your tunnel. Sorry I can't help with the exact config, but I know it can be done rather easily.

Correct Answer
Richard Burts Fri, 10/17/2014 - 09:07

From the Cisco side this is easy to solve. I cannot address how to solve it from the R1 Microsoft side, but I suspect that it is not difficult.

 

You do NOT want a second tunnel to solve this. You want to change the access list that identifies traffic to be encrypted. If it were me, I would add this line to your existing access list:

 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255

or alternatively you could replace this line

 permit ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255

with this line

 permit ip 192.168.2.0 0.0.1.255 192.168.101.0 0.0.0.255

 

HTH

 

Rick
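
Added example (not code from the thread or from Cisco): a small Python model of IOS crypto ACL entries with wildcard masks. It shows what the two fixes in the answer above actually select (the extra 192.168.3.0 line versus the 0.0.1.255 summary), what a misaligned base address such as 192.168.3.0 0.0.1.255 really matches, and whether the peer's side mirrors the chosen form. The subnets are the thread's own (192.168.101.0/24 at HQ, 192.168.2.0/24 and 192.168.3.0/24 behind R2); the function names and the HQ-side policy written as two /24 entries are this example's assumptions.

```python
"""Added example, not code from the thread: model IOS crypto ACL entries
(address + wildcard mask), check which flows they send into the tunnel,
and check that the peer's proxy IDs are the mirror image of ours.
Subnets are the thread's own; helper names and HQ_TWO_RANGES are assumed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'addr wildcard' pair into the prefix IOS will match.

    IOS matches (packet & ~wildcard) == (addr & ~wildcard), so host bits in
    the base are ignored. A non-contiguous wildcard (e.g. 0.0.2.255) is not a
    single prefix and is rejected here instead of being silently accepted.
    """
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # wildcard must look like 0...01...1
        raise ValueError(f"non-contiguous wildcard {wildcard}: not a single prefix")
    mask = (~w) & 0xFFFFFFFF
    return ipaddress.IPv4Network((a & mask, 32 - w.bit_length()))


def base_is_aligned(addr: str, wildcard: str) -> bool:
    """False when the entry does not start where the person typing it thinks
    it does: 192.168.3.0 0.0.1.255 is really 192.168.2.0/23."""
    net = wildcard_to_network(addr, wildcard)
    return int(net.network_address) == int(ipaddress.IPv4Address(addr))


@dataclass(frozen=True)
class CryptoAce:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def parse_ace(line: str) -> CryptoAce:
    """Parse 'permit ip SRC SWILD DST DWILD' (the only form used here)."""
    parts = line.split()
    if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    return CryptoAce(wildcard_to_network(parts[2], parts[3]),
                     wildcard_to_network(parts[4], parts[5]))


def selects(acl: list[CryptoAce], src_ip: str, dst_ip: str) -> bool:
    """Would this flow be encrypted, i.e. does it match a permit ACE?"""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in ace.src and d in ace.dst for ace in acl)


def unmirrored(local: list[CryptoAce], peer: list[CryptoAce]) -> list[CryptoAce]:
    """Peer ACEs that are not the exact mirror image of a local ACE.

    Cisco documents that crypto ACLs on the two peers must be mirror images.
    A proxy ID that overlaps but differs (one /23 on R2 against two /24s on
    the other side) is the kind of mismatch that makes quick mode fail.
    """
    mirrored = {CryptoAce(ace.dst, ace.src) for ace in local}
    return [ace for ace in peer if ace not in mirrored]


# R2 (branch) crypto ACL: the original entry, the "add a line" fix, and the
# "summarise with 0.0.1.255" fix from the accepted answer.
R2_BEFORE = [parse_ace("permit ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255")]
R2_ADDED = R2_BEFORE + [parse_ace("permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255")]
R2_SUMMARY = [parse_ace("permit ip 192.168.2.0 0.0.1.255 192.168.101.0 0.0.0.255")]

# Assumed HQ-side policy after the second address range was added to the
# existing ISA tunnel: two /24 remote networks, written from HQ's viewpoint.
HQ_TWO_RANGES = [
    parse_ace("permit ip 192.168.101.0 0.0.0.255 192.168.2.0 0.0.0.255"),
    parse_ace("permit ip 192.168.101.0 0.0.0.255 192.168.3.0 0.0.0.255"),
]

if __name__ == "__main__":
    flow = ("192.168.3.10", "192.168.101.20")  # LAN3 host to LAN1 host
    print("before fix, LAN3->LAN1 encrypted:", selects(R2_BEFORE, *flow))
    print("added ACE,  LAN3->LAN1 encrypted:", selects(R2_ADDED, *flow))
    print("summary,    LAN3->LAN1 encrypted:", selects(R2_SUMMARY, *flow))
    print("192.168.3.0 0.0.1.255 really matches",
          wildcard_to_network("192.168.3.0", "0.0.1.255"))
    print("HQ entries not mirrored by R2_ADDED:  ", unmirrored(R2_ADDED, HQ_TWO_RANGES))
    print("HQ entries not mirrored by R2_SUMMARY:", unmirrored(R2_SUMMARY, HQ_TWO_RANGES))
```

Two things the model makes visible. The 0.0.1.255 summary only works here because 192.168.2.0/24 and 192.168.3.0/24 are an aligned pair forming 192.168.2.0/23; writing the same wildcard against 192.168.3.0 would quietly cover 192.168.2.0 to 192.168.3.255, and a pair such as 192.168.3.0 and 192.168.4.0 cannot be summarised into one entry at all. And whichever form is chosen on R2, the other end has to present the same proxy IDs: with the summary on R2 and two /24 entries on the ISA side, neither HQ entry is mirrored, whereas the two-line form matches exactly.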

Aliaksandr Trat... Mon, 10/20/2014 - 04:32

Thanks, Richard!

That worked. Actually, from the ISA Server I had to bring up another tunnel with the same parameters as the previous one (192.168.2.0/24) but for the new network (192.168.3.0/24).

Richard Burts Mon, 10/20/2014 - 09:28

It is interesting that from the ISA Server side you had to bring up another tunnel. I am glad that my suggestions helped you to solve it from the Cisco side. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to know that there is helpful information in this thread.

 

HTH

 

Rick

Aliaksandr Trat... Mon, 10/20/2014 - 22:58

Rick,

 

Actually, I've found a way to just add another address range to the existing tunnel (it seems I was blind and hadn't noticed it before). That also worked, so I decided to move to that, the right solution.

Though I've also discovered a new possibility: adding another address range by creating another tunnel :)

 

Thanks

Richard Burts Tue, 10/21/2014 - 07:01

Thank you for posting back to the forum and updating us that you were able to just add another address range to the existing tunnel on the ISA Server. That makes sense and I agree that this is better than achieving the result by adding a new tunnel.

 

HTH

 

Rick
