I have an IPsec site-to-site VPN to a branch office (R2). There was one LAN (LAN1) at HQ and another (LAN2) at the branch office.
Tunnel termination points:
- R1 - Microsoft ISA Server
- R2 - Cisco 2921 ISR
LAN3 has been created recently, behind R2 (see the picture below):
So I need to gain access to LAN3 from LAN1. How could I solve this problem? I see two options for now.
OPTION 1: Create a separate tunnel from R1 to R2
I see an issue here:
- How could I define a separate key for this tunnel?
If I execute something like this:
crypto isakmp key LAN1_to_LAN2_key address 220.127.116.11
then the LAN1-to-LAN2 tunnel will be dropped because of the changed key.
- Everything else seems good (policy maps, route maps, etc.).
Traffic could be distinguished between them.
OPTION 2: Create a summary route in VPN config
- R1 does not seem to support this kind of configuration (source, section "Quick policy mode negotiation fails with a "No policy configured" error").
How could I solve this problem?
The running config (security part) is attached.
From the Cisco side this is easy to solve. I cannot address how to solve it from the R1 Microsoft side, but I suspect that it is not difficult.
You do NOT want a second tunnel to solve this. You want to change the access list that identifies traffic to be encrypted. If it were me, I would add this line to your existing access list:
permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255
or alternatively you could replace this line
permit ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255
with this line
permit ip 192.168.2.0 0.0.1.255 192.168.101.0 0.0.0.255
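The two ACL variants in the answer above select the same flows, but the wildcard form only works because 192.168.2.0 and 192.168.3.0 differ in a single bit. The script below is an added example, not part of the original question or answer: it implements Cisco wildcard-mask matching, parses `permit ip` entries of a crypto ACL, checks which sample flows would be sent into the tunnel, and computes the smallest single wildcard entry that covers a list of subnets while flagging any extra /24s that entry would also match. The ACL text and the flows are constructed for illustration; the `summarize_wildcard` helper and its over-match check are my own and are not an IOS feature.

```python
"""Crypto ACL (wildcard mask) matcher for the LAN2/LAN3 case.

Cisco wildcard semantics: a 1 bit in the wildcard means "don't care",
so `192.168.2.0 0.0.1.255` covers 192.168.2.0/24 and 192.168.3.0/24.
Only `permit ip <src> <src-wc> <dst> <dst-wc>` entries are supported.
All ACL text and flows below are constructed sample input.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample ACLs (R2 side: LAN2/LAN3 sources, LAN1 destination).
ACL_ORIGINAL = "permit ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255"
ACL_ADDED_LINE = ACL_ORIGINAL + "\npermit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255"
ACL_SUMMARY = "permit ip 192.168.2.0 0.0.1.255 192.168.101.0 0.0.0.255"


def _ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network/wildcard under Cisco wildcard rules."""
    care = ~_ip_int(wildcard) & 0xFFFFFFFF          # bits that must match
    return (_ip_int(addr) & care) == (_ip_int(network) & care)


def parse_crypto_acl(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse `permit ip S SW D DW` lines into (S, SW, D, DW) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "permit" or parts[1] != "ip":
            raise ValueError(f"unsupported ACE: {line!r}")
        entries.append(tuple(parts[2:]))
    return entries


def is_interesting(acl, src: str, dst: str) -> bool:
    """Would the flow src->dst be selected for encryption by this ACL?"""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for s, sw, d, dw in acl)


def summarize_wildcard(nets: List[str]) -> Tuple[str, str, List[str]]:
    """Smallest single network/wildcard pair that covers every net in `nets`.

    Returns (network, wildcard, extra), where `extra` lists the subnets
    (at the most specific input prefix length) that the summary also
    matches but that were not asked for. A non-empty `extra` means the
    summary would pull unintended traffic into the tunnel.
    """
    objs = [ipaddress.ip_network(n) for n in nets]
    lo = min(int(n.network_address) for n in objs)
    hi = max(int(n.broadcast_address) for n in objs)
    prefix = 32 - (lo ^ hi).bit_length()            # common leading bits
    summary = ipaddress.ip_network(
        f"{ipaddress.IPv4Address(lo)}/{prefix}", strict=False)
    wildcard = str(summary.hostmask)                # hostmask == wildcard
    finest = max(n.prefixlen for n in objs)
    extra = [str(s) for s in summary.subnets(new_prefix=finest)
             if not any(s.subnet_of(o) for o in objs)]
    return str(summary.network_address), wildcard, extra


if __name__ == "__main__":
    flows = [("192.168.2.10", "192.168.101.5"),
             ("192.168.3.10", "192.168.101.5"),
             ("192.168.4.10", "192.168.101.5")]
    for name, text in [("original", ACL_ORIGINAL),
                       ("added line", ACL_ADDED_LINE),
                       ("summary", ACL_SUMMARY)]:
        acl = parse_crypto_acl(text)
        print(name, [is_interesting(acl, s, d) for s, d in flows])
    print(summarize_wildcard(["192.168.2.0/24", "192.168.3.0/24"]))
    print(summarize_wildcard(["192.168.1.0/24", "192.168.2.0/24"]))
```

Run it as-is: the "added line" and "summary" ACLs both select LAN2 and LAN3 traffic and nothing else, while the original only selects LAN2. The second `summarize_wildcard` call shows the caveat with the wildcard shortcut: had the new LAN been 192.168.1.0/24 instead of 192.168.3.0/24, no single entry could cover it together with 192.168.2.0/24 without also matching 192.168.0.0/24 and 192.168.3.0/24, so two separate `permit` lines would be the safer choice. Whichever form is used on R2, the selectors the ISA side negotiates still have to agree with it, which is the constraint the question already ran into with summary entries.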