how to reach customer remote MPLS sites with a single VPN ?

federico_tv
Level 1

I need to reach a machine on each remote site of a customer MPLS network for maintenance purposes (192.168.X.Y)

I have successfully set up a simple IPsec VPN between my company Cisco 837 (172.16.1.X LAN) and his SonicWall firewall, so I can reach (ping at least) all machines of his LAN ( ftp://ftp.sonicwall.com/pub/info/vpn/SonicWALL_VPN_CiscoIOSRouter.pdf )

Now, what is the clue to re-route traffic to MPLS? (all I tried fails)

Should I set an ip route on my 837 pointing to his MPLS gateway? Is the SonicWall responsible for NATting traffic from the VPN to MPLS?

Should I set up a range of remote networks in the ISAKMP/IPsec SonicWall VPN rule? This works but brings up twenty or more tunnels (crypto sessions) once the VPN is established; is it safe?

Any basic principle to work on?

Thank you 

1 Reply

federico_tv
Level 1

Just a curiosity:

Despite the fact that the two LANs at the VPN ends are reachable from each other, why do I get this from show crypto sessions?

Interface: Vlan2
Session status: DOWN
Peer: <Sonicwall-IP> port 500 
  IPSEC FLOW: permit ip 172.16.1.0/255.255.255.0 192.168.0.0/255.255.0.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: deny ip 172.16.1.0/255.255.255.0 192.168.1.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.16.1.0/255.255.255.0 192.168.100.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: deny ip 172.16.1.0/255.255.255.0 192.168.192.0/255.255.255.0 
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: deny ip 172.16.1.0/255.255.255.0 192.168.0.0/255.255.255.0 
        Active SAs: 0, origin: crypto map

Interface: Vlan2
Session status: UP-ACTIVE     
Peer: <Sonicwall-WAN-IP> port 4500 
  IKE SA: local <Cisco-WAN-IP>/4500 remote <Sonicwall-WAN-IP>/4500 Active 
  IPSEC FLOW: permit ip 172.16.1.0/255.255.255.0 192.168.210.0/255.255.255.0 
        Active SAs: 2, origin: crypto map

(upper rules come from crypto map access-list)

Why are there two sessions (port 500 and port 4500) and only the second one active?
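An added check, not from the post or from Cisco: a small Python parser for the show crypto session output quoted above that reports, for a given source/destination pair, which flow each peer entry would match first (crypto ACL semantics, first match wins, assuming the flows are listed in ACL order) and whether an SA is up, so you can confirm that maintenance traffic to an MPLS-site address really travels inside the tunnel rather than being routed in the clear. Peer addresses in the sample are constructed documentation-range placeholders.

```python
import ipaddress
import re

# Constructed sample, abridged from the "show crypto session" output in the
# post; peer/local addresses are documentation-range placeholders.
SAMPLE_OUTPUT = """\
Interface: Vlan2
Session status: DOWN
Peer: 203.0.113.10 port 500
  IPSEC FLOW: permit ip 172.16.1.0/255.255.255.0 192.168.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: deny ip 172.16.1.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: Vlan2
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 4500
  IKE SA: local 198.51.100.7/4500 remote 203.0.113.10/4500 Active
  IPSEC FLOW: permit ip 172.16.1.0/255.255.255.0 192.168.210.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

PEER_RE = re.compile(r"^Peer: (\S+) port (\d+)")
FLOW_RE = re.compile(r"^\s*IPSEC FLOW: (permit|deny) ip (\S+)/(\S+) (\S+)/(\S+)")
SAS_RE = re.compile(r"^\s*Active SAs: (\d+)")

def parse_sessions(text):
    """Group each peer entry's flows (action, src, dst, active SA count) in display order."""
    sessions = []
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            sessions.append({"peer": m[1], "port": int(m[2]), "flows": []})
        elif m := FLOW_RE.match(line):  # ipaddress accepts dotted netmask notation
            src, dst = ipaddress.ip_network(f"{m[2]}/{m[3]}"), ipaddress.ip_network(f"{m[4]}/{m[5]}")
            sessions[-1]["flows"].append({"action": m[1], "src": src, "dst": dst, "sas": 0})
        elif m := SAS_RE.match(line):  # SA count belongs to the flow just parsed
            sessions[-1]["flows"][-1]["sas"] = int(m[1])
    return sessions

def first_match(sessions, src_ip, dst_ip):
    """Per peer entry, the first flow covering src->dst: (port, action, active SAs)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = []
    for s in sessions:
        for f in s["flows"]:
            if src in f["src"] and dst in f["dst"]:
                hits.append((s["port"], f["action"], f["sas"]))
                break  # first match wins within one crypto ACL
    return hits

def tunnel_state(sessions, src_ip, dst_ip):
    """'active': permitted with SAs up; 'pending': permitted, SA not yet negotiated
    (IOS brings SAs up on demand); 'unprotected': denied or outside every crypto ACL."""
    hits = first_match(sessions, src_ip, dst_ip)
    if any(a == "permit" and n > 0 for _, a, n in hits):
        return "active"
    return "pending" if any(a == "permit" for _, a, n in hits) else "unprotected"
```

Run tunnel_state() against your own router's output for each 192.168.X.Y maintenance target before relying on the tunnel; an "unprotected" result means that destination is routed without IPsec.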
