cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
393
Views
0
Helpful
1
Replies

VPN Basics: how to route?

cluovpemb
Level 1
Level 1

Hi, I am relatively new to Cisco and am wondering the following. 

I have 6 rotuers, all 891W's, one for each site.  RouterA will be the central office to which the othe 5 routes VPN into or rather, maintain a persistent VPN connection with as they are peers, not client/server (I think).  If I use CCP on each to configure Internet, NAT, Firewall, and Site to Site VPN, what more must I do to ensure the LAN systems can reach each other from one site to the next?  After configuring two test routers, I noticed that the routing table had no entries for the other rotuer's LAN network.  So RouterA LAN = 192.168.50.0/24 and RouterB is 192.168.100.0/24.  A laptop plugged into RouterA's LAN can't ping a system on RouterB's LAN. 

I assume I need to add routing entries, perhaps just static?  When configuring this though, would I have a "VPN tunnel" interface of some kind, or would I just tell it that to get to say, 192.168.100.0/24 on the remote router's LAN, I must go through my local gig0 interface (WAN), and somehow the router knows that traffic going to the remote site shoudl be VPN-secured? 

Clearly I'm confused Thank you for any help you can provide. 

1 Reply 1

Peter Paluch
Cisco Employee
Cisco Employee

Hello Colin,

If there is no Tunnel interface present in your configuration then you have most probably configured an IPsec tunnel using crypto maps placed on your WAN interfaces. This kind of IPsec VPN deployment does not use Tunnel interfaces. Instead, the traffic for other VPN locations must be somehow routed out the WAN interface that is configured with the crypto map. This crypto map inspects all outbound traffic and if the traffic meets specific criteria, it will be appropriately encrypted and sent towards the tunnel endpoint. The criteria are most commonly described by an ACL that matches the source and destination IP addresses of VPN-bound traffic originated at the local site and destined to other site.

Usually, in these cases it is sufficient to properly configure a static default route that points to the appropriate ISP's next hop IP address behind the WAN interface. As the traffic destined for other VPN locations will be matched by the default route and routed out the WAN interface, the crypto map applied to this interface should take care of properly handling this traffic.

Perhaps if you could post the configuration of your two test routers it would be more easy to guide you further. One plea, though: try to use CCP as less as possible, and try to avoid configuring anything beyond what is vitally necessary. Configurations generated by CCP tend to be inordinately complex and large and are generally difficult to be analyzed later.

Best regards,

Peter

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco