Community Member

IPSec Tunnel

Dear all

I have set up the center router as the hub (R1) and want to connect a few shops using IPsec tunnels. All the shops are on different segments. Can they communicate with each other?

Shop1 -------> Center R1 <--------- Shop2
10.2.1.x        10.2.0.x          10.2.2.x

Can Shop1 communicate with Shop2?

Please advise. Thanks

Regards

Godwin

17 REPLIES
Bronze

Re: IPSec Tunnel

It depends on your particular setup.

Suppose your R-S1 tunnel is set up to encrypt only traffic from 10.2.0.x to 10.2.1.x.

Then traffic coming in from S2 with a destination in S1 will not be encrypted. It may still get routed unencrypted (if the network in between routes it), so you might need to implement access-lists.

A special case is when S2 would send packets with a spoofed (central-site) source address to S1, since these would get encrypted and pass the tunnel. Again you could prevent this by implementing (anti-spoofing) access-lists.

BTW I supposed you _don't_ want the shops to communicate with each other. If you _do_, forget about the access-lists and configure your R-S1 tunnel to encrypt the packets from S2 to S1 as well.

hth

Herbert

Community Member

Re: IPSec Tunnel

Herbert

Yes, I would like S1 to communicate with S2 because of a business need. Can I configure the remote secure site as 10.2.x.x in S1? Then the central router will pass it through to S2. Thanks

Regards

Godwin

Bronze

Re: IPSec Tunnel

Just make sure that the traffic you want to pass is sent through the tunnel, so basically adjust the access-lists used in the crypto map, and make sure the routing is OK. Are you using static routing?

e.g. on the S1 router:

crypto map MAP 10 ipsec-isakmp
 match address 110
 ...
access-list 110 permit ip 10.2.1.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 110 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
interface xxx
 crypto map MAP
ip route 10.2.0.0 255.255.255.0 xxx
ip route 10.2.2.0 255.255.255.0 xxx

On the central router this would be:

crypto map MAP 10 ipsec-isakmp
 match address 120
 ...
crypto map MAP 20 ipsec-isakmp
 match address 121
 ...
access-list 120 permit ip 10.2.0.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 121 permit ip 10.2.0.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 121 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
interface xxx
 crypto map MAP
interface yyy
 crypto map MAP
ip route 10.2.0.0 255.255.255.0 xxx
ip route 10.2.2.0 255.255.255.0 yyy

And of course on S2 a config similar to S1, just mirror the access-lists and change the static route.

hth

Herbert

Bronze

Re: IPSec Tunnel

Maybe I misinterpreted your last question. If you want ALL the shops (supposing there are more than 2) to communicate with each other, you could try to change the access-lists like this:

access-list 110 permit ip 10.2.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 120 permit ip 10.2.0.0 0.0.255.255 10.2.1.0 0.0.0.255
access-list 121 permit ip 10.2.0.0 0.0.255.255 10.2.2.0 0.0.0.255

Then on S1 route the /16 towards the central site:

ip route 10.2.0.0 255.255.0.0 xxx

Or, if not all shops need to communicate, only route those that do:

ip route 10.2.0.0 255.255.0.0 Null0
ip route 10.2.0.0 255.255.255.0 xxx
ip route 10.2.2.0 255.255.255.0 xxx

I'm not sure if this will work, since you'll have an overlap of the encryption domains (your local domain is part of the /16 remote domain) but it's worth a try?

hth

Herbert
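As an added example (not code from this thread or from Cisco), a small Python checker for the crypto ACLs Herbert proposed in his two posts above: the per-shop lists 110/120/121 and the /16 variant. It converts IOS wildcard masks to networks, tests whether a shop-to-shop flow is selected for encryption at the spoke and at both hub map entries, checks that the hub list mirrors the spoke list, and flags the /16 overlap with the local LAN. Function names and the sample ACL text are this example's own construction, copied from the thread's addressing.

```python
import ipaddress
import re
# Added example, not from the thread: check IOS crypto ACLs for the hub-and-spoke design above.
ACL_RE = re.compile(r"access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def wildcard_to_network(addr, wildcard):
    # '10.2.0.0 0.0.255.255' -> 10.2.0.0/16 (IOS wildcard is the inverted netmask)
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_crypto_acls(config):
    # {acl_number: [(src_net, dst_net), ...]} for every 'permit ip' line
    acls = {}
    for num, src, swc, dst, dwc in ACL_RE.findall(config):
        acls.setdefault(num, []).append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return acls

def selects(entries, src_ip, dst_ip):
    # True if a packet src_ip -> dst_ip matches the crypto ACL (i.e. gets encrypted)
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in sn and d in dn for sn, dn in entries)

def is_mirror(local, remote):
    # The peer's crypto ACL must be the exact reverse of ours
    return {(s, d) for s, d in local} == {(d, s) for s, d in remote}

def shop_to_shop_encrypted(spoke_acl, hub_to_spoke_acl, hub_to_peer_acl, src_ip, dst_ip):
    # Spoke encrypts the flow, the hub accepts it on the reverse of the spoke's
    # map entry, then re-encrypts it on the map entry pointing at the other shop
    return (selects(spoke_acl, src_ip, dst_ip)
            and selects(hub_to_spoke_acl, dst_ip, src_ip)
            and selects(hub_to_peer_acl, src_ip, dst_ip))

def overlaps_local(entries, local_lan):
    # Herbert's /16 concern: a remote destination that also covers our own LAN
    lan = ipaddress.IPv4Network(local_lan)
    return any(dn.overlaps(lan) for _, dn in entries)

# Sample ACLs constructed from Herbert's per-shop proposal (S1: 110, hub: 120/121)
S1_CFG = """
access-list 110 permit ip 10.2.1.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 110 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
HUB_CFG = """
access-list 120 permit ip 10.2.0.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 120 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 121 permit ip 10.2.0.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 121 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
# The /16 variant from the later post, whose destination covers S1's own 10.2.1.0/24
S1_WIDE_CFG = "access-list 110 permit ip 10.2.1.0 0.0.0.255 10.2.0.0 0.0.255.255"
```

Running the checks over real `show running-config` output before changing a production shop tells you whether a flow would be encrypted hop by hop, rather than finding out from a failed ping.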

Community Member

Re: IPSec Tunnel

Herbert

Thanks for your help. I forgot to tell you that I am using a dynamic map for the shops on the Ethernet interface. The router is a 1710, which has only one FastEthernet and one Ethernet interface. So I only put the access-list on the shop like this:

access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.0.0 0.0.255.255

This means all traffic to 10.2.0.0/16 goes out encrypted. Because 10.2.1.0/24 is the local LAN, I suppose that traffic will not go out.

On the central router, I put the access-list like this:

access-list 100 permit ip 10.2.0.0 0.0.255.255 10.2.0.0 0.0.0.255

This only permits 10.2.0.0/16 to reach the 10.2.0.0/24 network.

Create the static route:

! ip route takes a subnet mask, not a wildcard mask
ip route 10.2.0.0 255.255.0.0 e0

I have not tested it yet. I have only created the IPsec tunnel to the new shop, which is not in production yet. It works fine. I need to make sure that if I move the other shops to IPsec tunnels they can communicate with each other. Now we are using PPTP tunnels to connect to the central site. Please advise.

Regards

Godwin

Bronze

Re: IPSec Tunnel

If you're using a dynamic map at the central site, the central site cannot establish the tunnels, so the 2 shops will only be able to communicate with each other if both tunnels are already established by the remote routers.

E.g. if the tunnel between S1 and R is down (for whatever reason), S2 will not be able to communicate with S1 until S1 brings up the tunnel.

Apart from that, it looks ok to me, but to be sure you would need to test it in a lab setup.

regards

Herbert

Community Member

Re: IPSec Tunnel

Herbert

It is OK for me that if S1 is down, S2 will not communicate with S1. That means if S1 and S2 are connected then S1 can communicate with S2, and R can communicate with S1 and S2 also. Is that right?

Regards

Bronze

Re: IPSec Tunnel

Well, not only if router S1 is down. If the router is working but there has not been traffic from S1 to R, then there will be no tunnel and S2 will not be able to reach S1.

You could work around this problem by implementing e.g. NTP over the tunnel so it stays up.

hth

Herbert

Community Member

Re: IPSec Tunnel

That is a good idea. Let me set up NTP from S1 to R. Thanks

Community Member

Re: IPSec Tunnel

I have set up another router on the side, like this:

S1-------R1--------S2

I tried to ping from S1 to S2 but it fails. I can ping from R1 to S1 and from R1 to S2. Please advise.

Regards

Godwin

Bronze

Re: IPSec Tunnel

Are you doing an extended ping with a source IP address in the range used for the VPN?

If no, please try that.

If yes, start troubleshooting:

does "show ip route" on S1 show a route to S2?

does "show ip route" on R1 show a route to S2?

does "show ip route" on S2 show a route to S1?

does "show ip route" on R1 show a route to S1?

does "show crypto sa" on S1 show a SA for the S1/S2 pair?

does "show crypto sa" on R1 show a SA for the S1/S2 pair?

does "show crypto sa" on S2 show a SA for the S2/S1 pair?

does "show crypto sa" on R1 show a SA for the S2/S1 pair?

Community Member

Re: IPSec Tunnel

I just did the route on S1, S2 and R1:

ip route 10.2.x.x 255.255.0.0

S1 is on network 10.2.1.0/24

S2 is 10.2.3.0/24

R1 is 10.2.0.0/24

Please advise. Thanks

Community Member

Re: IPSec Tunnel

It seems to be a routing problem on R1. The traffic cannot be routed from S1 to S2 or from S2 to S1, because I can ping from S1 to R1 and from S2 to R1. Please advise. Thanks

Regards

Godwin

Community Member

Re: IPSec Tunnel

Does anyone have any comments?
