VPN LAN-to-LAN IPsec tunnels

We have two 3060 VPN concentrators and we are going to employ a LAN-to-LAN IPsec tunnel between the two, but we have a few questions. What will the source address of the packets be when they reach the private address of the other side? Do I have to adjust ACLs on both sides of the tunnel to recognize packets from the other side, or do the packets appear to be coming from the public or private interface of the VPN concentrator?

Reil Brennan

Re: VPN LAN-to-LAN IPsec tunnels

Here are some answers to your questions:

Question 1:

"What will the source address of the packets be when they reach the private address of the other side?"

Answer:

Assuming you employ ESP in tunnel mode, the source IP address will be the original IP address as generated by the source device. Thus, if a device sends an IP packet with private network source address "A" to a device with private network destination address "B", the packet will be encrypted and encapsulated using the IP address on the public interface on the source VPN concentrator. The encapsulation destination address will be the public interface IP address of the remote VPN concentrator. When the encapsulated IP packet reaches the remote VPN concentrator, it will be decrypted to recover the original IP packet bearing source address "A" and destination address "B". Here's a quick schematic of the IP packet as encapsulated in ESP tunnel-mode by the VPN concentrator (assuming the source concentrator has a public interface address of "X" and the remote concentrator a public address of "Y"):

||IP Header(S=X,D=Y)||ESP Header||IP Header(S=A,D=B)||DATA||ESP Trailer||ESP Auth||

Question 2:

"...do the packets appear to be coming from the public or private interface of the VPN concentrator?"

Answer:

No ACL adjustments are necessary if you permit internal, private addresses from the source network to traverse the remote network.

Hope this helps. Good luck!

Re: VPN LAN-to-LAN IPsec tunnels

LAN-to-LAN IPsec tunnels do not alter the IP address. The source and destination address of the packet as it goes into the tunnel are the same as when it comes out.

Dan Laden
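The point both replies make (the outer header carries X and Y, the inner header still carries A and B, so the remote private-side ACL matches A) can be checked against the first reply's schematic with a small script. This is an added example, not code from the thread or from Cisco: the addresses X, Y, A, B and the integrity key are constructed, the IPv4 checksum is left zero, and the ESP confidentiality transform is omitted so the framing stays visible (the inner packet is carried in clear; only the HMAC-SHA256-128 integrity check is real).

```python
"""Added example (not from the original thread): build an ESP tunnel-mode
packet laid out as in the first reply's schematic,
  ||IP(S=X,D=Y)||ESP Header||IP(S=A,D=B)||DATA||ESP Trailer||ESP Auth||
then decapsulate it and show what the remote private network sees.
Assumptions (constructed): the X/Y/A/B addresses and KEY below; the ESP
encryption step is omitted so the inner header is readable in the demo."""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50   # IP protocol number for ESP
IPV4_NEXT = 4    # ESP trailer "next header" for an encapsulated IPv4 packet
ICV_LEN = 16     # HMAC-SHA256-128: 256-bit MAC truncated to 128 bits (RFC 4868)

# Constructed sample addresses standing in for the thread's X, Y, A, B.
X = "203.0.113.1"    # public interface of the local concentrator
Y = "198.51.100.1"   # public interface of the remote concentrator
A = "10.1.0.25"      # private host behind the local concentrator
B = "10.2.0.40"      # private host behind the remote concentrator
KEY = b"constructed-demo-integrity-key"   # placeholder integrity key


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options; checksum left zero for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_ipv4(buf: bytes):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], buf[ihl:]


def esp_encapsulate(inner: bytes, spi: int, seq: int) -> bytes:
    """Tunnel-mode ESP: outer IP(X->Y) + [SPI|SEQ] + inner packet + trailer + ICV."""
    pad_len = (-(len(inner) + 2)) % 4           # align payload+trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))      # ESP pad bytes are 1, 2, 3, ...
    trailer = padding + bytes([pad_len, IPV4_NEXT])
    esp_header = struct.pack("!II", spi, seq)
    # A real SA would encrypt (inner + trailer) here; omitted in this example.
    authed = esp_header + inner + trailer
    icv = hmac.new(KEY, authed, hashlib.sha256).digest()[:ICV_LEN]
    esp = authed + icv
    return ipv4_header(X, Y, ESP_PROTO, len(esp)) + esp


def esp_decapsulate(outer: bytes) -> bytes:
    """Verify the ICV and recover the original inner IP packet (still S=A, D=B)."""
    _, _, proto, esp = parse_ipv4(outer)
    if proto != ESP_PROTO:
        raise ValueError("not an ESP packet")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    payload = body[8:]                           # strip SPI + sequence number
    pad_len, next_hdr = payload[-2], payload[-1]
    if next_hdr != IPV4_NEXT:
        raise ValueError("unexpected next header")
    return payload[:len(payload) - 2 - pad_len]


def remote_view(outer: bytes) -> dict:
    """What the remote side sees on the public wire and after decapsulation."""
    osrc, odst, _, _ = parse_ipv4(outer)
    isrc, idst, _, data = parse_ipv4(esp_decapsulate(outer))
    return {"outer": (osrc, odst), "inner": (isrc, idst), "data": data}


def remote_lan_acl_permits(inner_src: str, permitted_nets) -> bool:
    """An ACL on the remote private side matches the inner (private) source, A."""
    ip = ipaddress.ip_address(inner_src)
    return any(ip in ipaddress.ip_network(n) for n in permitted_nets)


if __name__ == "__main__":
    inner = ipv4_header(A, B, 17, 5) + b"hello"   # constructed inner packet
    outer = esp_encapsulate(inner, spi=0x1000, seq=1)
    view = remote_view(outer)
    print("outer header:", view["outer"])        # (X, Y)
    print("inner header:", view["inner"])        # (A, B), unchanged
    print("permitted by 10.1.0.0/16 ACL:",
          remote_lan_acl_permits(view["inner"][0], ["10.1.0.0/16"]))
```

Running it prints the outer pair (X, Y) and the inner pair (A, B): any filter on the remote private interface therefore has to permit the local private network, not the concentrator's public address, which is the substance of both replies.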
