VPN3002's protected network

engel
Level 2

Here is the network scenario:

10.10.10.0/24--VPN3060--Internet--VPN3002--10.1.1.0/24--Router--10.1.2.0/24

VPN3060's protected network is 10.10.10.0/24

VPN3002's protected networks are 10.1.1.0/24 AND 10.1.2.0/24

Tested result:

1. Got a ping reply from 10.10.10.0/24 to 10.1.1.0/24, meaning traffic between the two networks is encrypted.

2. Reply timed out when pinging from 10.10.10.0/24 to 10.1.2.0/24.

Questions:

1. Is the VPN3002 (hardware client) able to protect two networks as in the scenario above? It does protect its own network (which is 10.1.1.0/24), but it seems it couldn't encrypt a packet that is not from its own network range.

2. Any pointer to a Cisco document regarding Q1?

I appreciate any reply.

6 Replies

paqiu
Level 1

Hi,

There is only one subnet allowed behind the VPN 3002. You cannot put multiple networks behind the VPN 3002, because it is still a hardware client, not a router.

Best Regards,

Hi,

Thank you for your prompt reply.

Regarding the multiple networks behind a VPN 3002, we are able to advertise those networks to the Concentrator through "Network Extension Reverse Route Injection". The Concentrator sees those networks. I am thinking there would be a way for the Concentrator to be able to encrypt packets to those networks behind the VPN3002.

If RRI (Reverse Route Injection) is not for advertising multiple protected networks behind a VPN3002, I am still confused about what the purpose of the "Network Extension Reverse Route Injection" setting is.

Best Regards,

Hi,

"Network Extension Reverse Route Injection" is for the following situation:

If you have 50 sub-branches all running 3002 hardware clients, and you want the backbone router behind the VPN 3000 (central site) to send traffic to those sites, you need some routing mechanism.

With OSPF or RIP enabled on the VPN 3000 and "Network Extension Reverse Route Injection" enabled as well, the VPN 3000 can easily advertise those routes into the backbone router.

The VPN 3002 at this moment does not support multiple networks behind it; it does not matter whether you use "Network Extension Reverse Route Injection" or not.

The 3002 might not be powerful enough to pass multiple networks behind it through the IPSEC tunnel. This would bring more trouble than advantage.

Because 1700 routers or PIX can easily pass multiple networks through IPSEC tunnels with good performance.

I think this might be the reason why 3002 does not support this feature.

Best Regards,

Paul Qiu

Hi Paul,

Is there really no other solution for this problem? I'm facing a similar situation but have to establish a VPN connection using X.509 certificates to authenticate, with dynamic IPs at the remote location connecting back to a 3030 concentrator at the central side. In my understanding the 3002 hardware client is the only device which can provide the necessary functionality for my situation. EzVPN on 1700 routers is lacking X.509 support currently.

Any idea is welcome ...

Best regards

Carsten

ajagadee
Cisco Employee

Hi,

Like Paul stated, you can have only one subnet behind the VPN3002.

As a workaround, if PAT is an option for you, you can PAT the 10.1.2.0/24 IP addresses to an IP address in the 10.1.1.0/24 range and send it across the tunnel.

In this case the traffic has to be initiated from 10.1.2.0/24 so that the PAT can take place.

Regards,

Arul
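One way to build the PAT workaround Arul describes, as an added example that is not from this thread or from Cisco: it assumes the router between 10.1.1.0/24 and 10.1.2.0/24 is a Cisco IOS router with FastEthernet0/0 (10.1.1.2) facing the VPN3002's private interface (assumed to be 10.1.1.1) and FastEthernet0/1 (10.1.2.1) on the local LAN. Interface names and addresses are assumptions; the subnets are the ones from the original scenario.

```cisco
! Added example (not from the thread): IOS router sitting between the
! VPN3002's single protected subnet 10.1.1.0/24 and the second LAN 10.1.2.0/24.
! Interface names and host addresses are assumptions.
!
interface FastEthernet0/0
 description Toward VPN3002 private interface (inside the protected subnet)
 ip address 10.1.1.2 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 description Local LAN 10.1.2.0/24 (not protected by the VPN3002)
 ip address 10.1.2.1 255.255.255.0
 ip nat inside
!
! Translate only traffic that originates on 10.1.2.0/24
access-list 10 permit 10.1.2.0 0.0.0.255
!
! Overload (PAT) every matching source onto the FastEthernet0/0 address
! 10.1.1.2, which lies inside the VPN3002's protected network, so the
! hardware client treats the packets as local and encrypts them
ip nat inside source list 10 interface FastEthernet0/0 overload
!
! Send everything else toward the VPN3002 private interface (assumed 10.1.1.1)
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

After a host on 10.1.2.0/24 pings 10.10.10.0/24, `show ip nat translations` on the router should list entries whose inside global address is 10.1.1.2; the central site only ever sees that one address. As Arul notes, this only works for sessions initiated from 10.1.2.0/24, since hosts on 10.10.10.0/24 have no way to address individual 10.1.2.x hosts through the translation, and the VPN3002 itself no longer needs any route to 10.1.2.0/24.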

Hi Arul,

Thanks a lot for your answer. I was also thinking in this direction - nice to know that I'm not alone with my idea.

Regards,

Carsten
