Cisco Support Community

New Member

How does the routing work within a VPN?

I've got 2 locations with their own internet connections and there is a router at both ends that serves as the VPN endpoint. Both locations are using 192.168.x.0 /24 IPs on their LAN.

When I ping from a machine on my LAN to a machine on the other LAN, how is that routing happening? I don't see any entries in the routing table. And the setup on both devices is very simple and doesn't include any IPs except each other's external static IPs. So how does my router know that when I ping 192.168.100.3 from 192.168.40.15 it's time to use the VPN to that other network? When I run a tracert to that same IP, it just shows 3 entries: my internal gateway, the other network's external IP, and 192.168.100.3. When I run a tracert to their external IP, I get the full list of hops.

So how is that working? Obviously, both cases involve the same hops, but how does my router know that the other router is the endpoint for traffic directed to the 192.168.100.0 /24 subnet?

 

1 ACCEPTED SOLUTION

VIP Green

The way the routers identify

The way the routers identify interesting traffic (traffic to be encrypted) is through the crypto ACL, which you configure and apply to the crypto map. When that traffic enters the router, the router checks the routing table and sees that it has no route to the 192.168.100.0 network, so it sends the traffic out using the default route. When the traffic enters, or perhaps traverses is a better term, the outside interface, the crypto ACL is matched and the router begins to take actions to encrypt the traffic and send it over the VPN tunnel.

The crypto ACLs need to be configured at both ends of the tunnel and need to be mirror images of each other. So if one side has the ACL:

access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.100.0 0.0.0.255

then the other side will need to be:

access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255

So to summarize, routing does take place, but it is in the form of the default route. Then as the traffic is about to leave the outside interface it is matched against the crypto ACL, and if a match is found the traffic is encrypted and sent over the VPN.

I hope the explanation is understandable.

--

Please remember to rate and select a correct answer

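As an added illustration (not part of the thread or of any Cisco tool), a small Python check of the two rules the answer states: a packet is encrypted only if it matches an entry in the crypto ACL, otherwise it simply follows the default route unencrypted, and the two ends' crypto ACLs must be mirror images of each other. The ACL lines are the ones quoted above; the parser is my own and assumes contiguous wildcard masks.

```python
import ipaddress

# Constructed sample: the two crypto ACLs from the answer above, one per site.
SITE_A_ACL = ["access-list 101 permit ip 192.168.40.0 0.0.0.255 192.168.100.0 0.0.0.255"]
SITE_B_ACL = ["access-list 101 permit ip 192.168.100.0 0.0.0.255 192.168.40.0 0.0.0.255"]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """A Cisco wildcard mask is an inverted subnet mask: 0.0.0.255 -> /24.
    Assumes a contiguous wildcard; discontiguous masks raise NetmaskValueError."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_net(tokens: list) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(lines: list) -> list:
    """Return (src_net, dst_net) for every 'permit ip' ACE.
    Deny entries, remarks and non-IP protocols are skipped (simplification)."""
    aces = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            continue
        rest = tokens[4:]
        src = _take_net(rest)
        dst = _take_net(rest)
        aces.append((src, dst))
    return aces


def is_interesting(aces: list, src_ip: str, dst_ip: str) -> bool:
    """True if the packet matches the crypto ACL and so gets encrypted; False means it
    leaves via the default route in the clear, exactly as the answer describes."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in src and d in dst for src, dst in aces)


def are_mirror_images(aces_a: list, aces_b: list) -> bool:
    """Every ACE on side A must appear on side B with source and destination swapped."""
    return {(d, s) for s, d in aces_a} == set(aces_b)
```

A non-mirrored pair (for example one side using a 0.0.1.255 wildcard) is the classic cause of a tunnel that passes traffic in one direction only, so this is worth checking before the configs go onto the routers.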
2 REPLIES
New Member

Excellent, that makes perfect

Excellent, that makes perfect sense.  Thanks.  
