
Route all traffic over IPsec tunnel.

Jpadams23
Level 1

We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic including web surfing through the tunnels. What would be the easiest way to accomplish this? I have tried utilizing the crypto map policy to do this, but was unable to accomplish this.

Each of our office locations utilize a Cisco 2811 router and the tower locations utilize a Cisco 881.

Any suggestions would be greatly appreciated.

21 Replies

Hello Jonathan,

Okay, so now all traffic from the remote office is going through the VPN tunnel.

So on the HQ you have the following ACL for the NAT:

permit ip 192.168.24.0 0.0.0.255 any

Is that true?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Correct.

*Copy/Paste from router*

ip nat inside source list 100 interface FastEthernet0/0 overload

access-list 100 permit ip 192.168.24.0 0.0.0.255 any

I do not have any crypto maps on the head end router. Could we solve this by utilizing a crypto map and creating an ACL for that?

Hello Jonathan,

If you do not have a crypto map on both routers you do not have a VPN tunnel up and running.

Can you share the show crypto isakmp sa and sh run crypto ipsec sa from both routers, to check if the VPN is already established.

Regards,

Julio Carvajal

Here are the results. I'm guessing this works without the maps due to EIGRP automatically routing the local network on each site.

sh cry ipse sa

interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr xx.xx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (xx.xx.xx.xx/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (xx.xx.xx.xx/255.255.255.255/47/0)
   current_peer xx.xx.xx.xx port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5588, #pkts encrypt: 5588, #pkts digest: 5588
    #pkts decaps: 9750, #pkts decrypt: 9750, #pkts verify: 9750
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 6, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF8C3C17B(4173578619)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x645BF58B(1683748235)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 11, flow_id: Onboard VPN:11, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4464378/1390)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF8C3C17B(4173578619)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport UDP-Encaps, }
        conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000006, crypto map: Tunnel0-head-0
        sa timing: remaining key lifetime (k/sec): (4464439/1390)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: FastEthernet0/0
    Crypto map tag: REM_RTR, local addr xx.xx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 64.184.36.79 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Hello Jonathan,

Ok so the VPN is up and running, can you provide the VPN configuration on the HQ site?

Julio Carvajal

Sure thing.

crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key password
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto isakmp profile ccp-dmvpn-isakmprofile
   keyring ccp-dmvpn-keyring
   match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile VPN_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ccp-dmvpn-isakmprofile
!
interface Tunnel0
 bandwidth 10000
 ip address 10.129.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile VPN_Profile1

I tried adding a crypto map to the hub router with an ACL of access-list 120 permit ip any any. This locked up the router.

Any idea what type of access list I would need to accomplish this?
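A hub-and-spoke configuration that does what the thread asks, added here as an example; it is not the poster's configuration and not Cisco documentation. With tunnel protection in place no crypto map is needed: the hub advertises only a default route into the DMVPN cloud, each spoke keeps a host route to the hub's public address so the tunnel does not try to route over itself, and the hub NATs the spoke traffic it now forwards. The interface names on the hub, EIGRP AS 1, the tunnel subnet 10.129.1.0/24, the NHRP settings and the 192.168.24.0/24 LAN are taken from the configuration posted above; the hub public address 203.0.113.1, the ISP next hops 203.0.113.254 and 198.51.100.1, the spoke LAN 192.168.30.0/24, the spoke tunnel address 10.129.1.10 and the spoke WAN interface FastEthernet4 are assumed values.

```cisco
! ===== Hub (HQ 2811): additions to the posted config =====
! NAT list 100 already matches the HQ LAN. It must also match the spoke
! LANs and the tunnel subnet, since those packets now leave via Fa0/0.
! 192.168.30.0/24 is an assumed spoke LAN; add one line per spoke.
access-list 100 permit ip 192.168.24.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 100 permit ip 10.129.1.0 0.0.0.255 any
!
interface FastEthernet0/0
 ip nat outside
!
interface Tunnel0
 ! Spoke traffic enters the hub on the tunnel. Without "ip nat inside"
 ! here it is forwarded to the Internet with its private source address.
 ip nat inside
 ! Advertise only 0.0.0.0/0 to the spokes. The summary suppresses the
 ! longer prefixes, so every non-local destination at a spoke, web
 ! surfing included, resolves to the tunnel.
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0
!
router eigrp 1
 network 10.129.1.0 0.0.0.255
 network 192.168.24.0 0.0.0.255
 no auto-summary
!
! The hub's own path to the Internet (assumed next hop). Its static
! AD of 1 beats the AD 5 Null0 discard route the EIGRP summary installs.
ip route 0.0.0.0 0.0.0.0 203.0.113.254

! ===== Spoke (2811 or 881): assumed interface names and addresses =====
! Host route to the hub's public address via the ISP. Once the default
! route is learned through Tunnel0, this is what stops the GRE/ESP
! packets addressed to the hub from being routed into the tunnel that
! carries them (recursive routing, which flaps the tunnel).
ip route 203.0.113.1 255.255.255.255 198.51.100.1
! No local default route and no local NAT: the Internet path is the tunnel.
no ip route 0.0.0.0 0.0.0.0 198.51.100.1
no ip nat inside source list 100 interface FastEthernet4 overload
!
interface Tunnel0
 ip address 10.129.1.10 255.255.255.0
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map 10.129.1.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100000
 ip nhrp nhs 10.129.1.1
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel destination 203.0.113.1
 tunnel key 100000
 ! VPN_Profile1 is the IPsec profile the spoke already uses.
 tunnel protection ipsec profile VPN_Profile1
!
router eigrp 1
 network 10.129.1.0 0.0.0.255
 network 192.168.30.0 0.0.0.255
 no auto-summary

! ===== Checks =====
! Spoke: the default must point into the tunnel, the hub /32 must not.
!   show ip route 0.0.0.0      -> D*  0.0.0.0/0 ... via 10.129.1.1, Tunnel0
!   show ip route 203.0.113.1  -> S   203.0.113.1/32 ... via 198.51.100.1
!   show ip nhrp               -> 10.129.1.1/32 mapped to 203.0.113.1
! Hub: spoke web traffic should now show up in the translation table.
!   show ip nat translations | include 192.168.30.
```

The crypto map with permit ip any any locked the hub up because a crypto ACL that matches everything also matches the ISAKMP, ESP and GRE packets the router needs to reach its peers, plus its own management traffic; with tunnel protection the routing table, not a crypto ACL, decides what is encrypted, so no crypto map is needed on either end. Traffic that a spoke router sources itself (DNS, NTP, syslog) follows the default route into the tunnel with the tunnel address as its source, which is why the hub NAT list above includes 10.129.1.0/24. Two caveats on the posted crypto settings, separate from the routing question: the ISAKMP policy and transform set use 3DES, SHA-1 and DH group 2, and the keyring accepts a single pre-shared key from any address (0.0.0.0 0.0.0.0), so once everything rides the tunnel a current deployment would move to AES-256, SHA-256 and DH group 14 or stronger, and to per-peer keys or certificates.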