09-13-2013 05:31 AM
Hi.
We have a Main Site and two Branch Sites, Site B and Site C. We want to run IPSec Site-to-site VPN tunnels between Site B -> Main Site and Site C –> Main Site.
What we also want to achieve is connection between Site B to Site C without having an extra tunnel between them directly. When Site B wants to reach Site C, it has to go through the tunnel to Main Site and then through the other tunnel to Site C, out on the same WAN interface. Is this possible with Cisco 1921 routers and K9 license?
Two other questions:
See attached picture for network topology.
Kind regards,
Tommy
09-13-2013 09:46 AM
Hi Tommy,
It is possible.
Unfortunately there is no sample configuration but I will try and give you an example:
Main site 1.1.1.0/24
Site A : 2.2.2.0/24
Site B: 3.3.3.0/24
Currently you might have the following crypto access-list on all the 3 devices for VPN.
On the Main Site For VPN to Site A:
1.1.1.0/24 to 2.2.2.0/24
On the Main Site For VPN to Site B:
1.1.1.0/24 to 3.3.3.0/24
On the Site A for the VPN to Main Site:
2.2.2.0/24 to 1.1.1.0/24
On the Site B for the VPN to Main Site:
3.3.3.0/24 to 1.1.1.0/24
Now you need to add the following in the existing access-list:
On the Main Site For VPN to Site A:
1.1.1.0/24 to 2.2.2.0/24
3.3.3.0/24 to 2.2.2.0/24
On the Main Site For VPN to Site B:
1.1.1.0/24 to 3.3.3.0/24
2.2.2.0/24 to 3.3.3.0/24
On the Site A for the VPN to Main Site:
2.2.2.0/24 to 1.1.1.0/24
2.2.2.0/24 to 3.3.3.0/24
On the Site B for the VPN to Main Site:
3.3.3.0/24 to 1.1.1.0/24
3.3.3.0/24 to 2.2.2.0/24
Make the above changes and it should work without any issue; you might need to restart your VPN tunnel.
And the above is just an example and you have to use the subnet you are using for the VPN.
In case if you have any further question please let me know.
Thanks
Jeet Kumar
09-15-2013 08:28 PM
I have this exact scenario as well.
I think I have it configured as you've laid out, but it's still not working on my end. I'll double check my config tomorrow. Would this be any different if Site A and Site B have dynamic IPs? Also, does any explicit routing need to be configured?
Thanks.
09-16-2013 08:56 AM
I can ping the Vlan 1 interface of Site A from Site B (source interface Vlan 1) and vice versa, but cannot ping hosts connected to those subnets.
09-16-2013 09:09 AM
This is what we did and it's working like a charm. See if you can get it working with this configuration.
---------- SiteB ----------------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
crypto isakmp key XXXXXXXX address 1.1.1.1
ip access-list extended VPN-TRAFFIC-MainSite
permit ip 10.46.16.0 0.0.0.255 10.46.0.0 0.0.255.255
crypto ipsec transform-set BOR_TS esp-3des esp-md5-hmac
crypto map BOR 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set BOR_TS
match address VPN-TRAFFIC-MainSite
interface fa0/0
crypto map BOR
---------- Main Site----------------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
crypto isakmp key XXXXXXXX address 1.1.1.2
crypto isakmp key XXXXXXXX address 1.1.1.3
ip access-list extended VPN-TRAFFIC-SITES
permit ip 10.46.0.0 0.0.255.255 10.46.16.0 0.0.0.255
permit ip 10.46.0.0 0.0.255.255 10.46.12.0 0.0.0.255
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map ToSites 10 ipsec-isakmp
set peer 1.1.1.2
set peer 1.1.1.3
set transform-set TS
match address VPN-TRAFFIC-SITES
interface fa0/0
crypto map ToSites
---------- SiteC ----------------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86400
crypto isakmp key XXXXXXXX address 1.1.1.1
ip access-list extended VPN-TRAFFIC-MainSite
permit ip 10.46.12.0 0.0.0.255 10.46.0.0 0.0.255.255
crypto ipsec transform-set Kvills_TS esp-3des esp-md5-hmac
crypto map Kvills 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set Kvills_TS
match address VPN-TRAFFIC-MainSite
interface fa0/0
crypto map Kvills
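As an added check (not from the thread, and not a Cisco tool), this Python script applies the rule behind Jeet's answer and the posted configs: every crypto ACL entry on one side of a tunnel needs its reverse (destination to source) on the far side, and a summary entry such as 10.46.0.0 0.0.255.255 counts as covering a more specific proxy. The site names and the sample ACL table are constructed; it reuses Jeet's addressing with Site B missing its spoke-to-spoke line.

```python
import ipaddress
import re

# Added example, not part of the thread. Device/peer names are constructed.

def wildcard_to_network(addr, wildcard):
    """IOS wildcard (inverse) mask -> network; contiguous wildcards only.
    Done by hand because ipaddress reads '0.0.0.0' as a /0 netmask, not a /32 host."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"discontiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_entry(text):
    """Accept 'A/24 to B/24' shorthand or IOS 'permit ip A wildcard B wildcard'."""
    m = re.match(r"permit ip (\S+) (\S+) (\S+) (\S+)", text)
    if m:
        return (wildcard_to_network(m.group(1), m.group(2)),
                wildcard_to_network(m.group(3), m.group(4)))
    a, b = text.split(" to ")
    return ipaddress.ip_network(a), ipaddress.ip_network(b)

def covered(src, dst, entries):
    """True if the proxy src->dst is covered by some entry (summaries allowed)."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def mirror_problems(acls):
    """acls maps (device, peer) -> list of crypto ACL entry strings.
    Returns entries that have no reverse (dst->src) match on the far side of the tunnel;
    a non-empty list means that traffic will fail proxy-identity negotiation."""
    problems = []
    for (dev, peer), lines in acls.items():
        far = [parse_entry(e) for e in acls.get((peer, dev), [])]
        for e in lines:
            s, d = parse_entry(e)
            if not covered(d, s, far):
                problems.append(f"{dev}->{peer}: '{e}' not mirrored on {peer}")
    return sorted(problems)

# Constructed sample: Jeet's addressing, Site B lacks its spoke-to-spoke line.
SAMPLE = {
    ("Main", "SiteA"): ["1.1.1.0/24 to 2.2.2.0/24", "3.3.3.0/24 to 2.2.2.0/24"],
    ("Main", "SiteB"): ["1.1.1.0/24 to 3.3.3.0/24", "2.2.2.0/24 to 3.3.3.0/24"],
    ("SiteA", "Main"): ["2.2.2.0/24 to 1.1.1.0/24", "2.2.2.0/24 to 3.3.3.0/24"],
    ("SiteB", "Main"): ["3.3.3.0/24 to 1.1.1.0/24"],
}

if __name__ == "__main__":
    for p in mirror_problems(SAMPLE):
        print(p)
```

Feed it the three ACLs from the working config above and it reports nothing, because the /16 summary on each side covers the hairpinned spoke-to-spoke proxies.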
09-16-2013 09:20 AM
Did you have to do any routing commands for the traffic to pass?
Also, I see that your sites all have static IPs. I wonder if that has something to do with it. In my case, the two remote sites have dynamic IPs.
09-16-2013 09:24 AM
Not any static routes or anything, just using the routers as default gateway for the clients. I don't know about the dynamic IPs and dyndns which I guess you're using, but I have had experience with tunnels on those setups and I encountered a problem with ping as well.
The problem was that the tunnel had to be initiated from site A to site B, if you did it the other way around it wouldn't work for some reason. Once initiated it went fine.
09-16-2013 10:09 AM
The issue with the dynamic IPs is that the remote sites have to initiate the tunnel connection, because the main site doesn't know their IP ahead of time. Once the tunnel is up, traffic passes both ways with no problem.
Because the remote sites are dynamic, my key statement looks like this:
crypto isakmp key XXXXXXXXX address 0.0.0.0 0.0.0.0
I can get traffic from the remote sites to the main site, or even traffic from the Site A (vlan 1) router to the Site B router (vlan 1), but not from a host on Site A's LAN to a host on Site B's LAN.
09-16-2013 10:12 AM
Hmm, shouldn't you use a dyndns to be able to point at a hostname instead of that address? A hostname that updates when your IP address does. It's how I've used it anyways so I'm not sure about your configuration there.
09-16-2013 12:40 PM
I used this site as a guide for my configuration.
Remote sites to HQ is working fine. Just currently stuck on getting the remote sites to talk to each other.
In reality I only need one of the remote sites to be able to talk to all of the others (not every site to every site).
12-04-2015 01:28 AM
Hi,
Is it possible to reach site B from site C through the Main site without configuring anything on the site B and site C routers?
For example, by NATing the LAN network of site B on the Main site and reaching site C as if you were coming from the Main site?
I assume that all three sites have Cisco routers for the site-to-site VPN.
If yes, can you provide a sample config or guide?
Thanks in advance.