cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1028
Views
9
Helpful
10
Replies

VPN site-to-site, Going through another site to reach destination?

Tommy Svensson
Level 1
Level 1

Hi.

We have a Main Site and two Branch Sites, Site B and Site C. We want to run IPSec Site-to-site VPN tunnels between Site B -> Main Site and Site C –> Main Site.

What we also want to achieve is connection between Site B to Site C without having an extra tunnel between them directly. When Site B wants to reach Site C, it has to go through the tunnel to Main Site and then trough the other tunnel to Site C, out on the same WAN interface. Is this possible whit Cisco 1921 routers and K9 license?

Two another questions:

  • Will 1921 be able to handle this setup, with traffic reaching up as high as 50 Mbps. Both regarding CPU load and the delay for the packet handling.
  • Can 1921 with K9 license have a IPSec tunnel with bidirectional capacity of 50 Mbps?

See attached picture for network topology.

Kind regards,

Tommy

1 Accepted Solution

Accepted Solutions

Jeet Kumar
Cisco Employee
Cisco Employee

Hi  Tommy,

It is possible.

Unfortunatley there is no sample configuration but i will try and give you an example:

Main site 1.1.1.0/24

Site A : 2.2.2.0/24

Site B: 3.3.3.0/24

Currently you might have the following crypto access-list on all the 3 devices for VPN.

On the Main Site For VPN to Site A:                     On the Main Site For VPN to Site B:

1.1.1.0/24 to 2.2.2.0/24                                          1.1.1.0/24 to 3.3.3.0/24

On the Site A for the VPN to Main Site:

2.2.2.0/24 to 1.1.1.0/24

On the Site B for the VPN to Main Site:

3.3.3.0/24 to 1.1.1.0/24

Now you need to add the following in the existing access-list:

On the Main Site For VPN to Site A:                     On the Main Site For VPN to Site B:

1.1.1.0/24 to 2.2.2.0/24                                          1.1.1.0/24 to 3.3.3.0/24

3.3.3.0/24 to 2.2.2.0/24                                          2.2.2.0/24 to 3.3.3.0/24

On the Site A for the VPN to Main Site:

2.2.2.0/24 to 1.1.1.0/24

2.2.2.0/24 to 3.3.3.0/24

On the Site B for the VPN to Main Site:

3.3.3.0/24 to 1.1.1.0/24

3.3.3.0/24 to 2.2.2.0/24

Make the above changes and it shouls work without any issue, you might need to restart your VPN tunnel.

And the above is just an example and you have to use the subnet you are using for the VPN.

In case if you have any further question please let me know.

Thanks

Jeet Kumar

View solution in original post

10 Replies 10

Jeet Kumar
Cisco Employee
Cisco Employee

Hi  Tommy,

It is possible.

Unfortunatley there is no sample configuration but i will try and give you an example:

Main site 1.1.1.0/24

Site A : 2.2.2.0/24

Site B: 3.3.3.0/24

Currently you might have the following crypto access-list on all the 3 devices for VPN.

On the Main Site For VPN to Site A:                     On the Main Site For VPN to Site B:

1.1.1.0/24 to 2.2.2.0/24                                          1.1.1.0/24 to 3.3.3.0/24

On the Site A for the VPN to Main Site:

2.2.2.0/24 to 1.1.1.0/24

On the Site B for the VPN to Main Site:

3.3.3.0/24 to 1.1.1.0/24

Now you need to add the following in the existing access-list:

On the Main Site For VPN to Site A:                     On the Main Site For VPN to Site B:

1.1.1.0/24 to 2.2.2.0/24                                          1.1.1.0/24 to 3.3.3.0/24

3.3.3.0/24 to 2.2.2.0/24                                          2.2.2.0/24 to 3.3.3.0/24

On the Site A for the VPN to Main Site:

2.2.2.0/24 to 1.1.1.0/24

2.2.2.0/24 to 3.3.3.0/24

On the Site B for the VPN to Main Site:

3.3.3.0/24 to 1.1.1.0/24

3.3.3.0/24 to 2.2.2.0/24

Make the above changes and it shouls work without any issue, you might need to restart your VPN tunnel.

And the above is just an example and you have to use the subnet you are using for the VPN.

In case if you have any further question please let me know.

Thanks

Jeet Kumar

I have this exact scenario as well.

I think I have it configured as you've laid out, but it's still not working on my end.  I'll double check my config tomorrow. Would this be any different if Site A and Site B have dynamic IPs?  Also,  does any explicit routing need to configured?

Thanks.

I can ping the Vlan 1 interface of Site A from Site B (source interface Vlan 1) and vice versa, but cannot ping hosts connected to those subnets.

This is what we did and it's working like a charm. See if you can get it working with this configuration.

---------- SiteB ----------------

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 86400

crypto isakmp key XXXXXXXX address 1.1.1.1

ip access-list extended VPN-TRAFFIC-MainSite

permit ip 10.46.16.0 0.0.0.255 10.46.0.0 0.0.255.255

crypto ipsec transform-set BOR_TS esp-3des esp-md5-hmac

crypto map BOR 10 ipsec-isakmp

set peer 1.1.1.1

set transform-set BOR_TS

match address VPN-TRAFFIC-MainSite

interface fa0/0

crypto map BOR

---------- Main Site----------------

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 86400

crypto isakmp key XXXXXXXX address 1.1.1.2

crypto isakmp key XXXXXXXX address 1.1.1.3

ip access-list extended VPN-TRAFFIC-SITES

permit ip 10.46.0.0 0.0.255.255 10.46.16.0 0.0.0.255

permit ip 10.46.0.0 0.0.255.255 10.46.12.0 0.0.0.255

crypto ipsec transform-set TS esp-3des esp-md5-hmac

crypto map ToSites 10 ipsec-isakmp

set peer 1.1.1.2

set peer 1.1.1.3

set transform-set TS

match address VPN-TRAFFIC-SITES

interface fa0/0

crypto map ToSites

---------- SiteC ----------------

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

lifetime 86400

crypto isakmp key XXXXXXXX address 1.1.1.1

ip access-list extended VPN-TRAFFIC-MainSite

permit ip 10.46.12.0 0.0.0.255 10.46.0.0 0.0.255.255

crypto ipsec transform-set Kvills_TS esp-3des esp-md5-hmac

crypto map Kvills 10 ipsec-isakmp

set peer 1.1.1.1

set transform-set Kvills_TS

match address VPN-TRAFFIC-MainSite

interface fa0/0

crypto map Kvills

Did you have to do any routing commands for the traffic to pass?

Also,  I see that your sites all have static IPs.  I wonder if that has something to do with it.  In my case, the two remote sites have dynamic IPs.

Not any static routes or anything, just using the routers as default gateway for the clients. I don't know about the dynamic IPs and dyndns wich I guess you're using but I have had experience with tunnels on those setups and I encountered a problem with ping aswell.

The problem was that the tunnel had to be initiated from site A to site B, if you did it the other way around it wouldn't work for some reason. Once initiated it went fine.

The issue with the dynamic IPs is that the remote sites have to initiate the tunnel connection, because the main site doesn't know their IP ahead of time. Once the tunnel is up, traffic passes both ways with no problem.

Because the remote sites are dynamic, my key statement looks like this:

crypto isakmp key XXXXXXXXX address 0.0.0.0 0.0.0.0

I can get traffic from the remote sites to the main site, or even traffic from the Site A (vlan 1) router to the Site B router (vlan 1), but not from a host on Site A's LAN to a host on Site B's LAN.

Hmm, shouldn't you use a dyndns to be able to point at a hostname instead of that address? A hostname that updates when your IP address does. It's how I've used it anyways so I'm not sure about your configuration there.

http://en.wikipedia.org/wiki/DynDNS

I used this site as a guide for my configuration.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/936-cisco-router-vpn-dynamic-endpoint.html

Remote sites to HQ is working fine.  Just currently stuck on getting the remote sites to talk to each other.

In reality I only need one of the remote sites to be able to talk to all of the others (not every site to every site).

gtsesmelis
Level 1
Level 1

Hi,

is it possible to reach site b from site c through Main site without configuring anything on site b and site c routers?

For example doing nat the lan network of site b on main site and reach site c like you are from main site?

I assume that all three site have Cisco routers for the site to site VPN.

If yes can you provide a sample config or guide?

Thanks in advance.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: