Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

IPsec VPN: multiple LANs on one side - is it possible?

Hi folks!

 

I've an IPsec Site-to-Site VPN to a branch office (R2). There was one LAN (LAN1) at HQ and another (LAN2) at Branch office.

Tunnel termination points:

  • R1 - Microsoft ISA Server
  • R2 - Cisco 2921 ISR

LAN3 has been created recently, behind R2 (see the picture below):

current network configuration

 

 

 

 

 

 

 

So I need to gain an access to LAN3 from LAN1. How could I solve this problem? I see two options for now.

OPTION 1: Create a separate tunnel from R1 to R2

separate tunnel for each remote subnet

 

 

 

 

 

 

 

 

 

I see an issue here:

  1. How could I define a separate key for this tunnel?
    If I execute something like this:
    crypto isakmp key LAN1_to_LAN2_key address 1.1.1.1
    then LAN1 to LAN2 tunnel will be dropped because of the changed key
  2. Everything else seems good - policy maps, route-maps, etc.
    Traffic could be distinguished between them

 

OPTION 2: Create a summary route in VPN config

summary route

Issues:

  1. R1 does not seem to support such kind of configuration (source, section "Quick policy mode negotiation fails with a "No policy configured" error")

 

How could I solve this problem?

Running-config (security part) is attached

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Gold

From the Cisco side this is

From the Cisco side this is easy to solve. I can not address how to solve it from the R1 Microsoft side but suspect that it is not difficult.

 

You do NOT want a second tunnel to solve this. You want to change the access list that identifies traffic to be encrypted. If it were me I would add this line to your existing access list

 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255

or alternatively you could replace this line

 permit ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255

with this line

 permit ip 192.168.2.0 0.0.1.255 192.168.101.0 0.0.0.255

 

HTH

 

Rick

6 REPLIES

I don't believe this would be

I don't believe this would be adding a tunnel you are just adding access to that subnet on your tunnel. Sorry I can't help with exact config but I know it can be done rather easily.

Hall of Fame Super Gold

From the Cisco side this is

From the Cisco side this is easy to solve. I can not address how to solve it from the R1 Microsoft side but suspect that it is not difficult.

 

You do NOT want a second tunnel to solve this. You want to change the access list that identifies traffic to be encrypted. If it were me I would add this line to your existing access list

 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255

or alternatively you could replace this line

 permit ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255

with this line

 permit ip 192.168.2.0 0.0.1.255 192.168.101.0 0.0.0.255

 

HTH

 

Rick

Community Member

Thanks, Richard!That worked.

Thanks, Richard!

That worked. Actually from ISA Server I had to bring up another tunnel with the same parameters as the previous one (192.168.2.0/24) but for a new network (192.168.3.0/24).

Hall of Fame Super Gold

It is interesting that from

It is interesting that from the ISA Server side you had to bring up another tunnel. I am glad that my suggestions helped you to solve it from the Cisco side. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to know that there is helpful information in this thread.

 

HTH

 

Rick

Community Member

Rick, actually i've found a

Rick,

 

actually i've found a way to just add another address range to the existing tunnel (it seems that i was blind hadn't noticed it before). That also worked. So i decided to move to that right solution.

Although, I've discovered a new possibility to add another address range through creating another tunnel :)

 

Thanks

Hall of Fame Super Gold

Thank you for posting back to

Thank you for posting back to the forum and updating us that you were able to just add another address range to the existing tunnel on the ISA Server. That makes sense and I agree that this is better than achieving the result by adding a new tunnel.

 

HTH

 

Rick

227
Views
4
Helpful
6
Replies
CreatePlease to create content