topic Re: Routing Between IPSec Tunnels - Please Help in Network Security

Routing Between IPSec Tunnels - Please Help

ryandibble — Mon, 11 Mar 2019 11:35:27 GMT

Okay guys, here's the situation:

I have three sites (sites A, B, and C). There is a site-to-site IPsec tunnel between PIXs from an internal LAN on site A (172.30.10.0 /24) to an internal LAN on site B (192.168.20.0 /24), and another tunnel from site B to site C (172.30.20.0). How can I route traffic from site A to C across the existing tunnels without creating another tunnel between sites A and C? Many thanks in advance.

-Ryan

Re: Routing Between IPSec Tunnels - Please Help

elparis — Mon, 26 Nov 2007 22:02:51 GMT

Hi Ryan,

What you want to do is called hairpinning or u-turn VPN.

Here's a technical tip on cisco.com that goes over the configuration details:

PIX/ASA 7.x Enhanced Spoke-to-Spoke VPN Configuration Example

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

The key command is "same-security-traffic permit intra-interface" on the PIX on site B.

Hope this helps.

Eloy.-

Re: Routing Between IPSec Tunnels - Please Help

srue — Mon, 26 Nov 2007 23:35:48 GMT

I don't think hairpinning will solve the problem. Perhaps some simple static routes to get from A->C, and C->A. Also, update your crypto acl's at each point to allow the traffic to get from A->C, and C->A, as well as normal acl's.

Re: Routing Between IPSec Tunnels - Please Help

timkaye — Tue, 27 Nov 2007 01:37:23 GMT

Agreed with srue.

Re: Routing Between IPSec Tunnels - Please Help

ryandibble — Tue, 27 Nov 2007 22:36:35 GMT

Eloy,

The hairpinning worked like a charm! Many, many thanks for your help.

-Ryan

Re: Routing Between IPSec Tunnels - Please Help

elparis — Tue, 27 Nov 2007 22:46:02 GMT

Awesome! Glad it worked Ryan. Very cool.

Cheers,

Eloy.-

Re: Routing Between IPSec Tunnels - Please Help

elparis — Tue, 27 Nov 2007 22:53:34 GMT

Actually the setup requires hairpinning/u-turn VPN. I didn't make this up.

You are right in that routing needs to be taken care of, i.e. the PIX in site A needs to know that to get to site C it needs to send traffic out the outside interface, and the crypto ACLs need to be taken care of as you describe.

What I meant by "the same-security-traffic permit intra-interface command is key" is that this command is necessary so the PIX in site B can send traffic out on the same interface it was originally received (traffic from site A arrives on the outside interface and needs to be sent out the same interface so it can reach site C). Without this command in the PIX on site B u-turn VPN won't work, even if routing and the crypto ACLs are taken care of.

I didn't go into details when I first replied to Ryan because I thought that all the details, including routing, crypto ACLs, and the same-security-traffic command, are well presented in the tech. tip I mentioned in that original reply yesterday.

Ryan got it to work so everything is good, though 🙂

Cheers,

Eloy.-