multiple VPN's and overlapping policy

wgaal1
Level 1

Hello,

We currently have a complex VPN network with WatchGuard firewalls that we want to migrate to Cisco routers, but can't get it to work.

Site A has a connection with site B using the IPsec policy 10.50.0.0/16 - 10.0.0.0/8.

Site C also has a VPN with site B using the IPsec policy 10.60.0.0/16 - 10.0.0.0/8.

Site A can reach site C via site B.

We want to also connect site A directly to site C using the IPsec policy 10.50.0.0/16 - 10.60.0.0/16.

How can I get this to work? The overlapping policy seems to be preventing the creation of the direct tunnel between A and C.

3 Replies

Richard Burts
Hall of Fame

Is your question how to do this with WatchGuard firewalls or how to do this with Cisco routers? Not sure about the WatchGuard, but with Cisco it should be fairly straightforward.

If you are having problems doing this with Cisco, can you be more specific about what you are doing and about what is not working? Then perhaps we can help you figure this out.

HTH

Rick


We currently have this running on WatchGuard firewalls and want to get it running on Cisco routers.

The problem we are having now is that if there is an overlapping tunnel present on the Cisco routers, the direct tunnel will not work.

I'll try to explain the situation.

Site A 10.50.0.0/16

Site B 10.100.0.0/16

Site C 10.60.0.0/16

Site D 10.70.0.0/16

Site A has a VPN to site B using policy 10.50.0.0/16 - 10.0.0.0/8. The same goes for sites C and D, only using policies 10.60.0.0/16 - 10.0.0.0/8 for C and 10.70.0.0/16 - 10.0.0.0/8 for D.

This allows all sites to communicate with all sites via site B.

Site A and C exchange a higher volume of traffic with each other, so it is preferable that they also get a VPN with each other using policy 10.50.0.0/16 - 10.60.0.0/16.

The problem is that this VPN won't come online unless I change the other policies to 10.50.0.0/16 - 10.100.0.0/16 and 10.60.0.0/16 - 10.100.0.0/16.

This is, however, not an option. Both A and C also need to be able to communicate with site D, and we don't want to create extra VPNs.

Thank you in advance

Maybe it is a terminology thing but I still do not understand what you mean about overlapping policies or about what policy 10.50.0.0/16-10.0.0.0/8 means. Can you explain this to help me understand?

To do VPN on Cisco routers you define crypto maps. In site A one crypto map instance you say I want to talk to peer 10.100.0.x and in another crypto map instance you can say I want to talk to peer 10.60.0.x. This should define two tunnels. You also need to create access lists which will identify traffic to be protected by IPSec. For the A to C connection the access list should be fairly simple and permit traffic with source address 10.50.0.0/16 and destination 10.60.0.0/16. The access list for A to B is slightly more complex since it needs to exclude the A to C traffic and include everything else. So it would be something like deny traffic with source 10.50.0.0/16 and destination 10.60.0.0/16 and then permit traffic with source 10.50.0.0/16 and destination 10.0.0.0/8. I do not see why this would not work.

I have implemented VPN at a customer site and we have multiple tunnels operating with no problem.

HTH

Rick

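The crypto-map layout Rick describes, written out as an IOS configuration for the Site A router. This is an added example, not configuration posted in the thread or taken from the original WatchGuard setup. The peer addresses (198.51.100.2 for Site B, 203.0.113.2 for Site C), the outside interface, the policy numbers, the transform set and the placeholder pre-shared keys are all assumptions; the thread only gives the internal prefixes.

```cisco
! Added example (not from the thread): Site A router, classic crypto-map IPsec.
! Assumed: Site B peer 198.51.100.2, Site C peer 203.0.113.2, outside
! interface GigabitEthernet0/0, placeholder pre-shared keys.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-KEY-B address 198.51.100.2
crypto isakmp key REPLACE-WITH-KEY-C address 203.0.113.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL for the direct A <-> C tunnel: just the /16-to-/16 pair.
ip access-list extended CRYPTO-A-TO-C
 permit ip 10.50.0.0 0.0.255.255 10.60.0.0 0.0.255.255
!
! Crypto ACL for the A <-> B (hub) tunnel. The deny for the A <-> C pair
! must come BEFORE the /8 permit: crypto ACLs are evaluated top-down,
! first match wins, so with the lines swapped every 10.50/16 -> 10.60/16
! packet would be claimed by the hub tunnel.
ip access-list extended CRYPTO-A-TO-B
 deny   ip 10.50.0.0 0.0.255.255 10.60.0.0 0.0.255.255
 permit ip 10.50.0.0 0.0.255.255 10.0.0.0 0.255.255.255
!
! One crypto map, two entries. Lower sequence number is checked first,
! so the more specific tunnel (to C) gets the lower number.
crypto map CM-OUTSIDE 10 ipsec-isakmp
 description Direct tunnel to Site C (10.60.0.0/16)
 set peer 203.0.113.2
 set transform-set TS-AES256
 match address CRYPTO-A-TO-C
crypto map CM-OUTSIDE 20 ipsec-isakmp
 description Hub tunnel to Site B (rest of 10.0.0.0/8)
 set peer 198.51.100.2
 set transform-set TS-AES256
 match address CRYPTO-A-TO-B
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CM-OUTSIDE
```

Site C mirrors this: its ACL toward A permits 10.60.0.0/16 to 10.50.0.0/16, and its ACL toward B denies 10.60.0.0/16 to 10.50.0.0/16 before permitting 10.60.0.0/16 to 10.0.0.0/8. Site B's ACLs toward A and C are the mirror images of the /8 entries (source 10.0.0.0/8, destination 10.50.0.0/16 or 10.60.0.0/16), which is what lets D keep reaching A and C through B without any extra tunnels. After applying it, `show crypto map` shows both entries on the interface, and `show crypto ipsec sa peer 203.0.113.2` should report the 10.50.0.0/16 / 10.60.0.0/16 proxy identities once traffic between A and C has brought the direct tunnel up.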