Can tunnel traffic arrive on public interface?

grnelson
Level 1

We have set up an IPSEC tunnel with another organization using a pair of Cisco 3005 VPN concentrators. At my site the concentrator is on a stub network with a single Web server attached to its private interface.

Users at my site wish to access the other site's web server using the IPSEC tunnel between concentrators and vice-versa.

Does traffic destined for the other site's web server have to come into the concentrator on its private interface?

Or can I route this traffic to the concentrator's public interface and have it turn the traffic around and send it back out the tunnel to the other site's server?

3 Replies

grnelson
Level 1

Title should have said:

Can interesting tunnel traffic arrive on public interface?

I know the IPSEC tunnel traffic occurs between the concentrators' public interfaces.

What I want to know is whether traffic which needs to be encrypted and sent through the tunnel can arrive on the concentrator's public interface.

Sure, no problem.

Edit your LAN-to-LAN tunnels for source and destination network.

For instance: spoke A (LAN A), spoke B (LAN B) and Concentrator (LAN C). The tunnel from spoke probably has LAN A to LAN C as allowed traffic - add LAN B - and vice versa from spoke B.

The concentrator will now route traffic from spoke A to spoke B.

OK, I can see how that would work when you have more than one IPSEC Lan-to-Lan tunnel. But we don't have multiple spokes, just a single tunnel.

In our case the traffic I want sent inside the tunnel does not arrive in another tunnel. It is ordinary, unencrypted traffic destined for a server at the far end of the only tunnel maintained by the concentrator.

Can the concentrator recognize as "interesting", traffic routed to its public interface, encrypt it, and send it out the tunnel?