12-11-2007 08:57 PM - edited 03-09-2019 07:37 PM
Hi there.
I'm trying to set up some site-to-site VPNs between 3 offices using 3 Cisco ASA 5505s.
In the manual for these ASAs, it says that when setting up the connection (I am using ASDM and the easyVPN wizard) and you use a PSK for authentication between the two sites, the tunnel name must be the peer's IP address. Is this correct so far?
Because I always thought that the tunnel names must be identical on each side. So this means that on site 1, the tunnel name will be site 2's IP address, whilst on site 2, the tunnel name will be site 1's IP address. Is this correct? Like I said, I always thought the tunnel names had to match each other.
Also, can anyone tell me if this setup will work?
I have 3 sites which I want to put into a meshed site-to-site VPN scenario.
So basically I have 3 routers, and on each router there will be 2 site-to-site tunnels configured (via the easyVPN wizard in ASDM) for the other 2. Does this sound workable? And if so, will the tunnel names for each connection on each router be the peer IP address?
Greatly appreciate any insight.
12-12-2007 01:32 AM
Hi Matthew
The tunnel name mustn't/can't be the same on both sites. Only the peer IP and the tunnel-group must be the same in site A.
Let's say that you will create a VPN as follows:
A--B--C
Site A interface IP=x.x.x.x
Site B interface IP=y.y.y.y
Site C interface IP=z.z.z.z
So in ASA in site A
tunnel-group y.y.y.y type ipsec-l2l
crypto map xmap 10 set peer y.y.y.y
ASA in site B
tunnel-group x.x.x.x type ipsec-l2l
crypto map xmap 10 set peer x.x.x.x
tunnel-group z.z.z.z type ipsec-l2l
crypto map xmap 20 set peer z.z.z.z
ASA in site C
tunnel-group y.y.y.y type ipsec-l2l
crypto map xmap 10 set peer y.y.y.y
Regards
12-12-2007 12:24 PM
Thanks very much. That was a good explanation and cleared a lot of stuff up.
I forgot to ask something in my previous post.
Using the examples shown, for the ACL which is applied to the tunnel: do you assign that ACL permission to access the 'other side's' internal network(s), or do you assign the ACL to access the 'other side's' public IP address (peer IP)?
In the ASA manual it says to 'specify which remote hosts/networks you want to be able to be encrypted through the IPsec tunnel', then it shows an example and the ACL is 'permit any <peer ip>'. And that's it. I thought you would want to be adding the remote site's private network as opposed to its public interface?
Thanks again for clearing this up.
12-12-2007 12:41 PM
You are welcome.
Let's say that your local network is a.a.a.a and the remote network that you have to reach is b.b.b.b.
The match ACL makes traffic from a.a.a.a to b.b.b.b flow through this tunnel. So if any host in a.a.a.a tries to reach address b.b.b.b, traffic will flow through the tunnel. If you don't set this match ACL, traffic will flow through the default route to the outside world and get lost. Since you have nothing to do with the peer IP (you don't want to reach the peer IP of the remote site from your local network through the tunnel), there is no need to add the peer IP.
The common scenario is adding the source and destination networks.
Regards
12-12-2007 12:47 PM
I thought this was the case but was being confused by the ASA manual.
Alas, common sense prevails.
Thanks again, greatly appreciated.