Solved: Thank you for posting back to

Aliaksandr Tratseuski · ‎10-17-2014

Hi folks!

I've an IPsec Site-to-Site VPN to a branch office (R2). There was one LAN (LAN1) at HQ and another (LAN2) at Branch office.

Tunnel termination points:

R1 - Microsoft ISA Server
R2 - Cisco 2921 ISR

LAN3 has been created recently, behind R2 (see the picture below):

So I need to gain an access to LAN3 from LAN1. How could I solve this problem? I see two options for now.

OPTION 1: Create a separate tunnel from R1 to R2

I see an issue here:

How could I define a separate key for this tunnel?
If I execute something like this:
crypto isakmp key LAN1_to_LAN2_key address 1.1.1.1
then LAN1 to LAN2 tunnel will be dropped because of the changed key
Everything else seems good - policy maps, route-maps, etc.
Traffic could be distinguished between them

OPTION 2: Create a summary route in VPN config

Issues:

R1 does not seem to support such kind of configuration (source, section "Quick policy mode negotiation fails with a "No policy configured" error")

How could I solve this problem?

Running-config (security part) is attached

Richard Burts · ‎10-17-2014

From the Cisco side this is easy to solve. I can not address how to solve it from the R1 Microsoft side but suspect that it is not difficult.

You do NOT want a second tunnel to solve this. You want to change the access list that identifies traffic to be encrypted. If it were me I would add this line to your existing access list

 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255

or alternatively you could replace this line

 permit ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255

with this line

 permit ip 192.168.2.0 0.0.1.255 192.168.101.0 0.0.0.255

HTH

Rick

HTH

Rick

View solution in original post

michael o'nan · ‎10-17-2014

I don't believe this would be adding a tunnel you are just adding access to that subnet on your tunnel. Sorry I can't help with exact config but I know it can be done rather easily.

Richard Burts · ‎10-17-2014

From the Cisco side this is easy to solve. I can not address how to solve it from the R1 Microsoft side but suspect that it is not difficult.

You do NOT want a second tunnel to solve this. You want to change the access list that identifies traffic to be encrypted. If it were me I would add this line to your existing access list

 permit ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255

or alternatively you could replace this line

 permit ip 192.168.2.0 0.0.0.255 192.168.101.0 0.0.0.255

with this line

 permit ip 192.168.2.0 0.0.1.255 192.168.101.0 0.0.0.255

HTH

Rick

HTH

Rick

Aliaksandr Tratseuski · ‎10-20-2014

Thanks, Richard!

That worked. Actually from ISA Server I had to bring up another tunnel with the same parameters as the previous one (192.168.2.0/24) but for a new network (192.168.3.0/24).

Richard Burts · ‎10-20-2014

It is interesting that from the ISA Server side you had to bring up another tunnel. I am glad that my suggestions helped you to solve it from the Cisco side. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to know that there is helpful information in this thread.

HTH

Rick

HTH

Rick

Aliaksandr Tratseuski · ‎10-20-2014

Rick,

actually i've found a way to just add another address range to the existing tunnel (it seems that i was blind hadn't noticed it before). That also worked. So i decided to move to that right solution.

Although, I've discovered a new possibility to add another address range through creating another tunnel :)

Thanks

Richard Burts · ‎10-21-2014

Thank you for posting back to the forum and updating us that you were able to just add another address range to the existing tunnel on the ISA Server. That makes sense and I agree that this is better than achieving the result by adding a new tunnel.

HTH

Rick

HTH

Rick

IPsec VPN: multiple LANs on one side - is it possible?