Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
962
Views
0
Helpful
3
Replies

IPSec VPN on Internal Interfaces and across MPLS

Michael Marzol
Level 1
Level 1

‎03-29-2017 06:43 AM - edited ‎02-21-2020 09:13 PM

We have a number of tunnels needing to be configured for encryption of traffic destined for an internet range of addresses. These tunnels are "internal" in the sense that they traverse our MPLS network. Do we have any issue with terminating the tunnels on internal interfaces as opposed to external public MPLS facing interfaces? To add to it, the far end terminating IPsec device is an ASA which actually sits behind one of the MPLS routers.

For example: Router A internal network 192.168.1.0 needs to access internet address 3.2.2.2. IPsec configuration tells the router to run it through the tunnel which terminates on a remote head end ASA with an external facing interface to network 3.2.2.0 and an internal interface of 192.168.2.1. This ASA is behind Router B. Am I able to terminate tunnels on the internal interfaces of Router A and the ASA? Would NAT be an issue?

Internal 192.168.1.1<--RouterA-->MPLS Cloud<--Router B-->Internal 192.168.2.1<--ASA--> 3.2.2.0

Hope this makes some sense and I appreciate any help,

-Mike

Labels:
0 Helpful
3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

‎03-30-2017 11:07 PM

Yes you can.  The NAT configuration would be the same as if their was no IPSec.

0 Helpful

Michael Marzol
Level 1
Level 1
In response to Philip D'Ath

‎03-31-2017 06:58 AM

Thank you again, Philip. I'm in the process of testing this now and will report back once complete.

0 Helpful

Michael Marzol
Level 1
Level 1
In response to Philip D'Ath

‎04-03-2017 02:03 PM

Ok, so now I have a completely separate issue. My crypto map ACL's are not matching interesting traffic that I'm generating. I tested using a "permit ip any any" ACL and the tunnel comes up. But it's not matching the specific subnets I want to use.

ASA:

object network ANNEX_10.1.1.0
 subnet 10.1.1.0 255.255.255.0
!
object network XXXX_network_162.143.0.0
  subnet 162.143.0.0 255.255.0.0
!

access-list TEST_ENCRYPTION_TO_ANNEX extended permit ip object XXXX_network_162.143.0.0 object ANNEX_10.1.1.0

Router:

ip access-list extended XXXX_VPN
 permit ip 10.1.1.0 0.0.0.255 162.143.0.0 0.0.255.255 log
!
crypto map XXXX_CMAP 10 ipsec-isakmp
 set peer [headend peer ip]
 set transform-set XXXX_TSET
 match address XXXX_VPN
!
interface GigabitEthernet0/0.60
 description XXXX_VPN_TEST
 encapsulation dot1Q 60
 ip address 10.1.1.1 255.255.255.0
 crypto map FDLE_CMAP

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents