05-02-2010 04:33 PM
Hello All,
Here is my current access list to bring up my VPN tunnel. Everything works fine with it, but I have several networks originating from the source router. How do I encrypt traffic from the same source router going to the same peer router? Do I have to create a different ACL, or can I just add another permit statement to the current ACL?
ip access-list extended INT_Traffic
permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
Can I change the above ACL to this? Whenever I add the second permit statement below, I get the error below.
ip access-list extended INT_Traffic
permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
permit ip 172.30.3.0 0.0.0.255 172.30.3.0 0.0..255 or permit ip 172.16.0.0 0.0.255.255 172.30.4.0 0.0.0.255
source peer networks Destination peer networks.
Mar 1 04:18:29.842: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.0.1, remote= 192.168.0.2,
local_proxy= 172.16.0.0/255.255.0.0/0/0 (type=4),
remote_proxy= 172.30.4.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Mar 1 04:18:29.850: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 04:18:29.850: SA has outstanding requests (local 102.72.38.92 port 500, remote 102.72.38.64 port 500)
*Mar 1 04:18:29.854: ISAKMP:(1001): sitting IDLE. Starting QM immediately (QM_IDLE )
R2(config-ext-nacl)#
*Mar 1 04:18:29.854: ISAKMP:(1001):beginning Quick Mode exchange, M-ID of -623193098
*Mar 1 04:18:29.858: ISAKMP:(1001):QM Initiator gets spi
*Mar 1 04:18:29.862: ISAKMP:(1001): sending packet to 192.168.0.2 my_port 500 peer_port 500 (I) QM_IDLE
*Mar 1 04:18:29.862: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Mar 1 04:18:29.866: ISAKMP:(1001):Node -623193098, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar 1 04:18:29.866: ISAKMP:(1001):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Mar 1 04:18:30.422: ISAKMP (0:1001): received packet from 192.168.0.2 dport 500 sport 500 Global (I) QM_IDLE
*Mar 1 04:18:30.426: ISAKMP: set new node -1733728027 to QM_IDLE
*Mar 1 04:18:30.430: ISAKMP:(1001): processing HASH payload. message ID = -1733728027
*Mar 1 04:18:30.430: ISAKMP:(1001): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2018370628, message ID = -1733728027, sa = 664824F8
*Mar 1 04:18:30.434: ISAKMP:(1001): deleting spi 2018370628 message
R2(config-ext-nacl)#ID = -623193098
*Mar 1 04:18:30.434: ISAKMP:(1001):deleting node -623193098 error TRUE reason "Delete Larval"
*Mar 1 04:18:30.434: ISAKMP:(1001):deleting node -1733728027 error FALSE reason "Informational (in) state 1"
*Mar 1 04:18:30.438: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Mar 1 04:18:30.438: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
!
!
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 50
encr aes 256
authentication pre-share
group 5
crypto isakmp key cisco address 192.168.0.2 no-xauth
!
!
crypto ipsec transform-set Cisco esp-aes 256 esp-sha-hmac
!
crypto map VPN_MAP 10 ipsec-isakmp
set peer 192.168.0.2
set transform-set Cisco
match address INT_Traffic
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 172.16.0.2 255.255.255.252
duplex auto
speed auto
!
interface Serial0/0
ip address 192.168.0.1 255.255.255.252
clock rate 128000
crypto map VPN_MAP
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
clock rate 2000000
!
router rip
version 2
network 172.16.0.0
network 192.168.0.0
no auto-summary
!
ip forward-protocol nd
!
!
ip http server
no ip http secure-server
!
ip access-list extended INT_Traffic
permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 172.30.4.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
login
!
!
end
R2#
05-02-2010 05:01 PM
1) You can't configure the same subnet for source and destination subnet. Each end of the VPN needs to be unique. Therefore, you can't add "permit ip 172.30.3.0 0.0.0.255 172.30.3.0 0.0..255" to the INT_Traffic ACL.
2) If you add another line of ACL under INT_Traffic, you would also need to add the same mirror image ACL on the peer VPN device. You can't just add the ACL on this router, because the other router would not know about the newly created ACL, hence it will not work.
You can add the following line under INT_Traffic ACL:
permit ip 172.16.0.0 0.0.255.255 172.30.4.0 0.0.0.255
But you also need to add the mirror image ACL on the peer VPN device as follows:
permit ip 172.30.4.0 0.0.0.255 172.16.0.0 0.0.255.255
But, yes, you can add more ACL lines under INT_Traffic if you like to encrypt it through the VPN tunnel. Just have to make sure of the above 2 points.
Hope that helps.
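As an added example (not part of the thread), a small Python check for the two points above: it parses each router's INT_Traffic ACL, flags entries whose source and destination are the same subnet, and lists local entries that the peer does not mirror. The R2 ACL is the one posted in the thread; the peer ACL is constructed here and deliberately mirrors only the first entry.

```python
import ipaddress

def _wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (wildcard = inverted netmask)."""
    mask_int = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask_int))
    # strict=False tolerates host bits; a non-contiguous wildcard raises ValueError
    return ipaddress.IPv4Network((addr, netmask), strict=False)

def parse_crypto_acl(text):
    """Return (src, dst) network pairs for each 'permit ip SRC WC DST WC' line."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[:2] == ["permit", "ip"]:
            pairs.append((_wildcard_to_network(parts[2], parts[3]),
                          _wildcard_to_network(parts[4], parts[5])))
    return pairs

def same_subnet_entries(pairs):
    """Point 1: entries whose source and destination are the same subnet."""
    return [p for p in pairs if p[0] == p[1]]

def missing_mirrors(local_pairs, peer_pairs):
    """Point 2: local entries with no mirrored (dst, src) entry on the peer."""
    peer_set = set(peer_pairs)
    return [p for p in local_pairs if (p[1], p[0]) not in peer_set]

# Constructed sample: R2's ACL from the thread plus the rejected same-subnet line
# (its wildcard typo corrected); the constructed peer ACL mirrors only the first entry.
R2_ACL = """\
ip access-list extended INT_Traffic
permit ip 172.16.0.0 0.0.255.255 172.17.0.0 0.0.255.255
permit ip 172.16.0.0 0.0.255.255 172.30.4.0 0.0.0.255
permit ip 172.30.3.0 0.0.0.255 172.30.3.0 0.0.0.255
"""
PEER_ACL = """\
ip access-list extended INT_Traffic
permit ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
"""

def audit(local_text, peer_text):
    """Run both checks; returns the offending entries as 'src -> dst' strings."""
    local, peer = parse_crypto_acl(local_text), parse_crypto_acl(peer_text)
    fmt = lambda p: f"{p[0]} -> {p[1]}"
    return {"same_subnet": [fmt(p) for p in same_subnet_entries(local)],
            "missing_on_peer": [fmt(p) for p in missing_mirrors(local, peer)]}

if __name__ == "__main__":
    for check, entries in audit(R2_ACL, PEER_ACL).items():
        print(check, entries)
```

An entry reported under missing_on_peer is exactly the case that produces the PROPOSAL_NOT_CHOSEN notify in the debug output above: the initiator proposes a proxy pair the responder has no matching ACL line for.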
05-03-2010 02:59 AM
Your answer was perfect. Everything works fine now. Thanks so much.