05-04-2018 08:20 PM - edited 03-12-2019 05:15 AM
Hi, I have a question about the IPsec VPN access list used to match traffic. I read that the access lists need to be mirror images of each other to create the IPsec tunnel. I have a point-to-multipoint scenario and I am using site-to-site VPN for every location. So my point is: can I configure an extended access list on the hub to match all sites' traffic and call it in the transform set?
e.g.
ip access-list extended IPSEC
 10 permit ip host 10.88.0.1 host 192.168.0.1 (first site)
 20 permit ip host 10.88.0.1 host 192.168.0.2 (second site)
The IP addresses in this access list are actually the GRE tunnel endpoints.
So, if I call this in the transform set, will the respective site match itself to its own access-list entry and encrypt the traffic?
Thanks in advance
05-04-2018 08:21 PM
05-06-2018 06:15 AM
What exactly are you trying to achieve? If it is just hub-to-hub communication, then DMVPN is a better solution than having site-to-site tunnels between all locations.
05-06-2018 07:40 AM - edited 05-06-2018 07:41 AM
Hi, I need spoke-to-spoke communication even if the hub fails; that is why I created site-to-site tunnels.
So my question was: for site-to-site tunnels with the hub, can I use an extended access list inside one single transform set to match traffic for multiple sites?
05-07-2018 01:44 AM
I am not entirely sure what you mean by inside a single transform-set. You can set up a dynamic crypto map so you don't need to configure a separate crypto map entry for each branch site. The issue here is that it is the branch site that would need to initiate traffic. That is to say, if the VPN tunnel is down because no interesting traffic is crossing it, the hub site would not be able to bring the tunnel up. Only the branch will be able to bring up the tunnel.
05-07-2018 04:39 AM
Hi, thank you for the reply.
Actually, what I meant was in the dynamic map, where we need to match an access list for the traffic that needs to be encrypted. So what I did was create one extended access list with multiple entries in it, matching multiple sites, and call it in one dynamic map.
Will there be any issue with that? Or should I create one dynamic map per location and match a single access list in that?
I hope I have explained it properly now.
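The following is an added example, not configuration posted by anyone in this thread, showing the dynamic crypto map approach suggested above together with the "one extended ACL with one entry per spoke" arrangement asked about here, and the mirror-image ACL the opening post refers to. All addresses (RFC 5737/3330 documentation ranges), interface names, key strings and map/ACL names are assumptions chosen for illustration; the spoke side is written in IOS syntax as the equivalent of what the Digi WR44 would need, since the thread gives no WR44 configuration.

```cisco
!===== Hub (assumed: ISR 4331, outside GigabitEthernet0/0/0 = 203.0.113.1, LAN 10.1.0.0/24) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! One pre-shared key per spoke (assumed spoke WAN addresses). If spokes have
! dynamic addresses, a wildcard key "address 0.0.0.0 0.0.0.0" is used instead,
! which is the usual reason for choosing a dynamic map on the hub.
crypto isakmp key ExampleKeySpoke1 address 198.51.100.1
crypto isakmp key ExampleKeySpoke2 address 198.51.100.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! ONE extended ACL holding every spoke's interesting traffic, one ACE per site.
! Each spoke only ever negotiates the single ACE that mirrors its own ACL;
! the other ACEs are simply not matched by that peer.
ip access-list extended IPSEC
 10 permit ip 10.1.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 20 permit ip 10.1.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! The ACL is referenced from the dynamic map, not the transform set.
crypto dynamic-map DYN 10
 set transform-set TS
 match address IPSEC
!
! A single static map entry binds the dynamic map; no per-spoke entry needed.
crypto map HUBMAP 10 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map HUBMAP
!
!===== Spoke 1 (assumed: WAN 198.51.100.1, LAN 192.168.1.0/24) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExampleKeySpoke1 address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Mirror image of the hub's ACE 10: source and destination swapped.
ip access-list extended IPSEC
 10 permit ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.0.255
!
! The spoke uses a static map entry because it must name the hub as peer and
! is the side that initiates (a dynamic-map hub cannot bring the tunnel up).
crypto map SPOKEMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address IPSEC
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map SPOKEMAP
!
!===== Checks on the hub after spoke 1 sends traffic to 10.1.0.0/24 =====
! Phase 1 state; QM_IDLE means ISAKMP is up with that peer.
show crypto isakmp sa
! Phase 2: the "local ident"/"remote ident" lines must show exactly the
! hub-side ACE 10 (10.1.0.0/24 <-> 192.168.1.0/24) for this peer.
show crypto ipsec sa peer 198.51.100.1
```

Two practical points follow from this layout. First, the proxy IDs a spoke proposes must fall inside one ACE of the hub's ACL; if a spoke proposes a wider or mismatched pair (for example "any" to 10.1.0.0/24 while the hub lists a /24 to /24), phase 2 fails and `debug crypto ipsec` on the hub reports the proxy identities as not supported, so keeping each spoke's ACL an exact mirror of its own hub ACE avoids most tunnel-up problems here. Second, because the hub only answers, a spoke whose tunnel has idled out is reachable from the hub again only after the spoke sends interesting traffic; a keepalive or monitoring ping sourced from each spoke LAN toward the hub is the usual way to keep the SAs alive if hub-initiated traffic matters.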
05-07-2018 11:31 AM
What device do you have as your hub (VPN head-end)?
05-07-2018 12:40 PM
Hi, I have a Cisco 4331 as the hub but Digi WR44 routers on the spoke sites.
Thanks