zaccochet
Beginner

Full-Tunnel Site-to-site VPN

Hi all:

 

I want to configure a site-to-site vpn between two C1100 series routers.  I know how to do a split-tunnel configuration, but I'm wondering what I would do differently for a full-tunnel?  Say I have Site A and Site B.  Both sites have internet, but I want to funnel all traffic from Site A to Site B so that internet traffic comes out of only Site B.

 

Say the local subnets are 192.168.1.0/24 for Site A and 192.168.2.0/24 for Site B.  I am thinking that my ACLs (to identify 'interesting' traffic for the VPNs) would look something like this:

 

Site A:

ip access-list extended Site_A_VPN_ACL

  permit ip 192.168.1.0 0.0.0.255 any

 

Site B:

ip access-list extended Site_B_VPN_ACL

  permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

 

Would this work?  I'm having a hard time finding a config guide for what I'm trying to do.  I'm finding only guides that result in a split-tunnel configuration.

ACCEPTED SOLUTION
Rob Ingram
VIP Mentor

@zaccochet 

Your crypto ACLs would need to mirror each other, so you'd need "any" on the Site B ACL, otherwise you'll have a mismatch and you'll be unable to tunnel the internet traffic over the VPN.


11 REPLIES

So would the ACL at Site B have to look like this:

 

ip access-list extended Site_B_VPN_ACL

  permit ip any 192.168.1.0 0.0.0.255

 

zaccochet
Beginner

I did a bit more reading and I'm starting to wonder if I'm taking the right approach to this.  I saw a note in this document (https://www.cisco.com/c/en/us/td/docs/security/vpn_modules/6342/vpn_cg/6342site3.html) that recommends against using the 'any' keyword.

     "We recommend that you configure "mirror image" crypto access lists for use by IPSec and that you avoid using the any keyword."

 

Also, all the guides I see are creating ACLs to encrypt only the LAN subnets on each router.  Is split-tunnel the only option when using IPsec tunnels?

@zaccochet If you want to route internet over a VPN using a policy based VPN (crypto map) you'd have to use "any".

 

Alternatively, use a route-based VPN: assign the outside/internet-facing interface to a dedicated VRF with a default route via the ISP next hop, and use that to establish the VPN tunnel. Then the inside interface and tunnel interface can remain in the global (or another) VRF, and from there you can advertise a default route over the VPN tunnel.

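The front-door-VRF design described in the reply above, written out as an added example; this is not configuration from the original thread or from Cisco's documentation. It assumes a /30 on each outside interface with ISP next hops 1.1.1.2 and 2.2.2.1, a 10.255.0.0/30 tunnel subnet, IKEv2 with a pre-shared key, and the interface names shown; all of those are placeholders to adapt. The two points it shows that the crypto-ACL approach does not are (1) Site A can carry a global default route into the tunnel without that route swallowing the tunnel's own encapsulated packets, because those are forwarded in FVRF, and (2) Site B's NAT works for the remote LAN because the decrypted traffic enters on an `ip nat inside` tunnel interface. With a crypto map on the outside interface, a decrypted packet from 192.168.1.0/24 bound for the internet enters and leaves the same `ip nat outside` interface and never crosses an inside interface, so classic inside-source NAT does not translate it, which matches the "no NAT sessions" symptom further down this thread.

```cisco
! ===== Site A (192.168.1.0/24): all traffic leaves via Site B =====
! Front-door VRF holds only the ISP-facing interface and its default route.
vrf definition FVRF
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet0/0
 description Outside (ISP), placed in FVRF
 vrf forwarding FVRF
 ip address 1.1.1.1 255.255.255.252
!
! Default route in FVRF is used only to reach the IPsec peer (1.1.1.2 = assumed ISP next hop).
ip route vrf FVRF 0.0.0.0 0.0.0.0 1.1.1.2
!
interface GigabitEthernet0/1
 description Inside LAN (global routing table)
 ip address 192.168.1.1 255.255.255.0
!
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! The default IKEv2 policy only matches the global VRF, so a policy for FVRF is required.
crypto ikev2 policy IKEV2-POL
 match fvrf FVRF
 proposal IKEV2-PROP
!
crypto ikev2 keyring IKEV2-KR
 peer SITE-B
  address 2.2.2.2
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-PSK
!
crypto ikev2 profile IKEV2-PROF
 match fvrf FVRF
 match identity remote address 2.2.2.2 255.255.255.255
 identity local address 1.1.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF
!
! VTI: the tunnel interface sits in global, its endpoints are looked up in FVRF.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel vrf FVRF
 tunnel protection ipsec profile IPSEC-PROF
!
! Global default route over the tunnel. No crypto ACL is needed: whatever is
! routed into Tunnel0 is encrypted, and the ESP packets are forwarded in FVRF,
! so this route cannot recurse onto itself.
ip route 0.0.0.0 0.0.0.0 Tunnel0
!
! ===== Site B (192.168.2.0/24): no FVRF needed, default route stays with the ISP =====
interface GigabitEthernet0/0
 description Outside (ISP)
 ip address 2.2.2.2 255.255.255.252
 ip nat outside
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
! IKEv2 proposal/policy/keyring/profile, transform set and IPsec profile mirror
! Site A (peer 1.1.1.1, identity local 2.2.2.2) with the "match fvrf" lines omitted.
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nat inside
 tunnel source GigabitEthernet0/0
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
! Both LANs are translated to Site B's public address on the way to the internet.
! LAN-to-LAN traffic moves between two "ip nat inside" interfaces and is never translated.
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
```

To check it from Site A: `show ip route vrf FVRF` should show only the ISP default, `show crypto ikev2 sa` should list the SA with fvrf FVRF, and after `ping 8.8.8.8 source GigabitEthernet0/1` the `show ip nat translations` output on Site B should contain an entry for the 192.168.1.1 source. Because every packet routed into Tunnel0 is encrypted, there is no "mirror image" crypto ACL to keep in sync, and the `any` keyword the Cisco guide warns about is not used anywhere.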
Ok, I'll give it a go in my lab.  I'll fix my ACLs so they look like this:

Site A:

ip access-list extended Site_A_VPN_ACL

  permit ip 192.168.1.0 0.0.0.255 any

 

Site B:

ip access-list extended Site_B_VPN_ACL

  permit ip any 192.168.1.0 0.0.0.255

 

But in addition to this, I'm guessing that I'll have to add the 192.168.1.0/24 network to the NAT ACL on the router for Site B.  Is that correct?

@zaccochet 

Yes, you'll need NAT configured on Site B's router for that Site A network 192.168.1.0/24 to access the internet.

So I added 192.168.1.0/24 to the NAT ACL on Router-B, but I still can't ping Google's DNS (8.8.8.8).  I'll attach my configs to this email.  The routers in my lab are 2900 series routers running 15.4.  I trimmed out stuff that isn't relevant and replaced Router-A's and Router-B's public IPs with 1.1.1.1 and 2.2.2.2 respectively.

 

From Router-A, I can ping 192.168.4.1 when sourced with 192.168.1.1 (interface loopback0), and 192.168.4.1 can ping back.

 

When I run 'ping 8.8.8.8 source lo0' from Router-A I can see the #pkts decaps, decrypt, and verify counters increment on the IPsec security association on Router-B.  That makes me think that the packets are going through the IPsec tunnel and leads me to think that something on Router-B isn't correct.  No NAT sessions are created, but I added the 192.168.1.0/24 subnet to the NAT ACL.  There is no NAT config on Router-A.

Policy ACL:

permit x.x.x.x any ?

'any' means that if you send a packet to 8.8.8.8 (DNS) it will also be encrypted and pass through IPsec.

You need:

permit x.x.x.x y.y.y.y

Try this.

But I want that traffic to pass through the IPsec tunnel and go out the other router.  I realize that part of the problem is a lack of understanding on my part.  From what I understand, the ACL identifies traffic to be passed through the IPsec tunnel.  I want all traffic from the 192.168.1.0/24 subnet to pass through the tunnel, and that's why there's an 'any' in that ACL.  If my reasoning isn't right please let me know.

OK, you are right: ALL traffic will pass if you configure the policy ACL with 'any'.

But instead of pinging 8.8.8.8, please configure a loopback on Router-B and try again.

NOTE: be sure that the loopback is reachable from Router-A.

MHM Cisco World
Collaborator

Split-tunnel:

If the packet matches the policy ACL it is encrypted. The new packet has two IP headers: the original one, which is encrypted via ESP, and an outer IP header whose source is the IP address of the interface under which the crypto map is configured and whose destination is the IPsec peer IP.

If the packet does not match the policy ACL it is not encrypted; there is only one IP header, so you must be sure the destination IP is reachable, otherwise you need NAT.