IPSec VPN on Internal Interfaces and across MPLS

Michael Marzol
Level 1

We have a number of tunnels needing to be configured for encryption of traffic destined for an internet range of addresses. These tunnels are "internal" in the sense that they traverse our MPLS network. Do we have any issue with terminating the tunnels on internal interfaces as opposed to external public MPLS facing interfaces? To add to it, the far end terminating IPsec device is an ASA which actually sits behind one of the MPLS routers.

For example: Router A internal network 192.168.1.0 needs to access internet address 3.2.2.2. IPsec configuration tells the router to run it through the tunnel which terminates on a remote head end ASA with an external facing interface to network 3.2.2.0 and an internal interface of 192.168.2.1. This ASA is behind Router B. Am I able to terminate tunnels on the internal interfaces of Router A and the ASA? Would NAT be an issue?

Internal 192.168.1.1<--RouterA-->MPLS Cloud<--Router B-->Internal 192.168.2.1<--ASA--> 3.2.2.0

Hope this makes some sense and I appreciate any help,

-Mike

3 Replies

Philip D'Ath
VIP Alumni

Yes you can. The NAT configuration would be the same as if there was no IPSec.

Thank you again, Philip. I'm in the process of testing this now and will report back once complete.

Ok, so now I have a completely separate issue. My crypto map ACLs are not matching interesting traffic that I'm generating. I tested using a "permit ip any any" ACL and the tunnel comes up. But it's not matching the specific subnets I want to use.

ASA:

object network ANNEX_10.1.1.0
 subnet 10.1.1.0 255.255.255.0
!
object network XXXX_network_162.143.0.0
 subnet 162.143.0.0 255.255.0.0
!

access-list TEST_ENCRYPTION_TO_ANNEX extended permit ip object XXXX_network_162.143.0.0 object ANNEX_10.1.1.0

Router:

ip access-list extended XXXX_VPN
 permit ip 10.1.1.0 0.0.0.255 162.143.0.0 0.0.255.255 log
!
crypto map XXXX_CMAP 10 ipsec-isakmp
 set peer [headend peer ip]
 set transform-set XXXX_TSET
 match address XXXX_VPN
!
interface GigabitEthernet0/0.60
 description XXXX_VPN_TEST
 encapsulation dot1Q 60
 ip address 10.1.1.1 255.255.255.0
 crypto map FDLE_CMAP
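As an added example (not from the thread or from Cisco), a small Python check that parses the router's wildcard-mask crypto ACL and the ASA's object-based ACL, verifies the two are mirror images of each other, and tests whether a given flow would be selected as interesting traffic. The sample config text is constructed from the snippets above; the function names are mine.

```python
import ipaddress
import re

# Constructed sample input, copied from the router and ASA snippets in the thread.
ROUTER_ACL = """ip access-list extended XXXX_VPN
 permit ip 10.1.1.0 0.0.0.255 162.143.0.0 0.0.255.255 log
"""
ASA_CONFIG = """object network ANNEX_10.1.1.0
 subnet 10.1.1.0 255.255.255.0
object network XXXX_network_162.143.0.0
 subnet 162.143.0.0 255.255.0.0
access-list TEST_ENCRYPTION_TO_ANNEX extended permit ip object XXXX_network_162.143.0.0 object ANNEX_10.1.1.0
"""

def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask (0 bit = must match) -> ip_network; invert it to get a netmask."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_router_acl(text):
    """Return [(src_net, dst_net)] for each 'permit ip A wc B wc' ACE (trailing 'log' ignored)."""
    aces = []
    for line in text.splitlines():
        m = re.match(r"\s*permit ip (\S+) (\S+) (\S+) (\S+)", line)
        if m:
            aces.append((wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])))
    return aces

def parse_asa_acl(text):
    """Resolve 'object network' subnets, then return [(src_net, dst_net)] per extended ACE."""
    objects, aces, current = {}, [], None
    for line in text.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.strip().startswith("subnet ") and current:
            _, addr, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        m = re.match(r"access-list \S+ extended permit ip object (\S+) object (\S+)", line)
        if m:
            aces.append((objects[m[1]], objects[m[2]]))
    return aces

def check_mirror(router_aces, asa_aces):
    """Crypto ACLs must be exact mirrors: router (src,dst) == ASA (dst,src). Returns the gaps."""
    router_set, asa_flipped = set(router_aces), {(d, s) for s, d in asa_aces}
    missing_on_asa = sorted(f"{s} -> {d}" for s, d in router_set - asa_flipped)
    missing_on_router = sorted(f"{s} -> {d}" for s, d in asa_flipped - router_set)
    return missing_on_asa, missing_on_router

def is_interesting(aces, src_ip, dst_ip):
    """Would this flow be matched by the crypto ACL and therefore be sent into the tunnel?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in aces)
```

If `check_mirror` reports a gap, or `is_interesting` returns False for the test traffic you are generating, the ACL (not IKE or NAT) is the first thing to correct.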