Multi-Site VPN Config - Correct?

seanwaite
Level 1

I am in the process of setting up a multi site VPN, the first tunnel (VPN1) is up and running fine. It was when I went to do the second tunnel that I encountered issues. I believe I resolved them, and that the problem was I had an ACL that was reversed. With our local network being 10.10.6.0/24 I had "....extended permit ip 10.150.0.0 255.255.128.0 10.10.6.0 255.255.255.0". 10.150.0.0/17 was the remote network, that I had reversed in the ACL, which is a network that does not exist locally. So, then this explained why there was no outbound traffic coming from our network. Before I schedule the next time we set these up I would like to ensure I have this down right. Below is the current config. I don't believe there is anything else I need to do to differentiate the separate VPNs. Each tunnel should have a unique ACL that matches the crypto map, then that network should be included in the same "no nat ACL".

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

1.) Local LAN: 10.10.6.0/23

2.) Remote LAN #1: 192.168.100.0/24

3.) Remote LAN#2: 10.150.0.0/17

4.) Remote LAN#3: 10.1.1.0/24

VPN #1

access-list REMOTE_SITE extended permit ip 10.10.6.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Outside_VPN1 extended permit ip 10.10.6.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map OUTSIDE_MAP 1 match address Outside_VPN1
crypto map OUTSIDE_MAP 1 set pfs group1
crypto map OUTSIDE_MAP 1 set peer 70.***.***.***
crypto map OUTSIDE_MAP 1 set transform-set ESP-AES-128-SHA
tunnel-group 70.***.***.*** type ipsec-l2l
tunnel-group 70.***.***.*** ipsec-attributes
pre-shared-key *****

VPN #2

access-list REMOTE_SITE extended permit ip 10.10.6.0 255.255.255.0 10.150.0.0 255.255.128.0
access-list Outside_VPN2 extended permit ip 10.10.6.0 255.255.255.0 10.150.0.0 255.255.128.0
crypto map OUTSIDE_MAP 2 match address Outside_VPN2
crypto map OUTSIDE_MAP 2 set peer 212.***.***.***
crypto map OUTSIDE_MAP 2 set transform-set ESP-3DES-MD5
tunnel-group 212.***.***.*** type ipsec-l2l
tunnel-group 212.***.***.*** ipsec-attributes
pre-shared-key *****

VPN #3

access-list REMOTE_SITE extended permit ip 10.10.6.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list Outside_VPN3 extended permit ip 10.10.6.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map OUTSIDE_MAP 3 match address Outside_VPN3
crypto map OUTSIDE_MAP 3 set peer 201.***.***.***
crypto map OUTSIDE_MAP 3 set transform-set ESP-3DES-MD5
tunnel-group 201.***.***.*** type ipsec-l2l
tunnel-group 201.***.***.*** ipsec-attributes
pre-shared-key *****

access-list REMOTE_SITE extended permit ip 10.10.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list REMOTE_RA extended permit ip any 192.168.0.0 255.255.0.0
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
ip local pool L2TP 192.168.205.1-192.168.205.20 mask 255.255.0.0
global (Outside) 1 215.**.**.***
nat (Inside) 0 access-list REMOTE_SITE
nat (Inside) 1 10.10.6.0 255.255.255.0
static (Inside,Outside) 215.**.**.*** 10.10.6.2 netmask 255.255.255.255
static (Inside,Outside) 215.**.**.*** 10.10.6.3 netmask 255.255.255.255
static (Inside,Outside) 215.**.**.*** 10.10.6.4 netmask 255.255.255.255
static (Inside,Outside) 215.**.**.*** 10.10.6.5 netmask 255.255.255.255
access-group ACL_IN in interface Outside
route Outside 0.0.0.0 0.0.0.0 215.**.**.*** 1

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 mode transport
crypto ipsec transform-set TRANS_ESP_AES128_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES128_SHA mode transport
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set TRANS_ESP_3DES_SHA TRANS_ESP_3DES_MD5 TRANS_ESP_AES128_SHA ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map OUTSIDE_MAP interface Outside

crypto isakmp enable Outside
crypto isakmp enable Inside
crypto isakmp enable management
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 1
lifetime 28800
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 1
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
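The two consistency rules the post relies on (each crypto-map ACL must have the local LAN as source and the remote LAN as destination, and the same source/destination pair must appear in the NAT-exempt ACL) can be checked mechanically before a cut-over. The following is an added example, not code from the post or from Cisco; it assumes the local LAN is 10.10.6.0/24 as the ACLs use it, and the sample config is constructed from the post's lines with the VPN2 ACL deliberately reversed (the original mistake) and VPN3 deliberately left out of REMOTE_SITE so both findings show up.

```python
import ipaddress
import re

# Constructed sample (subset of the config in the post; peers omitted).
# Outside_VPN2 is reversed on purpose and VPN3 has no REMOTE_SITE entry.
CONFIG = """
access-list REMOTE_SITE extended permit ip 10.10.6.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Outside_VPN1 extended permit ip 10.10.6.0 255.255.255.0 192.168.100.0 255.255.255.0
crypto map OUTSIDE_MAP 1 match address Outside_VPN1
access-list REMOTE_SITE extended permit ip 10.10.6.0 255.255.255.0 10.150.0.0 255.255.128.0
access-list Outside_VPN2 extended permit ip 10.150.0.0 255.255.128.0 10.10.6.0 255.255.255.0
crypto map OUTSIDE_MAP 2 match address Outside_VPN2
access-list Outside_VPN3 extended permit ip 10.10.6.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map OUTSIDE_MAP 3 match address Outside_VPN3
nat (Inside) 0 access-list REMOTE_SITE
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
NAT0 = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")


def parse(config):
    """Collect ACL entries (as network pairs), crypto-map ACL bindings and the nat 0 ACL name."""
    acls, crypto, nat0 = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACE.match(line):
            name, src, smask, dst, dmask = m.groups()
            pair = (ipaddress.ip_network(f"{src}/{smask}"), ipaddress.ip_network(f"{dst}/{dmask}"))
            acls.setdefault(name, []).append(pair)
        elif m := MATCH.match(line):
            crypto[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := NAT0.match(line):
            nat0 = m.group(1)
    return acls, crypto, nat0


def audit(config, local_lan):
    """Return one finding per crypto-map ACE whose direction or NAT exemption is wrong."""
    local = ipaddress.ip_network(local_lan)
    acls, crypto, nat0 = parse(config)
    exempt = acls.get(nat0, [])
    findings = []
    for (mapname, seq), aclname in sorted(crypto.items()):
        for src, dst in acls.get(aclname, []):
            if src != local and dst == local:
                findings.append(f"{mapname} {seq}: {aclname} {src}->{dst} is reversed (local LAN must be the source)")
            elif src != local:
                findings.append(f"{mapname} {seq}: {aclname} source {src} is not the local LAN {local}")
            elif (src, dst) not in exempt:
                findings.append(f"{mapname} {seq}: {aclname} {src}->{dst} has no matching entry in nat 0 ACL {nat0}")
    return findings
```

Run `audit(CONFIG, "10.10.6.0/24")` against a full `show running-config` dump to get the list of tunnels whose traffic would never be selected or would be NATed before encryption.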

3 Replies

apothula
Level 1

Hi Sean,

Bull's eye.

Everything looks perfect.

1 question though,

Do you want to provide access to all these remote sites via for your L2TP clients ??

Cheers,

Avinash.

Avinash, thanks for the reply.

The L2TP line is not final, I had that in for testing purposes, so the final will be adjusted to 192.168.205.0/24 to reflect the L2TP IP pool.

Good to know that the config looks good, gives me more confidence to go through with this.

Thanks, Sean

Hi Sean,

I guess we can work on the L2TP issue another day

Please mark this discussion as resolved, if there is nothing else we need to look into

Cheers,

Avinash.