Native IPsec with overlapping Networks

Tracer Germany
Level 1

Hello,

I've got an existing crypto map that includes a Class B network to Customer 1: 172.16.0.0/16.

The second map includes a Class C network to Customer 2: 172.16.88.0/24.

The Class C network of Customer 2 is within the range of the Class B network of Customer 1;

the range 172.16.88.0/24 is not in use at the site of Customer 1.

Both routes, 172.16.0.0/16 and 172.16.88.0/24, point to the external interface where the crypto map is applied.

I do not see any matches on the access list "VPN_2_CUSTOMER2".

Can someone tell me where the problem is?

If it is only a matter of routing then "shortest path match" should work... but it seems that for IPsec and crypto maps it's not working...

Thanks for your help.

crypto map VPN2World 1 ipsec-isakmp 
 description *** Tunnel IF 2 Customer1 ***
 set peer 1.1.1.1 (Changed)
 set transform-set aes256+shahmac
 match address VPN_2_CUSTOMER1

ip access-list extended VPN_2_CUSTOMER1
 remark ---- CRYPTO MAP IPSec Rule ------------------------------
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255

-------------------------------------

crypto map VPN2World 2 ipsec-isakmp
 description *** Tunnel IF 2 Customer2 ***
 set peer 2.2.2.2 (Changed)
 set transform-set aes256+shahmac
 match address VPN_2_CUSTOMER2

ip access-list extended VPN_2_CUSTOMER2
 remark ---- CRYPTO MAP IPSec Rule ------------------------------
 permit ip 192.168.1.0 0.0.0.255 172.16.88.0 0.0.0.255


Accepted Solution

Rahul Govindan
VIP Alumni

IPsec does not use a shortest path first match; the ACLs are evaluated sequentially in order of the crypto map entries. So in your case, traffic to 172.16.88.0/24 will always match the first crypto map entry (172.16.0.0/16).

One way to get around this is to switch the order of the crypto map. This way, traffic to 172.16.88.0/24 will match the right crypto map, and the rest of the traffic in 172.16.0.0/16 will match the second entry. Obviously, if the 172.16.0.0/16 network has a 172.16.88.0/24 network, this won't work.

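To make the first-match behaviour concrete, here is an added Python simulation (not code from the thread or from Cisco) of how a crypto map picks a peer: entries are tried in sequence-number order and the first ACL permit wins, with no longest-prefix logic. It also includes a small "shadow" check that flags an earlier, broader ACL entry completely covering a later, narrower one, which is exactly the configuration the thread started with. Crypto map sequence numbers, ACL names, networks and peer addresses are taken from the thread; the wildcard-mask parser, the data classes and the shadow check are this example's own constructions.

```python
"""
Added example: simulate Cisco crypto map selection (first match in sequence
order, not longest-prefix match) and detect shadowed entries.
Not from the thread or from Cisco; ACLs, peers and sequence numbers mirror
the thread, everything else is this example's own construction.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int          # crypto map sequence number (evaluation order)
    peer: str         # "set peer" address
    acl_name: str     # "match address" ACL
    aces: tuple[AclEntry, ...]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn a Cisco 'address wildcard' pair into a network.

    A wildcard bit of 1 means "don't care", so the prefix mask is the
    bitwise inverse. Only contiguous wildcards are supported here.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    expected = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if mask != expected:
        raise ValueError(f"non-contiguous wildcard mask {wildcard!r}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_permit_ip(line: str) -> AclEntry:
    """Parse one 'permit ip <src> <wc> <dst> <wc>' access-list entry."""
    parts = line.split()
    if parts[:2] != ["permit", "ip"] or len(parts) != 6:
        raise ValueError(f"unsupported ACE: {line!r}")
    return AclEntry(wildcard_to_network(parts[2], parts[3]),
                    wildcard_to_network(parts[4], parts[5]))


def select_peer(crypto_map: list[CryptoMapEntry], src: str, dst: str):
    """Return (peer, acl_name) of the first entry whose ACL permits the flow.

    Entries are walked in sequence-number order; the first permit wins, so a
    broad entry with a lower sequence number swallows everything it covers.
    None means the packet is not 'interesting' and leaves unencrypted.
    """
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        for ace in entry.aces:
            if s in ace.src and d in ace.dst:
                return entry.peer, entry.acl_name
    return None


def shadowed_entries(crypto_map: list[CryptoMapEntry]) -> list[tuple[int, int]]:
    """List (earlier_seq, later_seq) pairs where an earlier ACE fully covers a later one.

    Such a later entry can never be hit, which is what "no matches on the
    access list" looks like in practice.
    """
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    found = []
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            for a in earlier.aces:
                for b in later.aces:
                    if b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst):
                        found.append((earlier.seq, later.seq))
    return found


# ACL entries as posted in the thread.
CUSTOMER1_ACE = "permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255"
CUSTOMER2_ACE = "permit ip 192.168.1.0 0.0.0.255 172.16.88.0 0.0.0.255"


def original_map() -> list[CryptoMapEntry]:
    """Thread's starting configuration: the /16 entry is evaluated first."""
    return [
        CryptoMapEntry(1, "1.1.1.1", "VPN_2_CUSTOMER1", (parse_permit_ip(CUSTOMER1_ACE),)),
        CryptoMapEntry(2, "2.2.2.2", "VPN_2_CUSTOMER2", (parse_permit_ip(CUSTOMER2_ACE),)),
    ]


def reordered_map() -> list[CryptoMapEntry]:
    """Suggested fix: the narrower /24 entry gets the lower sequence number."""
    return [
        CryptoMapEntry(2, "1.1.1.1", "VPN_2_CUSTOMER1", (parse_permit_ip(CUSTOMER1_ACE),)),
        CryptoMapEntry(1, "2.2.2.2", "VPN_2_CUSTOMER2", (parse_permit_ip(CUSTOMER2_ACE),)),
    ]


if __name__ == "__main__":
    for label, cmap in (("original", original_map()), ("reordered", reordered_map())):
        print(label, "-> 172.16.88.5:", select_peer(cmap, "192.168.1.10", "172.16.88.5"),
              "| shadowed:", shadowed_entries(cmap))
```

Running it shows the thread's symptom: with the original order a packet for 172.16.88.5 is sent to peer 1.1.1.1 via VPN_2_CUSTOMER1 and the shadow check reports entry 1 covering entry 2; after the swap the same packet matches VPN_2_CUSTOMER2 and nothing is shadowed. The check only reasons about the ACLs, so it cannot tell you whether Customer 1 actually uses 172.16.88.0/24; that remains the address-plan question the answer above points out.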

2 Replies


Tracer Germany
Level 1

Hi Rahul,

I made the change and now it is working!

Thank you! You saved my day!

* I changed it to:

crypto map VPN2World 2 ipsec-isakmp 
 description *** Tunnel IF 2 Customer1 ***
 set peer 1.1.1.1 (Changed)
 set transform-set aes256+shahmac
 match address VPN_2_CUSTOMER1

ip access-list extended VPN_2_CUSTOMER1
 remark ---- CRYPTO MAP IPSec Rule ------------------------------
 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.255.255

-------------------------------------

crypto map VPN2World 1 ipsec-isakmp
 description *** Tunnel IF 2 Customer2 ***
 set peer 2.2.2.2 (Changed)
 set transform-set aes256+shahmac
 match address VPN_2_CUSTOMER2

ip access-list extended VPN_2_CUSTOMER2
 remark ---- CRYPTO MAP IPSec Rule ------------------------------
 permit ip 192.168.1.0 0.0.0.255 172.16.88.0 0.0.0.255