Re: One armed VPN router - possible?

jroyster · ‎04-25-2003

This might sound a little strange, but trust me...there are a whole slew of reasons why I have to attempt this. :-)

Is there any way to create a VPN tunnel on a IOS router with only one interface? The other end would be a 3030 concentrator.

Basically the router would receive packets, encrypt them and send them to the concentrator. I'm a little confused if I can do this or how the configuration would look.

Thanks for any help,

John

gfullage · ‎04-27-2003

Should work OK, I think I did this a year or so ago for a customer. The main thing is routing, so make sure the route for the remote 3030 network points out the same interface as where the hosts are. The router theoretically should be able to figure it out OK.

Trouble is the return traffic from the local hosts needs to go to this VPN router, not out to the Internet (assuming this is a different router or these hosts are already on the Internet, the hosts may have their default gateway set to a different device than this router). You may need to add a static route on each device telling it how to get to the remote 3030 network via this router. Even after doing that, this router will receive the packet from the host, see that it has to send it back out the same interface (albeit encrypted), and will probably send an ICMP redirect to the originating host to tell it to send all its packet straight to the other gateway from now on. This will obviously break your IPSec tunnel. Putting "no ip redirects" on the crypto interface should stop that.

In short, it should work but you need to make sure routing is working, pay particular attention to the local hosts.