01-31-2012 03:12 PM - edited 02-21-2020 05:50 PM
We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic including web surfing through the tunnels. What would be the easiest way to accomplish this? I have tried utilizing the crypto map policy to do this, but was unable to accomplish this.
Each of our office locations utilizes a Cisco 2811 router and the tower locations utilize a Cisco 881.
Any suggestions would be greatly appreciated.
02-01-2012 04:18 PM
Hello Jonathan,
Okay, so now all traffic from the remote office is going through the VPN tunnel.
So on the HQ you have the following in the ACL for the NAT:
permit ip 192.168.24.0 0.0.0.255 any
Is that true?
Regards,
Julio
02-01-2012 05:06 PM
Correct.
*Copy/Paste from router*
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.24.0 0.0.0.255 any
I do not have any crypto maps on the head end router. Could we solve this by utilizing a crypto map and creating an ACL for that?
02-01-2012 05:19 PM
Hello Jonathan
If you do not have a crypto map on both routers you do not have a VPN tunnel up and running.
Can you share the show crypto isakmp sa and sh run crypto ipsec sa from both routers, to check whether the VPN is already established.
Regards,
02-01-2012 07:04 PM
Here are the results. I'm guessing this works without the maps due to EIGRP automatically routing the local network on each site.
sh cry ipse sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr xx.xx.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (xx.xx.xx.xx/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (xx.xx.xx.xx/255.255.255.255/47/0)
current_peer xx.xx.xx.xx port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5588, #pkts encrypt: 5588, #pkts digest: 5588
#pkts decaps: 9750, #pkts decrypt: 9750, #pkts verify: 9750
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 6, #recv errors 0
local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF8C3C17B(4173578619)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x645BF58B(1683748235)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 11, flow_id: Onboard VPN:11, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4464378/1390)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF8C3C17B(4173578619)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000006, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4464439/1390)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: FastEthernet0/0
Crypto map tag: REM_RTR, local addr xx.xx.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 64.184.36.79 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
02-01-2012 08:31 PM
Hello Jonathan,
Ok so the VPN is up and running, can you provide the VPN configuration on the HQ site?
02-01-2012 09:46 PM
Sure thing.
crypto keyring ccp-dmvpn-keyring
  pre-shared-key address 0.0.0.0 0.0.0.0 key password
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto isakmp profile ccp-dmvpn-isakmprofile
 keyring ccp-dmvpn-keyring
 match identity address 0.0.0.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile VPN_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ccp-dmvpn-isakmprofile
!
interface Tunnel0
 bandwidth 10000
 ip address 10.129.1.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication DMVPN_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip tcp adjust-mss 1360
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile VPN_Profile1
02-02-2012 02:03 PM
I tried adding a crypto map to the hub router with an ACL of access-list 120 permit ip any any. This locked up the router.
Any idea what type of access list I would need to accomplish this?
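For reference, an added example (not configuration posted in this thread) of the approach normally used with a DMVPN hub like the one above: the hub advertises a default route to the spokes over Tunnel0 with EIGRP, Tunnel0 becomes a NAT inside interface on the hub, and each spoke keeps only a host route to the hub's public address through its ISP, so no crypto map is needed because tunnel protection already encrypts the mGRE traffic. HUB_PUBLIC_IP, ISP_NEXT_HOP and the second spoke subnet 192.168.25.0/24 are placeholders.

```cisco
! ---- HQ hub (Cisco 2811) ----
! Spoke traffic arrives decrypted on Tunnel0, so Tunnel0 must be a NAT
! inside interface for it to be translated when it leaves Fa0/0 (outside).
interface Tunnel0
 ip nat inside
 ! Advertise a default route to every spoke over EIGRP AS 1. Split horizon
 ! is already disabled on the hub's Tunnel0. The summary installs a Null0
 ! route with AD 5, so the hub's own default must be a static route (AD 1).
 ip summary-address eigrp 1 0.0.0.0 0.0.0.0
!
interface FastEthernet0/0
 ip nat outside
!
! The NAT ACL must cover every spoke LAN, not only 192.168.24.0/24.
! 192.168.25.0/24 is a placeholder for a second site.
access-list 100 permit ip 192.168.24.0 0.0.0.255 any
access-list 100 permit ip 192.168.25.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload

! ---- Spoke (Cisco 2811 / 881) ----
! Only the hub's public address is reached directly through the ISP;
! HUB_PUBLIC_IP and ISP_NEXT_HOP are placeholders.
ip route HUB_PUBLIC_IP 255.255.255.255 ISP_NEXT_HOP
! Remove the ISP default so nothing bypasses the tunnel; the EIGRP default
! learned from the hub (next hop 10.129.1.1 via Tunnel0) takes over.
no ip route 0.0.0.0 0.0.0.0 ISP_NEXT_HOP
! Check on the spoke: "show ip route 0.0.0.0" should show a D (EIGRP)
! default via Tunnel0, and "show ip nat translations" on the hub should
! show the spoke LAN addresses translated to the Fa0/0 address.
```

A floating static default (for example with administrative distance 250) can be kept on the spoke only if web traffic is allowed to leave directly when the tunnel is down; otherwise leave it removed.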