01-03-2013 04:28 AM
Hi All,
I was wondering if someone could help explain access lists when configuring site-to-site VPN tunnels. Basically I used this guide to roughly create a GNS3 lab for me getting to understand IPSec tunnels etc.
http://commonerrors.blogspot.co.uk/2011/09/site-to-site-vpn-cli-configuration-on.html
Thing is, this config works and my confusion is about the ACLs they use. There is no mention of the internal 10.1.1.1 subnet on the US router, but the Pakistan one has its internal 172.16.x.x range in the ACLs (but not its external ISP IPs).
Why does this work? Is this setup incorrect?
With these site-to-site VPN tunnels, what source/destination IP ranges should be in them?
Any help or information would be great.
Thanks,
Paul
01-03-2013 05:05 AM
With the crypto ACL, the source should be the local LAN subnet and the destination should be the remote LAN subnet. Crypto ACL defines the interesting traffic that you would like to encrypt between local and remote peer.
The external interface of the router (typically the one with the public IP assigned by ISP) will be used to encrypt the crypto ACL and is defined by the "set peer" command.
Hope that helps.
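As an added example (not from the thread or the linked guide), here is a small Python check that parses the crypto ACLs of both peers, verifies that each entry is mirrored on the other side, and flags an entry that matches the peer's public address instead of its LAN, which is the mistake the question describes. All addresses and ACL lines are constructed for the example.

```python
import ipaddress
import re

# Constructed lab addressing (not the thread's config): 10.1.x.0/24 is the "US" LAN,
# 172.16.1.0/24 the "Pakistan" LAN, and the two documentation-range addresses stand
# in for the ISP-assigned public IPs that belong in "set peer", not in the crypto ACL.
US_PEER, PK_PEER = "203.0.113.1", "198.51.100.1"
US_ACL = """
access-list 100 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 10.1.2.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
PK_ACL_GOOD = """
access-list 100 permit ip 172.16.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 172.16.1.0 0.0.0.255 10.1.2.0 0.0.0.255
"""
# The kind of entry the question was puzzled by: the peer's public IP instead of its LAN.
PK_ACL_BAD = """
access-list 100 permit ip 172.16.1.0 0.0.0.255 host 203.0.113.1
"""
ACE = re.compile(r"^access-list\s+\d+\s+permit\s+ip\s+(.*)$")

def _endpoint(tokens):
    """Consume one IOS ACL address ('host A', 'any', or 'A WILDCARD'); contiguous wildcards only."""
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    addr, wild = tokens[0], tokens[1]
    # An IOS wildcard is the inverted subnet mask, so invert it back to a netmask.
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))))
    return ipaddress.IPv4Network((addr, mask), strict=False), tokens[2:]

def parse_crypto_acl(text):
    """Return the set of (source, destination) network pairs the ACL marks as interesting."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE.match(line.strip())
        if m:
            src, rest = _endpoint(m[1].split())
            dst, _ = _endpoint(rest)
            pairs.add((src, dst))
    return pairs

def mirror_errors(local, remote):
    """Entries on each side whose mirror image (dst, src) is missing from the other side."""
    return ({(s, d) for s, d in local if (d, s) not in remote},
            {(s, d) for s, d in remote if (d, s) not in local})

def peer_address_in_acl(acl, peer_ip):
    """True if an entry matches the remote peer's public IP, i.e. the tunnel endpoint itself."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in s or ip in d for s, d in acl)
```

With the good pair of ACLs `mirror_errors` returns two empty sets; with `PK_ACL_BAD` it reports both US entries as unmirrored and `peer_address_in_acl` flags the entry pointing at the US router's public address.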
01-03-2013 05:13 AM
Just the information I needed.
I thought that was meant to be the case but after seeing that configuration I was confused. Working on it a little more, it seems that configuration doesn't actually work and I needed to put internal IPs in the ACL.
Next I'm on to understanding/setting up GRE tunnels so I can get some dynamic routing going.
Thanks for your help and quick response.
01-03-2013 05:15 AM
Great to hear that it makes more sense now.
All the best with GRE and feel free to post more questions on the forum if you have any.