Tunnel everything from Site B to Site A

lgurley
Level 1

We have a local MAN that is semi-public but has no access to the Internet. We want to have everything from Site B go to Site A.

4 Replies

Richard Burts
Hall of Fame

Larry

If you would tell us a bit more about your environment and your requirements we could probably give better advice. But based on what you have said here I believe that there are several alternatives that you might consider which could possibly accomplish what you want.

Assuming that SiteA and SiteB have IP connectivity over this MAN you might consider one of these:

- a simple default route on SiteB pointing to SiteA as the next hop will send everything from B to A. And a static route on A for the address space at B should take care of the return traffic.

- if you want something more elaborate you might consider configuring a GRE tunnel from SiteB to SiteA. With GRE you re-encapsulate all the traffic, so on the MAN the real source and destination addresses are not visible, and the addresses that are visible are the addresses on B and A that are on the MAN. With GRE you could do static routing but also have the capability of running a dynamic protocol between B and A.

- if you want to provide more security for the traffic between B and A you might consider setting up an IPSec tunnel between B and A and sending traffic over the IPSec tunnel. This would carry IP unicast traffic over the MAN in an encrypted form so that it would not be observable to anyone on the MAN.

- if you want the security of IPSec but want to run a routing protocol you could consider running IPSec with GRE tunnels. This way you get the best of both: GRE allows you to run a routing protocol and IPSec provides protection to the traffic.

HTH

Rick

Okay, a bit more info. What I meant to say was we need to tunnel everything from Site B to Site A using IPSEC. Site B does not have a connection to the Internet. Site B's outside interface can see the outside interface of Site A. All of the traffic from Site B to Site A needs to be secure. How do I configure the interesting traffic for the IPSEC tunnel to be 0.0.0.0 mask 0.0.0.0?

Site B's internal network 192.168.15.0

Site B's and A's external network 192.168.100.0

Site A's internal network 192.168.15.10.0

Site A's network has a Router that connects to the Internet.

Thanks

Is this command a valid command for Site B's network of 192.168.15.0?

access-list 120 permit ip 192.168.15.0 255.255.255.0 0.0.0.0 0.0.0.0

Larry

The additional information that you supplied certainly does clarify what your requirements are. If you need security and protection for traffic from SiteB to SiteA then you do need IPSec.

You have a slight misunderstanding in your access list mask. If you want the equivalent of "any" it is 0.0.0.0 255.255.255.255 rather than 0.0.0.0 0.0.0.0 and in coding your access list it would be easier to use the keyword "any".

I do not remember the details right now but I remember some caution I read about using the "any" keyword in access lists for IPSec.

I have done something very close to what you describe at a customer site where we wanted to tunnel everything from remote sites to the central site. We chose to use IPSec with GRE tunnels. Our main purpose was to be able to support routing protocols, but it turns out that it makes the IPSec a bit easier. Assuming that your sites' addresses might be 192.168.100.1 at A and 192.168.100.2 at B, then you would configure GRE tunnels on both routers using these addresses as source and destination.

interface tunnel 0
 ip address
 tunnel source 192.168.100.1
 tunnel destination 192.168.100.2

and then the access list for IPSec becomes very simple:

access-list 101 permit gre host 192.168.100.1 host 192.168.100.2

and then a static route (or on siteB a default route) points through the GRE tunnel. It works well.

HTH

Rick
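As an added example that is not from this thread or from Cisco, here is a complete GRE-over-IPsec configuration for both routers in the form Rick describes (a crypto map whose access list matches only the GRE traffic between the two MAN addresses, a default route into the tunnel at Site B and a static route back at Site A). It uses 192.168.100.1 at Site A, 192.168.100.2 at Site B and the 192.168.15.0/24 LAN at Site B as given in the thread; everything else is an assumption: IOS 15.x syntax, interface names GigabitEthernet0/0 (MAN) and GigabitEthernet0/1 (LAN), the tunnel subnet 10.0.0.0/30, a Site B LAN gateway of 192.168.15.1, and a placeholder pre-shared key. The comment on the access list also spells out the wildcard-mask point from the second reply.

```cisco
! ===== Site A router (192.168.100.1 on the MAN) =====
! Assumed: IOS 15.x, MAN interface Gi0/0, tunnel subnet 10.0.0.0/30 (not from the thread)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 192.168.100.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! Only GRE between the two MAN addresses is "interesting": every other packet
! is already inside the GRE tunnel by the time the crypto map sees it.
! Wildcard semantics: "0.0.0.0 0.0.0.0" would match only the single host
! 0.0.0.0, while "any" is equivalent to "0.0.0.0 255.255.255.255".
access-list 101 permit gre host 192.168.100.1 host 192.168.100.2
!
crypto map MAN-VPN 10 ipsec-isakmp
 set peer 192.168.100.2
 set transform-set GRE-TS
 match address 101
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.100.1
 tunnel destination 192.168.100.2
!
interface GigabitEthernet0/0
 description MAN-facing interface
 ip address 192.168.100.1 255.255.255.0
 crypto map MAN-VPN
!
! Return traffic for Site B's LAN goes back through the tunnel.
ip route 192.168.15.0 255.255.255.0 Tunnel0
! Internet-bound packets arriving over the tunnel follow Site A's existing
! default route towards its Internet router (not shown here).
!
! ===== Site B router (192.168.100.2 on the MAN) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 192.168.100.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
access-list 101 permit gre host 192.168.100.2 host 192.168.100.1
!
crypto map MAN-VPN 10 ipsec-isakmp
 set peer 192.168.100.1
 set transform-set GRE-TS
 match address 101
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.168.100.2
 tunnel destination 192.168.100.1
!
interface GigabitEthernet0/0
 description MAN-facing interface
 ip address 192.168.100.2 255.255.255.0
 crypto map MAN-VPN
!
interface GigabitEthernet0/1
 description Site B LAN (assumed gateway address)
 ip address 192.168.15.1 255.255.255.0
!
! Everything from Site B goes into the tunnel. The tunnel destination stays
! reachable via the directly connected 192.168.100.0/24, so this default
! route does not recurse through Tunnel0 itself.
ip route 0.0.0.0 0.0.0.0 Tunnel0
```

Once both sides are configured, `show crypto isakmp sa` should show an active IKE SA between the two MAN addresses, `show crypto ipsec sa` should show encrypt/decrypt counters climbing as GRE packets pass, and `show ip route` on Site B should show the default route out of Tunnel0. The `ip mtu 1400` and `ip tcp adjust-mss 1360` lines leave room for the GRE and ESP headers so that large packets are not silently dropped by fragmentation problems over the MAN. Older IOS releases also required the crypto map to be applied to the Tunnel interface as well as the physical one; on current releases the same result can be had more simply with an IPsec profile and `tunnel protection ipsec profile` on Tunnel0, which removes the need for access-list 101 altogether.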