10-16-2004 06:28 AM - edited 02-21-2020 01:24 PM
Any recommendations on how to config a network list
for a LAN-to-LAN tunnel for ALL traffic?
I can make it work for specific routes with the
reverse mask but I cannot get it to take
0.0.0.0/0.0.0.0 or 0.0.0.0/255.255.255.255
Customer wants ALL destination traffic from the
remote to be encrypted to the head end.
thanks!
Mike
10-17-2004 10:08 PM
0.0.0.0/255.255.255.255 should work; this came in way back in version 3.1. Before that it would always complain.
I just did this on a concentrator running v4.1.5 and it took fine. What error are you seeing?
10-18-2004 06:22 PM
I upgraded from v4.1.5 to v4.1.7 today and still same
problem.
On a new network list, when I try to enter:
0.0.0.0/255.255.255.255 or 0.0.0.0/0.0.0.0
I get the following popup message:
0.0.0.0/255.255.255.255 may not have a valid Wildcard Mask
Wildcard Masks have 1's in bit positions to ignore
Wildcard Masks have 0's in bit positions to match
When I click "OK" the changes are not saved.
There is a default network list "VPN Client Local LAN"
with 0.0.0.0/0.0.0.0 and I am able to select it
for Source list in my LAN-to-LAN configuration,
but it doesn't seem to work, even if I match
it to Destination "any" on the remote site.
The remote site is a PIX 501; on it I am able to configure the interesting traffic access list with destination "any", but the SA does not come up with these settings.
If I put in specific routes
source 10.1.1.0/0.0.0.255
dest 10.1.2.0/0.0.0.255
and make the VPN 3015 and the PIX 501 match, it
works great, I just can't seem to get it to work
for all traffic to the destination, and it seems
to be on the VPN 3015 side.
There is no need to NAT across the tunnel,
it is hub and spoke with the VPN 3015 at the head end. The reason I used LAN-to-LAN is so
the tunnel can be initiated from either side.
thanks
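
The wildcard-mask rule quoted in the popup above (1 bits are ignored, 0 bits must match), worked through in Python as an added example that is not from any poster in this thread or from the vendor. It assumes one peer writes its traffic selectors with wildcard masks and the other with subnet masks, that the two peers' selectors have to be mirror images for the SA to come up, and that 10.1.2.0 is the remote LAN; all function names are hypothetical.

```python
import ipaddress

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Address + wildcard mask (1 = ignore bit, 0 = match bit) -> network."""
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a contiguous wildcard is 0..01..1, so w + 1 is a power of two
        raise ValueError(f"{wildcard}: non-contiguous wildcard mask")
    if a & w:
        raise ValueError(f"{addr}: address has bits set in ignored positions")
    return ipaddress.IPv4Network((a, 32 - w.bit_length()))

def netmask_to_network(addr: str, netmask: str) -> ipaddress.IPv4Network:
    """Address + subnet mask (1 = match bit) -> network, via the inverted mask."""
    inverted = int(ipaddress.IPv4Address(netmask)) ^ 0xFFFFFFFF
    return wildcard_to_network(addr, str(ipaddress.IPv4Address(inverted)))

def selectors_mirror(head_end, remote) -> bool:
    """True when each peer's (source, destination) pair is the other's reversed."""
    return head_end[0] == remote[1] and head_end[1] == remote[0]

# Constructed selectors built from the address/mask pairs quoted in the thread.
ANY_WILDCARD = wildcard_to_network("0.0.0.0", "255.255.255.255")  # every address
HOST_ZERO = wildcard_to_network("0.0.0.0", "0.0.0.0")             # only 0.0.0.0
LAN_A = wildcard_to_network("10.1.1.0", "0.0.0.255")
LAN_B = wildcard_to_network("10.1.2.0", "0.0.0.255")  # assumed to be the remote LAN
ANY_NETMASK = netmask_to_network("0.0.0.0", "0.0.0.0")  # "any" in subnet-mask form

if __name__ == "__main__":
    print(ANY_WILDCARD, HOST_ZERO, LAN_A, LAN_B)
    # Specific routes: head end LAN_A -> LAN_B, remote LAN_B -> LAN_A.
    print(selectors_mirror((LAN_A, LAN_B), (LAN_B, LAN_A)))
    # All traffic: remote sends LAN_B -> any, so the head end needs any -> LAN_B.
    print(selectors_mirror((ANY_WILDCARD, LAN_B), (LAN_B, ANY_NETMASK)))
    # 0.0.0.0/0.0.0.0 read as a wildcard is a host entry and does not mirror "any".
    print(selectors_mirror((HOST_ZERO, LAN_B), (LAN_B, ANY_NETMASK)))
```
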