
VPN to specific host

alkabeer80
Level 1

Hi, I want to create a VPN tunnel for specific hosts, not the full range.

Example: network range 10.1.1.0/24

Host 1: 10.1.1.1
Host 2: 10.1.1.2
Host 3: 10.1.1.3
Host 4: 10.1.1.4

So I created an ACL with each host as the source and x.y.z.w as the destination.

Now when I type "show crypto ipsec sa"

it shows the full subnet 10.1.1.0 and not the host??????

Did I configure it correctly????

Thanks

3 Replies

Jennifer Halim
Cisco Employee

Are you trying to create a LAN-to-LAN VPN tunnel or a VPN client connection?

Also can you please share your current configuration.

Hi Jennifer,

It is a site-to-site VPN, where only specific hosts are allowed to access the VPN tunnel.


For the config, it is the same as any site-to-site VPN, except


from R1

access-list xyz permit ip host 10.1.1.1 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.2 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.3 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.4 172.16.0.0 0.0.255.255


from R2

access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.1
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.2
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.3
access-list xyz permit ip 172.16.0.0 0.0.255.255 host 10.1.1.4

Thanks

If your crypto access-list "xyz" is per host, the output of "show crypto ipsec sa" should also show the host instead of the subnet.

Did you previously have the subnet and only recently change it to the hosts? If you did, can you please clear the IPsec tunnel so it re-establishes a new SA.
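The check suggested in the reply above, as an added example that is not part of the original thread: parse the crypto ACL posted for R1 and a sample of "show crypto ipsec sa" output, and flag any SA whose negotiated local/remote identities do not match an ACL entry. The ACL text is the poster's; the "show crypto ipsec sa" excerpt is constructed in the IOS output format and deliberately includes one stale SA that still carries the old /24 selector, which is the symptom described in the question. The crypto map name, interface and peer addresses are assumptions.

```python
"""Compare negotiated IPsec proxy identities against the intended crypto ACL.

Added example for the thread above, not code from the original post or from
Cisco. IOS derives each SA's local/remote identity from the crypto ACL entry
the traffic matched, so every SA should match one ACL entry exactly. An SA
that matches no entry is left over from an earlier ACL (for example the old
subnet entry) and needs 'clear crypto sa' so a fresh SA is negotiated.
"""
import ipaddress
import re

# Crypto ACL from the thread (R1 side), IOS wildcard-mask syntax.
CRYPTO_ACL = """
access-list xyz permit ip host 10.1.1.1 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.2 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.3 172.16.0.0 0.0.255.255
access-list xyz permit ip host 10.1.1.4 172.16.0.0 0.0.255.255
"""

# Constructed excerpt of 'show crypto ipsec sa' (IOS format). Crypto map
# name, interface and peer addresses are assumed. The second SA is a stale
# one still using the old /24 selector.
SHOW_CRYPTO_IPSEC_SA = """
interface: FastEthernet0/0
    Crypto map tag: vpnmap, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
"""

_IDENT_RE = re.compile(
    r"^\s*(?P<side>local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[\d.]+)/(?P<mask>[\d.]+)/\d+/\d+\)"
)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard pair (172.16.0.0 0.0.255.255) to a network."""
    all_ones = int(ipaddress.IPv4Address("255.255.255.255"))
    netmask = ipaddress.IPv4Address(all_ones ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def _parse_endpoint(tokens, i):
    """Parse one ACL endpoint ('host A', 'any' or 'A WILDCARD') starting at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text: str):
    """Return [(src_net, dst_net)] for each 'access-list NAME permit ip SRC DST' line."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[2:4] != ["permit", "ip"]:
            continue
        src, i = _parse_endpoint(tokens, 4)
        dst, _ = _parse_endpoint(tokens, i)
        entries.append((src, dst))
    return entries


def parse_ipsec_sa(text: str):
    """Return [(local_net, remote_net)] for each SA in 'show crypto ipsec sa' output."""
    sas, local = [], None
    for line in text.splitlines():
        m = _IDENT_RE.match(line)
        if not m:
            continue
        net = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
        if m["side"] == "local":
            local = net
        elif local is not None:
            sas.append((local, net))
            local = None
    return sas


def stale_sas(acl_entries, sas):
    """SAs whose (local, remote) identities match no crypto ACL entry exactly."""
    allowed = set(acl_entries)
    return [sa for sa in sas if sa not in allowed]


def main():
    acl = parse_crypto_acl(CRYPTO_ACL)
    sas = parse_ipsec_sa(SHOW_CRYPTO_IPSEC_SA)
    for local, remote in sas:
        verdict = "STALE (clear crypto sa)" if (local, remote) in stale_sas(acl, sas) else "ok"
        print(f"{local} -> {remote}: {verdict}")


if __name__ == "__main__":
    main()
```

Run it against real output by replacing the two embedded strings with the text of "show run | include access-list xyz" and "show crypto ipsec sa"; the comparison is exact on purpose, so an SA that is broader than any ACL entry (the old subnet) is reported rather than silently accepted because it happens to contain the hosts.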