site-to-site ip route

Hello all. I have recently configured a site-to-site VPN tunnel
between two Cisco 2801 routers. What I am trying to do now is set up a
static route to go over this tunnel.
Network A:                 Network B:
111.198.5.0                111.198.3.0
255.255.255.0              255.255.255.0
I don't know the correct syntax, but I want to say:
On Router A:
ip route 111.198.3.0 255.255.255.0 over VPN Tunnel
On Router B:
ip route 111.198.5.0 255.255.255.0 over VPN Tunnel
I have tried just specifying the next-hop router it will go through,
but it doesn't travel over the tunnel. How do I specify that I want all
network traffic (listed above) to go through the VPN tunnel to reach
the destination address?
Robert Jacobs
IMO this is a little bit strange in IOS and PIX. You don't have to set a route, it's implicitly there by means of the ACLs for the tunnel. Confusingly, the route is not visible in "show ip route" or "show route", respectively - but packets are actually routed.
Regards
fw
Frank Winkler
So it's already there? Currently we have a static route that sends all data over our frame relay. When I removed this route, no traffic went over the site-to-site vpn (that was destined for our second network). Also, how can you tell the router which traffic to send over the vpn tunnel, and which traffic to send over the frame if it is implicitly there? Man, now I'm confused.
Thanks for the quick reply. Any more information would be very appreciated!
Robert Jacobs
The router sends traffic over the tunnel based on the ACL you created, which is matched in your crypto statement.
For example:
access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto map outside_map 20 match address outside_cryptomap_20
The two statements above are from a PIX, not a router, but I think the concept is the same.
The crypto map specifies which ACL identifies the traffic that needs encrypting; the ACL defines the network nodes.
So in the example above, any traffic from 10.0.2.0/24 with a destination of 10.0.0.0/24 will be encrypted and sent over the VPN tunnel; all other traffic will use the router's default gateway.
HTH
Smokey
Are you sure the tunnel is working? If so, you should have ACLs telling the router what traffic is to be encrypted and sent through the tunnel.
IIRC other vendors create tunnel interfaces and you have to point a route into it. This seems to be more legible.
Regards
fw
Frank Winkler
I have the following site-to-site VPNs set up. We set up the site-to-site VPN using the wizard, so I can only assume it set up the correct access lists. Only the second one listed is Up according to the SDM (which is the one that we are trying to get up and running), which is fine. I did not find any access lists pointing to SDM_CMAP_1 2. Is this what I should be looking for? Do you see any problems with the listed output?
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to63.162.x.x
 set peer 63.162.x.x
 set transform-set xyzxyz
 match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to216.195.x.x
 set peer 216.195.x.x
 set transform-set ESP-3DES-SHA8
 match address 111

interface Serial0/2/0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address 216.62.x.x 255.255.255.224 secondary
 ip address 151.164.x.x 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 frame-relay interface-dlci 16 IETF
 crypto map SDM_CMAP_1
Robert Jacobs
And here's the other router. Notice the numbers at the end of ESP-3DES-SHA don't match?!? Problem?
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to63.162.x.x
 set peer 63.162.x.x
 set transform-set xyzxyz
 match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to151.164.x.x
 set peer 151.164.x.x
 set transform-set ESP-3DES-SHA4
 match address 107

interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 216.195.x.x 255.255.255.240
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
Robert Jacobs
I found the ACL I think:
Router A:
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 151.164.27.72 0.0.0.3 216.195.117.160 0.0.0.15
access-list 111 remark IPSec Rule

Router B:
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 216.195.117.160 0.0.0.15 151.164.27.72 0.0.0.3
Does this look right? Also, is there a way to say that all network traffic takes one route and all internet traffic takes another route? Just a secondary question, which I don't expect to be answered.
Robert Jacobs
No, that's just a symbolic name. As long as the assigned values in "crypto ipsec transform-set" match, you're fine.
Regards
fw
Frank Winkler
Here are the transform-set entries.
Router A:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac

Router B:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
Robert Jacobs
That's the result of configuration with the GUI - they are all the same, only the name differs. This looks fine IMO.
Regards
fw
Frank Winkler
Alright. Everything IS working now. I had to create more access lists. Because the access lists above were only allowing the external IP addresses in, I had to create access lists on both sides to also allow the LAN addresses in. Now all I have to do is figure out how to set up dynamic routing on these routers, so if one line goes down, the router will dynamically start sending data over the VPN. Any insight would be nice; otherwise, thanks for the help!
Robert Jacobs
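The mechanism Smokey describes (the crypto map's "match address" ACL decides what gets encrypted, everything else follows the normal routing table) and the problem Robert eventually found (the SDM-generated ACLs only named the routers' WAN subnets, not the LANs behind them) can both be checked offline. The following is an added example written for this page, not code from the thread or from Cisco: it parses IOS numbered-ACL lines, evaluates a packet against them with first-match and implicit-deny semantics, and checks that the two peers' ACLs are mirror images of each other, which IKE phase 2 requires. The ACL text for the "before" state is the one quoted in the thread; the "after" lines, which add the original poster's 111.198.5.0/24 and 111.198.3.0/24 LANs, are an illustration of the fix described in the last post, not Robert's actual configuration. Only contiguous wildcard masks and `permit|deny ip` entries are handled; both are assumptions of this example.

```python
"""Added example, not from the thread: evaluate an IOS crypto-map ACL the way
Smokey describes (first match wins, implicit deny at the end), and check that
the two peers' ACLs mirror each other.

Assumptions not stated on the page: contiguous wildcard masks only, only
'permit|deny ip' entries, and the 'after' ACLs are an illustration of the fix
Robert describes (adding the LAN networks), not his literal configuration."""
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks: 0.0.0.255 means /24.
    Non-contiguous masks raise ValueError because ipaddress cannot model them."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(
        (addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _parse_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acl(config_text: str) -> dict:
    """Map ACL number -> [(action, src_net, dst_net), ...] in configured order.
    Remarks and anything other than 'permit|deny ip' lines are skipped."""
    acls = {}
    for line in config_text.splitlines():
        t = line.split()
        if (len(t) < 6 or t[0] != "access-list"
                or t[2] not in ("permit", "deny") or t[3] != "ip"):
            continue
        rest = t[4:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls


def is_interesting(entries: list, src_ip: str, dst_ip: str) -> bool:
    """First-match evaluation: True means the packet is encrypted and sent to
    the peer; False means it follows the ordinary routing table (here, the
    frame-relay route the original poster mentioned)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def mirror_problems(local_entries: list, remote_entries: list) -> list:
    """Every permit on one peer must appear on the other with source and
    destination swapped; otherwise the proxy identities proposed in IKE phase 2
    do not agree.  Returns the local permits the remote ACL does not mirror."""
    remote = {(src, dst) for action, src, dst in remote_entries if action == "permit"}
    return [(src, dst) for action, src, dst in local_entries
            if action == "permit" and (dst, src) not in remote]


def tunnel_check(local_cfg, local_acl, remote_cfg, remote_acl, src_ip, dst_ip):
    """Answer the thread's question for one packet: (encrypted?, unmirrored permits)."""
    local = parse_acl(local_cfg)[local_acl]
    remote = parse_acl(remote_cfg)[remote_acl]
    return is_interesting(local, src_ip, dst_ip), mirror_problems(local, remote)


# Constructed sample input: the two SDM-generated ACLs quoted in the thread.
# They cover only the routers' WAN subnets, not the LANs behind them.
ROUTER_A_BEFORE = """\
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 151.164.27.72 0.0.0.3 216.195.117.160 0.0.0.15
"""
ROUTER_B_BEFORE = """\
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 216.195.117.160 0.0.0.15 151.164.27.72 0.0.0.3
"""
# Illustrative fix (an assumption): add a LAN-to-LAN permit on each side, each
# entry the mirror image of the other, using the OP's 111.198.x.0/24 LANs.
ROUTER_A_AFTER = ROUTER_A_BEFORE + \
    "access-list 111 permit ip 111.198.5.0 0.0.0.255 111.198.3.0 0.0.0.255\n"
ROUTER_B_AFTER = ROUTER_B_BEFORE + \
    "access-list 107 permit ip 111.198.3.0 0.0.0.255 111.198.5.0 0.0.0.255\n"

if __name__ == "__main__":
    lan_pkt = ("111.198.5.10", "111.198.3.20")  # LAN host behind A -> LAN host behind B
    print("before fix:  ", tunnel_check(ROUTER_A_BEFORE, 111, ROUTER_B_BEFORE, 107, *lan_pkt))
    print("A fixed only:", tunnel_check(ROUTER_A_AFTER, 111, ROUTER_B_BEFORE, 107, *lan_pkt))
    print("both fixed:  ", tunnel_check(ROUTER_A_AFTER, 111, ROUTER_B_AFTER, 107, *lan_pkt))
```

Run as-is, the "before" line shows a LAN-to-LAN packet returning False (not encrypted, so it falls through to the frame-relay route), the "A fixed only" line shows it encrypted but flags one permit the far side does not mirror, and "both fixed" shows it encrypted with nothing unmirrored. On the routers themselves the equivalent check is the encaps/decaps counters in `show crypto ipsec sa` for the peer: if interesting traffic never increments the encrypt counter, the ACL did not match it, exactly what Frank meant by the "route" not appearing in `show ip route`.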
