Question : Problem: Route other traffic in an IPSec VPN tunnel.
Site A > Router > Site B FW > VPN > Site C FW > Router > Site D
Site A: 192.168.0.0/24 Site B: 10.1.1.0/24 Site C: 172.16.1.0/24 Site D: 192.168.10.0/24
I know how to set up the VPN between Site B and Site C, and it is working now, but as I have to enter the source and destination addresses in the VPN policy, I am not sure whether Site A's traffic could route to Site D through the IPSec VPN tunnel of B to C. If it is possible, could anyone provide some idea of how to set it up and how to configure the route on each device?
Setting up a VPN directly from Site A to Site D is not an option for me.
Answer : Problem: Route other traffic in an IPSec VPN tunnel.
If the endpoint routers are Ciscos, you can create a GRE tunnel between the two of them, which would allow you to create a connection between A and D. This would appear as a tunnel interface in the router.
The routers can also do endpoint discovery, so they can figure out which IP subnets can traverse the tunnel based on what they see.
More information about the equipment is required.
Netscreen does this rather easily; PIXes take some work, ASAs as well.
But looking at it:
On a PIX the VPN ACL would appear like this:
B FW
access-list site-to-site permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list site-to-site permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list site-to-site permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list site-to-site permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
Set up your no-NAT properly:
access-list nonat permit ip 192.168.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
The other firewall would be the inverse, with appropriate routing configured.
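The answer above boils down to one rule: every local/remote subnet pair has to appear in both the crypto ACL and the no-NAT ACL, the peer firewall has to carry the exact mirror of each pair, and the inside routers need static routes for the far-side subnets via their firewall. The script below is an added example, not the poster's configuration or anything from a vendor: it generates the four-pair PIX ACLs for both firewalls from the subnets in the question, checks that the two crypto ACLs mirror each other (a missing or duplicated entry shows up as a mismatch, which is exactly what makes a Phase 2 SA fail to negotiate for that pair), checks that no two site subnets overlap, and emits the static routes. The inside interface and router addresses (10.1.1.1, 10.1.1.2, 172.16.1.1, 172.16.1.2) are assumptions made for the example; only the four subnets come from the question. The GRE alternative mentioned in the answer is not covered here.

```python
"""Added example (not from the original post): build the mirrored PIX crypto
and no-NAT ACLs for the A > B FW > VPN > C FW > D topology, plus the static
routes the inside routers and firewalls need, and check the two sides agree.
Only the four subnets come from the question; next-hop addresses are assumed."""
import ipaddress
from itertools import product

# Subnets given in the question.
SITES = {
    "A": ipaddress.ip_network("192.168.0.0/24"),
    "B": ipaddress.ip_network("10.1.1.0/24"),
    "C": ipaddress.ip_network("172.16.1.0/24"),
    "D": ipaddress.ip_network("192.168.10.0/24"),
}
BEHIND_B_FW = ["B", "A"]   # subnets reachable via the B firewall's inside interface
BEHIND_C_FW = ["C", "D"]   # subnets reachable via the C firewall's inside interface

# Assumed inside addresses (constructed for this example, not in the post).
B_FW_INSIDE, A_ROUTER_ON_B_LAN = "10.1.1.1", "10.1.1.2"
C_FW_INSIDE, D_ROUTER_ON_C_LAN = "172.16.1.1", "172.16.1.2"


def netmask_form(net):
    """PIX ACL and route syntax uses network + netmask, not IOS wildcard masks."""
    return f"{net.network_address} {net.netmask}"


def pix_ace(name, src, dst):
    return f"access-list {name} permit ip {netmask_form(src)} {netmask_form(dst)}"


def crypto_and_nonat(local_sites, remote_sites):
    """One entry per local/remote pair in BOTH the crypto ACL (Phase 2 proxy IDs)
    and the no-NAT ACL.  A pair missing from the crypto ACL never enters the
    tunnel; a pair missing from nonat gets NATed and so never matches it."""
    pairs = [(SITES[l], SITES[r]) for l, r in product(local_sites, remote_sites)]
    crypto = [pix_ace("site-to-site", s, d) for s, d in pairs]
    nonat = [pix_ace("nonat", s, d) for s, d in pairs]
    return crypto, nonat


def pairs_from_acl(acl):
    """Parse 'access-list NAME permit ip SRC MASK DST MASK' lines into (src, dst)."""
    out = set()
    for line in acl:
        f = line.split()
        out.add((f"{f[4]}/{f[5]}", f"{f[6]}/{f[7]}"))
    return out


def mirrors(acl_local, acl_peer):
    """Proxy IDs must be exact mirrors on the two peers; a duplicated line on
    one side does not stand in for the pair it should have been."""
    return pairs_from_acl(acl_local) == {(d, s) for s, d in pairs_from_acl(acl_peer)}


def overlaps():
    """Overlapping site subnets would make the static routes below ambiguous."""
    nets = list(SITES.values())
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def static_routes():
    """Each firewall needs an inside route to the LAN behind its own router;
    each router needs a route for both far-side subnets via its firewall."""
    return {
        "B FW": [f"route inside {netmask_form(SITES['A'])} {A_ROUTER_ON_B_LAN}"],
        "A router": [f"ip route {netmask_form(SITES[s])} {B_FW_INSIDE}" for s in BEHIND_C_FW],
        "C FW": [f"route inside {netmask_form(SITES['D'])} {D_ROUTER_ON_C_LAN}"],
        "D router": [f"ip route {netmask_form(SITES[s])} {C_FW_INSIDE}" for s in BEHIND_B_FW],
    }


if __name__ == "__main__":
    b_crypto, b_nonat = crypto_and_nonat(BEHIND_B_FW, BEHIND_C_FW)
    c_crypto, c_nonat = crypto_and_nonat(BEHIND_C_FW, BEHIND_B_FW)
    assert mirrors(b_crypto, c_crypto) and not overlaps()
    routes = static_routes()
    for title, lines in [("B FW", b_crypto + b_nonat + routes["B FW"]),
                         ("C FW", c_crypto + c_nonat + routes["C FW"]),
                         ("A router", routes["A router"]),
                         ("D router", routes["D router"])]:
        print(f"! {title}")
        print("\n".join(lines))
```

Running it prints the B FW block, its inverse for the C FW, and the two router route sets. The `mirrors` check is the one worth keeping around: when a new spoke subnet is added on one side only, it fails before the change is pasted into a firewall, rather than surfacing later as a tunnel that comes up for some subnet pairs and silently drops the rest.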