Security Basics mailing list archives
Cisco L2L VPN Issue
From: <pilotalb () nycap rr com>
Date: Thu, 7 Jul 2005 23:44:01 -0400
Hey All,

I have kind of an in-depth question, so hopefully it doesn't become too much that it's too hard to understand. I'll start with the hardware scenario.

Host Site: Cisco 3005 VPN Concentrator, dual T1 connection to the Internet
Remote Site: Cisco 2811 w/ IOS v12.4, cable modem connection to the Internet

The remote site is basically an active retail site that we're not planning on inserting a legacy frame relay circuit into, as we're about to begin a conversion to MPLS. I decided a business-class Road Runner connection and a LAN-to-LAN VPN tunnel would fill the needs of getting the site connected to our Intranet. That aside, I configured the IOS 2811 to connect to the Cisco 3005 without issue and have the IPSEC tunnel up and passing traffic without issue. I've found a problem that has me stumped, and I can't seem to figure out how to fix it.

Problem: Data sourced from the Cisco 2811 does not appear to be marked as interesting and will not be forwarded over the IPSEC tunnel. The issue with this is that security requirements require AAA authentication to all network devices. The Intranet-based AAA server is configured properly on the router, but the AAA packets don't seem to be marked as interesting and will simply not route anywhere. I therefore cannot log in without a console connection.

I also have each of our remote site routers act as a DNS proxy. Basically that means the router is configured with the ip dns server and ip name-server <corporate DNS IP> commands. Once again, the Intranet-based DNS server traffic will not forward out the VPN tunnel (but clients using the corporate DNS IP directly will work fine).

I tested a theory by running an extended ping. Any data sourced from the internal interface will forward out the VPN tunnel (or rather the traffic I have marked as interesting, which is simply all Intranet-based traffic). Any other standard pings are simply unroutable and will not leave the router.

It appears I need to somehow create a logical interface for the VPN tunnel and point all traffic to that interface (using something like ip route 0.0.0.0 0.0.0.0 vpninterface0). I've tried Googling and hitting cisco.com, but all I can see is brief mention of tunnel0 interfaces. Has anyone else tried to set up a remote site to completely run off of a VPN tunnel and have the config working? Am I right in believing I need to create a VPN interface? If so, how? Any input would be appreciated.

Thanks,
Mike W.
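The post's own extended-ping test already shows the underlying mechanism: router-originated packets only match the crypto map's "interesting traffic" ACL when their source address falls inside the protected subnet, and by default AAA and DNS lookups are sourced from the egress (cable modem) interface. The following IOS configuration fragment is an added example, not the poster's configuration or Cisco documentation, showing how to pin the router's own AAA and DNS traffic to the inside interface so it is encrypted rather than dropped. All interface names, subnets and server addresses (FastEthernet0/0, 192.168.10.0/24, 10.0.0.0/8, 10.1.1.10, 10.1.1.20) are constructed placeholders for the values the post does not give.

```cisco
! Added example (assumed addressing): remote 2811 with LAN 192.168.10.0/24,
! corporate Intranet 10.0.0.0/8, TACACS+ server 10.1.1.10, DNS server 10.1.1.20.
!
! Crypto ACL: "interesting" traffic is anything from the LAN to the Intranet.
! Router-sourced packets must carry a source inside 192.168.10.0/24 to match it.
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! Source AAA traffic from the inside interface so it matches ACL 110
! and is sent through the IPsec tunnel instead of out the cable interface.
ip tacacs source-interface FastEthernet0/0
! (use "ip radius source-interface FastEthernet0/0" for a RADIUS server)
!
! Source the router's own DNS forwarder/lookup traffic from the inside interface
! so the "ip dns server" proxy can reach the corporate name server over the tunnel.
ip name-server 10.1.1.20
ip dns server
ip domain lookup source-interface FastEthernet0/0
!
! Verification (exec mode): an extended ping sourced from the inside address
! should bring up or increment the IPsec SA, and the counters confirm it.
!   ping 10.1.1.10 source FastEthernet0/0
!   show crypto ipsec sa | include pkts encaps
```

Sourcing the router's own control-plane traffic from the inside interface is the same effect the poster observed with the source-specified extended ping, applied permanently to AAA and DNS; it avoids both the unencrypted leak of management traffic out the cable interface and the lock-out that forces a console login. The defensive check is `show crypto ipsec sa`: if the encaps counter stays flat while a TACACS+ or DNS request is sent, the packet is still being sourced from an address outside the crypto ACL.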