Security Basics mailing list archives

Cisco L2L VPN Issue


From: <pilotalb () nycap rr com>
Date: Thu, 7 Jul 2005 23:44:01 -0400

Hey All,

I have kind of an in-depth question so hopefully it doesn’t become too much
that it’s too hard to understand.  I’ll start with the hardware scenario.

Host Site:
Cisco 3005 VPN Concentrator
Dual T1 connection to the Internet

Remote Site:
Cisco 2811 w/ IOS v12.4
Cable Modem connection to Internet

The remote site is basically an active retail site into which we’re not planning
on inserting a legacy frame relay circuit, as we’re about to begin a
conversion to MPLS.  I decided a business-class Road Runner connection and a
LAN-to-LAN VPN tunnel would fill the needs of getting the site connected to
our Intranet.  That aside, I configured the IOS 2811 to connect to the Cisco
3005 without issue and have the IPSEC tunnel up and passing traffic without
issue.  I’ve found a problem that has me stumped and I can’t seem to figure
out how to fix it.

Problem:
Data sourced from the Cisco 2811 does not appear to be marked as interesting
and will not be forwarded over the IPSEC tunnel.  The issue with this is
that security requirements require AAA authentication to all network
devices.  The Intranet-based AAA server is configured properly on the router
but the AAA packets don’t seem to be marked as interesting and will simply
just not route anywhere.  I therefore cannot login without a console
connection.  I also have each of our remote site routers act as a DNS
proxy.  Basically that means the router is configured with the “ip dns
server” and “ip name-server <corporate DNS IP>” commands.  Once again the
Intranet-based DNS server traffic will not forward out the VPN tunnel (but
clients using the corporate DNS IP directly will work fine).

I tested a theory by running an extended ping.  Any data sourced from the
internal interface will forward out the VPN tunnel (or rather the traffic I
have marked as interesting… which is simply all Intranet-based traffic).
Any other standard pings are simply unroutable and will not leave the
router.  It appears I need to somehow create a logical interface for the VPN
tunnel and point all traffic to that interface (using something like “ip
route 0.0.0.0 0.0.0.0 vpninterface0”).  I’ve tried Googling and hitting
cisco.com but all I can see is brief mention of “tunnel0” interfaces.  Has
anyone else tried to set up a remote site to completely run off of a VPN
tunnel and have the config working?  Am I right in believing I need to
create a VPN interface?  If so how?


Any input would be appreciated.

Thanks,

Mike W.
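The behaviour Mike describes (LAN-sourced traffic matches the crypto ACL, router-sourced AAA and DNS traffic does not) comes from the crypto map's "interesting traffic" ACL matching on source address, while packets the router originates are sourced from the WAN interface by default. The fragment below is an added illustration, not the poster's configuration; all addresses, interface names and the crypto map/transform-set names are constructed, and the ISAKMP policy, pre-shared key and AAA server definitions are omitted.

```cisco
! Added example, not from the original post. Constructed values:
!   10.1.0.0/16     corporate intranet behind the 3005
!   10.2.50.0/24    retail LAN behind the 2811
!   FastEthernet0/0 LAN interface, FastEthernet0/1 cable-modem (WAN) interface
!   198.51.100.1    placeholder public address of the 3005
!
! Interesting traffic: only packets whose SOURCE is in the retail LAN match.
! Router-originated packets are sourced from the WAN address, so they never
! match this ACL and are sent in the clear (or are unroutable).
ip access-list extended VPN-INTERESTING
 permit ip 10.2.50.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
crypto map CM-HQ 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES-SHA
 match address VPN-INTERESTING
!
interface FastEthernet0/1
 crypto map CM-HQ
!
! Mitigation: source router-originated AAA and DNS lookups from the LAN
! interface, whose address lies inside the crypto ACL, so management and
! name-resolution traffic is encrypted exactly like client traffic.
ip tacacs source-interface FastEthernet0/0
ip radius source-interface FastEthernet0/0
ip domain lookup source-interface FastEthernet0/0
!
! Check: an extended ping sourced from the LAN interface should succeed and
! the encrypt/decrypt counters in "show crypto ipsec sa" should increase.
!   ping 10.1.0.5 source FastEthernet0/0
!   show crypto ipsec sa
```

Which of the three source-interface commands applies depends on whether the AAA server speaks TACACS+ or RADIUS and on how the DNS proxy forwards its lookups, so verify each service separately with the counters after the change.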
