«

Hello all. I have recently configured a site-to-site vpn tunnel
between two Cisco 2801 routers. What I am trying to do now is setup a
static route to go over this tunnel.

Network A: Network B:

111.198.5.0 111.198.3.0
255.255.255.0 255.255.255.0

I don't know the correct syntax, but I want to say:

On Router A:
ip route 111.198.3.0 255.255.255.0 over VPN Tunnel

On Router B:
ip route 111.198.5.0 255.255.255.0 over VPN Tunnel

I have tried just specifying the next hop router it will go through,
but it doesn't travel over the tunnel. How do I specify I want all
network traffic (listed above) to go through the VPN tunnel to reach
destination address?

Robert Jacobs wrote:

>I have tried just specifying the next hop router it will go through,
>but it doesn't travel over the tunnel. How do I specify I want all
>network traffic (listed above) to go through the VPN tunnel to reach
>destination address?

IMO this is a little bit strange in IOS and PIX. You don't have to set a
route, it's implicitly there by means of the ACLs for the tunnel.
Confusingly, the route is not visible in "show ip route" or "show route",
respectively - but packets are actually routed.

Regards

fw

On Mar 23, 8:58 am, Frank Winkler <frank-use...@kfw-family.org> wrote:
> Robert Jacobs wrote:
>
> >I have tried just specifying the next hop router it will go through,
> >but it doesn't travel over the tunnel. How do I specify I want all
> >network traffic (listed above) to go through the VPN tunnel to reach
> >destination address?
>
> IMO this is a little bit strange in IOS and PIX. You don't have to set a
> route, it's implicitly there by means of the ACLs for the tunnel.
> Confusingly, the route is not visible in "show ip route" or "show route",
> respectively - but packets are actually routed.
>
> Regards
>
> fw

So it's already there? Currently we have a static route that sends
all data over our frame relay. When I removed this route, no traffic
went over the site-to-site vpn (that was destined for our second
network). Also, how can you tell the router which traffic to send
over the vpn tunnel, and which traffic to send over the frame if it is
implicitly there? Man, now I'm confused.

Thanks for the quick reply. Any more information would be very
appreciated!

Robert Jacobs wrote:
> So it's already there? Currently we have a static route that sends
> all data over our frame relay. When I removed this route, no traffic
> went over the site-to-site vpn (that was destined for our second
> network). Also, how can you tell the router which traffic to send
> over the vpn tunnel, and which traffic to send over the frame if it is
> implicitly there? Man, now I'm confused.
>
> Thanks for the quick reply. Any more information would be very
> appreciated!
>

The router sends traffic over the tunnel based on the ACL created and is
matched in your crypto statement.

For example:

access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0
10.0.0.0 255.255.255.0

crypto map outside_map 20 match address outside_cryptomap_20

The 2 above statements are from a PIX not a router but I think the
concept is the same.

The crypto map specifies what ACL will specify traffic that needs
encrypting the ACL defines the network nodes.

So in the example above any traffic from 10.0.2.0/24 with a destination
of 10.0.0.0/24 will be encrypted and sent over the VPN tunnel all other
traffic will use the routers default gateway.


HTH

Robert Jacobs wrote:

>So it's already there? Currently we have a static route that sends
>all data over our frame relay. When I removed this route, no traffic
>went over the site-to-site vpn (that was destined for our second
>network). Also, how can you tell the router which traffic to send
>over the vpn tunnel, and which traffic to send over the frame if it is
>implicitly there? Man, now I'm confused.

Are you sure the tunnel is working? If so, you should have ACLs telling the
router what traffic is to be encrypted and sent through the tunnel.

IIRC other vendors create tunnel interfaces and you have to point a route
into it. This seems to be more legible.

Regards

fw

On Mar 23, 10:03 am, Frank Winkler <frank-use...@kfw-family.org>
wrote:
> Robert Jacobs wrote:
>
> >So it's already there? Currently we have a static route that sends
> >all data over our frame relay. When I removed this route, no traffic
> >went over the site-to-site vpn (that was destined for our second
> >network). Also, how can you tell the router which traffic to send
> >over the vpn tunnel, and which traffic to send over the frame if it is
> >implicitly there? Man, now I'm confused.
>
> Are you sure the tunnel is working? If so, you should have ACLs telling the
> router what traffic is to be encrypted and sent through the tunnel.
>
> IIRC other vendors create tunnel interfaces and you have to point a route
> into it. This seems to be more legible.
>
> Regards
>
> fw

I have the following site-to-site vpns setup. We setup the site-to-
site vpn using the wizard, so I can only assume it setup the correct
access lists. Only the second one listed is Up according to the SDM
(which is the one that we are trying to get up and running) which is
fine. I did not find any access lists pointing to SDM_CMAP_1 2. Is
this what I should be looking for? do you see any problems with the
listed output?

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to63.162.x.x
set peer 63.162.x.x
set transform-set xyzxyz
match address 101

crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to216.195.x.x
set peer 216.195.x.x
set transform-set ESP-3DES-SHA8
match address 111

interface Serial0/2/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address 216.62.x.x 255.255.255.224 secondary
ip address 151.164.x.x 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip ips sdm_ips_rule in
ip virtual-reassembly
frame-relay interface-dlci 16 IETF
crypto map SDM_CMAP_1

On Mar 23, 10:03 am, Frank Winkler <frank-use...@kfw-family.org>
wrote:
> Robert Jacobs wrote:
>
> >So it's already there? Currently we have a static route that sends
> >all data over our frame relay. When I removed this route, no traffic
> >went over the site-to-site vpn (that was destined for our second
> >network). Also, how can you tell the router which traffic to send
> >over the vpn tunnel, and which traffic to send over the frame if it is
> >implicitly there? Man, now I'm confused.
>
> Are you sure the tunnel is working? If so, you should have ACLs telling the
> router what traffic is to be encrypted and sent through the tunnel.
>
> IIRC other vendors create tunnel interfaces and you have to point a route
> into it. This seems to be more legible.
>
> Regards
>
> fw

And here's the other router. Notice the numbers at the end of
ESP-3DES-SHA don't match?!? Problem?

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to63.162.x.x
set peer 63.162.x.x
set transform-set xyzxyz
match address 101

crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to151.164.x.x
set peer 151.164.x.x
set transform-set ESP-3DES-SHA4
match address 107

interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 216.195.x.x 255.255.255.240
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip ips sdm_ips_rule in
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1

On Mar 23, 10:24 am, "Robert Jacobs" <robertjacob...@gmail.com> wrote:
> On Mar 23, 10:03 am, Frank Winkler <frank-use...@kfw-family.org>
> wrote:
>
>
>
>
>
> > Robert Jacobs wrote:
>
> > >So it's already there? Currently we have a static route that sends
> > >all data over our frame relay. When I removed this route, no traffic
> > >went over the site-to-site vpn (that was destined for our second
> > >network). Also, how can you tell the router which traffic to send
> > >over the vpn tunnel, and which traffic to send over the frame if it is
> > >implicitly there? Man, now I'm confused.
>
> > Are you sure the tunnel is working? If so, you should have ACLs telling the
> > router what traffic is to be encrypted and sent through the tunnel.
>
> > IIRC other vendors create tunnel interfaces and you have to point a route
> > into it. This seems to be more legible.
>
> > Regards
>
> > fw
>
> And here's the other router. Notice the numbers at the end of
> ESP-3DES-SHA don't match?!? Problem?
>
> crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
> crypto map SDM_CMAP_1 client configuration address respond
> crypto map SDM_CMAP_1 1 ipsec-isakmp
> description Tunnel to63.162.x.x
> set peer 63.162.x.x
> set transform-set xyzxyz
> match address 101
>
> crypto map SDM_CMAP_1 2 ipsec-isakmp
> description Tunnel to151.164.x.x
> set peer 151.164.x.x
> set transform-set ESP-3DES-SHA4
> match address 107
>
> interface FastEthernet0/1
> description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
> ip address 216.195.x.x 255.255.255.240
> ip verify unicast reverse-path
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip nat outside
> ip inspect DEFAULT100 out
> ip ips sdm_ips_rule in
> ip virtual-reassembly
> duplex auto
> speed auto
> crypto map SDM_CMAP_1- Hide quoted text -
>
> - Show quoted text -

I found the ACL I think:

Router A:
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 151.164.27.72 0.0.0.3 216.195.117.160
0.0.0.15
access-list 111 remark IPSec Rule

Router B:
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 216.195.117.160 0.0.0.15 151.164.27.72
0.0.0.3

Does this look right? Also, is there a way to say, all network
traffic take one route, and all internet traffic take another route?
Just as a secondary question which I don't expect to be answered.

Robert Jacobs wrote:

>And here's the other router. Notice the numbers at the end of
>ESP-3DES-SHA don't match?!? Problem?

No, that's just a symbolic name. As long as the assigned values in "crypto
ipsec transform-set" match, you're fine.

Regards

fw

On Mar 23, 11:02 am, Frank Winkler <frank-use...@kfw-family.org>
wrote:
> Robert Jacobs wrote:
>
> >And here's the other router. Notice the numbers at the end of
> >ESP-3DES-SHA don't match?!? Problem?
>
> No, that's just a symbolic name. As long as the assigned values in "crypto
> ipsec transform-set" match, you're fine.
>
> Regards
>
> fw
Here are the transform-set entries.

Router A:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac

Router B:
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac