site-to-site ip route

Discussion in 'Cisco' started by Robert Jacobs, Mar 23, 2007.

  1. Hello all. I have recently configured a site-to-site vpn tunnel
    between two Cisco 2801 routers. What I am trying to do now is set up a
    static route to go over this tunnel.

    Network A: 111.198.5.0 255.255.255.0
    Network B: 111.198.3.0 255.255.255.0

    I don't know the correct syntax, but I want to say:

    On Router A:
    ip route 111.198.3.0 255.255.255.0 over VPN Tunnel

    On Router B:
    ip route 111.198.5.0 255.255.255.0 over VPN Tunnel

    I have tried just specifying the next hop router it will go through,
    but it doesn't travel over the tunnel. How do I specify I want all
    network traffic (listed above) to go through the VPN tunnel to reach
    destination address?
     
    Robert Jacobs, Mar 23, 2007
    #1
  2. Robert Jacobs wrote:

    >I have tried just specifying the next hop router it will go through,
    >but it doesn't travel over the tunnel. How do I specify I want all
    >network traffic (listed above) to go through the VPN tunnel to reach
    >destination address?


    IMO this is a little bit strange in IOS and PIX. You don't have to set a
    route, it's implicitly there by means of the ACLs for the tunnel.
    Confusingly, the route is not visible in "show ip route" or "show route",
    respectively - but packets are actually routed.

    Regards

    fw
     
    Frank Winkler, Mar 23, 2007
    #2
  3. On Mar 23, 8:58 am, Frank Winkler <> wrote:
    > Robert Jacobs wrote:
    >
    > >I have tried just specifying the next hop router it will go through,
    > >but it doesn't travel over the tunnel. How do I specify I want all
    > >network traffic (listed above) to go through the VPN tunnel to reach
    > >destination address?

    >
    > IMO this is a little bit strange in IOS and PIX. You don't have to set a
    > route, it's implicitly there by means of the ACLs for the tunnel.
    > Confusingly, the route is not visible in "show ip route" or "show route",
    > respectively - but packets are actually routed.
    >
    > Regards
    >
    > fw


    So it's already there? Currently we have a static route that sends
    all data over our frame relay. When I removed this route, no traffic
    went over the site-to-site vpn (that was destined for our second
    network). Also, how can you tell the router which traffic to send
    over the vpn tunnel, and which traffic to send over the frame if it is
    implicitly there? Man, now I'm confused.

    Thanks for the quick reply. Any more information would be very
    appreciated!
     
    Robert Jacobs, Mar 23, 2007
    #3
  4. Smokey (Guest):

    Robert Jacobs wrote:
    > So it's already there? Currently we have a static route that sends
    > all data over our frame relay. When I removed this route, no traffic
    > went over the site-to-site vpn (that was destined for our second
    > network). Also, how can you tell the router which traffic to send
    > over the vpn tunnel, and which traffic to send over the frame if it is
    > implicitly there? Man, now I'm confused.
    >
    > Thanks for the quick reply. Any more information would be very
    > appreciated!
    >


    The router sends traffic over the tunnel based on the ACL you created and
    matched in your crypto statement.

    For example:

    access-list outside_cryptomap_20 permit ip 10.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0

    crypto map outside_map 20 match address outside_cryptomap_20

    The 2 above statements are from a PIX not a router but I think the
    concept is the same.

    The crypto map specifies which ACL selects the traffic that needs
    encrypting; the ACL defines the network nodes.

    So in the example above any traffic from 10.0.2.0/24 with a destination
    of 10.0.0.0/24 will be encrypted and sent over the VPN tunnel; all other
    traffic will use the router's default gateway.


    HTH
     
    Smokey, Mar 23, 2007
    #4
  5. Robert Jacobs wrote:

    >So it's already there? Currently we have a static route that sends
    >all data over our frame relay. When I removed this route, no traffic
    >went over the site-to-site vpn (that was destined for our second
    >network). Also, how can you tell the router which traffic to send
    >over the vpn tunnel, and which traffic to send over the frame if it is
    >implicitly there? Man, now I'm confused.


    Are you sure the tunnel is working? If so, you should have ACLs telling the
    router what traffic is to be encrypted and sent through the tunnel.

    IIRC other vendors create tunnel interfaces and you have to point a route
    into it. This seems to be more legible.

    Regards

    fw
     
    Frank Winkler, Mar 23, 2007
    #5
  6. On Mar 23, 10:03 am, Frank Winkler <> wrote:
    > Robert Jacobs wrote:
    >
    > >So it's already there? Currently we have a static route that sends
    > >all data over our frame relay. When I removed this route, no traffic
    > >went over the site-to-site vpn (that was destined for our second
    > >network). Also, how can you tell the router which traffic to send
    > >over the vpn tunnel, and which traffic to send over the frame if it is
    > >implicitly there? Man, now I'm confused.

    >
    > Are you sure the tunnel is working? If so, you should have ACLs telling the
    > router what traffic is to be encrypted and sent through the tunnel.
    >
    > IIRC other vendors create tunnel interfaces and you have to point a route
    > into it. This seems to be more legible.
    >
    > Regards
    >
    > fw


    I have the following site-to-site vpns set up. We set up the site-to-
    site vpn using the wizard, so I can only assume it set up the correct
    access lists. Only the second one listed is Up according to the SDM
    (which is the one that we are trying to get up and running), which is
    fine. I did not find any access lists pointing to SDM_CMAP_1 2. Is
    this what I should be looking for? Do you see any problems with the
    listed output?

    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to63.162.x.x
    set peer 63.162.x.x
    set transform-set xyzxyz
    match address 101

    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel to216.195.x.x
    set peer 216.195.x.x
    set transform-set ESP-3DES-SHA8
    match address 111

    interface Serial0/2/0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    ip address 216.62.x.x 255.255.255.224 secondary
    ip address 151.164.x.x 255.255.255.252
    ip access-group 102 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect DEFAULT100 out
    ip ips sdm_ips_rule in
    ip virtual-reassembly
    frame-relay interface-dlci 16 IETF
    crypto map SDM_CMAP_1
     
    Robert Jacobs, Mar 23, 2007
    #6
  7. On Mar 23, 10:03 am, Frank Winkler <> wrote:
    > Robert Jacobs wrote:
    >
    > >So it's already there? Currently we have a static route that sends
    > >all data over our frame relay. When I removed this route, no traffic
    > >went over the site-to-site vpn (that was destined for our second
    > >network). Also, how can you tell the router which traffic to send
    > >over the vpn tunnel, and which traffic to send over the frame if it is
    > >implicitly there? Man, now I'm confused.

    >
    > Are you sure the tunnel is working? If so, you should have ACLs telling the
    > router what traffic is to be encrypted and sent through the tunnel.
    >
    > IIRC other vendors create tunnel interfaces and you have to point a route
    > into it. This seems to be more legible.
    >
    > Regards
    >
    > fw


    And here's the other router. Notice the numbers at the end of
    ESP-3DES-SHA don't match?!? Problem?

    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to63.162.x.x
    set peer 63.162.x.x
    set transform-set xyzxyz
    match address 101

    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel to151.164.x.x
    set peer 151.164.x.x
    set transform-set ESP-3DES-SHA4
    match address 107

    interface FastEthernet0/1
    description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
    ip address 216.195.x.x 255.255.255.240
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect DEFAULT100 out
    ip ips sdm_ips_rule in
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
     
    Robert Jacobs, Mar 23, 2007
    #7
  8. On Mar 23, 10:24 am, "Robert Jacobs" <> wrote:
    > On Mar 23, 10:03 am, Frank Winkler <>
    > wrote:
    >
    >
    >
    >
    >
    > > Robert Jacobs wrote:

    >
    > > >So it's already there? Currently we have a static route that sends
    > > >all data over our frame relay. When I removed this route, no traffic
    > > >went over the site-to-site vpn (that was destined for our second
    > > >network). Also, how can you tell the router which traffic to send
    > > >over the vpn tunnel, and which traffic to send over the frame if it is
    > > >implicitly there? Man, now I'm confused.

    >
    > > Are you sure the tunnel is working? If so, you should have ACLs telling the
    > > router what traffic is to be encrypted and sent through the tunnel.

    >
    > > IIRC other vendors create tunnel interfaces and you have to point a route
    > > into it. This seems to be more legible.

    >
    > > Regards

    >
    > > fw

    >
    > And here's the other router. Notice the numbers at the end of
    > ESP-3DES-SHA don't match?!? Problem?
    >
    > crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    > crypto map SDM_CMAP_1 client configuration address respond
    > crypto map SDM_CMAP_1 1 ipsec-isakmp
    > description Tunnel to63.162.x.x
    > set peer 63.162.x.x
    > set transform-set xyzxyz
    > match address 101
    >
    > crypto map SDM_CMAP_1 2 ipsec-isakmp
    > description Tunnel to151.164.x.x
    > set peer 151.164.x.x
    > set transform-set ESP-3DES-SHA4
    > match address 107
    >
    > interface FastEthernet0/1
    > description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
    > ip address 216.195.x.x 255.255.255.240
    > ip verify unicast reverse-path
    > no ip redirects
    > no ip unreachables
    > no ip proxy-arp
    > ip nat outside
    > ip inspect DEFAULT100 out
    > ip ips sdm_ips_rule in
    > ip virtual-reassembly
    > duplex auto
    > speed auto
    > crypto map SDM_CMAP_1


    I found the ACL I think:

    Router A:
    access-list 111 remark SDM_ACL Category=4
    access-list 111 remark IPSec Rule
    access-list 111 permit ip 151.164.27.72 0.0.0.3 216.195.117.160 0.0.0.15
    access-list 111 remark IPSec Rule

    Router B:
    access-list 107 remark SDM_ACL Category=4
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 216.195.117.160 0.0.0.15 151.164.27.72 0.0.0.3

    Does this look right? Also, is there a way to say, all network
    traffic take one route, and all internet traffic take another route?
    Just as a secondary question which I don't expect to be answered.
     
    Robert Jacobs, Mar 23, 2007
    #8
  9. Robert Jacobs wrote:

    >And here's the other router. Notice the numbers at the end of
    >ESP-3DES-SHA don't match?!? Problem?


    No, that's just a symbolic name. As long as the assigned values in "crypto
    ipsec transform-set" match, you're fine.

    Regards

    fw
     
    Frank Winkler, Mar 23, 2007
    #9
  10. On Mar 23, 11:02 am, Frank Winkler <> wrote:
    > Robert Jacobs wrote:
    >
    > >And here's the other router. Notice the numbers at the end of
    > >ESP-3DES-SHA don't match?!? Problem?

    >
    > No, that's just a symbolic name. As long as the assigned values in "crypto
    > ipsec transform-set" match, you're fine.
    >
    > Regards
    >
    > fw

    Here are the transform-set entries.

    Router A:
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac

    Router B:
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
     
    Robert Jacobs, Mar 23, 2007
    #10
  11. Robert Jacobs wrote:

    >Here are the transform-set entries.


    That's the result of configuration with the GUI - they are all the same,
    only the name differs. This looks fine IMO.

    Regards

    fw
     
    Frank Winkler, Mar 23, 2007
    #11
  12. L J (Guest):

    true dat
    "Frank Winkler" <> wrote in message
    news:...
    > Robert Jacobs wrote:
    >
    > >I have tried just specifying the next hop router it will go through,
    > >but it doesn't travel over the tunnel. How do I specify I want all
    > >network traffic (listed above) to go through the VPN tunnel to reach
    > >destination address?

    >
    > IMO this is a little bit strange in IOS and PIX. You don't have to set a
    > route, it's implicitly there by means of the ACLs for the tunnel.
    > Confusingly, the route is not visible in "show ip route" or "show route",
    > respectively - but packets are actually routed.
    >
    > Regards
    >
    > fw
     
    L J, Mar 25, 2007
    #12
  13. On Mar 25, 7:45 am, "L J" <> wrote:
    > true dat
    > "Frank Winkler" <> wrote in message
    >
    > news:...
    >
    >
    >
    > > Robert Jacobs wrote:

    >
    > > >I have tried just specifying the next hop router it will go through,
    > > >but it doesn't travel over the tunnel. How do I specify I want all
    > > >network traffic (listed above) to go through the VPN tunnel to reach
    > > >destination address?

    >
    > > IMO this is a little bit strange in IOS and PIX. You don't have to set a
    > > route, it's implicitly there by means of the ACLs for the tunnel.
    > > Confusingly, the route is not visible in "show ip route" or "show route",
    > > respectively - but packets are actually routed.

    >
    > > Regards

    >
    > > fw


    Alright. Everything IS working now. I had to create more access
    lists. Because the access lists above were only allowing the external
    IP addresses in, I had to create access lists on both sides to also
    allow the LAN addresses in. Now all I have to do is figure out how to
    set up dynamic routing on these routers, so if one line goes down, the
    router will dynamically start sending data over the VPN. Any insight
    would be nice, otherwise, thanks for the help!
     
    Robert Jacobs, Mar 28, 2007
    #13
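The thread's resolution (post #13) is the lesson of Smokey's post #4 and Frank's #9/#11 in one: the crypto ACL, not a static route, decides which traffic is "interesting" for the tunnel, the two peers' crypto ACLs must be exact mirrors of each other, and transform-set names are only labels. The checker below is an added example written for this page; it is not code from the thread or from Cisco. It parses IOS-style numbered ACLs (`permit ip` lines with `any`, `host`, or address/wildcard pairs), verifies that peer B's ACL is peer A's with source and destination swapped, tests whether the LAN pair from post #1 would actually be selected, and compares the transforms behind the differently named transform sets. The `ROUTER_A`/`ROUTER_B` excerpts are constructed from the configuration quoted in posts #6 to #10 (with the wrapped ACL lines re-joined); the extra LAN lines in `ROUTER_A_FIXED`/`ROUTER_B_FIXED` are an assumption about the shape of Robert's final fix, which the thread describes but never shows.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoAclEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a prefix (wildcard 0-bits must match)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = ~wc & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # A crypto ACL with a non-contiguous wildcard cannot be expressed as a subnet.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_addr(tokens):
    """Consume one ACL address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acl(config: str, acl_id: str):
    """Permit entries of numbered ACL acl_id; remark and deny lines select nothing."""
    entries = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != acl_id:
            continue
        if parts[2] != "permit":
            continue
        if parts[3] != "ip":
            raise ValueError(f"only 'permit ip' crypto ACL lines are handled: {raw}")
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        entries.append(CryptoAclEntry(src, dst))
    return entries


def is_mirror(local, remote) -> bool:
    """Peer B's crypto ACL must equal peer A's with source and destination swapped."""
    return {(e.src, e.dst) for e in local} == {(e.dst, e.src) for e in remote}


def selects(entries, src_net, dst_net) -> bool:
    """True if every src_net -> dst_net packet matches some permit line (is 'interesting')."""
    return any(src_net.subnet_of(e.src) and dst_net.subnet_of(e.dst) for e in entries)


def parse_transform_sets(config: str) -> dict:
    """Map transform-set name -> sorted tuple of its transforms."""
    sets = {}
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            sets[parts[3]] = tuple(sorted(parts[4:]))
    return sets


def crypto_map_transform(config: str, map_name: str, seq: int):
    """Name of the transform-set bound to 'crypto map MAP SEQ ipsec-isakmp'."""
    in_entry = False
    for raw in config.splitlines():
        parts = raw.split()
        if parts[:2] == ["crypto", "map"]:
            in_entry = parts[2:5] == [map_name, str(seq), "ipsec-isakmp"]
        elif in_entry and parts[:2] == ["set", "transform-set"]:
            return parts[2]
    return None


def transform_sets_agree(config_a, config_b, map_name, seq) -> bool:
    """Names may differ (SDM numbers them); only the transforms themselves must match."""
    ta = parse_transform_sets(config_a)[crypto_map_transform(config_a, map_name, seq)]
    tb = parse_transform_sets(config_b)[crypto_map_transform(config_b, map_name, seq)]
    return ta == tb


def check_pair(config_a, acl_a, config_b, acl_b, lan_a, lan_b) -> dict:
    ea, eb = parse_crypto_acl(config_a, acl_a), parse_crypto_acl(config_b, acl_b)
    return {
        "mirrored": is_mirror(ea, eb),
        "lan_a_to_b_selected": selects(ea, lan_a, lan_b),
        "lan_b_to_a_selected": selects(eb, lan_b, lan_a),
    }


# Constructed excerpts modelled on the thread's posted configs (wrapped lines re-joined).
ROUTER_A = """\
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set transform-set ESP-3DES-SHA8
 match address 111
access-list 111 remark SDM_ACL Category=4
access-list 111 remark IPSec Rule
access-list 111 permit ip 151.164.27.72 0.0.0.3 216.195.117.160 0.0.0.15
"""
ROUTER_B = """\
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set transform-set ESP-3DES-SHA4
 match address 107
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 216.195.117.160 0.0.0.15 151.164.27.72 0.0.0.3
"""
# Assumed shape of the fix: one mirrored LAN-to-LAN line per side (not shown in the thread).
ROUTER_A_FIXED = ROUTER_A + "access-list 111 permit ip 111.198.5.0 0.0.0.255 111.198.3.0 0.0.0.255\n"
ROUTER_B_FIXED = ROUTER_B + "access-list 107 permit ip 111.198.3.0 0.0.0.255 111.198.5.0 0.0.0.255\n"
LAN_A = ipaddress.IPv4Network("111.198.5.0/24")
LAN_B = ipaddress.IPv4Network("111.198.3.0/24")

if __name__ == "__main__":
    print("as posted:      ", check_pair(ROUTER_A, "111", ROUTER_B, "107", LAN_A, LAN_B))
    print("with LAN lines: ", check_pair(ROUTER_A_FIXED, "111", ROUTER_B_FIXED, "107", LAN_A, LAN_B))
    print("transforms agree:", transform_sets_agree(ROUTER_A, ROUTER_B, "SDM_CMAP_1", 2))
```

Run as posted, the two SDM-generated ACLs mirror each other perfectly but select only the two WAN blocks, so LAN-to-LAN packets are never encrypted; with the LAN lines added on both sides every check passes. Two points the thread illustrates are worth keeping in mind when reading the output: the crypto ACL decides only what gets encrypted, so the packet still needs a route out of the interface that carries `crypto map SDM_CMAP_1` (which is why removing the frame-relay static route stopped the traffic), and a one-sided ACL change breaks the mirror and shows up as a phase 2 negotiation failure rather than as a routing error.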