
Monday, November 11, 2013

VPN site-to-site LAN to multi LAN connection


We have a site-to-site connection. Currently we have a stable connection from my LAN 192.168.1.100 /24 to the far-end LAN 192.168.55.1 /24, and now I need to add another LAN connection from my current LAN to a new LAN at the far end (we want to have an interconnection to multiple LANs at the far end). The LAN IP address of the new LAN at the far end is 172.16.1.1 /24.
We applied the policy below at both ends, but it did not work.
My end:
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.55.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.244 172,16.1.0 0.0.0.225


At the far end we applied:
access-list 102 permit ip 192.168.55.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255

The syntax of your change seems to be right (other than the typo in the original post) and we do not believe that the configuration itself is the problem (assuming that it was implemented correctly on both routers).
One potential issue might be a question of timing. When you make the configuration change the existing Security Associations are based on the old config. Did you flush the SAs and force them to renegotiate? Otherwise you need to wait until the SAs expire and are renegotiated. This is true on both ends. One way to check this would be to look into the output of show crypto ipsec sa and see if the new LAN addresses are in the SA.

The other possibility might be something like a routing issue on the other end. What can you tell us about the topology of the other side? Is the new LAN directly connected on the same router as the current LAN? Is it possible that there are access-list restrictions impacting traffic from the new LAN (possible on either side)? Is it possible that there is some special routing on the other side that is not sending traffic from the new LAN out the interface where the crypto map is applied? It is not clear what platform these are configured on, and this might make a difference. It is not clear whether these devices are doing address translation and, if so, whether address translation needs to be changed so that traffic for the new LAN is not translated.
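Two checks the thread suggests, as an added example that is not from either poster: validating crypto ACL entries for address and wildcard typos like the one in the question, and parsing show crypto ipsec sa output to see whether the new proxy identities have actually been negotiated. The SA excerpt, crypto map name and peer addresses below are constructed.

```python
import ipaddress
import re

# Constructed "show crypto ipsec sa" excerpt: only the original LAN pair has an SA.
SAMPLE_SA_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 203.0.113.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.55.0/255.255.255.0/0/0)
"""
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")

def acl_entry_errors(line):
    """Problems in an 'access-list N permit ip SRC WILD DST WILD' crypto ACL entry."""
    fields = line.split()
    if len(fields) != 8 or fields[2:4] != ["permit", "ip"]:
        return ["unexpected entry layout"]
    errors = []
    for addr, wildcard in ((fields[4], fields[5]), (fields[6], fields[7])):
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            errors.append(f"invalid address {addr}")
        try:
            bits = int(ipaddress.IPv4Address(wildcard))
        except ValueError:
            errors.append(f"invalid wildcard {wildcard}")
            continue
        # A usable wildcard is a run of 1-bits at the low end, so bits + 1 is a power of two.
        if bits & (bits + 1):
            errors.append(f"non-contiguous wildcard {wildcard}")
    return errors

def negotiated_pairs(show_output):
    """(local, remote) proxy identities that currently have an SA in the show output."""
    pairs, local = set(), None
    for kind, addr, mask in IDENT_RE.findall(show_output):
        net = ipaddress.ip_network(f"{addr}/{mask}")
        if kind == "local":
            local = net
        elif local is not None:
            pairs.add((local, net))
            local = None
    return pairs

def missing_pairs(show_output, expected):
    """Expected (local, remote) CIDR pairs with no SA yet, i.e. candidates for clearing/renegotiation."""
    have = negotiated_pairs(show_output)
    return [p for p in expected if tuple(map(ipaddress.ip_network, p)) not in have]
```

Run acl_entry_errors over each crypto ACL line on both routers first; an entry that fails here will never produce an SA, no matter how often the SAs are cleared.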


Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.
