IPSEC s2s ACLs
#1
I have two sites I need to create an s2s between; the problem is:

Site A is the HQ. It has MPLS connections and routes OSPF over to the other branches, so its encryption domain is the whole 192.168.x.x/16 network. Site B is the branch that will need to access HQ and other branch resources by s2s with the HQ, and its local networks are 192.168.20.0/24 through 192.168.24.0/24, meaning they fall under the general ACL for the HQ. The HQ has no 192.168.20-24/24 subnets on its side, as those are reserved for site B.

My question is: can I use the general ACL for site A to include 192.168.x.x/16, and 192.168.20-24.0/24 on site B, to build a properly working tunnel that will allow site B to reach all other branches connected to site A (HQ)? (See the example below.)

Topology:

    siteB(192.168.20.0/22) =====IPSEC s2s===== siteA(192.168.10.0/24) -------OSPF------- siteC(192.168.11.0/24) -------OSPF------- ....... -------OSPF------- siteZ(192.168.45.0/24)

VPN ACL on site B:

    access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.252.0 192.168.0.0 255.255.0.0
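As an added example (not from the original post or the forum), here is how the crypto ACL in the question pairs up with its mirror image on the HQ side, together with the routing both ends need for the /16 encryption domain to work. Peer and gateway addresses (203.0.113.1, 198.51.100.1 and their gateways), object names, the transform set, the pre-shared key and the HQ ASA inside address 192.168.10.1 are all assumptions; the two crypto ACLs are the ones the question describes.

```cisco
! ---------- Site B ASA (branch), constructed example ----------
! Peer/next-hop addresses, object names, PSK and transform set are assumptions.
object network SITEB_LAN
 subnet 192.168.20.0 255.255.252.0
object network HQ_ALL_BRANCHES
 subnet 192.168.0.0 255.255.0.0
!
! Crypto ACL: local 192.168.20.0/22 -> remote 192.168.0.0/16 (as in the post).
! This is an encryption policy only; it does not restrict what site B may reach.
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.252.0 192.168.0.0 255.255.0.0
!
! NAT exemption (ASA 8.3+ syntax) so tunnelled traffic keeps its real addresses.
nat (inside,outside) source static SITEB_LAN SITEB_LAN destination static HQ_ALL_BRANCHES HQ_ALL_BRANCHES no-proxy-arp route-lookup
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key SiteBtoHQsecret
! The default route sends 192.168.0.0/16 out "outside", where the crypto map sees it.
route outside 0.0.0.0 0.0.0.0 198.51.100.254 1

! ---------- Site A ASA (HQ): the mirror image ----------
! Same objects, ikev1 policy, transform set and crypto map as above, except:
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.0.0 192.168.20.0 255.255.252.0
nat (inside,outside) source static HQ_ALL_BRANCHES HQ_ALL_BRANCHES destination static SITEB_LAN SITEB_LAN no-proxy-arp route-lookup
crypto map outside_map 1 set peer 198.51.100.1
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key SiteBtoHQsecret
! The branch /22 must be routed toward the peer, not into the inside/MPLS side,
! otherwise HQ never evaluates the crypto map for it. The rest of the /16 stays
! on the inside route, so HQ<->siteC..siteZ traffic never touches the tunnel.
route outside 192.168.20.0 255.255.252.0 203.0.113.254 1

! ---------- HQ LAN router (IOS), so sites C..Z send return traffic via HQ ----------
! 192.168.10.1 is assumed to be the HQ ASA's inside address.
ip route 192.168.20.0 255.255.252.0 192.168.10.1
router ospf 1
 redistribute static subnets
```

The overlap the question worries about is harmless: on site B, only traffic sourced from 192.168.20.0/22 is evaluated, and the /22 never appears as a destination that leaves the branch; on HQ, the only destinations that match are the /22 reserved for site B. What does matter is that the two crypto ACLs are exact mirrors, because IKEv1 phase 2 negotiates the proxy identities from them and fails on a mismatch; `show crypto ipsec sa peer 203.0.113.1` on site B should show local ident 192.168.20.0/255.255.252.0 and remote ident 192.168.0.0/255.255.0.0. Also remember that by default the ASA bypasses interface ACLs for decrypted VPN traffic (`sysopt connection permit-vpn`), so if site B is only meant to reach certain HQ hosts, add a `vpn-filter` to the tunnel's group policy or disable that bypass and filter on the interface.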
#2
You could create s2s IPsec tunnels to HQ and then to each branch, but that would be a ton of configuration. Why not create a DMVPN? You could use Phase 1, which will give you reachability to HQ and the branches but any branch-to-branch traffic goes through the "hub", or use Phase 2 DMVPN, which creates dynamic tunnels from branch to branch. The configuration requires GRE and IPsec tunnels. Using DMVPN you can exchange routes with the hub as well as with the spokes using EIGRP, OSPF, etc. The benefit of using DMVPN is that once the "hub" is configured you don't need any other configuration on the hub for other branch offices that come online. There will be some configuration on the branches, though.
I have never set this up in the field, but I have configured it in my lab with GNS3 and the config isn't that bad.
#3
Yup, I keep dreading I might need to do it....
Thanks
#4
Here is a link that explains it very well for Phase 1. The only real difference between Phase 1 and Phase 2 is that Phase 1 uses p2p GRE tunnels on the branches and Phase 2 is mGRE all the way around. http://blog.ine.com/2008/08/02/dmvpn-explained/