Thursday, October 8, 2015

Moving traffic between 2 IPSec tunnels using policy-based VPN

In this setup R2's local network (192.168.20.0/24) can reach R3's local network (192.168.30.0/24) and vice versa, with R1 acting as the hub that moves the traffic from one tunnel into the other.
The first tunnel is between R1 and R2, the second tunnel is between R1 and R3.

This is the network diagram:


R1 configuration:

ip access-list extended ACL_R1_TO_R2
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
!
ip access-list extended ACL_R1_TO_R3
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto keyring VPN_KEY_R2
  pre-shared-key address 10.1.12.2 key cisco
!
crypto keyring VPN_KEY_R3
  pre-shared-key address 10.1.13.3 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp profile ISAKMP_PROFILE_R2
   keyring VPN_KEY_R2
   match identity address 10.1.12.2 255.255.255.255
!
crypto isakmp profile ISAKMP_PROFILE_R3
   keyring VPN_KEY_R3
   match identity address 10.1.13.3 255.255.255.255
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map POLICY_VPN_R2 10 ipsec-isakmp
 match address ACL_R1_TO_R2
 set peer 10.1.12.2
 set transform-set MYSET
 set isakmp-profile ISAKMP_PROFILE_R2
 reverse-route static
 set reverse-route distance 10
!
crypto map POLICY_VPN_R3 10 ipsec-isakmp
 match address ACL_R1_TO_R3
 set peer 10.1.13.3
 set transform-set MYSET
 set isakmp-profile ISAKMP_PROFILE_R3
 reverse-route static
 set reverse-route distance 10
!
interface FastEthernet0/0
 crypto map POLICY_VPN_R2
!
interface FastEthernet1/0
 crypto map POLICY_VPN_R3
!

R2 configuration:

ip access-list extended ACL_R2_TO_R1
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 ! mirror of the second entry in ACL_R1_TO_R2 on R1: without it R2 neither
 ! encrypts traffic toward 192.168.30.0/24 nor gets an RRI route for it
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto keyring VPN_KEY
  pre-shared-key address 10.1.12.1 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp profile ISAKMP_PROFILE
   keyring VPN_KEY
   match identity address 10.1.12.1 255.255.255.255
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map POLICY_VPN 10 ipsec-isakmp
 match address ACL_R2_TO_R1
 set peer 10.1.12.1
 set transform-set MYSET
 set isakmp-profile ISAKMP_PROFILE
 reverse-route static
 set reverse-route distance 10
!
interface FastEthernet0/0
 crypto map POLICY_VPN
!

R3 configuration:

ip access-list extended ACL_R3_TO_R1
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto keyring VPN_KEY
  pre-shared-key address 10.1.13.1 key cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp profile ISAKMP_PROFILE
   keyring VPN_KEY
   match identity address 10.1.13.1 255.255.255.255
!
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
!
crypto map POLICY_VPN 10 ipsec-isakmp
 match address ACL_R3_TO_R1
 set peer 10.1.13.1
 set transform-set MYSET
 set isakmp-profile ISAKMP_PROFILE
 reverse-route static
 set reverse-route distance 10
!
interface FastEthernet0/0
 crypto map POLICY_VPN
!
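The classic failure in a hub-and-spoke policy-based VPN like this one is a crypto ACL entry on one side without its mirror image on the other: the side that lacks the entry either forwards that traffic class in cleartext (if it has a route at all) or rejects the peer's proposal during IKE phase 2 with a proxy identity mismatch. The Python script below is an added example and not part of the original post. It parses trimmed, constructed copies of the three routers' ACL and crypto-map sections, checks that every `permit ip` entry bound to a crypto map has its mirror in the peer's crypto ACL, and for illustration runs the same check against a constructed R2 variant that omits the permit toward 192.168.30.0/24. The parser only understands `ip access-list extended` blocks with `permit ip` wildcard entries, `crypto map ... ipsec-isakmp` entries with `match address` and `set peer`, and the `!` separator; everything else in the script (function names, the trimmed config strings) is an assumption of the example, not something the post defines.

```python
import re

# Constructed, trimmed copies of the ACL and crypto-map sections of the
# hub (R1) and the two spokes (R2, R3). Keyrings, ISAKMP policies and
# transform sets are left out because the check only needs the crypto
# ACLs and the crypto map entries that bind them to a peer.
R1_HUB = """\
ip access-list extended ACL_R1_TO_R2
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
!
ip access-list extended ACL_R1_TO_R3
 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto map POLICY_VPN_R2 10 ipsec-isakmp
 match address ACL_R1_TO_R2
 set peer 10.1.12.2
!
crypto map POLICY_VPN_R3 10 ipsec-isakmp
 match address ACL_R1_TO_R3
 set peer 10.1.13.3
!
"""

R2_SPOKE = """\
ip access-list extended ACL_R2_TO_R1
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
!
crypto map POLICY_VPN 10 ipsec-isakmp
 match address ACL_R2_TO_R1
 set peer 10.1.12.1
!
"""

R3_SPOKE = """\
ip access-list extended ACL_R3_TO_R1
 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
!
crypto map POLICY_VPN 10 ipsec-isakmp
 match address ACL_R3_TO_R1
 set peer 10.1.13.1
!
"""

# Constructed variant of the R2 spoke with the spoke-to-spoke permit dropped.
R2_SPOKE_MISSING = R2_SPOKE.replace(
    " permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255\n", "")

ACL_HDR = re.compile(r"^ip access-list extended (\S+)$")
PERMIT = re.compile(r"^\s+permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_HDR = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp$")


def parse(config):
    """Return (acls, maps). acls: ACL name -> set of
    (src, src_wildcard, dst, dst_wildcard). maps: crypto map name ->
    {"acl": bound ACL name, "peer": peer address}."""
    acls, maps = {}, {}
    acl = cmap = None
    for line in config.splitlines():
        if line.startswith("!"):          # section separator ends any block
            acl = cmap = None
        elif m := ACL_HDR.match(line):
            acl, cmap = m.group(1), None
            acls[acl] = set()
        elif m := MAP_HDR.match(line):
            cmap, acl = m.group(1), None
            maps[cmap] = {"acl": None, "peer": None}
        elif acl and (m := PERMIT.match(line)):
            acls[acl].add(m.groups())
        elif cmap and line.strip().startswith("match address "):
            maps[cmap]["acl"] = line.split()[-1]
        elif cmap and line.strip().startswith("set peer "):
            maps[cmap]["peer"] = line.split()[-1]
    return acls, maps


def mirror(entry):
    """Swap source and destination: the entry the peer must carry."""
    src, sw, dst, dw = entry
    return (dst, dw, src, sw)


def check_tunnel(local_cfg, local_map, remote_cfg, remote_map):
    """Compare the crypto ACLs that two crypto map entries bind to one tunnel.
    Returns the entries on each side whose mirror the other side lacks;
    empty lists on both keys mean the proxy identities agree."""
    lacls, lmaps = parse(local_cfg)
    racls, rmaps = parse(remote_cfg)
    local = lacls[lmaps[local_map]["acl"]]
    remote = racls[rmaps[remote_map]["acl"]]
    return {
        "missing_on_remote": sorted(e for e in local if mirror(e) not in remote),
        "missing_on_local": sorted(e for e in remote if mirror(e) not in local),
    }


def audit_hub_and_spokes():
    """Run the mirror check over both tunnels of the post's topology."""
    return {
        "R1-R2": check_tunnel(R1_HUB, "POLICY_VPN_R2", R2_SPOKE, "POLICY_VPN"),
        "R1-R3": check_tunnel(R1_HUB, "POLICY_VPN_R3", R3_SPOKE, "POLICY_VPN"),
    }


if __name__ == "__main__":
    for tunnel, result in audit_hub_and_spokes().items():
        print(tunnel, "OK" if not any(result.values()) else result)
    broken = check_tunnel(R1_HUB, "POLICY_VPN_R2", R2_SPOKE_MISSING, "POLICY_VPN")
    for entry in broken["missing_on_remote"]:
        print("R2 lacks the mirror of hub entry:", " ".join(entry))
```

Run on the complete configs the audit reports both tunnels clean; run against the variant that omits the 192.168.20.0/24 to 192.168.30.0/24 permit on R2 it names the hub entry `192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255` as the one R2 has no mirror for, which is exactly the traffic class that would fail for spoke-to-spoke reachability. Since RRI derives its static routes from the same crypto ACL, the missing entry also means the spoke never learns a route to the other spoke's LAN.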