IPSEC s2s ACLs
  • IPSEC s2s ACLs

    I have two sites I need to create an s2s between; the problem is:

    Site A is the HQ, which has MPLS connections and routes OSPF to other branches, so its encryption domain is the whole 192.168.x.x/16 network.
    Site B is the branch that will need to access HQ and other branch resources via the S2S with the HQ, and its local networks are 192.168.20.0/24 through 192.168.24.0/24, meaning they fall under the general ACL for the HQ. The HQ has no 192.168.20-24/24 subnets on its side, as those are reserved for site B.
    My question is...
    Can I use the general ACL for site A to include 192.168.x.x/16 and 192.168.20-24.0/24 on site B to build a properly working tunnel that will allow site B to reach all other branches connected to site A (HQ) (see example below)?


    topology:

    siteB(192.168.20.0/22)=====IPSEC s2s=====siteA(192.168.10.0/24) -------OSPF-------siteC(192.168.11.0/24)
    --------OSPF------.......
    --------OSPF------siteZ(192.168.45.0/24)
    VPN ACL on site B:

    #
    access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.252.0 192.168.0.0 255.255.0.0
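
As an added example (not from the original post, and not the poster's configuration), here is a small Python check of the site B crypto ACL above: it parses the ASA-style ACE, tests whether the local and remote proxy identities overlap (the branch /22 sits inside the HQ /16 that the question describes), and lists the remote prefix with the local prefix carved out, which is the information you want in hand before deciding how to write the ACL. The helper names `parse_crypto_acl`, `overlapping_pairs` and `remote_minus_local` are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample input: the crypto ACL posted for site B.
SITE_B_ACL = """
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.252.0 192.168.0.0 255.255.0.0
"""

# ASA "extended permit ip <src> <mask> <dst> <mask>" entries; other ACE forms are ignored.
ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<smask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dmask>\d+\.\d+\.\d+\.\d+)"
)


def parse_crypto_acl(text):
    """Return a list of (local_net, remote_net) pairs from ASA-style crypto ACEs."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        # ipaddress accepts dotted netmasks; strict=False tolerates host bits set.
        local = ipaddress.IPv4Network(f"{m['src']}/{m['smask']}", strict=False)
        remote = ipaddress.IPv4Network(f"{m['dst']}/{m['dmask']}", strict=False)
        entries.append((local, remote))
    return entries


def overlapping_pairs(entries):
    """Local/remote pairs whose prefixes overlap. For such a pair, traffic from
    the local subnet toward addresses inside its own prefix also matches the
    crypto ACL, because the remote side of the ACE covers the local side."""
    return [(local, remote) for local, remote in entries if local.overlaps(remote)]


def remote_minus_local(local, remote):
    """The remote prefix with the local prefix carved out, as a sorted list of
    networks. If local is not fully inside remote, the remote prefix is returned
    unchanged."""
    if not local.subnet_of(remote):
        return [remote]
    return sorted(remote.address_exclude(local))


if __name__ == "__main__":
    for local, remote in parse_crypto_acl(SITE_B_ACL):
        print(f"local {local} -> remote {remote}; overlap: {local.overlaps(remote)}")
        for net in remote_minus_local(local, remote):
            print(f"  remote without local: {net}")
```

Running it on the posted ACE reports that 192.168.20.0/22 overlaps 192.168.0.0/16 and that the remote range without the branch prefix is six networks (192.168.0.0/20, 192.168.16.0/22, 192.168.24.0/21, 192.168.32.0/19, 192.168.64.0/18, 192.168.128.0/17), so the same check works for any local/remote pair you feed it, not just this thread's addresses.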

  • #2
    Re: IPSEC s2s ACLs

    You could create s2s IPsec tunnels to HQ and then to each branch, but that would be a ton of configuration. Why not create a DMVPN? You could use Phase 1, which will give you reachability to HQ and the branches, but any branch-to-branch traffic goes through the "hub", or use Phase 2 DMVPN, which creates dynamic tunnels from branch to branch. The configuration requires GRE and IPsec tunnels. Using DMVPN you can exchange routes with the hub as well as with the spokes using EIGRP, OSPF, etc. The benefit of using DMVPN is that once the "hub" is configured you don't need any other configuration on the hub for other branch offices that come online. There will be some configuration on the branches though.

    I have never set this up in the field but I have configured it in my lab and with GNS3 and the config isn't that bad.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: IPSEC s2s ACLs

      Yup, I keep dreading I might need to do it....
      Thanks



      • #4
        Re: IPSEC s2s ACLs

        Here is a link that explains it very well for Phase 1. The only real difference between
        Phase 1 and Phase 2 is that Phase 1 uses p2p GRE tunnels on the branches and Phase 2 is mGRE all the way around.

        http://blog.ine.com/2008/08/02/dmvpn-explained/
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
