[c-nsp] Site to site VPN

Justin M. Streiner streiner at cluebyfour.org
Wed Feb 9 08:22:04 EST 2005


On Wed, 9 Feb 2005, simon.pitwood wrote:

> Hope someone out there can help, I have two sites connected with site to
> site VPN and my understanding is that they should be able to see each others
> LAN's and PC's?  I have set this up but this is not the case, if I take
> control of a machine in one office I cannot ping or see the other office's
> LAN etc.

Setting up a site-to-site VPN between two points, by itself, is not 
necessarily enough to be able to see everything on a remote network.
Do the IKE (phase 1) and IPSEC (phase 2) negotiations complete 
successfully?  In other words, do you see that the tunnel itself is up?

1) The VPN tunnel endpoints need to know how to route traffic and accept
 	traffic from the remote networks.  How this is accomplished varies
 	from device to device, but it's often done with an access list (IOS
 	routers, PIXes, etc).
2) Very often, companies use RFC 1918 address space for their internal
 	networks.  This is a Good Thing, but can create some additional
 	headaches in setting up a VPN.  If the private address space used
 	by the two networks overlaps at all - i.e. both use
 	192.168.1.0/24, or one uses 192.168.0.0/20 and the other uses
 	192.168.6.0/24, etc - then the traffic that gets sent through the
 	VPN tunnel needs to be NAT'd in both directions.  Cisco has
 	documentation on this on their website.  I might be able to dig
 	some up, if needed, though it will take time.
3) Do the VPN endpoints have access lists written to permit traffic
 	between the tunnel and the rest of the network?  Are they
 	configured to route return traffic back through the VPN?
4) Are there additional routers or firewalls between the VPN endpoints on
 	either side, and the rest of that site's internal network?  If so,
 	those may need to be checked for access lists/routes/etc too.
 	Some companies I've seen will land their VPN tunnels in a DMZ
 	network, then that traffic has to be carried through an internal
 	router or firewall to get to the inside.

hope this helps
jms
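The checks in items 2 and 3 above (overlapping RFC 1918 space forcing NAT, and the two endpoints' access lists agreeing on what traffic belongs in the tunnel) can be done mechanically before anyone starts staring at debug output. The script below is an added example written for this page; it is not code from the thread or from Cisco, and the subnet values and ACL entries in it are constructed for illustration. It uses only the Python standard library's `ipaddress` module.

```python
import ipaddress

# The three RFC 1918 private blocks (taken from the RFC, not from the thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _net(prefix):
    # strict=False accepts "192.168.1.1/24" style input as the containing /24.
    return ipaddress.ip_network(prefix, strict=False)


def is_rfc1918(prefix):
    """True if the whole prefix lies inside one RFC 1918 block."""
    net = _net(prefix)
    return any(net.subnet_of(block) for block in RFC1918)


def overlapping_pairs(local_lans, remote_lans):
    """Return every (local, remote) LAN pair whose address space overlaps.

    Any hit means the two sites cannot simply route to each other across the
    tunnel; traffic through the VPN has to be NAT'd in both directions
    (item 2 in the post above).
    """
    hits = []
    for local in local_lans:
        ln = _net(local)
        for remote in remote_lans:
            rn = _net(remote)
            if ln.overlaps(rn):
                hits.append((str(ln), str(rn)))
    return hits


def crypto_acl_mirrored(local_acl, remote_acl):
    """Compare the two endpoints' interesting-traffic ACLs.

    Each ACL is a list of (source, destination) prefix pairs. The remote
    peer's ACL must be the exact mirror image of the local one, i.e. every
    local (src, dst) has a remote (dst, src). Returns the local entries that
    have no mirror on the remote side; an empty list means the ACLs agree.
    """
    local = {(_net(s), _net(d)) for s, d in local_acl}
    remote_mirrored = {(_net(d), _net(s)) for s, d in remote_acl}
    missing = local - remote_mirrored
    return sorted(f"{s} -> {d}" for s, d in missing)


def check_site_pair(local_lans, remote_lans, local_acl, remote_acl):
    """Run both checks and summarise what still has to be fixed."""
    overlaps = overlapping_pairs(local_lans, remote_lans)
    unmirrored = crypto_acl_mirrored(local_acl, remote_acl)
    return {
        "all_private": all(is_rfc1918(p) for p in local_lans + remote_lans),
        "overlaps": overlaps,
        "nat_required": bool(overlaps),
        "unmirrored_acl_entries": unmirrored,
        "ok": not overlaps and not unmirrored,
    }


if __name__ == "__main__":
    # Constructed example: site A uses a /20 that swallows site B's /24,
    # exactly the case mentioned in the post, so NAT will be needed.
    site_a = ["192.168.0.0/20"]
    site_b = ["192.168.6.0/24"]
    print("overlapping:", overlapping_pairs(site_a, site_b))

    # Constructed example with non-overlapping space but a one-sided ACL:
    # site A lists two subnets, site B only mirrors one of them.
    acl_a = [("10.1.0.0/24", "10.2.0.0/24"), ("10.1.1.0/24", "10.2.0.0/24")]
    acl_b = [("10.2.0.0/24", "10.1.0.0/24")]
    report = check_site_pair(["10.1.0.0/24", "10.1.1.0/24"], ["10.2.0.0/24"], acl_a, acl_b)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The ACL comparison deliberately treats the lists as sets of exact prefixes: a local entry for 10.1.0.0/24 is not satisfied by a remote entry for 10.1.0.0/16, since phase 2 proxy identities on many platforms must match exactly for the SA to come up.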
