Security Basics mailing list archives

Re: Cisco L2L VPN Issue


From: Karsten Iwen <newsletter () saviya de>
Date: Tue, 12 Jul 2005 17:59:53 +0200

I think you don't need a logical interface but "ip radius source-interface fastEthernet 0/0" (or whatever your internal interface is).


regards, Karsten Iwen

--
Dipl.-Ing. Karsten Iwen
Network- and Security Consultant/Trainer

CCIE #14602 (Security)
CCSI, CCSP, CCNP
MCSE: Security



pilotalb () nycap rr com wrote:

Problem:
Data sourced from the Cisco 2811 does not appear to be marked as interesting
and will not be forwarded over the IPSEC tunnel.  The issue with this is
that security requirements require AAA authentication to all network
devices.  The Intranet-based AAA server is configured properly on the router
but the AAA packets don’t seem to be marked as interesting and will simply
just not route anywhere.  I therefore cannot log in without a console
connection.  I also have each of our remote site routers act as a DNS
proxy.  Basically that means the router is configured with the “ip dns
server” and “ip name-server <corporate DNS IP>” commands.  Once again the
Intranet-based DNS server traffic will not forward out the VPN tunnel (but
clients using the corporate DNS IP directly will work fine).

I tested a theory by running an extended ping.  Any data sourced from the
internal interface will forward out the VPN tunnel (or rather the traffic I
have marked as interesting… which is simply all Intranet-based traffic).
Any other standard pings are simply unroutable and will not leave the
router.  It appears I need to somehow create a logical interface for the VPN
tunnel and point all traffic to that interface (using something like “ip
route 0.0.0.0 0.0.0.0 vpninterface0”).  I’ve tried Googling and hitting
cisco.com but all I can see is brief mention of “tunnel0” interfaces.  Has
anyone else tried to set up a remote site to completely run off of a VPN
tunnel and have the config working?  Am I right in believing I need to
create a VPN interface?  If so how?


Any input would be appreciated.

Thanks,

Mike W.
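The situation described in the thread, as a constructed IOS configuration fragment (added here, not from either poster): the crypto ACL only matches packets sourced from the LAN subnet, so router-originated RADIUS and DNS traffic, which by default uses the WAN address, never enters the tunnel. The source-interface commands pin that traffic to the LAN interface so it matches the same ACL as client traffic. Addresses, names, the RADIUS key placeholder and the `ip domain lookup source-interface` line for the DNS proxy are assumptions beyond what the thread states.

```cisco
! Constructed example. Assumed addressing: branch LAN 10.1.1.0/24 behind
! FastEthernet0/0, corporate network 10.0.0.0/8 across the tunnel,
! RADIUS server 10.0.0.10, corporate DNS 10.0.0.53, peer 203.0.113.2.
!
! "Interesting" traffic: only packets SOURCED from the LAN subnet match.
ip access-list extended VPN-INTERESTING
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-INTERESTING
!
interface FastEthernet0/0
 description internal LAN
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/1
 description Internet / tunnel endpoint
 ip address 203.0.113.1 255.255.255.0
 crypto map L2L
!
! Router-originated packets normally take the WAN interface's address as
! their source, so they fall outside VPN-INTERESTING and are never
! encrypted. Sourcing them from the LAN interface makes them match.
ip radius source-interface FastEthernet0/0
ip domain lookup source-interface FastEthernet0/0
!
! Keep a local fallback so the router stays reachable if the tunnel (and
! therefore the RADIUS server) is down; the thread's lockout shows why.
aaa new-model
aaa authentication login default group radius local
radius-server host 10.0.0.10 key PLACEHOLDER-SHARED-SECRET
!
! DNS proxy for LAN clients, forwarding to the corporate resolver.
ip dns server
ip name-server 10.0.0.53
!
! Verify: an extended ping to 10.0.0.10 with source FastEthernet0/0 should
! succeed and increment the encaps counters in "show crypto ipsec sa".
```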
