Hey everyone, I have an issue and I'm kinda stuck finding the solution.
The scenario is the following: I have a router (Cisco 2811) that has two IPsec VPNs established with Site A and Site B.
The thing is, the network address of Site A overlaps with Site B. I've got 172.16.0.0/12 on Site A and 172.21.226.0/23 on Site B. The problem is that none of the remote sites is willing to make any change on their devices, therefore my router has to manage everything.
I'm using the following configuration:
Crypto maps:

crypto map rtp 2 ipsec-isakmp
 ! Site B
 set peer B.B.B.B
 set transform-set TSASA
 match address CISCO_TO_ASA
crypto map rtp 4 ipsec-isakmp
 ! Site A
 set peer A.A.A.A
 set transform-set 3des-sha
 match address LAN-UOL-vpn

ACLs for interesting traffic:

Used by Site A:

ip access-list extended LAN-UOL-vpn
 permit ip 10.233.0.0 0.0.255.255 172.16.0.0 0.15.255.255

Used by Site B:

ip access-list extended CISCO_TO_ASA
 permit ip 10.233.18.0 0.0.1.255 172.21.226.0 0.0.1.255
 permit ip 10.233.22.0 0.0.0.255 172.21.226.0 0.0.1.255

Both VPNs are using the same crypto map. I tried changing the sequence numbers in order to use the Site B address first (since it's smaller than Site A's) and then Site A. However, when I try to send traffic meant for Site B, it's routed to Site A because the network address overlaps both segments.
Any suggestions are appreciated. Let me know if you would like any other information that might be relevant to fulfill the objective.
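
An added example, not part of the original post: a small Python model of which crypto map entry a packet selects, assuming entries are evaluated in ascending sequence number and the first ACL permit wins. The function names are hypothetical, and the configuration text is constructed from the lines quoted in the post.

```python
import ipaddress

# Constructed from the crypto map entries and ACLs quoted in the post (peers are its placeholders).
CONFIG = """\
crypto map rtp 2 ipsec-isakmp
 set peer B.B.B.B
 match address CISCO_TO_ASA
crypto map rtp 4 ipsec-isakmp
 set peer A.A.A.A
 match address LAN-UOL-vpn
ip access-list extended LAN-UOL-vpn
 permit ip 10.233.0.0 0.0.255.255 172.16.0.0 0.15.255.255
ip access-list extended CISCO_TO_ASA
 permit ip 10.233.18.0 0.0.1.255 172.21.226.0 0.0.1.255
 permit ip 10.233.22.0 0.0.0.255 172.21.226.0 0.0.1.255
"""

def wildcard_net(addr, wildcard):
    # IOS wildcard -> netmask; non-contiguous wildcards raise ValueError.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    # entries: {seq: {"peer", "acl"}}; acls: {name: [(src_net, dst_net), ...]}
    entries, acls, cur = {}, {}, None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["crypto", "map"]:
            cur = entries.setdefault(int(words[3]), {})
        elif words[:2] == ["set", "peer"]:
            cur["peer"] = words[2]
        elif words[:2] == ["match", "address"]:
            cur["acl"] = words[2]
        elif words[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(words[3], [])
        elif words[:2] == ["permit", "ip"]:
            cur.append((wildcard_net(words[2], words[3]), wildcard_net(words[4], words[5])))
    return entries, acls

def select_peer(entries, acls, src, dst):
    # Entries are checked lowest sequence number first; the first permit wins.
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(entries):
        if any(s in sn and d in dn for sn, dn in acls[entries[seq]["acl"]]):
            return seq, entries[seq]["peer"]
    return None

ENTRIES, ACLS = parse(CONFIG)
if __name__ == "__main__":
    for src in ("10.233.18.5", "10.233.22.9", "10.233.5.1"):
        print(src, "-> 172.21.226.10:", select_peer(ENTRIES, ACLS, src, "172.21.226.10"))
```

Under these ACLs, a source outside 10.233.18.0/23 and 10.233.22.0/24 (for example 10.233.5.1) sending to 172.21.226.10 matches only sequence 4, whose selector covers all of 172.16.0.0/12.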