
Cisco VPN 3000 Series Concentrators

Configuring a Central Cisco VPN 3000 Concentrator to Allow Communication Between Spokes

Document ID: 22306

Updated: Jan 14, 2008

Introduction

This document illustrates how to create a LAN-to-LAN VPN tunnel between central and remote VPN 3000 Concentrators. In addition to the LAN-to-LAN VPN, the central concentrator also accepts remote access VPN connections. Communication is then enabled between the remote access VPN Client and the LAN behind the remote concentrator, through the central concentrator. The communication between spokes is enabled through the use of Reverse Route Injection (RRI), a feature introduced in version 3.5 of the VPN 3000 Concentrator code.

This sample configuration only covers a single subnet behind the VPN Concentrator; however, if you have multiple subnets behind the concentrator, you should use RRI with routing protocols. For more information, see How to Populate Dynamic Routes Using Reverse Route Injection, or use static routes accordingly. Although the illustration in this document uses a hardware client, the same example could be applied to a software client, LAN-to-LAN tunnels, or other devices supporting RRI.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco VPN 3000 Concentrator running software version 3.5.2 (This configuration has been tested successfully with version 4.0.)

  • Cisco VPN 3002 Hardware Client version 3.5.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Network Diagram

This document uses this network setup:

vpn3k_lan2lan_01.gif

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configurations

Due to space limitations, this document covers only the LAN-to-LAN configuration on the VPN Concentrators.

Central Concentrator

Follow these steps to configure the central concentrator.

  1. Go to Configuration > Policy Management > Traffic Management > Network Lists > Modify and define a local network list. In the example below, the list also includes the network behind the VPN 3002 Hardware Client, so that it is covered by the LAN-to-LAN tunnel.

    vpn3k_lan2lan_02.gif

  2. Create a network list for the remote site.

    vpn3k_lan2lan_03.gif

  3. Go to Configuration > System > Tunneling Protocols > IPSec LAN-to-LAN > Modify and create a LAN-to-LAN configuration to the remote site.

    vpn3k_lan2lan_04.gif

    vpn3k_lan2lan_05.gif

  4. Once the remote network is defined in the LAN-to-LAN configuration, it appears in the central concentrator's routing table.

    vpn3k_lan2lan_06.gif

  5. Define a network list for remote access clients.

    vpn3k_lan2lan_07.gif

  6. Go to Configuration > System > Address Management > Assignment and define the method of address assignment for remote VPN access users.

    vpn3k_lan2lan_08.gif

  7. Go to Configuration > User Management > Groups > Modify vpnclient and define the group settings for remote access clients.

    vpn3k_lan2lan_09.gif

  8. Define IPSec parameters for the group.

    vpn3k_lan2lan_10.gif

  9. Define Mode Config parameters for the group.

    vpn3k_lan2lan_11.gif

    vpn3k_lan2lan_11a.gif

  10. Select Groups > Address Pools > Modify and define the address pool for the group.

    vpn3k_lan2lan_12.gif

  11. Go to Configuration > System > IP Routing > Reverse Route Injection and enable RRI for client connections. The example below only has Network Extension RRI enabled.

    vpn3k_lan2lan_13.gif

Remote Concentrator

Follow this procedure to configure the remote concentrator.

  1. Go to Configuration > Policy Management > Traffic Management > Network Lists > Modify and define a remote network list. The example below includes the network behind the VPN 3002 Hardware Client.

    vpn3k_lan2lan_14.gif

  2. Define a local network list.

    vpn3k_lan2lan_15.gif

  3. Go to Configuration > System > Tunneling Protocols > IPSec LAN-to-LAN > Modify and create a LAN-to-LAN configuration to the central concentrator.

    vpn3k_lan2lan_16.gif

    vpn3k_lan2lan_17.gif

  4. Once RRI is enabled in the LAN-to-LAN configuration, the remote LAN is advertised in the routing table.

    vpn3k_lan2lan_18.gif
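
The two procedures above come down to two conditions that must both hold before a host behind the VPN 3002 Hardware Client can reach a host behind the remote concentrator: the central concentrator needs a route for the far-end network (installed when the remote network list is defined, or injected by RRI when the hardware client connects), and the LAN-to-LAN network lists on both concentrators must classify the spoke-to-spoke traffic as interesting. The following Python model is an added example, not Cisco code or anything taken from the concentrator screens; all addresses, tunnel and client names in it are constructed, and it reproduces two misconfigurations that would make the ping test in the Verify section fail: RRI left disabled, and the spoke networks left out of the LAN-to-LAN network lists.

```python
"""Hub-and-spoke reachability model for the VPN 3000 setup described above.

Added example, not Cisco code. It models the two things that must both be
true on the central concentrator for spoke-to-spoke traffic: a route for the
far-end network (installed by the LAN-to-LAN definition or injected by RRI),
and a LAN-to-LAN network-list pair that classifies the traffic as interesting.
All addresses and names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed lab addressing (not taken from the document's screenshots).
CENTRAL_LAN = ipaddress.ip_network("10.1.1.0/24")    # behind the central concentrator
REMOTE_LAN = ipaddress.ip_network("10.2.2.0/24")     # behind the remote concentrator
HW_CLIENT_LAN = ipaddress.ip_network("10.3.3.0/24")  # behind the VPN 3002 (network extension)
CLIENT_POOL = ipaddress.ip_network("10.4.4.0/24")    # remote access address pool


@dataclass
class Tunnel:
    """A LAN-to-LAN definition: the local and remote network lists."""
    name: str
    local_list: list
    remote_list: list


@dataclass
class Concentrator:
    name: str
    routes: dict = field(default_factory=dict)   # network -> where it is reached
    tunnels: list = field(default_factory=list)

    def add_lan2lan(self, tunnel):
        """Defining the remote list installs routes for it via the tunnel (step 4)."""
        self.tunnels.append(tunnel)
        for net in tunnel.remote_list:
            self.routes[net] = f"tunnel:{tunnel.name}"

    def rri_inject(self, client, net):
        """Network Extension RRI: the client's protected LAN is injected on connect."""
        self.routes[net] = f"client:{client}"

    def lookup(self, ip):
        """Longest-prefix match; None if there is no route."""
        ip = ipaddress.ip_address(ip)
        matches = [net for net in self.routes if ip in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def interesting(self, src, dst):
        """Name of the LAN-to-LAN tunnel whose lists match src->dst, or None."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for t in self.tunnels:
            if any(src in n for n in t.local_list) and any(dst in n for n in t.remote_list):
                return t.name
        return None


def build_lab(include_spokes=True, rri=True):
    """Build the central and remote concentrators; flags reproduce common mistakes."""
    # Central side: the local list must carry the spoke networks, not just its own LAN.
    central_local = [CENTRAL_LAN] + ([HW_CLIENT_LAN, CLIENT_POOL] if include_spokes else [])
    central = Concentrator("central")
    central.add_lan2lan(Tunnel("hub-spoke", central_local, [REMOTE_LAN]))
    if rri:
        central.rri_inject("vpn3002", HW_CLIENT_LAN)  # hypothetical client name
    # Remote side mirrors the lists: its remote list is the central's local list.
    remote = Concentrator("remote")
    remote.add_lan2lan(Tunnel("hub-spoke", [REMOTE_LAN], central_local))
    return central, remote


def check_spoke_path(central, remote, tunnel, src, dst):
    """Return the problems that would stop src (behind the 3002) reaching dst (remote LAN)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    problems = []
    if central.lookup(dst) != f"tunnel:{tunnel}":
        problems.append(f"central: no route to {dst} via {tunnel}")
    if central.interesting(src, dst) != tunnel:
        problems.append(f"central: {src}->{dst} is not interesting traffic for {tunnel}")
    if central.lookup(src) is None:
        problems.append(f"central: no route back to {src} (RRI not enabled or client not connected)")
    if remote.lookup(src) != f"tunnel:{tunnel}":
        problems.append(f"remote: no return route to {src} via {tunnel}")
    if remote.interesting(dst, src) != tunnel:
        problems.append(f"remote: {dst}->{src} is not interesting traffic for {tunnel}")
    return problems


if __name__ == "__main__":
    for flags in ({}, {"rri": False}, {"include_spokes": False}):
        c, r = build_lab(**flags)
        result = check_spoke_path(c, r, "hub-spoke", "10.3.3.10", "10.2.2.20")
        print(flags or "correct config", result or "OK")
```

Run as written, the model reports no problems for the correct configuration, a single missing-return-route problem when RRI is off (the central concentrator can still send to the remote LAN but cannot route replies back to the hardware client's network), and three problems when the spoke networks are left out of the network lists (the traffic is never classified as interesting on either side and the remote concentrator has no return route). On the real devices the corresponding checks are the routing table and session lists shown in the Verify section.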

VPN 3002 Hardware Client

The VPN 3002 Hardware Client is operating in network extension mode. The screen below shows the IPSec configuration of the client. For more information, see Configuring a Connection Between the VPN 3002 Hardware Client and a VPN 3000 Concentrator in Network Extension Mode.

vpn3k_lan2lan_19.gif

Verify

This section provides information you can use to confirm your configuration is working properly.

  1. Check the sessions on the central concentrator once the connections have been established.

    vpn3k_lan2lan_20.gif

  2. Check the sessions on the remote concentrator.

    vpn3k_lan2lan_21.gif

  3. Since the VPN 3002 Hardware Client is operating in network extension mode, the tunnel should be brought up immediately. Check the system status to verify the tunnel.

    vpn3k_lan2lan_22.gif

  4. Conduct further tests by initiating a ping from a host behind the VPN 3002 Hardware Client to a host behind the remote concentrator, and vice versa. Both tests should return successful results. Check the routing table to see the network behind the hardware client.

    vpn3k_lan2lan_23.gif

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Related Information
