Cisco IPsec Configuration

Question

drumichael87 0 Light Poster

11 Years Ago

Hi, I am using Cisco RV180W Small Business routers in our company with 12 locations plus 1 corporate office.

Currently, the setup looks like this:
Each of our stores' router connects with an IPsec connection to the router of the company who hosts our POS data and software (its an old AS400 system). I have the values from the company to put into the routers (FQDN, preshared key, encryption types, etc). The stores each have their own subnet (Store 1: 10.148.1.1; Store 2: 10.148.2.1; etc..), and when the IPsec tunnel is up, then we are able to use 10.0.0.9 as the Host on our terminal program to access the AS400, and it is as if we are right on their network.

The issue with this system is that now we are starting to use computers instead of just terminals, and we need to be able to share files, and remote desktop easily. I'm making it work, but its a little complicated and requires me connecting with PPTP to each store that I need to remote connect to (one at a time).

I would like to maintain this IPsec tunnel connection from each store to the POS company, but also have each store connected to each other. Each store should maintain it's own subnet just as it is now, but I want to be able to do some things like local shares from one computer designated as the file, VNC connections, and be able to do all of this just as if we were all on the same network (even though all stores are on different subnets.), from whichever store I might be at.

I'm not sure how to get this accomplished. I don't want to have to connect EVERY store to EVERY other store, is there a way to do this with just one VPN record on the router? I'm not even sure if the routers would accept 12 incoming connections or not.

Also, if it is possible to do this while connecting all 12 stores with one tunnel into the corporate office, how do I go about that setup? I have done the setup several times with the values provided by the POS company, but I don't know what the setup looks like on the receiving end of the tunnel.

Any help is appreciated! Thanks in advance!

2 Contributors
4 Replies
267 Views
1 Week Discussion Span
Latest Post 11 Years Ago Latest Post by CimmerianX

CimmerianX 197 Junior Poster

11 Years Ago

The VPNs from each store currently have 1 ACL to define the 'interesting traffic' along with a nonat for the same traffic. This sends the traffic down to the HQ. You will need to add a new ACE to the crypto_map and the NONAT for all the other stores subnets so that traffic gets swept up also.

I would say to use HQ as a hub between stores, otherwise you are managing 12 tunnels per 12 stores = 144 new IPSEC tunnels.

MAke the new nonat encompas 10.148.0.0 255.255.0.0 and the Crypto_map should have the same. Now any traffic destined for a remote store will match the tunnel's ACL and get encrypted over the tunnel.

From the HQ, you need to add nonats and crypto's to match the new entries from each location. (Remember that the cryptos must match exactly for the tunnels to build properly). You also need to add nonat's from each store subnet to each other store subnet. It will be a big list but it is needed.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

drumichael87 0 Light Poster · Answer 1 · 2013-06-13T14:04:24+00:00

I thought this was simple for someone who knows more than me! I guess I thought wrong! LOL

drumichael87 0 Light Poster · Answer 2 · 2013-06-18T14:59:37+00:00

I appreciate your response, however I do not understand what NONAT, ACE, crypto_map mean. I thought it would be just punching in settings on the VPN routers.

CimmerianX 197 Junior Poster · Answer 3 · 2013-06-18T16:00:32+00:00

That's what you are doing. Defining the subnets to encrypt on each device. If you setup Cisco Ipsec before, then you should be able to identify these items.