One of the challenges faced by some network administrators is how to manage an established Cisco vpn tunnel, given that most of the times, the vpn setups are not configured by these administrators. Administering an already installed vpn server will include adding new networks to the ipsec proposals. Unfortunately, this is where some network administrators find it difficult as a result of little or no knowledge of the workings of ipsec vpn. In this piece, I will share on how to add a new network to an established Cisco ipsec vpn tunnel.
To understand the need for this post and the configurations that will be entered, you are to read my previous post on how to successfully configure Cisco IPsec vpn in 5 minutes. Please, find here. This post was borne out of the questions I received from readers of that post.
From my post on Cisco ipsec vpn, we have a site to site connection between two locations:
Recently, the company has added a new network, 192.168.30.0/24 to R1 and have requested that it should be reachable via the established ipsec vpn. To achieve this requirement, one needs to understand that unlike GRE/IPIP tunnels, ipsec does not make use of the conventional static route in its implementation of routing across the networks that connect through the vpn tunnel. Instead, it uses of extended access-list to determine which network should be reached through the vpn connection. Therefore, identifying the access-list used in ipsec vpn is the first step to implementing reachability to a new network attached to a vpn gateway.
Looking at the running configurations on R1 and R3 in my initial post on ipsec, you will notice the presence of an access-list named VPN on both routers. These ACLs permit inter-network communication between the two networks attached to R1 and R3 through the vpn tunnel. Since a new network has been added to R1, we will need to add a second line of statement to the access-lists in order to grant the new network vpn access.
On R1, we need to edit the ACL by adding the new network (192.168.30.0/24). See below:
R1(config)#ip access-list extended VPN
R1(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
R1(config-ext-nacl)#permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
We also edit the ACL on R3 but in a slightly different way. See below:
R3(config)#ip access-list extended VPN
R3(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
R3(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
That is all you need to make the new network reachable through the already established ipsec vpn connection.