Categories: Cisco

How to add a new network to an already configured Cisco IPsec VPN tunnel

One of the challenges some network administrators face is managing an established Cisco VPN tunnel, given that most of the time the VPN was not set up by the administrator who now runs it. Administering an already installed VPN server includes adding new networks to the IPsec proposals. Unfortunately, this is where some network administrators struggle, because they have little or no knowledge of how IPsec VPN works. In this piece, I will show how to add a new network to an established Cisco IPsec VPN tunnel.

Image showing connected sites

To understand the need for this post and the configurations that will be entered, you should read my previous post on how to successfully configure a Cisco IPsec VPN in 5 minutes; you can find it here. This post was borne out of the questions I received from readers of that post.

Objective:

From my post on Cisco ipsec vpn, we have a site to site connection between two locations:
R1: 192.168.10.0/24
R2: 192.168.20.0/24
Recently, the company has added a new network, 192.168.30.0/24, to R1 and has requested that it be reachable via the established IPsec VPN. To achieve this, one needs to understand that, unlike GRE/IPIP tunnels, IPsec does not rely on conventional static routes to decide which traffic crosses the VPN tunnel. Instead, it uses an extended access-list (the crypto ACL) to determine which networks should be reached through the VPN connection. Therefore, identifying the access-list used by the IPsec VPN is the first step to making a new network attached to a VPN gateway reachable.
Looking at the running configurations on R1 and R3 in my initial post on IPsec, you will notice an access-list named VPN on both routers. These ACLs permit inter-network communication between the two networks attached to R1 and R3 through the VPN tunnel. Since a new network has been added to R1, we need to add a second permit statement to the access-list on each router in order to grant the new network VPN access.
R1
On R1, we need to edit the ACL by adding the new network (192.168.30.0/24). See below:
R1(config)#ip access-list extended VPN
R1(config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
R1(config-ext-nacl)#permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
R1(config-ext-nacl)#exit
R1(config)#
R3
We also edit the ACL on R3, but with the source and destination reversed: the crypto ACL on each peer must be the mirror image of the other's, so R3 lists its own network as the source and the new R1 network as the destination. See below:
R3(config)#ip access-list extended VPN
R3(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
R3(config-ext-nacl)#permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
R3(config-ext-nacl)#exit
R3(config)#
That is all you need to make the new network reachable through the already established ipsec vpn connection.
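The procedure above boils down to two rules: add one permit line per new local/remote network pair, and keep the peer's crypto ACL as the exact mirror image. Below is an added Python example (not code from the original post or from Cisco) that parses the `permit ip` lines of two crypto ACLs as you would copy them from `show running-config`, reports any entries that are not mirrored on the other side, and generates the config lines needed to add a new local network on both routers. The ACL text used as input is constructed to match the R1 and R3 configurations on this page; the function and variable names are the example's own.

```python
"""Mirror-check two Cisco crypto ACLs and generate lines for a new network.

Added example, not the post's own code. It only understands the simple
"permit ip <net> <wildcard> <net> <wildcard>" form used by the post; other
ACE forms are ignored rather than guessed at.
"""
import re
from ipaddress import IPv4Address, IPv4Network

PERMIT_RE = re.compile(r"^\s*permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def to_network(addr, wildcard):
    """Convert a Cisco address/wildcard pair into an IPv4Network.

    A wildcard mask is the bitwise inverse of a subnet mask (0.0.0.255 -> /24).
    Non-contiguous wildcards or host bits set in the address raise a ValueError,
    which is what we want: such entries cannot form a clean proxy identity.
    """
    netmask = IPv4Address(int(IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return IPv4Network((addr, str(netmask)), strict=True)


def parse_acl(text):
    """Return a list of (source_net, destination_net) tuples from ACL text."""
    entries = []
    for line in text.splitlines():
        match = PERMIT_RE.match(line)
        if match:
            src, src_wc, dst, dst_wc = match.groups()
            entries.append((to_network(src, src_wc), to_network(dst, dst_wc)))
    return entries


def mirror_gaps(local_entries, remote_entries):
    """Return (missing_on_remote, missing_on_local).

    Every local (src, dst) pair must appear on the peer as (dst, src);
    anything else is a proxy-identity mismatch that will stall phase 2.
    """
    local_set, remote_set = set(local_entries), set(remote_entries)
    expected_remote = {(dst, src) for src, dst in local_set}
    expected_local = {(dst, src) for src, dst in remote_set}
    missing_on_remote = sorted(expected_remote - remote_set, key=str)
    missing_on_local = sorted(expected_local - local_set, key=str)
    return missing_on_remote, missing_on_local


def entry_line(src, dst):
    """Render a (src, dst) pair back into Cisco address/wildcard syntax."""
    return (f"permit ip {src.network_address} {src.hostmask} "
            f"{dst.network_address} {dst.hostmask}")


def new_network_lines(acl_name, new_local_net, remote_nets):
    """Config lines for the local router and the mirrored lines for the peer."""
    local = [f"ip access-list extended {acl_name}"]
    peer = [f"ip access-list extended {acl_name}"]
    for remote in remote_nets:
        local.append(entry_line(new_local_net, remote))
        peer.append(entry_line(remote, new_local_net))
    return local, peer


# Constructed sample input: R1 already has the new line, R3 does not yet.
R1_ACL = """\
ip access-list extended VPN
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
R3_ACL_BEFORE = """\
ip access-list extended VPN
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
"""


def check_example():
    """Run the mirror check on the sample ACLs; returns the lines R3 still needs."""
    missing_on_r3, missing_on_r1 = mirror_gaps(parse_acl(R1_ACL), parse_acl(R3_ACL_BEFORE))
    return ([entry_line(s, d) for s, d in missing_on_r3],
            [entry_line(s, d) for s, d in missing_on_r1])


if __name__ == "__main__":
    r3_needs, r1_needs = check_example()
    print("R3 is missing:", r3_needs)
    print("R1 is missing:", r1_needs)
    local, peer = new_network_lines("VPN", IPv4Network("192.168.30.0/24"),
                                    [IPv4Network("192.168.20.0/24")])
    print("\n".join(local))
    print("\n".join(peer))
```

Running the script against the sample input reports that R3 lacks `permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255`, which is exactly the line the post adds on R3. After applying the lines on both routers, traffic from the new network triggers negotiation of an additional IPsec SA for that network pair; `show crypto ipsec sa` on either router should then list the new local and remote identities alongside the original pair.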

Timigate