Configuration Steps
LAN-to-LAN tunnel configuration involves configuring two tunnel endpoints (two concentrators, for example) as peers of each other. This section explains the configuration required on one of the VPN Concentrators for a LAN-to-LAN tunnel. The same configuration with minor changes can be implemented on the other Concentrator. Work through the following steps to configure one of the VPN 3000 Concentrators for a LAN-to-LAN tunnel:
Step 1. Go to Configuration > Interfaces and configure the IP addresses on both public and private interfaces. Also, be sure that a filter is applied for each interface. It is recommended to select the default filter for the respective interface (for example, apply the Private (Default) filter on the Private interface).
Step 2. Browse to page Configuration > System > IP Routing > Default Gateways to set up a Default Gateway for the Concentrator and a Tunnel Default Gateway for the decrypted tunneled traffic.
Step 3. To define a more specific route for the private network on both sides of the tunnel, go to Configuration > System > IP Routing > Static Routes to define the routes.
Step 4. To define Network Lists for the interesting traffic that will go through the tunnel, go to Configuration > Policy Management > Traffic Management > Network Lists, and either Add or Modify the Network List for both the local side and the remote side. Remember that these network lists should be mirror images of each other on the two Concentrators.
Step 5. If a certificate is used for IKE authentication, you need to install a certificate by going to Administration > Certificate Management (see the section in this chapter entitled "Digital Certificate Issues" for more details). If a pre-shared key is used, ignore this step.
Step 6. If you want to configure an IKE proposal (and do not want to use the default ones), you can go to Configuration > Tunneling and Security > IPsec > IKE Proposals, and Add or Modify the IKE proposal. Be sure that the IKE proposal is under Active Proposals.
Step 7. To define custom IPsec Security Associations (IPsec SAs), go to Configuration > Policy Management > Traffic Management > Security Associations. Then either Add or Modify the IPsec SAs.
Step 8. Go to Configuration > Tunneling and Security > IPsec > LAN-to-LAN to add or modify a LAN-to-LAN connection. Use the parameters defined in Steps 4-7 to complete the LAN-to-LAN tunnel connection configuration.
For more details on configuring the VPN 3000 Concentrator, refer to the following link:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_configuration_examples_list.html
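The mirror-image requirement from Step 4 can be checked offline before the tunnel is brought up. The following Python sketch is an added example, not part of the original text or of any Cisco tooling: it assumes each side's Network Lists have been copied out by hand as address/wildcard-mask entries, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

def parse_entry(entry):
    """Turn 'address/wildcard' (e.g. 10.10.0.0/0.0.255.255) into an IPv4Network."""
    addr_s, sep, wild_s = entry.strip().partition("/")
    if not sep:
        raise ValueError(f"missing wildcard mask: {entry!r}")
    addr = int(ipaddress.IPv4Address(addr_s))
    wild = int(ipaddress.IPv4Address(wild_s))
    if wild & (wild + 1):          # wildcard must be a contiguous run of low 1-bits
        raise ValueError(f"non-contiguous wildcard mask: {entry!r}")
    if addr & wild:                # address bits under the wildcard must be zero
        raise ValueError(f"host bits set in network address: {entry!r}")
    return ipaddress.IPv4Network((addr, 32 - wild.bit_length()))

def normalize(entries):
    """Collapse a list so equivalent lists compare equal (two /24s == one /23)."""
    return set(ipaddress.collapse_addresses(parse_entry(e) for e in entries))

def mirror_mismatches(peer_a, peer_b):
    """Compare A.local with B.remote and A.remote with B.local.

    Each peer is {'local': [...], 'remote': [...]}. Returns a list of
    (check, only_on_a, only_on_b) tuples; an empty list means the lists mirror.
    """
    problems = []
    for a_key, b_key in (("local", "remote"), ("remote", "local")):
        a, b = normalize(peer_a[a_key]), normalize(peer_b[b_key])
        if a != b:
            problems.append((f"A.{a_key} vs B.{b_key}",
                             [str(n) for n in sorted(a - b)],
                             [str(n) for n in sorted(b - a)]))
    return problems

# Constructed sample data: site A, a correct site B, and a site B whose
# remote list is narrower than site A's local list.
SITE_A = {"local": ["10.10.0.0/0.0.0.255", "10.10.1.0/0.0.0.255"],
          "remote": ["192.168.20.0/0.0.0.255"]}
SITE_B_OK = {"local": ["192.168.20.0/0.0.0.255"],
             "remote": ["10.10.0.0/0.0.1.255"]}
SITE_B_BAD = {"local": ["192.168.20.0/0.0.0.255"],
              "remote": ["10.10.1.0/0.0.0.255"]}

if __name__ == "__main__":
    for name, peer in (("SITE_B_OK", SITE_B_OK), ("SITE_B_BAD", SITE_B_BAD)):
        print(name, mirror_mismatches(SITE_A, peer) or "lists are mirror images")
```

Entries that appear only on one side identify the traffic that one Concentrator treats as interesting and its peer does not.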
Troubleshooting Steps
The problem areas of a LAN-to-LAN tunnel can be classified as follows:
Tunnel not established
Tunnel established but unable to send traffic
Interoperability issues with other vendors
The sections that follow present detailed discussions of these topics.