I facing issue while understanding route based vpn with cisco device. I tried to lab the scenario but its not working. the topology is as follows.
R1--> Checkpoint firewall --> R2
R1 loopback - 184.108.40.206/32
R2 loopback - 220.127.116.11/32
the objective is to ping 18.104.22.168 to 22.214.171.124 and traffic should go through tunnel.
So i am creating route based vpn between checkpoint and r2. The steps that i performed on checkpoint firewall:
1. created a tunnel interface
remote peer: 192.168.229.10
local address 126.96.36.199
remote address 188.8.131.52
2. add route for 184.108.40.206
220.127.116.11 ----> vpn tunnel int (next HOP)
3. on checkpoint gateway in VPN domain call 18.104.22.168. is it necessary to mention VPN domain in route based VPN or we can select or subnets behind gateway option.
4. add inter-operable device - R2.
5. in VPN community used mesh --> added gateway and router, configured phase 1 and phase 2 parameters and added shared secret key.
now on Cisco router i configured following.
R1(config)#crypto isakmp policy 1
R1(config-isakmp)#crypto isakmp key admin@123 address 192.168.229.11
R1(config)#crypto ipsec transform-set MY_TRANSFORM_SET esp-3des esp-sha256-hmac
R1(config)#crypto ipsec profile IPSEC_PROFILE
R1(ipsec-profile)#set transform-set MY_TRANSFORM_SET
R1(config)#interface Tunnel 0
R1(config-if)#ip address 22.214.171.124 255.255.255.0
R1(config-if)#tunnel source 192.168.229.10
R1(config-if)#tunnel destination 192.168.229.11
R1(config-if)#tunnel protection ipsec profile IPSEC_PROFILE
R1(config)#ip route 126.96.36.199 255.255.255.255 Tunnel0
do we need to mention proxy-acl on cisco router as well.
As i understand it is not necessary and routing decision will be taken in account instead of policy.
Correct me if i am wrong somewhere. I am still a learner.