Channel: Comments on: Lan-to-Lan IPSEC VPN Between Cisco Routers – Configuration Example

By: Blog Admin


Yeah, using the VTI with IPSEC is a good option as well (VTIs are very flexible also)….good luck

Harris


By: Steve


OK Blog Admin, thanks very much for the time and support.

I figured out what the problem was. When configured as it should be, with the correct ACL for the crypto map, the VPN stayed down until I generated traffic from the source behind the VPN router. In my case the VPN came up without errors when I generated traffic from 172.16.10.2. So all along the reason my VPN stayed down was that there was no traffic.

Thanks again,

Steve

By: Aline


I would like to know if someone has already configured a VPN with two balanced links. How can I configure it if the interfaces are FastEthernet? I can't configure multilink, so I'll have two IP addresses, and I need one IP address to configure the VPN peer.

By: Dave


There should not be any problem configuring the VPN if the two interfaces are FastEthernet.

By: Kunal


I have followed this guide as well as several others and set up both my routers according to them, but for some reason I cannot see any connection when I do show crypto isakmp sa. I have tried sending traffic from PCs connected to the LAN interfaces but nothing ever comes up. I have the map set on the correct interface and do get the message that ISAKMP is on, but neither side shows anything.

By: Kunal


This is the config for the above mentioned question:

version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router_A
!
boot-start-marker
boot-end-marker
!
memory-size iomem 10
no aaa new-model
ip subnet-zero
ip cef
!
ip dhcp pool LANClients
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
!
ip audit po max-events 100
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key cisco123 address aaa.bbb.ccc.ddd
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer aaa.bbb.ccc.ddd
set transform-set aes-sha-transform
match address acl_vpn
!
interface Ethernet0/0
description connected to Internet
ip address ddd.ccc.bbb.aaa 255.255.255.224
ip nat outside
half-duplex
crypto map aesmap
!
interface Ethernet0/1
description connected to EthernetLAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
half-duplex
!
router rip
version 2
passive-interface Ethernet0/0
network 192.168.2.0
no auto-summary
!
ip nat pool POOL1 ddd.ccc.bbb.aaa ddd.ccc.bbb.aaa prefix-length 30
ip nat inside source list 1 interface Ethernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
ip access-list extended acl_nat
deny ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.141.0.0 0.0.255.255

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router_B
!
boot-start-marker
boot-end-marker
!
memory-size iomem 10
no aaa new-model
ip subnet-zero
ip cef
!
ip dhcp excluded-address 10.141.185.1 10.141.185.99
ip dhcp excluded-address 10.141.185.150 10.141.185.255
!
ip dhcp pool Clients
network 10.141.185.0 255.255.255.0
default-router 10.141.185.1
!
ip audit po max-events 100
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
crypto isakmp key cisco123 address ddd.ccc.bbb.aaa
!
crypto ipsec transform-set aes-sha-transform esp-aes 256 esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
set peer ddd.ccc.bbb.aaa
set transform-set aes-sha-transform
match address acl_vpn
!
interface Ethernet0/0
description connected to Internet
ip address aaa.bbb.ccc.ddd 255.255.255.192
ip nat outside
half-duplex
crypto map aesmap
!
interface Ethernet0/1
description connected to EthernetLAN
ip address 10.141.185.1 255.255.255.0
ip nat inside
half-duplex
!
ip nat pool POOL1 aaa.bbb.ccc.ddd aaa.bbb.ccc.ddd prefix-length 30
ip nat inside source list 1 interface Ethernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
!
ip access-list extended acl_nat
deny ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 10.141.185.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 1 permit 10.141.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
!

By: Blog Admin


My friend, you have not followed exactly the configuration as shown in my post. You must exclude the VPN traffic from NAT.

ip nat inside source list acl_nat interface Ethernet0/0 overload

By: Kunal


Admin,

Thanks for the quick reply.

I would like to say I am brand new to Cisco IOS so please forgive my stupidity (past or future).

I added the entry on both routers and still have no activity.
The command show crypto isakmp sa still shows blank. I've tried sending ping packets to initiate traffic but no luck. Is there anything else I have to do on the routers themselves?


By: SamAwatif


Man, many, many thanks. I was confused as to how to go about allowing the IPsec tunnel while using NAT, since IPsec traffic can't be NATed. I've read other blogs but couldn't get my head around it 🙁 but your description & config made it a breeze.. GOD BLESS 🙂

By: Gagan


I'm very new to Cisco. Can you help me with this? I have to configure a site-to-site VPN with 2 Cisco routers. Router A uses an ADSL internet connection (dynamic IP address; the ADSL modem's LAN port is connected to fe0 in bridge mode). Router A's internal subnet 172.16.1.0/24 is connected on fe1. Router B uses a broadband (RJ45) internet connection (dynamic IP address) connected on fe0. Router B's internal subnet 192.168.1.0/24 is connected on fe1. Both routers have NAT overload enabled.
Thanks

By: Tim


Hi, I followed the instructions. Once I got UP-Idle, but once I cleared the session the status went from negotiating to DOWN and I keep getting: No peer struct to get peer description

can you please shed some light?

By: Blog Admin


Tim,
This might have to do with your VPN ACL which is applied in the crypto map. The two VPN ACLs on the two sites must be exact mirrors of each other.

Post the config here to take a look.

Harris
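The two checks that the replies above hinge on, the admin's point that the crypto-map traffic must be excluded from NAT overload and Harris's point that the two sites' crypto ACLs must mirror each other, as an added Python example that is not part of the original post or the blog's own configuration. It parses only the NAT and access-list lines of the two configs Kunal posted (constructed here from that text, keeping the poster's aaa.bbb.ccc.ddd placeholders) and reports both problems under IOS first-match semantics; the names `parse_config`, `nat_problems` and `audit` are this example's own, and it handles only the `ip` protocol and the `any` / `host` / wildcard address forms that appear in the thread.

```python
"""Audit two pitfalls from this thread: VPN traffic not excluded from NAT
overload, and crypto ACLs on the two sites that are not mirror images."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]        # (action, source, destination)
ANY = Net("0.0.0.0/0")

# Constructed input: the NAT and ACL lines of the two configs posted above,
# left unindented exactly as posted. aaa.bbb.ccc.ddd is the poster's placeholder.
ROUTER_A = """
crypto map aesmap 10 ipsec-isakmp
match address acl_vpn
ip nat inside source list 1 interface Ethernet0/0 overload
ip access-list extended acl_nat
deny ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 192.168.2.0 0.0.0.255 10.141.185.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 10.141.0.0 0.0.255.255
"""
ROUTER_B = """
crypto map aesmap 10 ipsec-isakmp
match address acl_vpn
ip nat inside source list 1 interface Ethernet0/0 overload
ip access-list extended acl_nat
deny ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 10.141.185.0 0.0.0.255 any
ip access-list extended acl_vpn
permit ip 10.141.185.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 1 permit 10.141.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.255.255
"""
# The admin's fix: point NAT overload at the ACL whose deny entry covers the VPN flows.
ROUTER_A_FIXED = ROUTER_A.replace("source list 1", "source list acl_nat")
ROUTER_B_FIXED = ROUTER_B.replace("source list 1", "source list acl_nat")


def _addr(tok: List[str], i: int) -> Tuple[Net, int]:
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return Net(tok[i + 1]), i + 2
    return Net((tok[i], tok[i + 1]), strict=False), i + 2   # ipaddress accepts a hostmask


def _entry(tok: List[str], standard: bool) -> Entry:
    if standard:                                 # numbered standard ACL: source only
        return tok[0], _addr(tok, 1)[0], ANY
    src, i = _addr(tok, 2)                       # extended: action proto src dst
    return tok[0], src, _addr(tok, i)[0]


def parse_config(text: str) -> dict:
    """Return {'acls': {name: [Entry]}, 'nat_acl': name, 'crypto_acls': [name]}."""
    acls, crypto_acls, nat_acl, current = {}, [], None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            current = None
        elif tok[:3] == ["ip", "access-list", "extended"]:
            current = tok[3]                     # entering a named ACL body
            acls.setdefault(current, [])
        elif tok[0] == "access-list":
            current = None
            acls.setdefault(tok[1], []).append(_entry(tok[2:], True))
        elif current and tok[0] in ("permit", "deny"):
            acls[current].append(_entry(tok, False))
        elif current and tok[0] == "remark":
            pass
        else:
            current = None                       # any other command ends the ACL body
            if tok[:5] == ["ip", "nat", "inside", "source", "list"]:
                nat_acl = tok[5]
            elif tok[:2] == ["match", "address"]:
                crypto_acls.append(tok[2])
    return {"acls": acls, "nat_acl": nat_acl, "crypto_acls": crypto_acls}


def nat_problems(cfg: dict) -> List[str]:
    """Crypto-ACL permits that the NAT ACL would translate (first matching entry decides)."""
    out: List[str] = []
    nat = cfg["acls"].get(cfg["nat_acl"], [])
    for name in cfg["crypto_acls"]:
        for action, src, dst in cfg["acls"].get(name, []):
            if action != "permit":
                continue
            hit: Optional[Entry] = next((e for e in nat if e[1].overlaps(src) and e[2].overlaps(dst)), None)
            # No entry matches: the implicit deny means no translation, which is what we want.
            if hit and not (hit[0] == "deny" and hit[1].supernet_of(src) and hit[2].supernet_of(dst)):
                out.append(f"{name} {src} -> {dst} is NATed by '{cfg['nat_acl']}': {hit[0]} {hit[1]} {hit[2]}")
    return out


def crypto_flows(cfg: dict) -> set:
    return {(s, d) for n in cfg["crypto_acls"] for a, s, d in cfg["acls"].get(n, []) if a == "permit"}


def audit(text_a: str, text_b: str) -> dict:
    a, b = parse_config(text_a), parse_config(text_b)
    return {
        "a_nat": nat_problems(a),
        "b_nat": nat_problems(b),
        "mirror": crypto_flows(a) == {(d, s) for s, d in crypto_flows(b)},   # Harris's check
    }


if __name__ == "__main__":
    for label, pair in (("as posted", (ROUTER_A, ROUTER_B)), ("fixed", (ROUTER_A_FIXED, ROUTER_B_FIXED))):
        print(label, audit(*pair))
```

Run as posted, the audit flags one NAT problem per router (access-list 1 permits 192.168.0.0/16 and 10.141.0.0/16 to anywhere, so the overload statement translates the LAN-to-LAN flow before the crypto map can match it) while the mirror check passes; with the NAT statement pointed at acl_nat both lists come back empty. A crypto ACL that is wider on one side than the other, the situation Harris describes, makes the mirror check fail.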

By: Tim


Hi Harris,

Thanks for the quick reply; even Cisco TAC wouldn't have responded so fast 🙂
I'm sure your way works well, but after going back and forth all day, I chose a different path, and it does not require a NAT/ACL..

Created a tunnel interface and defined a static route using tunnel0 int.

I'll try your method on my other two routers in my LAB, so I can get both methods working for my own knowledge..

based on this Cisco doc.
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_ipsec_virt_tunnl.html#wp1110852


By: J B


!-- add another site to ROUTER-A (assumes you use the same interface w/ multiple VPNs)
!-- this additional site (ROUTER-C) has WAN IP 300.0.0.1, LAN IP 192.168.3.0/24
!-- (note: you can use a new key if you wish)
crypto isakmp key testkey1234 address 300.0.0.1

!-- add to the crypto map
set peer 300.0.0.1

!-- add to acl_nat
deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

!-- add to acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

!-- ROUTER-C config nearly identical to ROUTER-B
!-- change the IP addresses on the WAN and LAN interfaces
!-- WAN IP 300.0.0.1, LAN IP 192.168.3.0/24
!-- change the deny and permit statements for acl_nat and acl_vpn
!-- instead of 192.168.2.0 use 192.168.3.0
!-- if you did change the pre-shared key on Router-A,
!-- you'll need to ensure it's the same on Router-C, see below:
!-- crypto isakmp key testkey1234 address 100.0.0.1
