09-09-2007 05:05 AM - edited 02-21-2020 03:15 PM
This is my network:
HTTP SERVER -10.10.X.X:8080
|
|
GATEWAY-FIREWALL-1811
|
192.168.251.X
|
1811-ROUTER1
X.X.X.X/ TUNNEL 192.168.200.1/30
|
GRE+IPSEC
|
Y.Y.Y.Y/TUNNEL 192.168.200.2/30
1711-ROUTER2
|
|
192.168.190.X/24
GATEWAY-FIREWALL-1811 config:
version 12.4
!
interface FastEthernet0
ip address 10.10.X.X 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 192.168.251.1 255.255.255.0
ip access-group WEBSERVER in
ip virtual-reassembly
duplex auto
speed auto
!
!
ip route 192.168.190.0 255.255.255.0 192.168.251.2
ip route 192.168.200.0 255.255.255.252 192.168.251.2
ip route X.X.X.X 255.255.255.252 192.168.251.2
!
!
ip access-list extended WEBSERVER
permit tcp any host 10.10.X.X eq 8080
permit icmp any any
permit tcp any any eq 22
permit tcp any eq 22 any
deny ip any any
1811-ROUTER1 config:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
!
crypto isakmp policy 10
encr 3des
hash md5
group 2
crypto isakmp identity dn
!
!
crypto ipsec transform-set PROBA esp-3des esp-md5-hmac
mode transport
!
crypto map VPN-TUNNEL 10 ipsec-isakmp
set peer Y.Y.Y.Y
set transform-set PROBA
match address 140
!
!
interface Tunnel1
ip address 192.168.200.1 255.255.255.252
ip mtu 1420
ip virtual-reassembly
ip tcp adjust-mss 1436
tunnel source FastEthernet1
tunnel destination Y.Y.Y.Y
crypto map VPN-TUNNEL
!
interface FastEthernet0
ip address 192.168.251.2 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address X.X.X.X 255.255.255.252
ip access-group FROM_INTERNET in
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN-TUNNEL
!
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 10.30.X.X 255.255.255.0 192.168.251.1
ip route 192.168.190.0 255.255.255.0 Tunnel1
!
!
ip access-list extended FROM_INTERNET
permit icmp any any
permit gre host Y.Y.Y.Y host X.X.X.X
permit esp host Y.Y.Y.Y host X.X.X.X
permit udp host Y.Y.Y.Y eq isakmp host X.X.X.X
deny ip any any
!
access-list 140 permit gre host X.X.X.X host Y.Y.Y.Y
access-list 140 permit ip 10.30.X.X 0.0.0.255 192.168.190.0 0.0.0.255
no cdp run
!
1711-ROUTER2 config:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname OFFICE
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.190.1
!
ip dhcp pool sdm-pool
import all
network 192.168.190.0 255.255.255.0
default-router 192.168.190.1
lease 0 2
!
!
ip cef
crypto isakmp policy 10
encr 3des
hash md5
group 2
crypto isakmp identity dn
!
!
crypto ipsec transform-set PROBA esp-3des esp-md5-hmac
mode transport
!
crypto map VPN-TUNNEL 10 ipsec-isakmp
set peer X.X.X.X
set transform-set PROBA
match address 140
!
!
!
interface Tunnel1
ip address 192.168.200.2 255.255.255.252
ip mtu 1420
ip tcp adjust-mss 1436
tunnel source FastEthernet0
tunnel destination X.X.X.X
crypto map VPN-TUNNEL
!
interface FastEthernet0
ip address Y.Y.Y.Y 255.255.255.0
ip access-group 130 in
duplex auto
speed auto
no cdp enable
crypto map VPN-TUNNEL
!
interface Vlan1
description $OFFICE-LAN$
ip address 192.168.190.1 255.255.255.0
ip tcp adjust-mss 1452
!
!
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.Y
ip route 10.30.X.X 255.255.255.0 Tunnel1
ip route 192.168.251.0 255.255.255.0 Tunnel1
!
!
!
access-list 130 permit gre host X.X.X.X host Y.Y.Y.Y
access-list 130 permit esp host X.X.X.X host Y.Y.Y.Y
access-list 130 permit udp host X.X.X.X eq isakmp host Y.Y.Y.Y
access-list 140 permit gre host Y.Y.Y.Y host X.X.X.X
access-list 140 permit ip 192.168.190.0 0.0.0.255 10.30.X.X 0.0.0.255
no cdp run
!
I would like to encrypt all traffic between net 10.30.X.X and 192.168.190.0. Is this possible with access-list 140 in this example or not?
If the answer is no, help me configure the routers to encrypt all traffic between 10.30.X.X and 192.168.190.0.
09-09-2007 01:07 PM
In your case it would be better to use a tunnel with tunnel protection.
PS
ip mtu 1420
ip tcp adjust-mss 1436
If you have "ip mtu 1420" bytes then "ip tcp adjust-mss" MUST be 40 bytes lower,
so "ip tcp adjust-mss 1380".
09-10-2007 02:22 AM
Can I use all of these commands on the same router "1811-ROUTER1":
crypto ipsec profile vpn
set transform-set PROBA
on interface tunnel1
tunnel protection ipsec profile vpn
crypto map VPN-TUNNEL 10 ipsec-isakmp
set peer X.X.X.X
set transform-set PROBA
match address 140
on interface FastEthernet1
crypto map VPN-TUNNEL
and
access-list 140 permit gre host Y.Y.Y.Y host X.X.X.X
access-list 140 permit ip 192.168.190.0 0.0.0.255 10.30.X.X 0.0.0.255
Is it necessary to use "crypto isakmp profile"?
Thanks in advance.
Please post any example or any link.
09-10-2007 02:44 AM
It should be something like this:
!
crypto isakmp policy 10
encr 3des
hash md5
group 2
no crypto isakmp identity dn
!
!
crypto ipsec transform-set PROBA esp-3des esp-md5-hmac
mode transport
!
no crypto map VPN-TUNNEL 10 ipsec-isakmp
crypto ipsec profile vpn
set transform-set PROBA
!
!
interface Tunnel1
ip address 192.168.200.1 255.255.255.252
ip mtu 1420
ip virtual-reassembly
ip tcp adjust-mss 1380
tunnel source FastEthernet1
tunnel destination Y.Y.Y.Y
no crypto map VPN-TUNNEL
tunnel protection ipsec profile vpn
!
interface FastEthernet0
ip address 192.168.251.2 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address X.X.X.X 255.255.255.252
ip access-group FROM_INTERNET in
ip virtual-reassembly
duplex auto
speed auto
no crypto map VPN-TUNNEL
!
!
ip access-list extended FROM_INTERNET
permit icmp any any
permit gre host Y.Y.Y.Y host X.X.X.X
permit esp host Y.Y.Y.Y host X.X.X.X
permit udp host Y.Y.Y.Y host X.X.X.X eq 500
permit udp host Y.Y.Y.Y host X.X.X.X eq 4500
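The answer above rewrites only the 1811-ROUTER1 side. As an added example that is not part of the thread, here is the matching change on 1711-ROUTER2, built from the configuration posted in the question with the same edits applied: an IPsec profile replaces the crypto map, the crypto map comes off both Tunnel1 and FastEthernet0 before the map set itself is deleted, ACL 140 is dropped, the tunnel MSS follows the "ip mtu minus 40" rule, and inbound ACL 130 gains UDP 4500 for NAT-T. Neither posted configuration shows ISAKMP authentication (no pre-shared key or PKI trustpoint), so none is added here; whatever the routers already use stays in place. Once both ends run tunnel protection the crypto ACL is no longer consulted at all: every packet the static routes send into Tunnel1, which is exactly the 10.30.X.X to 192.168.190.0 traffic asked about, is GRE-encapsulated and then encrypted as ESP between X.X.X.X and Y.Y.Y.Y. The 3DES/MD5/group 2 parameters are kept only because both peers must match; on a current IOS release AES, SHA-2 and a DH group of 14 or higher would be chosen instead.

```cisco
! 1711-ROUTER2 (hostname OFFICE), converted to tunnel protection.
! Addresses are the thread's own placeholders:
! X.X.X.X = 1811-ROUTER1 WAN, Y.Y.Y.Y = 1711-ROUTER2 WAN.
!
! Phase 1 / phase 2 parameters are unchanged so they still match the peer.
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
!
! Authentication (crypto isakmp key ... or a trustpoint) is not shown in the
! thread and is assumed to already exist; ISAKMP will not complete without it.
!
crypto ipsec transform-set PROBA esp-3des esp-md5-hmac
 mode transport
!
! The profile has no "set peer" and no "match address": the peer is the
! tunnel destination, and the interesting traffic is every GRE packet Tunnel1 emits.
crypto ipsec profile vpn
 set transform-set PROBA
!
! Unbind the crypto map from both interfaces first, then delete the map set
! and the crypto ACL it referenced; neither is used with tunnel protection.
interface Tunnel1
 no crypto map VPN-TUNNEL
 ip mtu 1420
 ip tcp adjust-mss 1380
 tunnel source FastEthernet0
 tunnel destination X.X.X.X
 tunnel protection ipsec profile vpn
!
interface FastEthernet0
 no crypto map VPN-TUNNEL
!
no crypto map VPN-TUNNEL
no access-list 140
!
! ACL 130 already permits GRE, ESP and UDP 500 from X.X.X.X; a numbered ACL
! appends new lines at the end, so add NAT-T without rebuilding the list
! (removing and re-adding a numbered ACL that is bound to an interface leaves
! the interface open until the list exists again).
access-list 130 permit udp host X.X.X.X host Y.Y.Y.Y eq 4500
!
! Verification, run on either router after the change:
!   show crypto isakmp sa      -> one SA with the peer in state QM_IDLE
!   show crypto session        -> Tunnel1 session UP-ACTIVE, proxy ident host/host protocol 47 (GRE)
!   show crypto ipsec sa       -> #pkts encaps / #pkts decaps increase while LAN traffic flows
!   ping 10.30.X.X source Vlan1 (from OFFICE)   -> replies, and the counters above move
```

Apply the change on both ends in one window: while one side still runs the crypto map and the other already runs tunnel protection, the crypto ACL side will build its SA against the GRE proxy and the two may interoperate, but the crypto ACL side will also keep trying to negotiate the second, LAN-to-LAN ACL line that the profile side never offers. Converting both routers in the same change removes that ambiguity.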