Setting up VPN using 1861 behind an Actiontec Router

Unanswered Question
Feb 8th, 2008
User Badges:

I need to setup a vpn between our main office and a remote user using his verizon fios internet connection,

he uses this service for both data and TV. Verizon provided him an actiontech MI-424-WR router.


* Can I setup gre/ipsec tunnel behind the actiontec router using a Cisco a 1861 router?


* Will there be any configuration changes done on the actiontec router?


* any caveat?


The router in the main office will have a static external IP.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Richard Burts Fri, 02/08/2008 - 10:32
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Gerardo


A customer that I work with has set up lots of VPN connections to remote sites where the remote site is behind a cable network connection including actiontech routers. We are using the 1841 router but I would think that the 1861 would be able to do this without much problem.


As to the specific questions that you ask:

- We use GRE/IPSec tunnels and it works well.

- there should not be any configuration changes on the actiontech router.

- as far as caveats:

+ make sure that the image on the 1861 is the advanced security feature set or the advanced services feature set so that you get support for the encryption needed for VPN.

+ in our implementation we require that the remote site have a fixed IP address which allows each end of the VPN to uniquely specify its peer and allows either end of the VPN to initiate the connection. I assume that your user is getting an address via DHCP from the actiontech. This will mean that your head end will have to accept connection requests from anyone and authenticate to verify that it is an authorized request. And it will mean that the remote must initiate the connection.


If it is a single user at this remote location would it be feasible to set it up as a remote access VPN rather than a site to site VPN and to have the user use the VPN client which would eliminate the requirement for a router at the remote site?


HTH


Rick

abknoc Mon, 02/11/2008 - 06:27
User Badges:

Rick,


Thank you, your post is very helpful. To answer your questions:

* static ip is not possible, because the remote site is using fios tv.

* the site will have a single user but multiple devices, including a tandberg codec which we'll use for videoconferencing.


Richard Burts Mon, 02/11/2008 - 08:28
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

Gerardo


I expected that static ip might not be possible in your case. This just means that the head end will not be able to specifically identify the remote peer and must accept connection requests from anyone and use authentication to determine whether this is a legitimate peer.


If there are multiple devices at the remote then a site to site VPN certainly makes sense.


HTH


Rick

Daniel Voicu Mon, 02/11/2008 - 09:29
User Badges:
  • Silver, 250 points or more

Hi,


You might want to implement an Easy VPN Server/Client configuration that is more straight forward than a GRE/IPSEC behind NAT.


This way you don't need to open 0.0.0.0 with crypto isakmp for the preshared key.


Check:

http://cisco.com/en/US/products/hw/routers/ps221/prod_configuration_guide09186a008007cfa7.html


Rate if it helps.


Regards,

Daniel

Actions

This Discussion