VPN/IPSec connection from two routers behind two 'Internet' routers?

Unanswered Question
Apr 19th, 2008

Hi all,

Situation:

Two sites both with a router connected to Internet.

My client wants to have on each site another router behind the respective Internet router.

An IPSec/VPN connection has to be built between the two routers (871s) behind the Internet routers.

Is this possible? And if so, how?

Thanks for your help

Jaap Laaij

Netherlands

carl_j_meza Sat, 04/19/2008 - 10:58

Jaap,

If your client has a spare public address on both Internet router subnets that you can use, you might want to try 1-to-1 NAT that translates your FA4 IPs to an 81.x.x.x and an 83.x.x.x IP. Specify the far end public IP as your IPSEC peer and build a site-to-site tunnel.

jlaay-diode Sat, 04/19/2008 - 22:56

Hi Carl,

Thanks for your reply.

The problem is that my client doesn't have spare public addresses. The addresses that he has are also leased.

However, if he did, how do you 'push' the spare public address to the F4 WAN port of the router (870) behind the Internet router? How do you tell the Internet router that the incoming public address belongs to the 870 router?

Is there any other way to get around this?

Thanks,

Jaap

cisco24x7 Sun, 04/20/2008 - 15:38

Jaap,

It CAN be done without a spare IP address.

On both Internet routers, do this:

! Forward IKE (UDP 500), NAT-T (UDP 4500) and ESP arriving on the public
! interface to the inner 871 at 192.168.0.101
ip nat inside source static udp 192.168.0.101 500 interface F0/0 500
ip nat inside source static udp 192.168.0.101 4500 interface F0/0 4500
ip nat inside source static esp 192.168.0.101 interface F0/0
!
interface F0/0
 description Internet Facing
 ! public address as leased; the x's (and the mask) are placeholders
 ip address 81.x.x.x 255.255.255.x
 ip nat outside
!
interface F0/1
 description RFC1918
 ! the inside address must differ from the 871's 192.168.0.101
 ! (the post used .101 on both; .1 is assumed here)
 ip address 192.168.0.1 255.255.255.0
 ip nat inside

on the router behind the 81.x.x.x router:

! traffic to encrypt: local 10.10.10.0/24 to remote 10.10.11.0/24
access-list 101 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
!
! pre-shared key, keyed on the remote site's public (post-NAT) address
crypto isakmp key cciesec address 83.x.x.x no-xauth
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 83.x.x.x
 set transform-set 3des
 match address 101
!
interface FastEthernet4
 ip address 192.168.0.101 255.255.255.0
 crypto map vpn
!
! assumed: default route via the Internet router's inside address
ip route 0.0.0.0 0.0.0.0 192.168.0.1

on the router behind the 83.x.x.x router:

! mirror image: local 10.10.11.0/24 to remote 10.10.10.0/24
access-list 101 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
!
crypto isakmp key cciesec address 81.x.x.x no-xauth
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set 3des esp-3des esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 ! peer is the OTHER site's public address (the original post repeated 83.x.x.x here)
 set peer 81.x.x.x
 set transform-set 3des
 match address 101
!
interface FastEthernet4
 ip address 192.168.0.101 255.255.255.0
 crypto map vpn
!
! assumed: default route via the Internet router's inside address
ip route 0.0.0.0 0.0.0.0 192.168.0.1

This way, when ISAKMP, NAT-T and ESP traffic hits the 81.x.x.x or 83.x.x.x IP address, it will be translated to 192.168.0.101 and it will work. I do this all the time.

This works on both IOS 12.2(15)T17 and IOS 12.3(24a).

CCIE Security
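An added checker, not from the thread or from Cisco, that audits the design above: it reads the Internet router's static NAT lines and the inner router's crypto-map peers and flags what a reviewer would look for (UDP 500, UDP 4500 and ESP all forwarded to the 871's address, and each 871 peering with the other site's public address). The configs, and the function names `nat_forwards`, `check_site` and `audit`, are constructed here; the 81.x.x.x / 83.x.x.x placeholders from the thread are kept as literal strings.

```python
import re

# Constructed from the thread's lines; site B "as posted" keeps the slip where
# both crypto maps pointed at 83.x.x.x, so the checker has something to find.
NAT_RE = re.compile(r"^ip nat inside source static (udp|esp) (\S+)(?: (\d+))? interface \S+")
PEER_RE = re.compile(r"^\s*set peer (\S+)")
REQUIRED = [("udp", 500), ("udp", 4500), ("esp", None)]  # IKE, NAT-T, ESP

def nat_forwards(internet_cfg):
    """Map (proto, port) -> inside address for each static NAT line."""
    fwd = {}
    for line in internet_cfg.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            proto, inside, port = m.groups()
            fwd[(proto, int(port) if port else None)] = inside
    return fwd

def check_site(inner_ip, internet_cfg, inner_cfg, remote_public_ip):
    """Return a list of problems; an empty list means the site is consistent."""
    problems = []
    fwd = nat_forwards(internet_cfg)
    for proto, port in REQUIRED:
        label = f"{proto} {port}" if port else proto
        if (proto, port) not in fwd:
            problems.append(f"no static NAT for {label}")
        elif fwd[(proto, port)] != inner_ip:
            problems.append(f"{label} forwarded to {fwd[(proto, port)]}, not {inner_ip}")
    peers = {m.group(1) for m in map(PEER_RE.match, inner_cfg.splitlines()) if m}
    if remote_public_ip not in peers:
        problems.append(f"crypto map peers {sorted(peers)} do not include {remote_public_ip}")
    return problems

INTERNET_RTR = """
ip nat inside source static udp 192.168.0.101 500 interface F0/0 500
ip nat inside source static udp 192.168.0.101 4500 interface F0/0 4500
ip nat inside source static esp 192.168.0.101 interface F0/0
"""
INNER_A = "crypto map vpn 10 ipsec-isakmp\n set peer 83.x.x.x\n"
INNER_B_AS_POSTED = "crypto map vpn 10 ipsec-isakmp\n set peer 83.x.x.x\n"  # slip in the post
INNER_B_FIXED = "crypto map vpn 10 ipsec-isakmp\n set peer 81.x.x.x\n"

def audit():
    """Both sites as posted, then site B with the peer corrected."""
    return {
        "A": check_site("192.168.0.101", INTERNET_RTR, INNER_A, "83.x.x.x"),
        "B_as_posted": check_site("192.168.0.101", INTERNET_RTR, INNER_B_AS_POSTED, "81.x.x.x"),
        "B_fixed": check_site("192.168.0.101", INTERNET_RTR, INNER_B_FIXED, "81.x.x.x"),
    }
```

Running `audit()` reports site A and the corrected site B as clean and lists the wrong peer for site B as posted; dropping a NAT line from `INTERNET_RTR` produces a "no static NAT for ..." entry instead.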
