VPN creation

Unanswered Question
May 2nd, 2008

Good day,

When creating a VPN site-to-site tunnel using SDM, where would I place the static route? I have configured everything else but the static route.

Any help would be appreciated.


Istvan_Rabai Sat, 05/03/2008 - 04:10

Hi Chris,

If the SDM software did not already generate the appropriate static routes, then you can configure them manually:

You have to configure static routes pointing to the subnets of the remote network on both sides. This is needed because the routing protocol updates cannot pass over an IPSec VPN tunnel. (GRE over IPSec is needed for this).

Then you need to configure a static route pointing to the peer interface of the VPN on both sides (if you have no such route in the routing table). This is needed so the initial isakmp and ipsec negotiations can occur.

If you tell me more about your network, then I will be able to give you more specific guidelines.



chrisrapolla Sun, 05/04/2008 - 03:11


Thanks for your help. Here is a little on my network. I have an 877 at site A, and I am needing to connect to Site B (another company), which is being brought up by their network guys. So they sent me their mirror config, which is below. Like I mentioned in a previous post, I have used SDM and created the site to site with nowhere to place the static route.

Here is the mirror they sent me.

Ip route access-list 105

Access-list 105 permit

Access-list 106 permit

Access-list 110 deny ip

Access-list 110 permit ip any

Route-map nonat permit 10

Match ip address 110

Crypto isakmp policy 20

Encr 3des

Authentication pre-share

Hash md5

Group 2

Lifetime 86400

crypto isakmp key xxxxxx address xxx.xxx.xxx.xxx

crypto ipsec transform-set testset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 20

set transform_set testset

crypto map testmap 2 ipsec-isakmp

set peer xxx.xxx.xxx.xxx

set transform-set test

match address 106

I have yet to check out the GRE over IPSec, I am hoping this all works out. Give me your thoughts, and thanks again for your help.


Istvan_Rabai Mon, 05/05/2008 - 10:07

Hi Chris,

What do the network guys of the other company want to configure?

An IPSec VPN tunnel or a GRE over IPSEC tunnel?

If an IPSec VPN tunnel, then I can see the following:

- "crypto ipsec transform-set test" is not configured

- "crypto map testmap" is not applied to the outgoing interface similarly to this example:

interface serial1/1

crypto map testmap

- I don't understand the command in the beginning: Ip route access-list 105

The static route should be like this:

Ip route serial1/1 or something similar.

- If the network is the remote subnet, then access-list 106 specifying the interesting traffic is wrongly configured:

It should be like this:

Access-list 106 permit ip

With the supposition that is the local network and is the remote network.

If the guys want to create a GRE over IPSEC tunnel, then let them give you also the tunnel interface details, in addition to the isakmp and ipsec configuration.

Then I will be able to help you configure GRE over IPSec.
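
The cross-reference checks made in the reply above (a crypto map naming a transform-set that is never defined, and a crypto map that is not applied to an interface) can be run mechanically over a pasted config before it is loaded. The following Python is an added example, not part of the thread: the function name, the sample config and its addresses are constructed, and it assumes numbered access lists only.

```python
# Constructed sample using the thread's names (testmap, testset, ACL 106).
# Addresses are documentation ranges, not values from the thread.
SAMPLE = """\
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto map testmap 2 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set test
 match address 106
interface Dialer0
"""

def lint_crypto_config(text):
    """Cross-check crypto map entries against what the config defines."""
    # Assumption: numbered ACLs only ("access-list N ..."), no named ACLs.
    tsets, acls, applied, maps = set(), set(), set(), {}
    entry = None
    for raw in text.splitlines():
        tok = raw.lower().split()
        if not tok:
            continue  # pasted configs are often double-spaced
        if tok[:2] == ["crypto", "map"] and len(tok) >= 4 and tok[3].isdigit():
            entry = maps.setdefault((tok[2], tok[3]),
                                    {"peer": False, "ts": [], "acl": []})
        elif tok[:2] == ["crypto", "map"] and len(tok) == 3:
            applied.add(tok[2])  # three-token form is the interface sub-command
        elif tok[0] in ("set", "match"):
            if entry is not None:  # sub-command of the open crypto map entry
                entry["peer"] |= tok[:2] == ["set", "peer"]
                if tok[:2] == ["set", "transform-set"]:
                    entry["ts"] += tok[2:]
                if tok[:2] == ["match", "address"]:
                    entry["acl"] += tok[2:3]
        elif not raw[:1].isspace():
            entry = None  # any other top-level command closes the entry
            if tok[:3] == ["crypto", "ipsec", "transform-set"]:
                tsets.update(tok[3:4])
            elif tok[0] == "access-list":
                acls.update(tok[1:2])
    findings = []
    for (name, seq), e in sorted(maps.items()):
        label = f"crypto map {name} {seq}"
        if not e["peer"]:
            findings.append(f"{label}: no 'set peer'")
        findings += [f"{label}: transform-set '{t}' is not defined" for t in e["ts"] if t not in tsets]
        findings += [f"{label}: access-list {a} is not defined" for a in e["acl"] if a not in acls]
        if name not in applied:
            findings.append(f"{label}: not applied to any interface")
    return findings
```

Calling `lint_crypto_config(SAMPLE)` reports the undefined transform-set and the unapplied crypto map; it does not look at routing, so the static routes still have to be checked separately.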



chrisrapolla Mon, 05/05/2008 - 14:32


Thanks for all your help. The configuration that I provided was sent by them to me for setup on my end. I am using SDM and cannot seem to figure out where the IP ROUTE address goes. I can set up the site to site, but when I test the connection I get no response. I am not sure if I am supposed to set up the connection via GRE over IPSec, but I have already sent a note.

Thanks again for all your help.


chrisrapolla Wed, 05/07/2008 - 00:15


Good day, I was informed it is not a GRE over IPSec but a LAN-to-LAN tunnel. Would you be able to assist me with this via SDM? I really need to set the static mapping. NOTE: I am using a Cisco 877. I have configured the DSL to interface dialer0, but still can't bring up this VPN.


Istvan_Rabai Wed, 05/07/2008 - 10:27

Hi Chris,

Sure, I will help you.

As our first step, could you please ask the guys to send you all the configs related to the ipsec vpn, or even better the whole running-config of the router.

Then you can post it here and I will help create the mirror config for this.

Do you have access to the CLI through the console, or can you configure the router through SDM only?



chrisrapolla Wed, 05/07/2008 - 11:42

Thanks again. I do have access to the CLI, and they will only send me a mirror config from their router, not the whole config; I have asked. I could possibly send you my running config. I hope this is enough; please give me your thoughts.


Istvan_Rabai Fri, 05/09/2008 - 07:33

Hi Chris,

Yes, your running-config will be quite useful, but please also post the config the other guys send you so we can create the mirror config out of that.

We will try to configure this through the CLI.



