VPN creation

May 2nd, 2008

Good day,


When creating a VPN site-to-site tunnel using SDM, where would I place the static route? I have configured everything else but the static route.


Any help would be appreciated.


Chris


Istvan_Rabai Sat, 05/03/2008 - 04:10

Hi Chris,


If the SDM software did not already generate the appropriate static routes, then you can configure them manually:


You have to configure static routes pointing to the subnets of the remote network on both sides. This is needed because the routing protocol updates cannot pass over an IPSec VPN tunnel. (GRE over IPSec is needed for this).


Then you need to configure a static route pointing to the peer interface of the VPN on both sides (if you have no such route in the routing table). This is needed so the initial isakmp and ipsec negotiations can occur.


If you tell me more about your network, then I will be able to give you more specific guidelines.


Cheers:

Istvan

chrisrapolla Sun, 05/04/2008 - 03:11

Istvan,


Thanks for your help. Here is a little on my network. I have an 877 at site A, and I need to connect to Site B (another company), which is being brought up by their network guys. So they sent me their mirror config, which is below. Like I mentioned in a previous post, I have used SDM and created the site to site with nowhere to place the static route.


Here is the mirror they sent me.


Ip route 192.168.94.0 255.255.255.0 access-list 105

Access-list 105 permit 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
Access-list 106 permit 192.168.94.0 0.0.0.255 172.16.0.0 0.0.0.255

Access-list 110 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
Access-list 110 permit ip 192.168.0.0 0.0.0.255 any

Route-map nonat permit 10
 Match ip address 110

Crypto isakmp policy 20
 Encr 3des
 Authentication pre-share
 Hash md5
 Group 2
 Lifetime 86400

crypto isakmp key xxxxxx address xxx.xxx.xxx.xxx

crypto ipsec transform-set testset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 20
 set transform_set testset

crypto map testmap 2 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set test
 match address 106


I have yet to check out the GRE over IPSec, I am hoping this all works out. Give me your thoughts, and thanks again for your help.


Chris



Istvan_Rabai Mon, 05/05/2008 - 10:07

Hi Chris,


What do the network guys of the other company want to configure?

An IPSec VPN tunnel or a GRE over IPSEC tunnel?


If an IPSec VPN tunnel, then I can see the following:


- "crypto ipsec transform-set test" is not configured

- "crypto map testmap" is not applied to the outgoing interface similarly to this example:

interface serial1/1

crypto map testmap


- I don't understand the command in the beginning: Ip route 192.168.94.0 255.255.255.0 access-list 105


The static route should be like this:

Ip route 192.168.94.0 255.255.255.0 serial1/1 or something similar.


- If the 192.168.94.0 255.255.255.0 network is the remote subnet, then access-list 106 specifying the interesting traffic is wrongly configured:

It should be like this:

Access-list 106 permit ip 172.16.0.0 0.0.0.255 192.168.94.0 0.0.0.255

With the supposition that 172.16.0.0 255.255.255.0 is the local network and 192.168.94.0 255.255.255.0 is the remote network.


If the guys want to create a GRE over IPSEC tunnel, then let them give you also the tunnel interface details, in addition to the isakmp and ipsec configuration.


Then I will be able to help you configure GRE over IPSec.


Cheers:

Istvan
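
An added example, not part of the reply above and not Cisco or SDM code: a small Python check for the consistency points raised in that reply (a crypto map that references an undefined transform-set or is never applied to an interface, and a crypto ACL that has to be mirrored between the two ends). The function names `mirror_acl` and `lint` are hypothetical, and only plain "network wildcard" ACL entries are handled.

```python
import re

# Constructed sample: lines taken from the config posted in the thread,
# with the peer address masked as in the original post.
POSTED = """\
Access-list 106 permit 192.168.94.0 0.0.0.255 172.16.0.0 0.0.0.255
crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto map testmap 2 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set test
 match address 106
"""

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
ACL_RE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+(?:ip\s+)?"
    + r"\s+".join([QUAD] * 4) + r"\s*$", re.I)

def mirror_acl(line):
    """Swap source and destination of a 'network wildcard' ACL entry."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACL form: " + line)
    num, action, src, swild, dst, dwild = m.groups()
    return f"access-list {num} {action.lower()} ip {dst} {dwild} {src} {swild}"

def lint(config):
    """Return findings for the consistency problems named in the reply."""
    rows = [l.split() for l in config.lower().splitlines() if l.strip()]
    tsets = {w[3] for w in rows
             if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 3}
    acls = {w[1] for w in rows if w[0] == "access-list" and len(w) > 1}
    # "crypto map NAME SEQ ..." defines a map; "crypto map NAME" applies it.
    cmaps = [w for w in rows if w[:2] == ["crypto", "map"]]
    defined = {w[2] for w in cmaps if len(w) > 3}
    applied = {w[2] for w in cmaps if len(w) == 3}
    findings = []
    for w in rows:
        if w[:2] == ["set", "transform-set"]:
            findings += [f"transform-set '{n}' is not defined"
                         for n in w[2:] if n not in tsets]
        elif w[:2] == ["match", "address"] and w[2:] and w[2] not in acls:
            findings.append(f"access-list {w[2]} is not defined")
    findings += [f"crypto map '{n}' is not applied to an interface"
                 for n in sorted(defined - applied)]
    return findings
```

Run against the posted lines, `lint(POSTED)` reports the undefined `test` transform-set and the unapplied `testmap`, and `mirror_acl` on the posted access-list 106 yields the entry suggested in the reply.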

chrisrapolla Mon, 05/05/2008 - 14:32

Istvan,


Thanks for all your help. The configuration that I provided was sent by them to me for setup on my end. I am using SDM and cannot seem to figure out where the IP ROUTE address goes. I can set up the site to site, but when I test the connection I get no response. I am not sure if I am supposed to set up the connection via GRE over IPSec, but I have already sent a note.


Thanks again for all your help.


Chris

chrisrapolla Wed, 05/07/2008 - 00:15

Istvan,


Good day. I was informed it is not a GRE over IPSec but a LAN-to-LAN tunnel. Would you be able to assist me with this via SDM? I really need to set the static mapping. NOTE: I am using a Cisco 877. I have configured the DSL to interface dialer0, but still can't bring up this VPN.


Chris

Istvan_Rabai Wed, 05/07/2008 - 10:27

Hi Chris,


Sure, I will help you.


As our first step, could you please ask the guys to send you all the configs related to the IPSec VPN, or even better the whole running-config of the router?


Then you can post it here and I will help create the mirror config for this.


Do you have access to the CLI through the console, or can you configure the router through SDM only?


Cheers:

Istvan

chrisrapolla Wed, 05/07/2008 - 11:42

Thanks again. I do have access to the CLI, and they will only send me a mirror config from their router, not the whole config; I have asked. I could possibly send you my running config. I hope this is enough, please give me your thoughts.


Chris

Istvan_Rabai Fri, 05/09/2008 - 07:33

Hi Chris,


Yes, your running-config will be quite useful, but please also post the config the other guys send you so we can create the mirror config out of that.

We will try to configure this through the CLI.


Thanks:

Istvan
