
VPN creation

chrisrapolla
Level 1

Good day,

When creating a VPN site-to-site tunnel using SDM, where would I place the static route? I have configured everything else but the static route.

Any help would be appreciated.

Chris


Istvan_Rabai
Level 7

Hi Chris,

If the SDM software did not already generate the appropriate static routes, then you can configure them manually:

You have to configure static routes pointing to the subnets of the remote network on both sides. This is needed because the routing protocol updates cannot pass over an IPSec VPN tunnel (GRE over IPSec is needed for this).

Then you need to configure a static route pointing to the peer interface of the VPN on both sides (if you have no such route in the routing table). This is needed so the initial isakmp and ipsec negotiations can occur.

If you tell me more about your network, then I will be able to give you more specific guidelines.

Cheers:

Istvan

Istvan,

Thanks for your help. Here is a little on my network. I have an 877 at site A, and I need to connect to Site B (another company), which is being brought up by their network guys. So they sent me their mirror config, which is below. As I mentioned in a previous post, I have used SDM and created the site to site with nowhere to place the static route.

Here is the mirror they sent me.

Ip route 192.168.94.0 255.255.255.0 access-list 105
Access-list 105 permit 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
Access-list 106 permit 192.168.94.0 0.0.0.255 172.16.0.0 0.0.0.255
Access-list 110 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
Access-list 110 permit ip 192.168.0.0 0.0.0.255 any
Route-map nonat permit 10
 Match ip address 110
Crypto isakmp policy 20
 Encr 3des
 Authentication pre-share
 Hash md5
 Group 2
 Lifetime 86400
crypto isakmp key xxxxxx address xxx.xxx.xxx.xxx
crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20
 set transform_set testset
crypto map testmap 2 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set test
 match address 106

I have yet to check out the GRE over IPSec, I am hoping this all works out. Give me your thoughts, and thanks again for your help.

Chris

Hi Chris,

What do the network guys of the other company want to configure?

An IPSec VPN tunnel or a GRE over IPSEC tunnel?

If an IPSec VPN tunnel, then I can see the following:

- "crypto ipsec transform-set test" is not configured

- "crypto map testmap" is not applied to the outgoing interface similarly to this example:

interface serial1/1
 crypto map testmap

- I don't understand the command in the beginning: Ip route 192.168.94.0 255.255.255.0 access-list 105

The static route should be like this:

Ip route 192.168.94.0 255.255.255.0 serial1/1 or something similar.

- If the 192.168.94.0 255.255.255.0 network is the remote subnet, then access-list 106 specifying the interesting traffic is wrongly configured:

It should be like this:

Access-list 106 permit ip 172.16.0.0 0.0.0.255 192.168.94.0 0.0.0.255

With the supposition that 172.16.0.0 255.255.255.0 is the local network and 192.168.94.0 255.255.255.0 is the remote network.

If the guys want to create a GRE over IPSEC tunnel, then let them give you also the tunnel interface details, in addition to the isakmp and ipsec configuration.

Then I will be able to help you configure GRE over IPSec.

Cheers:

Istvan
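
Added example, not part of any post in this thread: a short Python check that reproduces the first two findings of the reply above on the posted mirror config (a transform-set that is referenced but not defined, a crypto map not applied to an interface) and swaps source and destination of a crypto ACL entry so the two peers' interesting-traffic lists can be compared. The names `lint` and `mirror_acl` are hypothetical, and the sample is a constructed excerpt of the posted lines.

```python
import re

# Constructed sample: the lines of the posted mirror config that these checks read.
POSTED = """\
Access-list 106 permit 192.168.94.0 0.0.0.255 172.16.0.0 0.0.0.255
crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto map testmap 2 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set test
 match address 106
"""

# Only the "network wildcard network wildcard" form is handled (no "any" or "host").
ACL_RE = re.compile(
    r"access-list (\d+) (permit|deny) (?:ip )?([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)$", re.I)

def lint(config):
    """Return consistency findings for a crypto-map config (hypothetical helper)."""
    lines = [l.strip().lower() for l in config.splitlines() if l.strip()]
    defined = {l.split()[3] for l in lines if l.startswith("crypto ipsec transform-set ")}
    entries = {l.split()[2] for l in lines if re.match(r"crypto map \S+ \d+", l)}
    # A bare "crypto map NAME" line is how the map appears under an interface.
    applied = {l.split()[2] for l in lines if re.fullmatch(r"crypto map \S+", l)}
    acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    findings = []
    for l in lines:
        words = l.split()
        if l.startswith("set transform-set "):
            findings += [f"transform-set '{n}' is referenced but not defined"
                         for n in words[2:] if n not in defined]
        elif l.startswith("match address ") and words[2] not in acls:
            findings.append(f"access-list {words[2]} is referenced but not defined")
    findings += [f"crypto map '{m}' is not applied to any interface"
                 for m in sorted(entries - applied)]
    return findings

def mirror_acl(line):
    """Swap source and destination of an ACL entry; None if it is in another form."""
    m = ACL_RE.match(line.strip())
    if not m:
        return None
    num, action, src, swild, dst, dwild = m.groups()
    return f"access-list {num} {action.lower()} ip {dst} {dwild} {src} {swild}"

if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
    print(mirror_acl(POSTED.splitlines()[0]))
```
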

Istvan,

Thanks for all your help, the configuration that I provided was sent by them to me for setup on my end. I am using SDM and cannot seem to figure where the IP ROUTE address goes. I can setup the site to site but when I test the connection I get no response. I am not sure if I am supposed to set up the connection via gre over ipsec but I have already sent a note.

Thanks again for all your help.

Chris

Istvan,

Good day. I was informed it is not GRE over IPsec but a LAN-to-LAN tunnel. Would you be able to assist me with this via SDM? I really need to set the static mapping. Note: I am using a Cisco 877. I have configured the DSL to interface dialer0, but still can't bring up this VPN.

Chris

Hi Chris,

Sure, I will help you.

As our first step, could you please ask the guys to send you all the configs related to the ipsec vpn, or even better the whole running-config of the router.

Then you can post it here and I will help create the mirror config for this.

Do you have access to the CLI through the console, or can you configure the router through SDM only?

Cheers:

Istvan

Thanks again. I do have access to the CLI, and they will only send me a mirror config from their router, not the whole config; I have asked. I could possibly send you my running config. I hope this is enough; please give me your thoughts.

Chris

Hi Chris,

Yes, your running-config will be quite useful, but please also post the config the other guys send you so we can create the mirror config out of that.

We will try to configure this through the CLI.

Thanks:

Istvan
