05-02-2008 12:42 PM - edited 02-21-2020 03:42 PM
Good day,
When creating a VPN site-to-site tunnel using SDM, where would I place the static route? I have configured everything else but the static route.
Any help would be appreciated.
Chris
05-03-2008 04:10 AM
Hi Chris,
If the SDM software did not already generate the appropriate static routes, then you can configure them manually:
You have to configure static routes pointing to the subnets of the remote network on both sides. This is needed because the routing protocol updates cannot pass over an IPSec VPN tunnel. (GRE over IPSec is needed for this).
Then you need to configure a static route pointing to the peer interface of the VPN on both sides (if you have no such route in the routing table). This is needed so the initial isakmp and ipsec negotiations can occur.
If you tell me more about your network, then I will be able to give you more specific guidelines.
Cheers:
Istvan
05-04-2008 03:11 AM
Istvan,
Thanks for your help. Here is a little on my network. I have an 877 at site A, and I am needing to connect to Site B (another company), which is being brought up by their network guys. So they sent me their mirror config, which is below. Like I mentioned in a previous post, I have used SDM and created the site to site with nowhere to place the static route.
Here is the mirror they sent me.
Ip route 192.168.94.0 255.255.255.0 access-list 105
Access-list 105 permit 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
Access-list 106 permit 192.168.94.0 0.0.0.255 172.16.0.0 0.0.0.255
Access-list 110 deny ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
Access-list 110 permit ip 192.168.0.0 0.0.0.255 any
Route-map nonat permit 10
Match ip address 110
Crypto isakmp policy 20
Encr 3des
Authentication pre-share
Hash md5
Group 2
Lifetime 86400
crypto isakmp key xxxxxx address xxx.xxx.xxx.xxx
crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20
set transform_set testset
crypto map testmap 2 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set test
match address 106
I have yet to check out the GRE over IPSec, I am hoping this all works out. Give me your thoughts, and thanks again for your help.
Chris
05-05-2008 10:07 AM
Hi Chris,
What do the network guys of the other company want to configure?
An IPSec VPN tunnel or a GRE over IPSEC tunnel?
If an IPSec VPN tunnel, then I can see the following:
- "crypto ipsec transform-set test" is not configured
- "crypto map testmap" is not applied to the outgoing interface similarly to this example:
interface serial1/1
crypto map testmap
- I don't understand the command in the beginning: Ip route 192.168.94.0 255.255.255.0 access-list 105
The static route should be like this:
Ip route 192.168.94.0 255.255.255.0 serial1/1 or something similar.
- If the 192.168.94.0 255.255.255.0 network is the remote subnet, then access-list 106 specifying the interesting traffic is wrongly configured:
It should be like this:
Access-list 106 permit ip 172.16.0.0 0.0.0.255 192.168.94.0 0.0.0.255
With the supposition that 172.16.0.0 255.255.255.0 is the local network and 192.168.94.0 255.255.255.0 is the remote network.
If the guys want to create a GRE over IPSEC tunnel, then let them give you also the tunnel interface details, in addition to the isakmp and ipsec configuration.
Then I will be able to help you configure GRE over IPSec.
Cheers:
Istvan
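Added example, not part of the original thread or either poster's code: a small Python lint that automates the checks listed in the reply above (undefined transform-set, crypto map not applied to an interface, interesting-traffic ACL missing `ip` or using the wrong source). `lint_ipsec`, `SAMPLE`, the `Dialer0` line and the placeholder peer 192.0.2.1 are assumptions; 172.16.0.0 is treated as the local network, as the reply supposes.

```python
import re

# Constructed sample: IPSec-related lines modelled on the mirror config quoted
# in the thread; the peer address is a documentation placeholder.
SAMPLE = """\
access-list 106 permit 192.168.94.0 0.0.0.255 172.16.0.0 0.0.0.255
crypto ipsec transform-set testset esp-3des esp-md5-hmac
crypto map testmap 2 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set test
 match address 106
interface Dialer0
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def lint_ipsec(config, local_net):
    """Return findings for a crypto-map site-to-site config (hypothetical helper)."""
    defined, applied, acls, maps, cur = set(), set(), {}, {}, None
    # Lines are lower-cased because the posted config mixes keyword case.
    for line in (l.strip().lower() for l in config.splitlines()):
        tok = line.split()
        if line.startswith("crypto ipsec transform-set ") and len(tok) > 3:
            defined.add(tok[3])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cur = maps.setdefault(m.group(1), {"ts": [], "acl": []})
        elif m := re.match(r"crypto map (\S+)$", line):
            applied.add(m.group(1))  # bare form: applied under an interface
        elif line.startswith("set transform-set ") and cur is not None:
            cur["ts"] += tok[2:]
        elif line.startswith("match address ") and cur is not None:
            cur["acl"].append(tok[2])
        elif line.startswith("access-list ") and len(tok) > 4:
            acls.setdefault(tok[1], []).append(tok[3:])  # drop number and action
    findings = []
    for name, cm in maps.items():
        for ts in cm["ts"]:
            if ts not in defined:
                findings.append(f"{name}: transform-set '{ts}' is not defined")
        if name not in applied:
            findings.append(f"{name}: crypto map is not applied to an interface")
        for num in cm["acl"]:
            for rest in acls.get(num, []):
                if IPV4.match(rest[0]):  # address where a protocol is expected
                    findings.append(f"acl {num}: no protocol keyword (expected 'ip')")
                    rest = ["ip"] + rest
                if rest[1] != local_net:
                    findings.append(f"acl {num}: source {rest[1]} is not local net {local_net}")
    return findings
```

Calling `lint_ipsec(SAMPLE, "172.16.0.0")` reports all four problems; a config with the corrections from the reply applied returns an empty list.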
05-05-2008 02:32 PM
Istvan,
Thanks for all your help. The configuration that I provided was sent by them to me for setup on my end. I am using SDM and cannot seem to figure out where the IP ROUTE address goes. I can set up the site to site, but when I test the connection I get no response. I am not sure if I am supposed to set up the connection via GRE over IPSec, but I have already sent a note.
Thanks again for all your help.
Chris
05-07-2008 12:15 AM
Istvan,
Good day. I was informed it is not a GRE over IPSec but a LAN-to-LAN tunnel. Would you be able to assist me with this via SDM? I really need to set the static mapping. Note: I am using a Cisco 877. I have configured the DSL to interface dialer0, but still can't bring up this VPN.
Chris
05-07-2008 10:27 AM
Hi Chris,
Sure, I will help you.
As our first step, could you please ask the guys to send you all the configs related to the ipsec vpn, or even better the whole running-config of the router.
Then you can post it here and I will help create the mirror config for this.
Do you have access to the CLI through the console, or can you configure the router through SDM only?
Cheers:
Istvan
05-07-2008 11:42 AM
Thanks again. I do have access to the CLI, and they will only send me a mirror config from their router, not the whole config; I have asked. I could possibly send you my running config. I hope this is enough; please give me your thoughts.
Chris
05-09-2008 07:33 AM
Hi Chris,
Yes, your running-config will be quite useful, but please also post the config the other guys send you so we can create the mirror config out of that.
We will try to configure this through the CLI.
Thanks:
Istvan