cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
819
Views
0
Helpful
8
Replies

VPN IPSec LAN-to-LAN

KagomeCISCO
Level 1
Level 1

Im trying to make a configuration with fake public adresses to a VPN IPSec (site to site) and this is my config can you please tell me if sothing wrong with it thank u.

And i have a question what should i do more than configuring the two CISCO 2600 routers in each site?? Should i make something else

I would be grateful if you answered my questions .

Please find attached my architecture.

BELL(config)# crypto isakmp policy 1

BELL(config-isakmp)# encryption 3des

BELL(config-isakmp)# hash md5

BELL(config-isakmp)# authentication pre-share

BELL(config-isakmp)# group 2

BELL(config-isakmp)#lifetime 480

BELL(config-isakmp)#exit

BELL(config)#crypto isakmp identity address

BELL(config)# crypto isakmp key BELLcon address 196.203.53.111

BELL(config)# crypto ipsec transform-set ts1 esp-md5-hmac esp-des

BELL(cfg-crypto-trans)#mode tunnel

BELL(cfg-crypto-trans)# exit

BELL(config)# access-list 110 permit ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255

BELL(config)# access-list 101 deny ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255

BELL(config)# access-list 101 permit ip 192.168.18.0 0.0.0.255 any

BELL(config)# crypto map map_BELL 10 ipsec-isakmp

BELL(cfg-ctypto-map)#set peer 196.203.53.111

BELL(cfg-ctypto-map)#set transform-set ts1

BELL(cfg-ctypto-map)#match address 110

BELL(config)# interface tunnel 0

BELL(config-if)# ip address 192.168.18.1 255.255.255.0

BELL(config-if)# tunnel source 193. 205.53.11

BELL(config-if)# tunnel destination 196.203.53.111

BELL(config-if)# crypto map map_BELL

BELL(config-if)# exit

BELL(config)# interface Dialer0

BELL(config)# ip route 0.0.0.0 0.0.0.0 Dialer0 permanent

BELL(config)# ip route 192.168.18.0 255.255.255.0 Ethernet0

BELL(config-if)# exit

Configuration of internet accesvia ADSL

Step 1 : Configuration de l'interface Ethernet0

BELL#configure terminal

BELL(config)#interface ethernet0

BELL(config-if)#ip address 192.168.18.1 255.255.255.0

BELL(config-if)#ip nat inside

BELL(config-if)#ip virtual-reassembly

BELL(config-if)#ip tcp adjust-mss 1412

BELL(config-if)#hold-queue 100 out

BELL(config-if)#exit

Step 2 : Configuration de l'interface Dialer0

BELL#configure terminal

BELL(config)#interface dialer0

BELL(config-if)#ip address negotiated

BELL(config-if)#ip mtu 1442

BELL(config-if)#ip nat outside

BELL(config-if)#encapsulation ppp

BELL(config-if)#ip tcp adjust-mss 1452

BELL(config-if)#dialer pool 1

BELL(config-if)#dialer-group 1

BELL(config-if)#ppp authentication chap callin

BELL(config-if)#ppp chap hostname login_ISF

BELL(config-if)#ppp chap password 0 password_ISF

BELL(config-if)#ppp ipcp dns request

BELL(config-if)#exit

8 Replies 8

Richard Burts
Hall of Fame
Hall of Fame

Tima

There are several issues to correct and several things that I would suggest that you change:

- address 192.168.18.1 appears as the address for interface tunnel1 and also on interface ethernet0. You can not have two interfaces with the same address like this. Change the address on one of the interfaces.

- you have the crypto map on the tunnel interface and on no other interface. Depending on the version of code, some versions (older code) require that the crypto map be on both the tunnel interface and the outbound interface and some (more recent) require it only on the outbound interface (not the tunnel). Since we do not know what version of code you are running we can not advise which way it should be. But having it only on the tunnel is a problem.

- you have access list 110 as the access list to identify traffic to be protected by IPSec and it specifies IP for entire subnets:

access-list 110 permit ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255

Since you want to encrypt the GRE traffic between router it would be better if the access list permitted GRE host host

- you specify the tunnel source address as tunnel source 193. 205.53.11 but I am not clear what that is. Logically I would think it was the dialer interface address. But that is configured as address negotiated. Is this the negotiated address?

- I do not see any need for this static route:

ip route 192.168.18.0 255.255.255.0 Ethernet0

since it identifies the connected interface subnet and that will be routed without any need for static. I do not think that it hurts anything, but neither does it help anything.

HTH

Rick

HTH

Rick

Thank you Rick for your answer.

i didn't notice the first issue thank you for mentioning it .

The IOS's versions in our CISCOs are 12.3 in fact i lack documentation and im a newbie in practisin all what i did before was pure theory unfortunately i never combined practise and theory.

I didn't get the 3rd point you noticed

u mean i put it like that

access-list 110 permit ip 192.168.18.1 0.0.0.254 192.168.1.1 0.0.0.254 ???

-the tunnel source adress 193.205.53.11 is the public adress of my router the one the internet service provider(ISP) gives us.

And i changed my ethernet adresse to 192.168.18.2 and the 192.168.18.1 is for the tunnel

thank you again for your answer.

Hi Rick

I tried to follow your recommandations and thsi is what i get now is it what u meant??

or still there something wrong??

I explain more what i want to do :

We dispose of 2 Cisco 2600 routers. Evry router is composed of an ethernet interface and an ADSL interface CONSOLE interface for configuration

• On the first site :

- ETHERNET interface connected to the LAN (IP@ 192.168.18.1 mask 255.255.255.0)

- ADSL interface used to connect to internet (adresse IP Bell ADSL : 193.111.12.1 )

• On the distent site Call :

- ETHERNET interface connected to the LAN (IP@ 192.168.1.2 masque 255.255.255.0)

- ADSL interface used for connecting to internet (@ IP Call Center ADSL:196.203.53.111)

This is the configuration of the first site router plus step 1 step 2 refers to the ADSL configuration.

BELL(config)# crypto isakmp policy 1

BELL(config-isakmp)# encryption 3des

BELL(config-isakmp)# hash md5

BELL(config-isakmp)# authentication pre-share

BELL(config-isakmp)# group 2

BELL(config-isakmp)#lifetime 480

BELL(config-isakmp)#exit

BELL(config)#crypto isakmp identity address

BELL(config)# crypto isakmp key Bellconsulting address 196.203.53.111

BELL(config)# crypto ipsec transform-set ts1 esp-md5-hmac esp-des

BELL(cfg-crypto-trans)#mode tunnel

BELL(cfg-crypto-trans)# exit

BELL(config)# access-list 110 permit ip host 193.111.12.1 host 196.203.53.111

BELL(config)# access-list 101 deny ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255

BELL(config)# access-list 101 permit ip 192.168.18.0 0.0.0.255 any

BELL(config)# crypto map map_BELL 10 ipsec-isakmp BELL(cfg-ctypto-map)#set peer 196.203.53.111

BELL(cfg-ctypto-map)#set transform-set ts1

BELL(cfg-ctypto-map)#match address 110

BELL(config)# interface tunnel 0

BELL(config-if)# ip address 192.168.18.1 255.255.255.0

BELL(config-if)# tunnel source 193.111.12.1

BELL(config-if)# tunnel destination 196.203.53.111

BELL(config-if)# exit

BELL (config)# interface ethernet0

BELL(config-if)# cypto map map_bell

BELL (config-if)# exit

BELL(config)# interface Dialer0

BELL(config)# ip route 0.0.0.0 0.0.0.0 Dialer0 permanent

BELL(config)# ip route 192.168.18.0 255.255.255.0 Ethernet0

BELL(config-if)# exit

Step 1 : Configuration interface Ethernet0

BELL#configure terminal

BELL(config)#interface ethernet0

BELL(config-if)#ip address 192.168.18.2 255.255.255.0

BELL(config-if)#ip nat inside

BELL(config-if)#ip virtual-reassembly

BELL(config-if)#ip tcp adjust-mss 1412

BELL(config-if)#hold-queue 100 out

BELL(config-if)#exit

Step 2 : Configuration interface Dialer0

BELL#configure terminal

BELL(config)#interface dialer0

BELL(config-if)#ip address negotiated

BELL(config-if)#ip mtu 1442

BELL(config-if)#ip nat outside

BELL(config-if)#encapsulation ppp

BELL(config-if)#ip tcp adjust-mss 1452

BELL(config-if)#dialer pool 1

BELL(config-if)#dialer-group 1

BELL(config-if)#ppp authentication chap callin

BELL(config-if)#ppp chap hostname login_FAI

BELL(config-if)#ppp chap password 0 password_FAI

BELL(config-if)#ppp ipcp dns request

BELL(config-if)#exit

Tima

It is some better but still is problematic. Here are my comments:

- you changed the tunnel and Ethernet interface addresses to

interface tunnel 0

ip address 192.168.18.1 255.255.255.0

interface ethernet0

ip address 192.168.18.2 255.255.255.0

and this still puts the Tunnel and the Ethernet into the same subnet and this is a problem.

- you moved the crypto map from the tunnel (which was a problem) to the ethernet0 interface. Is this the outbound interface? It does not look like the outside interface and so putting the crypto map here is still a problem.

- you changed the access list to:

access-list 110 permit ip host 193.111.12.1 host 196.203.53.111

but what I suggested would be:

access-list 110 permit gre host 193.111.12.1 host 196.203.53.111

- you have the tunnel source address as 193.111.12.1 but I can not tell from this configuration what address that is and whether it is correct as the tunnel source or not.

- you still have the static route

ip route 192.168.18.0 255.255.255.0 Ethernet0

but a static route for a connected interface subnet is redundant and useless.

HTH

Rick

HTH

Rick

Hi Rick

Thank you again but my problem is that i want it IPSEC only not GRE over IPSEC so i think i don't have to use the access list that way

Tima

In your original post a GRE tunnel was part of your configuration. And GRE tunnels have been part of the other posts from you in this thread. If you now do not want GRE tunnels then remove the GRE tunnel.

HTH

Rick

HTH

Rick

Hi Rick

In fact they want me to do it IPSEC only.I don't know now what to add or to remove im confused

Best regards Tima

hi Rick

this is what i got for my VPN IPSEC site to site configuration the LANs adresses does not change, public adresses too

take a look please and tell me what do you think

! configure la priorité de la règle pour le protocole IKE

BELL(config)# crypto isakmp policy 1

! cette commande précise que l'algorithme de hachage sera le MD5.

BELL(config-isakmp)# hash md5

! cette commande indique que l'algorithme de cryptage de paquets qu'on va utiliser est le Triple DES.

BELL(config-isakmp)# encryption 3des

! cette commande indique que la clef d'authentification initiale sera partagée et qu'on ne dispose pas d'autorité de certification CA.

BELL(config-isakmp)# authentication pre-share

! Le group 2 de Diffie Hellman.

BELL(config-isakmp)# group 2

! Spécifie la durée de vie en seconde pour l'association de sécurité (SA) d'IKE.

BELL(config-isakmp)#lifetime 480

BELL(config-isakmp)#exit

! Cette commande indique que l'hôte distant sera identifié par son adresse et que la clé partagé est «Bellconsulting» et elle sera utilisé avec le client distant 196.x.x.111.

BELL(config)# crypto isakmp key Bellconsulting address 196.203.53.111

! fin de configuration

BELL(config)#end

!Définir une combinaison d'associations de sécurité(SA) qui interfère les négociations IPSEC

BELL(config)# crypto ipsec transform-set ts1 esp-md5-hmac esp-des

! Définir le type de tunnel

BELL(cfg-crypto-trans)#mode tunnel

BELL(cfg-crypto-trans)# exit

! access-list donne le droit aux utilisateurs du réseau LAN distant d'accéder au réseau local du siège.

BELL(config)#access-list 110 permit ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255

! Ces deux access-list seront utilisées pour désactiver le natting entre les deux réseaux LAN et le permettre ailleurs (vers le réseau Internet) .On applique l'access-list 101 avec le natting comme suit :

BELL(config)# access-list 101 deny ip 192.168.18.0 0.0.0.255 192.168.1.0 0.0.0.255

BELL(config)# access-list 101 permit ip 192.168.18.0 0.0.0.255 any

BELL(config)# ip nat inside source list 101 interface Dialer0 overload

! le nom de la crypto map est map_BELL

BELL(config)# crypto map map_BELL 10 ipsec-isakmp

! spécifie l'adresse ip du routeur distant.

BELL(cfg-ctypto-map)#set peer 196.203.53.111

!on applique la transform-set ts1 sur cette crypto map.

BELL(cfg-ctypto-map)#set transform-set ts1

! l'access-list 110 sera appliqué au tunnel VPN.

BELL(cfg-ctypto-map)#match address 110

BELL(config-if)# exit

BELL (config)# interface ethernet0

BELL (config-if)# exit

BELL(config)# interface Dialer0

BELL(config)# ip route 0.0.0.0 0.0.0.0 Dialer0 permanent

BELL(config)# ip route 192.168.1.0 255.255.255.0 Ethernet0

BELL(config-if)# cypto map map_bell

BELL(config-if)# exit

best regards

Tima

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: