Site-To-Site VPN

softpro77
Level 1

I want to build a site-to-site VPN.

HQ will be using a Cisco 1841 ISR.

HQ will be using a registered PUBLIC IP.

DSL

Branch will be using a Cisco 877 series ISR.

Branch will be using only a dynamic IP provided by the country's internet service provider.

ADSL

What approach should I use, and how do I configure it to make the VPN connection work?

6 Replies

JORGE RODRIGUEZ
Level 10

Chong,

You can build the tunnel in a hub-and-spoke architecture. The spoke in your case will be using a dynamic IP assigned by the ISP; your hub uses a static one.

Have a look here for the dynamic L2L config sections.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Rgds

Jorge

Jorge Rodriguez

softpro77
Level 1

Thanks Jorge for pointing me in the right direction.

I'm a beginner with Cisco routers; do you know a link to an SDM-type example that I can follow more easily?

I have not seen an SDM link. The above link is easy to follow; try using it, omitting the RA client configuration. At least try creating a configuration sketch in Notepad for each router without entering it in the router; you may post the proposed config from both routers so that we can see it prior to implementing them.

Jorge Rodriguez

Thanks Jorge !

I have not got a clue how to get the project started. Now that you mentioned it, I will start a 'sketch' in Notepad for each router; you or anyone can take a look and suggest where I got it wrong. Thanks in advance!

Hi Jorge, I've been trying to create the 'sketch', but I encountered a problem regarding how to 'glue' the HQ VPN head-end server to the peer ends to create connectivity. The peers are using dynamic IPs, so how do I get over this obstacle? Do I have to resort to, e.g., getting each peer to register a hostname such as peer1.members.dyndns.org, and then enter peer1.members.dyndns.org instead in the HQ's VPN configuration?

Thanks in advance

Hello Jorge.

! HUB's configuration
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hub
!
no logging on
!
username admin password xxx
aaa new-model
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
no ip domain lookup
!
!--- Wildcard pre-shared key: a spoke on any address is accepted with this key,
!--- which is what lets spokes on ISP-assigned dynamic addresses connect.
crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key mykey123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group myclientgroup
 key xxx
 dns 165.21.83.88 165.21.100.88
 wins 3.3.3.3 4.4.4.4
 domain myclient.com
 pool ippool
!
!--- Remote-access client profile. The group name must match the client
!--- configuration group above (the draft had "testgroup" here).
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group myclientgroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!
!--- LAN-to-LAN profile for the spokes. dynmap 10 below referenced "L2L"
!--- but the draft never defined it; it binds the wildcard keyring to any peer address.
crypto isakmp profile L2L
   description LAN-to-LAN profile for spoke routers
   keyring spokes
   match identity address 0.0.0.0
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Two instances of the dynamic crypto map
!--- reference the two ISAKMP profiles above.
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile L2L
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description Outside interface
 ip address 10.48.67.181 255.255.255.224
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 description Inside interface
 ip address 10.1.1.1 255.255.254.0
 duplex auto
 speed auto
 no keepalive
!
ip local pool ippool 10.5.5.1 10.5.5.254
no ip http server
no ip http secure-server
ip classless
!--- The next hop must lie on the outside subnet (10.48.67.160/27);
!--- 10.48.66.181 does not, so verify this address.
ip route 0.0.0.0 0.0.0.0 10.48.66.181
!
call rsvp-sync
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
 escape-character 27
line aux 0
line vty 0 4
 password xxx
!
end

_____________________________________________

! SPOKE's configuration
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname spoke_01
!
no logging on
!
ip subnet-zero
no ip domain lookup
!
ip cef
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!--- The hub's outside address is 10.48.67.181
!--- (the draft had 10.40.67.181 here and under "set peer").
crypto isakmp key mykey123 address 10.48.67.181
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Standard crypto map on the spoke router
!--- that references the known hub IP address.
crypto map mymap 10 ipsec-isakmp
 set peer 10.48.67.181
 set transform-set myset
 match address 100
!
controller ISA 5/1
!
!--- Dialer interface: the ISP assigns the address through PPP (IPCP), so it is
!--- "negotiated", not "dhcp"; duplex and speed are not valid on a dialer.
!--- The ATM PVC / PPPoE binding of this dialer to the ADSL port is not shown.
interface Dialer1
 description Outside interface
 ip address negotiated
 crypto map mymap
!
interface FastEthernet0/0
 description Inside interface
 ip address 10.2.2.2 255.255.255.0
 duplex auto
 speed auto
 no keepalive
!
interface ATM1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.100.2.3
no ip http server
no ip http secure-server
!--- Interesting traffic: spoke LAN to hub LAN.
access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
call rsvp-sync
!
mgcp profile default
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password xxx
 login
!
end

___________________________________________
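The question above about how the hub "glues" to peers on dynamic addresses is answered by the hub config itself: a wildcard pre-shared key in a keyring, an ISAKMP profile that matches any peer address, and a dynamic crypto map that references that profile. The draft config breaks exactly at those cross-references (a dynamic-map entry pointing at an undefined profile, a client profile matching a group that was never configured, and a spoke peering with the wrong hub address). The following Python script is an added example, not part of this thread or of Cisco's sample configuration: it parses IOS-style configs (sub-commands indented under a top-level command) and reports those cross-reference mistakes. The two sample configs inside it are constructed, trimmed to the crypto-relevant lines, and reproduce the draft's three mistakes; HUB_CONFIG_FIXED shows the corrected hub passing the same checks.

```python
"""Cross-reference checks for a Cisco IOS dynamic LAN-to-LAN hub/spoke IPsec config.
Added example, not from the thread: parses hub and spoke configs and reports the
reference mistakes that stop an ISAKMP/IPsec tunnel from ever forming."""
import re
from typing import List, Tuple

# Constructed sample configs, trimmed to the crypto-relevant lines. They reproduce the
# mistakes of the draft posted above: dynmap 10 references a profile "L2L" nobody
# defined, the client profile matches group "testgroup" while the configured group is
# "myclientgroup", and the spoke peers with 10.40.67.181 instead of 10.48.67.181.
HUB_CONFIG = """\
hostname Hub
crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key mykey123
crypto isakmp client configuration group myclientgroup
crypto isakmp profile VPNclient
   match identity group testgroup
crypto dynamic-map dynmap 5
 set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
 set isakmp-profile L2L
interface FastEthernet0/0
 ip address 10.48.67.181 255.255.255.224
 crypto map mymap
"""
SPOKE_CONFIG = """\
hostname spoke_01
crypto isakmp key mykey123 address 10.40.67.181
crypto map mymap 10 ipsec-isakmp
 set peer 10.40.67.181
interface Dialer1
 ip address negotiated
 crypto map mymap
"""
# The same hub with the group name corrected and the missing LAN-to-LAN profile added
# (it binds the wildcard keyring to any peer address, which is what dynamic spokes need).
HUB_CONFIG_FIXED = HUB_CONFIG.replace("group testgroup", "group myclientgroup") + (
    "crypto isakmp profile L2L\n   keyring spokes\n   match identity address 0.0.0.0\n")

Finding = Tuple[str, str]  # (finding code, offending config line)


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Group lines into (top-level command, [indented sub-commands]); skip blanks and '!'."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _names(blocks, prefix: str) -> set:
    """Names declared by top-level commands starting with prefix, e.g. 'crypto keyring '."""
    return {hdr[len(prefix):].split()[0] for hdr, _ in blocks if hdr.startswith(prefix)}


def outside_address(config: str) -> str:
    """Address of the first interface with a crypto map applied (what spokes must peer with)."""
    for hdr, body in parse_blocks(config):
        if hdr.startswith("interface ") and any(l.startswith("crypto map ") for l in body):
            for line in body:
                m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line)
                if m:
                    return m.group(1)
    return ""


def check_hub(config: str) -> List[Finding]:
    """Referenced profiles and groups must exist; a keyring no profile uses is never consulted."""
    blocks = parse_blocks(config)
    profiles = _names(blocks, "crypto isakmp profile ")
    groups = _names(blocks, "crypto isakmp client configuration group ")
    keyrings, used = _names(blocks, "crypto keyring "), set()
    findings: List[Finding] = []
    for hdr, body in blocks:
        for line in body:
            ref = re.match(r"(set isakmp-profile|match identity group|keyring) (\S+)", line)
            if not ref:
                continue
            kind, name = ref.groups()
            if kind == "set isakmp-profile" and name not in profiles:
                findings.append(("undefined-isakmp-profile", f"{hdr}: {line}"))
            elif kind == "match identity group" and name not in groups:
                findings.append(("undefined-client-group", f"{hdr}: {line}"))
            elif kind == "keyring":
                used.add(name)
    findings += [("unused-keyring", f"crypto keyring {k}") for k in sorted(keyrings - used)]
    return findings


def check_spoke(config: str, hub_address: str) -> List[Finding]:
    """Both places a spoke names the hub (ISAKMP key and 'set peer') must carry its address."""
    findings: List[Finding] = []
    for hdr, body in parse_blocks(config):
        peers = [hdr] if re.match(r"crypto isakmp key \S+ address ", hdr) else []
        if hdr.startswith("crypto map "):
            peers += [f"{hdr}: {l}" for l in body if l.startswith("set peer ")]
        findings += [("peer-mismatch", p) for p in peers if p.split()[-1] != hub_address]
    return findings


def audit(hub: str, spoke: str) -> List[Finding]:
    """Empty result means the two configs reference each other consistently."""
    return check_hub(hub) + check_spoke(spoke, outside_address(hub))
```

Run `audit(HUB_CONFIG, SPOKE_CONFIG)` to see the five findings on the draft, and `audit(HUB_CONFIG_FIXED, SPOKE_CONFIG.replace("10.40.67.181", "10.48.67.181"))` to confirm the corrected pair comes back clean. The checks are deliberately limited to what the thread's configs exercise; a production run would also compare the spoke's `crypto isakmp key` against the hub's wildcard keyring entry and the transform-sets on both sides.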
