Cisco IPSEC VPN - 7200

subra4u · ‎07-21-2009

Hi,

We have a VPN tunnel setup on the above mentioned router to one of our partners. Here is the Setup

Partner VPN Router 7.7.7.2 <--> Internet <--> (6.6.6.6) Internet Router (10.1.1.1) <--> (10.1.1.2) VPN Router(6.6.6.2).

The VPN router has 2 interfaces with 10.1.1.2 (also to reach the servers in the internal network) and 6.6.6.2 just terminated on a switch to keep the interface up.

Please find the config below:

{

version 12.2

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

lifetime 14400

crypto isakmp key ********* address 7.7.7.2

!

crypto ipsec transform-set set1 esp-3des esp-sha-hmac

!

crypto map mymap local-address FastEthernet2/0

crypto map mymap 10 ipsec-isakmp

set peer 7.7.7.2

set transform-set myset

set pfs group2

match address 160

!

interface FastEthernet0/0

ip address 10.1.1.2 255.255.255.0

no ip redirects

no ip unreachables

duplex full

no cdp enable

crypto map mymap

!

interface FastEthernet2/0

ip address 6.6.6.2 255.255.255.240

no ip redirects

no ip unreachables

duplex auto

speed auto

no cdp enable

!

ip route 10.0.0.0 255.0.0.0 10.1.1.3 (to a different router to reach internal network)

ip route 172.16.0.0 255.255.0.0 10.1.1.1

no ip http server

!

access-list 160 permit ip host 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255

}

We are able to reach the remote partner network and they can reach us too. Iam interested to know how it works when the Crypto map being applied on the internal interface. Can someone help me clarify this config. please

Thx,

Subra

Giuseppe Larosa · ‎07-21-2009

Hello Subra,

>> ip route 172.16.0.0 255.255.0.0 10.1.1.1

this static route does the trick:

traffic destined to net 172.16.0.0/16 is sent out the internal interface where it matches the ACL of the crypto map and so gets encrypted and is sent to ipsec peer.

However, I agree that the external interface should be the place where to place this crypto map so that you can be sure of a correct behaviour for all internal vlans in net 10/8 like acl 160

access-list 160 permit ip host 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255

For example we have used this trick on a remote site that has a secondary crypto map applied to a loopback interface.

Hope to help

Giuseppe

subra4u · ‎07-22-2009

Hi,

Thanks for your Inputs.

Now we would like to do some natting on the VPN like for e.g. 10.10.10.10 Xlated to 192.168.10.10 for the remote subnet. How do we assign the the inside and outside interface?

Thx,

Sundar

Giuseppe Larosa · ‎07-22-2009

Hello Sundar,

you should use GRE inside IPSec for achieving this

the GRE traffic becomes the only one to be encrypted

remote ip subnet has to point to the GRE tunnel with a static route

GRE tunnel is the place where to put the ip nat outside command

tunnel GRE destination has to be reached via the interface where the crypto map is applied.

Hope to help

Giuseppe

subra4u · ‎07-22-2009

Hi Giuseppe,

We are trying to introduce NAT into the environmet without the remote end intervention.PLease let me know, if we could achieve this.

Thx,

Sundar