cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2622
Views
3
Helpful
8
Replies

GRE IPSec VPN issue with mapped IP

nimalrajphilips
Level 1
Level 1

Hi,

I am trying to configure two Cisco routers (1801 & 837) for a GRE IPSec VPN. One of them has static IP and other one is a DSL connection; so a dynamic IP. We have some additional static IPs assigned to us through DSL connection. So i am trying to use a static NAT to obtain the VPN connection.Unfortuantely, the VPN connection is not comming up. Can anyone help..? The config of both the routers is attached here.

1.jpg

R1

crypto isakmp policy 10
encr 3des
authentication pre-share
group 5
lifetime 3600

!
crypto isakmp key XXXX address 11.22.33.44
!
crypto ipsec transform-set 10 ah-sha-hmac esp-3des esp-sha-hmac
!
crypto ipsec profile myprof
set transform-set 10

!

interface Tunnel10
ip address 192.168.100.1 255.255.255.0
tunnel source 22.33.44.55
tunnel destination 11.22.33.44
tunnel protection ipsec profile myprof

ip nat inside source static 192.168.3.1   22.33.44.55

R2

crypto isakmp policy 11
encr 3des
authentication pre-share
group 5
lifetime 3600
!
crypto isakmp key XXXX address 22.33.44.55
!
crypto ipsec transform-set 10 ah-sha-hmac esp-3des esp-sha-hmac
!
crypto ipsec profile myprof
set transform-set 10

!
interface Tunnel10
ip address 192.168.100.2 255.255.255.0
tunnel source 11.22.33.44
tunnel destination 22.33.44.55
tunnel protection ipsec profile myprof

FYI:- I try the same config with a loop back also with no luck. But, if i just change the R1's source IP address to be the Dynamic IP, it works fine. But, since this is a dynamic IP, i cant implement this.

Advance thanks to you all..

Nimal

1 Accepted Solution

Accepted Solutions

Hi Nimal,

If the public IP 22,33,44,55 is routable from R2, then you can use p2p gre+ipsec vpn. You can test it by creating an loopback address on R1

int lo10

ip add 22.33.44.55 255.255.255.255

and ping 22.33.44.55 source 11.22.33.44 from R2.

If that public IP is routable, you can use your configuration.

HTH,

Lei Tian

View solution in original post

8 Replies 8

wkamil123
Level 1
Level 1

Hi,

You must use DMVPN in your configuration.

You can't assign IP address to the crypto on the R2 router because you don't know what is a address.

So you must specify 0/0 IP address of the end of the IPSec tunnel.

Also, you must configure R1 router as a side that will be negotiate IPSec policy with R2.

Lei Tian
Cisco Employee
Cisco Employee

Hi Nimal,

You cannot use your static IP on R1, because SP doesnt know how to route traffic to this IP. cisco has 2 VPN solutions support dynamic IP on one site, DMVPN and EZVPN. For your case, a point to point link, you can use EZVPN. Here is a configuration example.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bdb.pdf

HTH,

Lei Tian

Hi,

As i mentioned, i have few more public IP addresses assigned to us by our ISP with the DSL connection. Can i use on of those IPs to map it LAN interface of R1 or a Loopback interface of R1 and establish the Secure VPN connection?

Before putting my hands into DMVPN, i would like to verify whether the Static NAT in the R1 will work..?

Could you please advice.

Cheers

Hi,

If you have free address on the DSL connection then you can use standard site-to-site IPSec VPN tunnel instead DMVPN.

The Loopback interfaces are used if you want forward multicasts (for example: OSPF, EIGRP). The IPSec protocol are operate on Layer 3 and forward only IP traffic. If you want to forward dynamic routing protocols packets then you must configure GRE over IPSec to traverse multicasts.

Configure tunnel interface on R1 and assign to it loopback interface as a source and destination as a outside IP address of your R2. The same do it on R2. Remember that you must create ACL to permit gre on R1 and R2.

I don't understand what about static NAT on R1? Do you have mapped hosts from inside to outside on R1?

In this situation you must create ACL which traffic are not be NAT translated.

Regards Kamil

Hi Kamil,

I am trying to use GRE/IPSec VPN. So that i can use Dynamic Routing protocols. If you go through my config, you can see it.

I have mapped a public IP to internal interface too. I have tried mapping the IP to a Loopback also. But no luck.

I havent put any accesslist for the site-to-site vpn connection. Where di i have to apply this ACL if i configured one..?

Cheers

Hi,

Please read this documents, I think this may be helpful.

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/1_p2pGRE_Phase2.html

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/5_p2pGRE.html

Hi Nimal,

If the public IP 22,33,44,55 is routable from R2, then you can use p2p gre+ipsec vpn. You can test it by creating an loopback address on R1

int lo10

ip add 22.33.44.55 255.255.255.255

and ping 22.33.44.55 source 11.22.33.44 from R2.

If that public IP is routable, you can use your configuration.

HTH,

Lei Tian

Hello Lei,

That did the trick for me. I just add the public IP address to the loopback interfae directly and configured the Source and Destination IP address accordingly. Then i enable the dynamic routing also. Working perfectly alright.

Thanks alot guys for help. I am gonna try the DMVPN and see how can improve the connectivity from different locations.

Cheers

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: