Basic Site-to-Site VPN Config Needed

Unanswered Question
Apr 21st, 2010

Hi There,

I'm looking for a very basic site-to-site vpn configuration for 2x 831's (v12.4).

Both sites have DSL.

The HQ has a static IP and the branch has a dynamic IP.

Each site needs to browse the internet via its own internet connection and access a server at the remote location via the VPN.

HQ(192.168.1.0/24) has static external IP

Branch(192.168.0.0/24) has Dynamic external IP

Thanks for the help,

Keith

keithatwood Wed, 04/21/2010 - 14:32

Wow, thanks for the instant response.

I've gone and tried this example, but it seems I can't ping from one router to the other. Here are my configs:

HQ CONFIG

---------------

version 12.4
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password 7 xxx
!
no aaa new-model
!
resource policy
!
!
!
ip cef
vpdn enable
!
!
!
crypto pki trustpoint TP-self-signed-268504649
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-268504649
revocation-check none
rsakeypair TP-self-signed-268504649
!
!
crypto pki certificate chain TP-self-signed-268504649
certificate self-signed 01
  quit
username acs privilege 15 password 7 xxx
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key mypass address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
set transform-set rtpset
match address 115
!
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
!
!
interface Ethernet0
description My LAN Interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
no cdp enable
!
interface Ethernet1
description Physical ADSL Interface (Facing the ISP)
no ip address
no ip mroute-cache
duplex auto
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet2
no ip address
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
description Logical ADSL Interface
ip address negotiated
ip access-group 102 in
ip access-group 101 out
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 xxx
ppp pap sent-username [email protected] password 7 xxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
crypto map rtptrans
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 deny   ip 192.168.1.0 0.0.0.255 any
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
match ip address 120
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
login local
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
end

BRANCH OFFICE CONFIG

----------------------------------------

!
version 12.4
no parser cache
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password 7 xxx
!
no aaa new-model
!
resource policy
!
!
!
ip cef
!
!
crypto pki trustpoint TP-self-signed-3981562869
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3981562869
revocation-check none
rsakeypair TP-self-signed-3981562869
!
!
crypto pki certificate chain TP-self-signed-3981562869
certificate self-signed 01
  quit
username acs privilege 15 password 7 xxx
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key mypass address 75.119.xxx.xxx
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 75.119.xxx.xxx
set transform-set rtpset
match address 115
!
!
!
interface Ethernet0
description Facing my LAN
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
no cdp enable
!
interface Ethernet1
description Facing the ISP (the WAN)
ip address dhcp
ip access-group 102 in
ip access-group 101 out
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex auto
no cdp enable
crypto map rtp
!
interface Ethernet2
no ip address
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer1
no ip address
no cdp enable
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 10 interface Ethernet1 overload
!
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 115 deny   ip 192.168.0.0 0.0.0.255 any
access-list 120 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
match ip address 120
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 xxx
logging synchronous
login
no modem enable
stopbits 1
line aux 0
password 7 xxx
login
line vty 0 4
exec-timeout 0 0
privilege level 15
password 7 xxx
login local
length 0
transport input telnet ssh
!
scheduler max-task-time 5000
end

Please disregard the fact that the branch is using DHCP and not PPPoE like I mentioned. This is just my lab environment; I have one DSL with static and one Cable with DHCP. But the live sites will both have DSL (1 static and 1 dynamic).

Thanks!

Keith

keithatwood Wed, 04/21/2010 - 16:00

I noticed one error.

Missing was --> ip nat inside source route-map nonat interface Ethernet1 overload

I've added this, but still nothing.

output of show crypto ipsec sa

R1#show crypto ipsec sa

interface: Ethernet1
    Crypto map tag: rtp, local addr 70.76.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 75.119.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 70.76.xxx.xxx, remote crypto endpt.: 75.119.xxx.xxx

     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

R2#sh crypto ipsec sa

nothing....

Keith
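An added checker, not from the thread or from Cisco, that parses the relevant lines of the two configs posted above and answers the question the zero "#pkts encaps" counters raise: is there an overload NAT rule driven by a standard ACL that permits the crypto ACL's source network with no exemption for the peer network? On IOS, inside-to-outside NAT runs before the crypto map check, so such traffic reaches the crypto ACL with a translated source and never triggers an SA. It also confirms the two crypto ACLs mirror each other. The excerpts are copied from the posted configs; everything else is the example's own code.

```python
import re

# Excerpts of the two posted configs (only the lines the checks need).
HQ = """
crypto dynamic-map rtpmap 10
 match address 115
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
"""
BRANCH = """
crypto map rtp 1 ipsec-isakmp
 match address 115
ip nat inside source list 10 interface Ethernet1 overload
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Extended ACL permit (crypto ACL) and standard ACL permit (NAT ACL) lines.
PERMIT_EXT = re.compile(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)")
PERMIT_STD = re.compile(r"access-list (\d+) permit (\d+\.\d+\.\d+\.\d+) (\S+)")
NAT_LIST = re.compile(r"ip nat inside source list (\d+) interface (\S+) overload")

def crypto_acl(cfg):
    """Return the (src, dst) 'net wildcard' pairs protected by the crypto map's ACL."""
    m = re.search(r"^\s*match address (\d+)", cfg, re.M)
    if not m:
        return set()
    return {(f"{p[2]} {p[3]}", f"{p[4]} {p[5]}")
            for p in PERMIT_EXT.finditer(cfg) if p[1] == m[1]}

def nat_conflicts(cfg):
    """Flag standard-ACL overload NAT rules that permit a protected source network.
    Such a rule translates VPN-bound packets before the crypto ACL sees them."""
    protected = {src for src, _ in crypto_acl(cfg)}
    return [f"NAT list {n[1]} on {n[2]} translates protected source {p[2]} {p[3]}"
            for n in NAT_LIST.finditer(cfg)
            for p in PERMIT_STD.finditer(cfg)
            if p[1] == n[1] and f"{p[2]} {p[3]}" in protected]

def mirrored(cfg_a, cfg_b):
    """True when each side's crypto ACL is the exact reverse of the other's."""
    return {(d, s) for s, d in crypto_acl(cfg_a)} == crypto_acl(cfg_b)

if __name__ == "__main__":
    for name, cfg in (("HQ", HQ), ("BRANCH", BRANCH)):
        print(name, nat_conflicts(cfg) or "no NAT/crypto overlap")
    print("crypto ACLs mirrored:", mirrored(HQ, BRANCH))
```

The usual remedies are to drop the list-based NAT statement in favour of the route-map one, or to add a deny for the peer network at the top of ACL 10.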

Jon Marshall Wed, 04/21/2010 - 16:38

Keith

Apologies, it's late here in the UK and I need to get up early tomorrow. Can you run the debug commands in the troubleshooting section of the document and then post the results, and I'll have a look at it tomorrow unless someone else steps in.

Jon

keithatwood Wed, 04/21/2010 - 20:24

Hey Jon,

R1#debug crypto engine
Crypto Engine debugging is on
R1#debug crypto isakmp
Crypto ISAKMP debugging is on
R1#debug crypto ipsec
Crypto IPSEC debugging is on

Shows no output....

R2#debug crypto engine
Crypto Engine debugging is on
R2#debug crypto isakmp
Crypto ISAKMP debugging is on
R2#debug crypto ipsec
Crypto IPSEC debugging is on

Shows no output

I can get a connection established using a GRE Tunnel; the only problem seems to be that GRE doesn't allow for dyndns (or similar) for a tunnel destination.

The command --> tunnel destination remotesite.dyndns.org will only resolve to an IP address, then insert that IP into the tunnel config.

Thanks again,

Keith

keithatwood Wed, 04/21/2010 - 20:59

Here is the working config for the GRE setup

R2

HQ Router

----------------

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 7200
crypto isakmp key Cisco address 0.0.0.0 0.0.0.0 no-xauth
!
!
crypto ipsec transform-set HQ_SET esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
set transform-set HQ_SET
!
!
!
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source Dialer1
tunnel destination remotesite.dyndns.org
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC_PROFILE
!
router rip
network 10.0.0.0
network 192.168.1.0
no auto-summary
!

R1

BRANCH ROUTER

--------------------------

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 7200
crypto isakmp key Cisco address 75.119.xxx.xxx no-xauth
!
!
crypto ipsec transform-set SPOKE1_SET esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
set transform-set SPOKE1_SET
!
!
!
!
interface Tunnel0
ip address 10.0.0.2 255.255.255.252
tunnel source Ethernet1
tunnel destination 75.119.xxx.xxx
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC_PROFILE
!
router rip
network 10.0.0.0
network 192.168.0.0
no auto-summary
!

The problem is... When I enter into HQ Tunnel0 ---> tunnel destination remotesite.dyndns.org

it translates into --> tunnel destination 70.76.xxx.xxx

Which I'm assuming will not update when the IP changes.

I would prefer to use the GRE Tunnel since I'm a bit more familiar with it, but I'll take whatever works.

Thanks,

Keith
