VPN configuration on cisco 1941

Zigmunds Vitins · ‎04-27-2010

Hi all,

first time I try to create VPN between two Cisco routers, but unsuccessfully.

I have Cisco1941 and Cisco 2811, configuration on my 1941 router are:

router#sh run
Building configuration...

Current configuration : 5601 bytes
!
! Last configuration change at 17:01:49 PCTime Tue Apr 27 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login exvpnxauth local
aaa authorization network ezvpnnetwork local
!
!
aaa session-id common
!
no ipv6 cef
no ip source-route
ip cef
!
!
no ip bootp server
!
multilink bundle-name authenticated
!
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh version 2
no ip rcmd domain-lookup
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key vpnpassword address 2.3.4.5
!
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map Cisco-vpn 10 ipsec-isakmp
set peer 2.3.4.5
set transform-set STRONG
set pfs group2
match address 122
!
!
interface Loopback0
ip address 20.20.20.20 255.255.255.255
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
!
!
interface GigabitEthernet0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 570
ip address 2.2.2.2 255.255.255.248
ip access-group 110 in
ip nat outside
ip virtual-reassembly
no cdp enable
crypto map Cisco-vpn
!
interface GigabitEthernet0/1
description internal-net
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip nat inside source static 10.10.10.2 2.2.2.3
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
logging trap debugging
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 10 permit 10.10.10.2
access-list 10 deny any
access-list 110 permit tcp any any established
access-list 110 permit icmp any any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit tcp host 2.3.4.5 host 2.2.2.2
access-list 110 permit udp any any
access-list 110 permit gre any any
access-list 122 permit ip 10.10.10.0 0.0.0.255 10.3.0.0 0.0.255.255
!
no cdp run

!
!
!
!
!
control-plane
!
!
!

Whats is wrong in this config?

In logs I can not see any error about VPN.

Thanks.

Federico Coto Fajardo · ‎04-27-2010

Hi,

The VPN (interesting traffic) should flow between these two networks:

10.10.10.0 0.0.0.255 and 10.3.0.0 0.0.255.255

Try to send traffic between these networks and please post the output of the following two commands:

sh cry isa sa

sh cry ips sa

Federico.

Zigmunds Vitins · ‎04-27-2010

#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

#sh cry ips sa

interface: GigabitEthernet0/0.1
Crypto map tag: vpn-test, local addr 2.2.2.2

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
   current_peer 2.3.4.5 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 2.3.4.5
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

Zigmunds Vitins · ‎04-28-2010

Hi all,

I found my mistake, I forgot to allow esp from peer IP.

Now VPN is up and running

Thanks.

nasirbh78 · ‎08-04-2019

Hi;

I want to connect two branches by using Cisco 1941. can you send me working configuration .... I have internet router with static public ip address on both sides...

How to configure VPN site-to-site ... please help me sir...

nasirbh78 · ‎08-04-2019

Hi Sir;

Can you add allow esp from peer IP with your whole script and copy here sir.. sir i have 2 cisco 1941 routers want to connect two branches please help me sir ...

Where i will configure public internet ip address.. I have internet router provided by ISP .. please help the steps .. i will be grateful to you sir ....

Rob Ingram · ‎08-04-2019

Hi,

Examples on how to configure a Site-to-Site VPN on Cisco routers, here and here.

HTH