05-07-2010 09:29 AM
Hi Guys, I am currently trying to configure a VPN link between 2 sites; I have replaced some crypto maps with IPsec tunnel interfaces instead. However, I am unsure what configuration lines are still required. Below are snippets of the configuration; both sites have similar configurations. The documentation I found doesn't show the use of the crypto isakmp policy line, but when I remove it the link fails to establish.
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 20000
!
!
crypto isakmp key keygoeshere address xxx.xxx.xxx.xxx
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile Site-to-Site
 set transform-set ESP-3DES-SHA1
!
!
interface Tunnel0
 description --- Connection to WA ---
 ip address 192.168.250.1 255.255.255.252
 tunnel source Dialer1
 tunnel destination xxx.xxx.xxx.xxx
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Site-to-Site
!
router rip
 version 2
 passive-interface Vlan1
 network 192.168.1.0
 network 192.168.250.0
!
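The question above is really "which crypto lines does the tunnel still depend on?". The following is an added example, not part of the original post or of any Cisco tool: a small Python checker that walks the dependency chain in an IOS VTI snippet (tunnel protection -> ipsec profile -> transform-set), confirms a pre-shared key exists for the tunnel destination, confirms at least one isakmp policy is present for phase 1, and flags algorithm choices (3DES, MD5, DH groups 1 and 2) that are weak by current standards. The sample config is the poster's snippet with the redacted peer address replaced by a constructed documentation address (203.0.113.10).

```python
"""Added example: dependency and weak-algorithm checker for an IOS IPsec VTI
config.  Not Cisco code; the sample config is constructed from the post."""
import re

# Constructed sample: the poster's snippet with a placeholder peer address.
SAMPLE_CONFIG = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 20000
!
crypto isakmp key keygoeshere address 203.0.113.10
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile Site-to-Site
 set transform-set ESP-3DES-SHA1
!
interface Tunnel0
 description --- Connection to WA ---
 ip address 192.168.250.1 255.255.255.252
 tunnel source Dialer1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Site-to-Site
!
"""

WEAK_ALGS = {"des", "3des", "md5"}   # deprecated in Cisco's own crypto guidance
SECTION_HEADERS = re.compile(r"^(crypto isakmp policy|crypto ipsec profile|interface) ")


def parse_sections(text):
    """Split IOS config into top-level lines and a dict of
    section header -> list of indented sub-commands.  '!' closes a section."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith(" "):
            if current is not None:          # orphaned sub-commands are ignored
                sections[current].append(line.strip())
            continue
        top.append(line)
        if SECTION_HEADERS.match(line):
            current = line
            sections[line] = []
        else:
            current = None
    return top, sections


def check_vti(config):
    """Return a list of findings: MISSING (tunnel cannot come up), undefined
    references, or WEAK (negotiates, but with deprecated algorithms)."""
    top, sections = parse_sections(config)
    findings = []
    policies = [h for h in sections if h.startswith("crypto isakmp policy ")]
    if not policies:
        findings.append("MISSING: no 'crypto isakmp policy' -> IKE phase 1 cannot negotiate")
    transform_sets, keys = {}, {}
    for line in top:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            transform_sets[m.group(1)] = m.group(2).split()
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", line)
        if m:
            keys[m.group(2)] = m.group(1)
    for header, body in sections.items():
        if not header.startswith("interface Tunnel"):
            continue
        dest = profile = None
        for cmd in body:
            m = re.match(r"tunnel destination (\S+)", cmd)
            dest = m.group(1) if m else dest
            m = re.match(r"tunnel protection ipsec profile (\S+)", cmd)
            profile = m.group(1) if m else profile
        if profile is None:
            findings.append(f"MISSING: {header} has no 'tunnel protection' -> traffic would leave unencrypted")
            continue
        prof_body = sections.get(f"crypto ipsec profile {profile}")
        if prof_body is None:
            findings.append(f"{header}: references undefined ipsec profile {profile}")
            continue
        for cmd in prof_body:
            if cmd.startswith("set transform-set"):
                ts = cmd.split()[2]
                if ts not in transform_sets:
                    findings.append(f"profile {profile}: undefined transform-set {ts}")
                    continue
                for alg in transform_sets[ts]:          # e.g. esp-3des -> tokens esp, 3des
                    if any(tok in WEAK_ALGS for tok in alg.split("-")):
                        findings.append(f"WEAK: transform-set {ts} uses {alg}")
        if dest and dest not in keys:
            findings.append(f"MISSING: no 'crypto isakmp key ... address {dest}' for {header}")
    for header in policies:
        for cmd in sections[header]:
            parts = cmd.split()
            if parts[0] in ("encr", "hash") and parts[1] in WEAK_ALGS:
                findings.append(f"WEAK: {header} uses '{cmd}'")
            if parts[0] == "group" and int(parts[1]) <= 2:
                findings.append(f"WEAK: {header} uses DH {cmd} (1024-bit or smaller)")
    return findings


if __name__ == "__main__":
    for f in check_vti(SAMPLE_CONFIG):
        print(f)
```

Run against the sample, the checker reports nothing missing (which is consistent with the link working while the policy is present) and four WEAK findings; deleting the `crypto isakmp policy` block, the transform-set or the pre-shared key from the sample produces a MISSING or undefined-reference finding instead.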
05-07-2010 09:33 AM
Andrew,
If you plan to use IPsec as the VPN protocol, you cannot remove the crypto isakmp policy (because it is used for phase 1 negotiation between the VPN endpoints).
You're using IPsec profiles, is this because you're establishing VTI or GRE VPN tunnels?
What kind of VPN are you trying to establish?
Federico.
05-07-2010 09:38 AM
That makes sense. Does the number for the policy matter, as it's not linked anywhere?
I am using an IPsec SVTI; the main goal is to ensure the best security (well, near best) possible between the 2 sites.
The final goal is to link branch offices (4) across the country to a central router, they all have Cisco 877 routers and I am looking at the possibility of replacing the central router with a higher end to handle the extra load.
PS. They all use ADSL2 as their WAN links
05-07-2010 09:44 AM
The number in the crypto isakmp policy is just a local identifier (it does not matter which number it is).
The only role of that number is that when a VPN connection against the router is attempted, the peer will look at the crypto isakmp policies in sequential order until finding a match (so the number is only relevant in case you have multiple crypto isakmp policies and you need to have them in a certain order).
The advantage of using VTI is that it simplifies configuration and allows multicast traffic to pass through the tunnel (as opposed to regular IPsec traffic which only allows IP unicast packets).
You should not have a problem with the implementation. Let us know if you have any questions.
Federico.
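To make the ordering point concrete, here is an added example (not from the original thread and not Cisco code) that simulates the IKEv1 phase 1 matching rule as Cisco documents it: the responder walks its own isakmp policies in ascending priority number and accepts the first one whose encryption, hash, authentication and DH group equal a peer proposal and whose lifetime is at least the peer's; the peer's (shorter or equal) lifetime is then used. All policies and proposals below are constructed.

```python
"""Added example: IKEv1 phase 1 policy selection, modelled on Cisco's documented
matching rule.  Policies/proposals are constructed, not taken from a device."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # the 'crypto isakmp policy N' number: ordering only
    encr: str
    hash: str
    auth: str
    group: int
    lifetime: int = 86400  # IOS default lifetime in seconds


def select_policy(local: List[IsakmpPolicy],
                  peer: List[IsakmpPolicy]) -> Optional[Tuple[IsakmpPolicy, IsakmpPolicy, int]]:
    """Responder-side matching: check local policies from lowest number
    upward; for each, accept the first peer proposal with identical
    encr/hash/auth/group and a lifetime <= the local one.  Returns
    (local_policy, peer_proposal, negotiated_lifetime) or None."""
    for policy in sorted(local, key=lambda p: p.priority):
        for proposal in peer:
            same_algs = (policy.encr, policy.hash, policy.auth, policy.group) == \
                        (proposal.encr, proposal.hash, proposal.auth, proposal.group)
            if same_algs and proposal.lifetime <= policy.lifetime:
                return policy, proposal, proposal.lifetime   # shorter lifetime wins
    return None


# Constructed router config: the poster's policy 3 plus a stronger policy 10.
LOCAL = [
    IsakmpPolicy(3, "3des", "md5", "pre-share", 2, 20000),
    IsakmpPolicy(10, "aes", "sha", "pre-share", 5),
]
# Constructed peer proposals: the peer lists its AES policy first.
PEER = [
    IsakmpPolicy(1, "aes", "sha", "pre-share", 5),
    IsakmpPolicy(2, "3des", "md5", "pre-share", 2, 20000),
]


def renumber(policies: List[IsakmpPolicy], old: int, new: int) -> List[IsakmpPolicy]:
    """Change only the priority number of one policy (what the poster asked about)."""
    return [IsakmpPolicy(new, p.encr, p.hash, p.auth, p.group, p.lifetime)
            if p.priority == old else p for p in policies]


if __name__ == "__main__":
    print(select_policy(LOCAL, PEER))                       # policy 3 wins: lowest number
    print(select_policy(renumber(LOCAL, 3, 30), PEER))      # now policy 10 (AES) wins
    print(select_policy(LOCAL, []))                          # no policy at all -> None
```

With policy 3 numbered lowest, the weaker 3DES/MD5 set is negotiated even though the peer offered AES first; renumbering it to 30 flips the result to AES without touching any other line, and an empty local list (the "removed the policy" case from the first post) yields no match at all. A peer proposal with a lifetime longer than the local 20000 seconds also fails to match that policy.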
05-07-2010 09:49 AM
Thank you for your very fast and accurate responses; I find the SVTIs much easier to wrap my head around than the crypto maps.
Do you have any recommendations of a slightly higher end router that has either an extra WIC slot or inbuilt backup link systems (3G etc)?
Once again thanks for your help
05-07-2010 09:54 AM
Andrew,
You might want to look at the 1800 ISRs or the new 1900 ISRs:
http://www.cisco.com/en/US/prod/collateral/routers/ps10538/data_sheet_c78_556319.html
Federico.