1038 Views | 0 Helpful | 7 Replies

site to site VPN

support.golan
Level 1

hello

I have a couple of questions.

I am using a Cisco 1841 router.

1. Can I create a site-to-site VPN from my Cisco 1841 router to a Check Point FW?

2. I am already using a VPN on my Cisco 1841 router; can I add one more VPN to my existing router?

thanks

golan

7 Replies

Hi Golan,

1. Definitely you can connect both devices using IPsec. IPsec is a standard and therefore can work between different vendors.

2. You can have multiple L2L and remote access VPNs terminating on the same router.

Federico.

Thanks

hello

Can you assist me and let me know how I can configure the site-to-site VPN from my Cisco 1841 router to the Check Point FW?

thanks

golan

Hi,

Decide your Phase-1 IKE and Phase-2 IPsec parameters.

Configuration for your reference:

! isakmp phase
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key 123456 address 159.44.123.44

! IPsec phase
crypto ipsec transform-set TEST esp-des esp-md5-hmac

crypto map CISCO 1 ipsec-isakmp
 set peer 159.44.123.44
 set transform-set TEST

interface gig 1/0
 ip address 10.10.10.1 255.255.255.252
 crypto map CISCO
 no ip redirects
 no ip unreachables
 ip mtu 1500
 ip route-cache flow

Cheers.

Saurabh Joshi

Please see my sh run below.


Adsl#show run
Building configuration...

Current configuration : 5543 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Adsl
!
boot-start-marker
boot-end-marker
!
enable password 7 144614590A162C2922
!
no aaa new-model
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.155.94.1
!
ip dhcp pool Dhcp
   network x.x.x.0 255.255.255.0
   dns-server y.y.y.y
   default-router 10.155.94.1
!
!
ip multicast-routing
vpdn enable
!
!
password encryption aes
!
crypto pki trustpoint TP-self-signed-2271325173
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2271325173
revocation-check none
rsakeypair TP-self-signed-2271325173
!
!
crypto pki certificate chain TP-self-signed-2271325173
certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32323731 33323531 3733301E 170D3130 30333232 30393038
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32373133
  32353137 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C9C2 4BE4EE8E C16A3750 1136E6C1 89C135AE 6C1590AE BF60C4E5 22EAD985
  CD069EA0 90D786B7 5D892A81 F31D5BF7 05A96250 29771870 83C56998 F618D6EA
  17D71040 1488A8F2 8671C00F 79E27839 C85365ED E8042C15 48C17AC6 CD221232
  E9DC9567 545E5115 31F19771 618F7C26 DE20FB9E 5A9F3122 D5AC8803 0681217C
  1DC30203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 0750692D 4164736C 301F0603 551D2304 18301680 14E8A09B
  1344513B 24D5BE20 E9B7D2F8 D47CC29A DA301D06 03551D0E 04160414 E8A09B13
  44513B24 D5BE20E9 B7D2F8D4 7CC29ADA 300D0609 2A864886 F70D0101 04050003
  818100B7 C2822874 CCC9E94B A8A550D7 EA41799A C32A747E 8B1BCAD2 5244A8FB
  8D6C790F FA2233A5 E63C88E1 41D051A4 834D0468 3D2B5EC1 A853CAFF 2270CC58
  B7BB9ACD 8EBC4E01 715694E0 695EB15F BE0C8FCB 39A9F0D0 4382B757 29B1ED93
  865026C4 F839AA4B EB029883 10FFB645 3A9129A9 839BBCB2 9F4FD296 E88FEBDA 5F2639
  quit
username golana privilege 15 secret 5 $1$wYi6$2uO1W8ujwU/X7vG5CmW0j0
!
!
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
crypto isakmp key 6 NaVD^_BObeIK\ZCbCKdiaeZScJHGCZQVSYIgRHVYVF[ag address 164.74.129.2
!
!
crypto ipsec transform-set vpngolan esp-3des esp-md5-hmac
!
crypto map vpngolan 1 ipsec-isakmp
set peer z.z.z.z
set transform-set cmevpn
match address 199
!
!
!
interface Tunnel0
ip address 10.155.2.54 255.255.255.252
ip pim sparse-mode
tunnel source 10.155.0.94
tunnel destination 10.155.254.1
!
interface Loopback0
ip address 10.155.0.94 255.255.255.255
!
interface FastEthernet0/0
description Lan-Office
ip address 10.155.94.1 255.255.255.0
ip pim sparse-mode
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Wan-Office
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Vlan1
no ip address
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname a@111
ppp chap password 7
ppp pap sent-username b@012 password 7 06175E361E4B5A
crypto map cmevpn
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.132.19.0 255.255.255.0 Tunnel0
!
no ip http server
no ip http secure-server
ip pim rp-address 10.132.19.9
ip mroute 10.132.19.0 255.255.255.0 Tunnel0
ip nat inside source list 100 interface Dialer1 overload
!
access-list 1 permit 10.155.94.0 0.0.0.255
access-list 69 permit 80.178.95.33
access-list 100 deny   ip 10.155.94.0 0.0.0.255 10.135.70.0 0.0.0.255
access-list 100 deny   ip 10.155.94.0 0.0.0.255 10.135.71.0 0.0.0.255
access-list 100 deny   ip 10.155.94.0 0.0.0.255 10.135.172.0 0.0.0.255
access-list 100 deny   ip 10.155.94.0 0.0.0.255 10.135.173.0 0.0.0.255
access-list 100 deny   ip 10.155.94.0 0.0.0.255 10.140.120.0 0.0.0.255
access-list 100 deny   ip 10.155.94.0 0.0.0.255 10.140.18.0 0.0.0.255
access-list 100 deny   ip 10.155.94.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 100 deny   ip 10.155.94.0 0.0.0.255 10.1.63.0 0.0.0.255
access-list 100 deny   gre host 10.155.0.94 host 10.155.254.1
access-list 100 permit ip 10.155.94.0 0.0.0.255 any
access-list 199 permit ip 10.155.94.0 0.0.0.255 10.135.70.0 0.0.0.255
access-list 199 permit ip 10.155.94.0 0.0.0.255 10.135.71.0 0.0.0.255
access-list 199 permit ip 10.155.94.0 0.0.0.255 10.135.172.0 0.0.0.255
access-list 199 permit ip 10.155.94.0 0.0.0.255 10.135.173.0 0.0.0.255
access-list 199 permit ip 10.155.94.0 0.0.0.255 10.140.120.0 0.0.0.255
access-list 199 permit ip 10.155.94.0 0.0.0.255 10.140.18.0 0.0.0.255
access-list 199 permit ip 10.155.94.0 0.0.0.255 10.1.16.0 0.0.0.255
access-list 199 permit ip 10.155.94.0 0.0.0.255 10.1.63.0 0.0.0.255
access-list 199 deny   ip 10.155.94.0 0.0.0.255 any
access-list 199 permit gre host 10.155.0.94 host 10.155.254.1
dialer-list 1 protocol ip permit
snmp-server community mrtg-pi RO 69
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
password 7 065709734A5C0F1B03
login local
!
scheduler allocate 20000 1000
end

What should I do to configure the VPN, please?
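The show run above already contains the kind of mismatch that leaves a crypto map doing nothing: the entry crypto map vpngolan 1 references transform-set cmevpn, which is not defined (the defined one is named vpngolan), and Dialer1 binds crypto map cmevpn, which has no entries in the posted config. The script below is an added example, not code from the thread or from Cisco: it parses an IOS running config and reports dangling references between interfaces, crypto map entries, transform-sets, pre-shared keys and ACLs, and flags legacy IKE/IPsec algorithms. The embedded sample is constructed from the post with a placeholder peer address and key.

```python
"""Consistency check for the crypto-map wiring of a Cisco IOS running config (added example)."""
from types import SimpleNamespace
from typing import List

LEGACY = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}  # flagged as legacy

def parse_config(text: str) -> SimpleNamespace:
    """One pass over the config; indentation is ignored so unindented forum pastes parse too."""
    cfg = SimpleNamespace(transform_sets={}, isakmp_policies={}, isakmp_keys=set(),
                          map_entries=[], interface_maps={}, acls=set())
    section = None  # ("interface", name) | ("policy", prio) | ("map", entry dict)
    for raw in text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "interface" and len(tok) == 2:
            section = ("interface", tok[1]); continue
        if tok[:3] == ["crypto", "isakmp", "policy"]:
            cfg.isakmp_policies[tok[3]] = {}; section = ("policy", tok[3]); continue
        if tok[:2] == ["crypto", "map"] and len(tok) >= 5 and tok[4].startswith("ipsec-"):
            entry = {"name": tok[2], "seq": tok[3], "peers": [], "ts": None, "acl": None}
            cfg.map_entries.append(entry); section = ("map", entry); continue
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg.transform_sets[tok[3]] = tok[4:]; section = None; continue
        if tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok:
            cfg.isakmp_keys.add(tok[tok.index("address") + 1]); section = None; continue
        if tok[0] == "access-list" or (tok[:2] == ["ip", "access-list"] and len(tok) > 3):
            cfg.acls.add(tok[3] if tok[0] == "ip" else tok[1]); section = None; continue
        if section is None:
            continue
        kind, ctx = section
        if kind == "interface" and tok[:2] == ["crypto", "map"] and len(tok) == 3:
            cfg.interface_maps[ctx] = tok[2]          # the one map bound on this interface
        elif kind == "policy":
            cfg.isakmp_policies[ctx][tok[0]] = " ".join(tok[1:])
        elif kind == "map" and tok[:2] == ["set", "peer"]:
            ctx["peers"].append(tok[2])
        elif kind == "map" and tok[:2] == ["set", "transform-set"]:
            ctx["ts"] = tok[2]
        elif kind == "map" and tok[:2] == ["match", "address"]:
            ctx["acl"] = tok[2]
    return cfg

def check_config(cfg: SimpleNamespace) -> List[str]:
    """Returns findings; an empty list means names line up and no legacy algorithm is in use."""
    out: List[str] = []
    map_names = {e["name"] for e in cfg.map_entries}
    for intf, name in cfg.interface_maps.items():
        if name not in map_names:
            out.append(f"{intf}: crypto map '{name}' is not defined (defined: {sorted(map_names)})")
    for e in cfg.map_entries:
        tag = f"crypto map {e['name']} {e['seq']}"
        if not e["peers"]:
            out.append(f"{tag}: missing 'set peer'")
        for peer in e["peers"]:
            if peer not in cfg.isakmp_keys:
                out.append(f"{tag}: no 'crypto isakmp key ... address {peer}' for this peer")
        if e["ts"] not in cfg.transform_sets:
            out.append(f"{tag}: transform-set {e['ts']!r} is not defined (defined: {sorted(cfg.transform_sets)})")
        if e["acl"] is None:
            out.append(f"{tag}: missing 'match address' (the entry is incomplete)")
        elif e["acl"] not in cfg.acls:
            out.append(f"{tag}: access-list {e['acl']} is not defined")
    for prio, a in cfg.isakmp_policies.items():
        tag = f"isakmp policy {prio}"
        encr = a.get("encr", a.get("encryption", "des")).split()[0]  # IOS default is DES
        if encr in LEGACY:
            out.append(f"{tag}: legacy encryption '{encr}'")
        if a.get("hash", "sha") == "md5":                               # IOS default is SHA-1
            out.append(f"{tag}: legacy hash 'md5'")
        if a.get("group", "1") in ("1", "2"):                           # IOS default is group 1
            out.append(f"{tag}: DH group {a.get('group', '1')} is weak by current standards")
    for name, algos in cfg.transform_sets.items():
        weak = [x for x in algos if x in LEGACY]
        if weak:
            out.append(f"transform-set {name}: legacy algorithms {weak}")
    return out

# Constructed sample modelled on the show run in the thread: the peer address and the
# pre-shared key are placeholders; the name mismatches are the ones visible in the post.
SAMPLE_AS_POSTED = """\
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key 6 PLACEHOLDER-KEY address 192.0.2.1
crypto ipsec transform-set vpngolan esp-3des esp-md5-hmac
crypto map vpngolan 1 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set cmevpn
 match address 199
interface Dialer1
 ip address negotiated
 crypto map cmevpn
access-list 199 permit ip 10.155.94.0 0.0.0.255 10.135.70.0 0.0.0.255
"""

if __name__ == "__main__":
    for finding in check_config(parse_config(SAMPLE_AS_POSTED)):
        print("-", finding)
```

Run it against the output of show running-config on the router (or paste the text into the sample string); on the constructed sample it reports the two dangling names, the MD5/3DES/group-1 policy and the 3DES/MD5 transform-set. A run with no findings is the point at which it is worth looking at the peer side rather than the router.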

hello

I set all the configuration as you told me,

but when I am trying to add the crypto map on my dialer interface it overwrites the existing one.

What should I do?

interface gig 1/0
 ip address 10.10.10.1 255.255.255.252
 crypto map CISCO
 no ip redirects
 no ip unreachables
 ip mtu 1500
 ip route-cache flow

thanks

golan
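On IOS an interface carries exactly one crypto map, so applying a map with a different name to Dialer1 replaces the map already bound there; a second peer is added as a second sequence entry under the same map name. The configuration below is an added example, not configuration from the thread or from Cisco. It assumes the map already on Dialer1 is called cmevpn (as in the show run), a placeholder Check Point peer address 203.0.113.10, a placeholder encryption domain 192.168.50.0/24, a placeholder pre-shared key, and an IOS release on the 1841 that supports AES-256, SHA-1 and DH group 14 (otherwise pick the strongest set both sides support). Phase 1 and Phase 2 values have to match what is set on the Check Point community.

```cisco
! Phase 1: an additional ISAKMP policy for the Check Point peer. Policies are tried
! in priority order (lowest number first), so the existing policy 2 stays in place.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key for the Check Point gateway (placeholder address and key)
crypto isakmp key CHANGE-ME-PSK address 203.0.113.10
!
! Phase 2 proposal; must match the Phase 2 settings of the Check Point VPN community
crypto ipsec transform-set CP-TS esp-aes 256 esp-sha-hmac
!
! Interesting traffic: office LAN to the Check Point encryption domain (placeholder subnet)
ip access-list extended CP-VPN
 permit ip 10.155.94.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! Exempt that traffic from the NAT overload in access-list 100. Appending to a numbered
! ACL lands after its final 'permit ip ... any', so insert with a sequence number that
! sorts before it (confirm the permit's number with 'show access-lists 100').
ip access-list extended 100
 95 deny ip 10.155.94.0 0.0.0.255 192.168.50.0 0.0.0.255
!
! Second entry in the map that Dialer1 already carries. Entry 1 (the existing peer)
! is left untouched; the new peer is selected by its own sequence number.
crypto map cmevpn 2 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set CP-TS
 match address CP-VPN
!
! No change needed here: the interface keeps its single map, which now has two entries.
interface Dialer1
 crypto map cmevpn
```

Bring the tunnel up by sending traffic from the LAN to the remote subnet, then check show crypto map (both entries listed under cmevpn), show crypto isakmp sa (Phase 1 in QM_IDLE) and show crypto ipsec sa (encaps and decaps counters rising on both sides). Two interop points to watch with Check Point: the encryption domain and proposals on that side must line up with the ACL and the transform-set here, and the community's tunnel-sharing setting should be one tunnel per subnet pair so the Check Point gateway proposes the same selectors the ACL expects. Note also that Dialer1 gets its address by negotiation; a site-to-site peer needs a router address the Check Point side can be told about.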

hello

Are you there?

golan
