How to set up a site to site VPN between 2 cisco 1811 routers

Answered Question
Aug 26th, 2010

I need to set up a site-to-site VPN between 2 Cisco 1811 routers. My understanding is it will work something like this:

There are 2 networks (A and B). A has an IP range of 10.10.11.xx and B has an IP range of 10.10.12.xx. The site-to-site VPN will allow users in network A to ping (and use resources) from network B and vice versa. So my question is: how do I set that up using the CCP (as I don't really understand the command line yet)?

What do I put in the first box where it says select the interface for this VPN connection? My options are FastEthernet0 or Vlan. FE0 is where the internet is coming in and Vlan1 is the DHCP addresses.

I understand the next part about peer identity and authentication (here I enter in the static IP from my ISP and the pre-shared key).

Then I get to the traffic to encrypt step. What do I put in the box where it says source? Again my options are FastEthernet0 and Vlan1. Then what do I put in the destination boxes? Is it the static IP assigned by my ISP, along with the subnet, or is it the IP range I set up, 10.10.12.xx or 10.10.11.xx?

One more question; this one isn't crucial but would be nice to know. Can I connect to one of the networks remotely by SSL VPN (which does work) and use CCP to access the router remotely?

Overall Rating: 4.7 (3 ratings)
paolo bevilacqua Thu, 08/26/2010 - 15:57

Do you need encrypted traffic, or is clear traffic OK?

Do you have static or dynamic addresses?

jsandau@mpe.ca Fri, 08/27/2010 - 07:00

The traffic should be encrypted and I have a static IP address assigned by my ISP.

jsandau@mpe.ca Fri, 08/27/2010 - 13:39

Thanks, but that article gets into the command line a lot. I'm pretty new to Cisco routers and don't really understand the command line yet, so I was hoping to set up the site-to-site VPN via the Cisco Configuration Professional.

paolo bevilacqua Fri, 08/27/2010 - 13:44

I would advise you against using any GUI when it comes to getting professional results from Cisco routers.

Correct Answer
manish arora Fri, 08/27/2010 - 14:13

On router A with subnet 10.x.11.0/24, the source will be 10.x.11.0 255.255.255.0 and the destination will be 10.x.12.0 255.255.255.0.

On router B with subnet 10.x.12.0/24, the source will be 10.x.12.0 255.255.255.0 and the destination will be 10.x.11.0 255.255.255.0. Not sure if IOS needs wildcards or subnets for the ACL, but you can always verify that. Also, these are called crypto ACLs, and they distinguish the traffic that needs to be encrypted before sending it out using IPsec.

Also, it is always better to use the CLI than the GUI, and I agree with that part.


Thanks

Manish

jsandau@mpe.ca Fri, 08/27/2010 - 14:38

OK, that's good. But in the first box that says select this interface for this VPN connection I have two choices, Vlan1 and FastEthernet0. Which one do I pick?


While it probably is better to configure it with the CLI, I don't have time right now to learn the CLI (management wants this VPN set up soon), so for now I'll use the GUI and learn the CLI when I have time.

manish arora Fri, 08/27/2010 - 14:47

I would say FastEthernet 0. Try to configure it with that GUI; if it works then fine, otherwise post the sh run of both the routers and we can then resolve the problem faster by looking at the configuration.

Remove passwords and public IPs, like this example: 4.2.2.2 -> x.x.2.2.

Thanks

Manish
