How to set up a site to site VPN between 2 Cisco 1811 routers


I need to set up a site to site VPN between 2 Cisco 1811 routers. My understanding is it will work something like this:

There are 2 networks (A and B). A has an IP range of 10.10.11.xx and B has an IP range of 10.10.12.xx. The site to site VPN will allow users in network A to ping (and use resources) from network B and vice versa. So my question is: how do I set that up using the CCP (as I don't really understand the command line yet)?

What do I put in the first box where it says select the interface for this VPN connection? My options are FastEthernet0 or Vlan. FE0 is where the internet is coming in and Vlan1 is the DHCP addresses.

I understand the next part about peer identity and authentication (here I enter the static IP from my ISP and the pre-shared key).

Then I get to the traffic to encrypt step. What do I put in the box where it says source? Again my options are FastEthernet0 and Vlan1. Then what do I put in the destination boxes? Is it the static IP assigned by my ISP, along with the subnet, or is it the IP range I set up, 10.10.12.xx or 10.10.11.xx?

One more question; this one isn't crucial but would be nice to know. Can I connect to one of the networks remotely by SSL VPN (which does work) and use CCP to access the router remotely?

Paolo Bevilacqua Thu, 08/26/2010 - 15:57

Do you need encrypted traffic, or is clear traffic OK?

Do you have static or dynamic addresses?

Paolo Bevilacqua Fri, 08/27/2010 - 13:44

I would advise you against using any GUI when it comes to getting professional results from Cisco routers.

Correct Answer
manish arora Fri, 08/27/2010 - 14:13

On router A, with subnet 10.x.11.0/24, the source will be 10.x.11.0 255.255.255.0 and the destination will be 10.x.12.0 255.255.255.0.

On router B, with subnet 10.x.12.0/24, the source will be 10.x.12.0 255.255.255.0 and the destination will be 10.x.11.0 255.255.255.0. I'm not sure if IOS needs wildcards or subnets for the ACL, but you can always verify that. Also, these are called crypto ACLs, and they distinguish the traffic that needs to be encrypted before sending it out using IPsec.

Also, it is always better to use the CLI than the GUI, and I agree with that part.

Thanks

Manish

OK, that's good. But in the first box that says select this interface for this VPN connection I have two choices, Vlan1 and FastEthernet0. Which one do I pick?

While it probably is better to configure it with the CLI, I don't have time right now to learn the CLI (management wants this VPN set up soon), so for now I'll use the GUI and learn the CLI when I have time.

manish arora Fri, 08/27/2010 - 14:47

I would say FastEthernet0. Try to configure it with that GUI; if it works, then fine. Otherwise post the sh run of both the routers and we can then resolve the problem faster by looking at the configuration.

Remove passwords and public IPs, like this example: 4.2.2.2 as x.x.2.2.

Thanks

Manish
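An added example, not part of any post in this thread: a small Python check to run over the crypto ACL lines taken from each router's sh run. The mask field of an IOS extended ACL is a wildcard (inverse) mask, so a /24 is written 0.0.0.255; the check rejects a subnet mask typed in that field and confirms that router B's entry is router A's with source and destination swapped. The ACL number 100, the function names and the sample lines are assumptions made for the illustration.

```python
import ipaddress
import re

# Numbered extended ACL entry, e.g.
#   access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.12.0 0.0.0.255
ACL_RE = re.compile(
    r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to an ip_network.
    Assumption: a site-to-site crypto ACL only uses contiguous wildcards,
    so anything else (such as a subnet mask typed by mistake) is an error."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be a solid run of low-order ones
        raise ValueError(f"{wildcard} is not a contiguous wildcard mask")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}")

def crypto_acl(config, acl_id):
    """Return the set of (source, destination) networks in one ACL."""
    pairs = set()
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_id:
            _, src, swc, dst, dwc = m.groups()
            pairs.add((to_network(src, swc), to_network(dst, dwc)))
    return pairs

def is_mirrored(config_a, config_b, acl_id="100"):
    """True when B's ACL is A's with source and destination swapped."""
    a = crypto_acl(config_a, acl_id)
    b = crypto_acl(config_b, acl_id)
    return bool(a) and a == {(dst, src) for src, dst in b}

# Constructed sample lines (ACL number 100 is an assumption), using the
# two /24 networks from the question.
ROUTER_A = "access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.12.0 0.0.0.255"
ROUTER_B = "access-list 100 permit ip 10.10.12.0 0.0.0.255 10.10.11.0 0.0.0.255"

if __name__ == "__main__":
    print("mirrored:", is_mirrored(ROUTER_A, ROUTER_B))
    try:
        to_network("10.10.11.0", "255.255.255.0")
    except ValueError as err:
        print("rejected:", err)
```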
