IPSec VPN

Answered Question
Sep 3rd, 2010

Can anyone point me to the simplest way to create an IPSec VPN to allow and encrypt traffic from the corporate office and a branch location? Do I need to create a GRE tunnel for this to work?

Correct Answer
Jon Marshall Fri, 09/03/2010 - 14:11
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

raulzulueta wrote:


Can anyone point me to the simplest way to create an IPSec VPN to allow and encrypt traffic from the corporate office and a branch location? Do I need to create a GRE tunnel for this to work?


No, you don't need to use GRE unless you need a routing protocol to run between the 2 sites.


You don't say which devices but here is a link to a lot of IPSEC configuration examples. You should be able to find one that is relevant -


http://www.cisco.com/en/US/customer/tech/tk583/tk372/tech_configuration_examples_list.html


Jon

raulzulueta Fri, 09/03/2010 - 14:49

The branch office will have a C1941w router and the main office has a C1811 router. One branch office that will also have an IPSec VPN has a C2811 router. Are there different configurations for the different routers?

Correct Answer
Jon Marshall Fri, 09/03/2010 - 14:53

raulzulueta wrote:


The branch office will have a C1941w router and the main office has a C1811 router. One branch office that will also have an IPSec VPN has a C2811 router. Are there different configurations for the different routers?


No, the configurations should be the same for all routers, i.e. they don't change per router model.


Jon

raulzulueta Sun, 09/05/2010 - 12:32

I am having a problem getting the VPN up.

My remote TOR office has an ip address of eee.fff.ggg.212 for the VPN endpoint and internal networks of 10.6.0.0 255.255.0.0

My main SF office has an ip address of aaa.bbb.ccc.67 for the VPN endpoint and internal networks of 192.168.0.0 255.255.0.0

I have the running-config attached. What am I missing to get these 2 endpoints up?

Thanks for all your help. I have not used Cisco IOS for creating VPNs. I thought it would be easier than this.

Attachment: 
Jon Marshall Sun, 09/05/2010 - 12:45

raulzulueta wrote:


I am having a problem getting the VPN up.

My remote TOR office has an ip address of eee.fff.ggg.212 for the VPN endpoint and internal networks of 10.6.0.0 255.255.0.0

My main SF office has an ip address of aaa.bbb.ccc.67 for the VPN endpoint and internal networks of 192.168.0.0 255.255.0.0

I have the running-config attached. What am I missing to get these 2 endpoints up?

Thanks for all your help. I have not used Cisco IOS for creating VPNs. I thought it would be easier than this.


Couple of things -


1) make sure the acls you use in your crypto map on each router are a mirror of the other one, i.e. on SF you have 10.0.0.0 0.255.255.255, on TOR you have 10.6.0.0 0.0.255.255, although one includes the other so it shouldn't matter too much.


2) what is happening with NAT on SF - you don't seem to have an ip nat inside source .... etc. statement ?


Can you run some debugging when you try the VPN ie.


debug crypto ipsec sa

debug crypto isakmp


note debugging can impact the CPU of the router so don't do this during peak usage.


Jon

Jon Marshall Sun, 09/05/2010 - 12:55

Raul


One other point. How are you testing the VPN ? Ideally it should be from one of the 192.x.x.x hosts to one of the 10.6.x.x hosts (or vice-versa ) eg. a ping should do it.


Jon

Correct Answer
gatlin007 Sun, 09/05/2010 - 14:30
User Badges:
  • Silver, 250 points or more

I'm a bit concerned because TOR and SF could be military acronyms; but hope they are not.

There are a few conflicts here.

An ISAKMP policy is defined on TOR peer but not SF peer.  The ISAKMP policies must match as there is no default policy for pre-shared keys.

There are GRE tunnel interfaces yet the config has the feel of a traditional IPSEC tunnel.  Crypto maps never go on tunnel interfaces.  I suggest deleting the tunnel interfaces to prevent confusion.

The ACLs do not match; and they must.  IPSEC ACLs must be exact mirrors of each other.  SF is matching 10/8 destined to 192./8.  TOR is matching 192/8 destined to 10.6/16.  This pairing will never result in a valid IPSEC SA.

NAT has been configured on SF interfaces yet there are not NAT rules configured.  Either the config is incomplete or there is no NAT occurring on this host.


Chris

raulzulueta Sun, 09/05/2010 - 21:55

They are not military related. I will make the changes you recommended and let you know how it goes. Thanks for the assist. I hope I can get this tunnel up soon. Cisco VPN IOS configuration is a bit challenging.
