IPSec VPN

raulzulueta
Level 1

Can anyone point me to the simplest way to create an IPSec VPN to allow and encrypt traffic from the corporate office and a branch location? Do I need to create a GRE tunnel for this to work?


9 Replies

Jon Marshall
Hall of Fame

raulzulueta wrote:

Can anyone point me to the simplest way to create an IPSec VPN to allow and encrypt traffic from the corporate office and a branch location? Do I need to create a GRE tunnel for this to work?

No, you don't need to use GRE unless you need a routing protocol to run between the 2 sites.

You don't say which devices, but here is a link to a lot of IPSEC configuration examples. You should be able to find one that is relevant -

http://www.cisco.com/en/US/customer/tech/tk583/tk372/tech_configuration_examples_list.html

Jon

The branch office will have a C1941w router and the main office has a C1811 router. One branch office that will also have an IPSec VPN has a C2811 router. Are there different configurations for the different routers?

raulzulueta wrote:

The branch office will have a C1941w router and the main office has a C1811 router. One branch office that will also have an IPSec VPN has a C2811 router. Are there different configurations for the different routers?

No, the configurations should be the same for all routers, i.e. they don't change per router model.

Jon

I am having a problem getting the VPN up.

My remote TOR office has an IP address of eee.fff.ggg.212 for the VPN endpoint and internal networks of 10.6.0.0 255.255.0.0

My main SF office has an IP address of aaa.bbb.ccc.67 for the VPN endpoint and internal networks of 192.168.0.0 255.255.0.0

I have the running-config attached. What am I missing to get these 2 endpoints up?

Thanks for all your help. I have not used Cisco IOS for creating VPNs. I thought it would be easier than this.

raulzulueta wrote:

I am having a problem getting the VPN up.

My remote TOR office has an IP address of eee.fff.ggg.212 for the VPN endpoint and internal networks of 10.6.0.0 255.255.0.0

My main SF office has an IP address of aaa.bbb.ccc.67 for the VPN endpoint and internal networks of 192.168.0.0 255.255.0.0

I have the running-config attached. What am I missing to get these 2 endpoints up?

Thanks for all your help. I have not used Cisco IOS for creating VPNs. I thought it would be easier than this.

Couple of things -

1) Make sure the ACLs you use in your crypto map on each router are a mirror of the other one, i.e. on SF you have 10.0.0.0 0.255.255.255, on TOR you have 10.6.0.0 0.0.255.255, although one includes the other so it shouldn't matter too much.

2) What is happening with NAT on SF - you don't seem to have an ip nat inside source .... etc. statement?

Can you run some debugging when you try the VPN, i.e.

debug crypto ipsec sa

debug crypto isakmp

Note: debugging can impact the CPU of the router, so don't do this during peak usage.

Jon

Raul

One other point. How are you testing the VPN? Ideally it should be from one of the 192.x.x.x hosts to one of the 10.6.x.x hosts (or vice versa), e.g. a ping should do it.

Jon

Here are the debug outputs from both sides.

And the NAT in SF.

I'm a bit concerned because TOR and SF could be military acronyms; but hope they are not.

There are a few conflicts here.

An ISAKMP policy is defined on the TOR peer but not the SF peer. The ISAKMP policies must match as there is no default policy for pre-shared keys.

There are GRE tunnel interfaces yet the config has the feel of a traditional IPSEC tunnel. Crypto maps never go on tunnel interfaces. I suggest deleting the tunnel interfaces to prevent confusion.

The ACLs do not match; and they must. IPSEC ACLs must be exact mirrors of each other. SF is matching 10/8 destined to 192/8. TOR is matching 192/8 destined to 10.6/16. This pairing will never result in a valid IPSEC SA.

NAT has been configured on SF interfaces yet there are no NAT rules configured. Either the config is incomplete or there is no NAT occurring on this host.


Chris
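The mirror rule that Jon and Chris both raise can be checked mechanically before bringing the tunnel up. The following is an added example, not the posters' running-configs: a small Python checker that parses IOS numbered-ACL "permit ip" entries with wildcard masks and reports every local src->dst pair the peer does not carry as dst->src. SF_ACL, TOR_ACL and TOR_ACL_FIXED are constructed entries approximating the 10/8 -> 192/8 versus 192/8 -> 10.6/16 pairing described in the thread.

```python
import ipaddress

# Constructed entries approximating what the thread describes for SF and TOR.
SF_ACL = "access-list 101 permit ip 10.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255"
TOR_ACL = "access-list 101 permit ip 192.0.0.0 0.255.255.255 10.6.0.0 0.0.255.255"
# Constructed corrected TOR entry: the exact reverse of SF's source/destination.
TOR_ACL_FIXED = "access-list 101 permit ip 192.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255"


def _take_network(tokens):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # An IOS wildcard is the bitwise inverse of the subnet mask (contiguous bits assumed).
    mask = int(ipaddress.IPv4Address(tokens.pop(0))) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((tok, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_crypto_acl(text):
    """Return [(src_net, dst_net)] for each 'access-list N permit ip ...' line."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) > 4 and tokens[0] == "access-list" and tokens[2:4] == ["permit", "ip"]:
            rest = tokens[4:]
            entries.append((_take_network(rest), _take_network(rest)))  # src first, then dst
    return entries


def compare_crypto_acls(local, remote):
    """List local src->dst pairs that the peer does not mirror as dst->src.

    An empty list means both peers propose the same proxy identities, which is
    the exact-mirror condition the thread calls for; mere overlap is reported."""
    findings = []
    mirrored = {(dst, src) for src, dst in remote}
    for src, dst in local:
        if (src, dst) in mirrored:
            continue
        near = [(rs, rd) for rs, rd in remote if rs.overlaps(dst) and rd.overlaps(src)]
        if near:
            findings.append(f"{src}->{dst}: peer has {near[0][0]}->{near[0][1]}, overlapping but not an exact mirror")
        else:
            findings.append(f"{src}->{dst}: no mirrored entry on peer")
    return findings
```

Running compare_crypto_acls(parse_crypto_acl(SF_ACL), parse_crypto_acl(TOR_ACL)) reports the overlapping-but-not-mirrored pair; with TOR_ACL_FIXED it returns an empty list.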

They are not military related. I will make the changes you recommended and let you know how it goes. Thanks for the assist. I hope I can get this tunnel up soon. Cisco VPN IOS configuration is a bit challenging.
