Site to Site VPN Tunnel with 2 Cisco 1921 Routers

Answered Question
Feb 22nd, 2012

Hi All,

   So OK, I'm stumped. I've created many site-to-site VPN tunnels before, but this one I just can't seem to get going. It's just a simple site-to-site VPN tunnel using pre-shared keys. I'd appreciate it if someone, anyone, could take a look at our running configs for both routers and provide a little comment. Below are the running configs for both routers. Thanks!

Router 1

=======

Current configuration : 4009 bytes
!
! Last configuration change at 19:01:31 UTC Wed Feb 22 2012 by asiuser
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SJWHS-RTRSJ
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 192.168.200.1 192.168.200.110
ip dhcp excluded-address 192.168.200.200 192.168.200.255
!
ip dhcp pool SJWHS-POOL
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.1
   dns-server 10.10.2.1 10.10.2.2
!
no ip domain lookup
ip name-server 10.10.2.1
ip name-server 10.10.2.2
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-236038042
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-236038042
 revocation-check none
 rsakeypair TP-self-signed-236038042
!
crypto pki certificate chain TP-self-signed-236038042
 certificate self-signed 01
  30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  8B1E638A EC
        quit
license udi pid CISCO1921/K9 sn xxxxxxxxxx
!
redundancy
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key presharedkey address 112.221.44.18
!
crypto ipsec transform-set IPSecTransformSet1 esp-3des esp-md5-hmac
!
crypto map CryptoMap1 10 ipsec-isakmp
 set peer 112.221.44.18
 set transform-set IPSecTransformSet1
 match address 100
!
interface GigabitEthernet0/0
 ip address 192.168.200.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Wireless Bridge
 ip address 172.17.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 description Verizon DSL for VPN Failover
 ip address 171.108.63.159 255.255.255.0
 duplex auto
 speed auto
 crypto map CryptoMap1
!
router eigrp 88
 network 172.17.1.0 0.0.0.255
 network 192.168.200.0
 redistribute static
 passive-interface GigabitEthernet0/0
 passive-interface FastEthernet0/0/0
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.17.1.1
ip route 112.221.44.18 255.255.255.255 171.108.63.1
!
access-list 100 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255
!
control-plane
!
line con 0
 logging synchronous
 login local
line aux 0
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

=======

Router 2

=======

Current configuration : 3719 bytes
!
! Last configuration change at 18:52:54 UTC Wed Feb 22 2012 by asiuser
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SJWHS-RTRHQ
!
boot-start-marker
boot-end-marker
!
logging buffered 1000000
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3490164941
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3490164941
 revocation-check none
 rsakeypair TP-self-signed-3490164941
!
crypto pki certificate chain TP-self-signed-3490164941
 certificate self-signed 01
  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  EA1455E2 F061AA
        quit
license udi pid CISCO1921/K9 sn xxxxxxxxxx
!
redundancy
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key presharedkey address 171.108.63.159
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set IPSecTransformSet1 esp-3des esp-md5-hmac
!
crypto map CryptoMap1 10 ipsec-isakmp
 set peer 171.108.63.159
 set transform-set IPSecTransformSet1
 match address 100
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.10.1.6 255.255.0.0
!
interface GigabitEthernet0/1
 ip address 172.17.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
 ip address 112.221.44.18 255.255.255.248
 duplex auto
 speed auto
 crypto map CryptoMap1
!
router eigrp 88
 network 10.10.0.0 0.0.255.255
 network 172.17.1.0 0.0.0.255
 redistribute static
 passive-interface GigabitEthernet0/0
 passive-interface GigabitEthernet0/0.1
!
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 112.221.44.17
!
access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.200.0 0.0.0.255
!
control-plane
!
line con 0
 logging synchronous
 login local
line aux 0
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

rizwanr74 Wed, 02/22/2012 - 12:04

Apply this on Router1

interface Tunnel0
ip address 3.3.3.1 255.255.255.252
keepalive 3 2
tunnel source FastEthernet0/0/0
tunnel destination 112.221.44.18
exit

router eigrp 88
network 3.3.3.0 0.0.0.3

----------------------------------------------

Apply this on Router2

interface Tunnel0
ip address 3.3.3.2 255.255.255.252
keepalive 3 2
tunnel source FastEthernet0/0/0
tunnel destination 171.108.63.159
exit

router eigrp 88
network 3.3.3.0 0.0.0.3

-------------------------------------------------------------

When done, look for an EIGRP neighbor on network 3.3.3.0

Hope that helps.

thanks

milkboy33 Wed, 02/22/2012 - 15:09

OK, what just happened here.

I'm able to ping 3.3.3.1 from Router 2 and vice versa from Router 1 to 3.3.3.2. However, when I do a sh crypto isakmp sa I don't see a VPN tunnel. Then I do a show ip route and it shows that 3.3.3.0 is going through Tunnel0, and when I do a show ip eigrp neighbor it shows 3.3.3.0 via Tunnel0. Do I need to go back to my books and read them again? What just happened? Is my tunnel actually up and in a state waiting for the Fast Ethernet connection to go down?

rizwanr74 Wed, 02/22/2012 - 16:01

Please delete your ACL 100 and recreate it as shown below, and likewise at the other end on Router2, making sure you reverse the IP hosts on Router2.

access-list 100 permit ip host 171.108.63.159 host 112.221.44.18

That should fix it up.

Thanks

Rizwan Rafeek

milkboy33 Wed, 02/22/2012 - 16:05

Wait, why would I want to do that? Don't I want to specify my two networks instead?

Correct Answer
rizwanr74 Wed, 02/22/2012 - 16:38

When a GRE tunnel carries your private-IP range traffic, your ACL must contain the point-to-point host addresses of the IPsec tunnel.

Since both routers are running EIGRP in the corporate network, let EIGRP exchange the routes over the GRE tunnel, which is a best practice, rather than pushing individual private-IP ranges over the IPsec tunnel.

Let me know if this is what you wanted.

Thanks
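The check below is an added example, not code from this thread or from any Cisco tool: it parses a constructed excerpt of Router1's config and flags any GRE tunnel whose outer source/destination pair is matched by no crypto-map ACL on the tunnel source interface, which is the state milkboy33 saw (EIGRP neighbor up over Tunnel0, nothing in "show crypto isakmp sa") because the GRE packets were leaving the router in the clear. It assumes IOS-style one-space indentation of sub-commands and numbered "access-list N permit ip" entries; the function names are my own.

```python
import re

# Constructed excerpt of Router1 in the state milkboy33 described: Tunnel0 added, but
# ACL 100 still matching only the two LAN ranges (IOS indents sub-commands by one space).
BEFORE = """
crypto map CryptoMap1 10 ipsec-isakmp
 match address 100
interface FastEthernet0/0/0
 ip address 171.108.63.159 255.255.255.0
 crypto map CryptoMap1
interface Tunnel0
 tunnel source FastEthernet0/0/0
 tunnel destination 112.221.44.18
access-list 100 permit ip 192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255
"""
AFTER = BEFORE.replace("192.168.200.0 0.0.0.255 10.10.0.0 0.0.255.255",
                       "host 171.108.63.159 host 112.221.44.18")  # ACL from the accepted answer

BODY = r"\n((?: .*\n)*)"  # regex tail: the indented sub-commands under a header line
ip = lambda a: int.from_bytes(bytes(map(int, a.split("."))), "big")  # dotted quad -> int

def grab(text, pattern):
    # Group 1 of the first multiline match, or "" when the command is absent.
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else ""

def permits(entry, src, dst):
    # Cisco wildcard semantics: address bits where the wildcard is 0 must match exactly.
    tok = entry.split()
    (sn, sw), (dn, dw) = [(ip(tok[i + 1]), 0) if tok[i] == "host" else
                          (ip(tok[i]), ip(tok[i + 1])) for i in (0, 2)]
    return ((ip(src) ^ sn) & ~sw) == 0 and ((ip(dst) ^ dn) & ~dw) == 0

def cleartext_gre(cfg):
    # GRE tunnels whose outer src->dst pair no crypto-map ACL on the tunnel source
    # interface permits: their packets (EIGRP hellos, LAN traffic) leave unencrypted.
    exposed = []
    for name in re.findall(r"^interface (Tunnel\S+)$", cfg, re.M):
        body = grab(cfg, rf"^interface {name}" + BODY)
        src_body = grab(cfg, "^interface " + re.escape(grab(body, r"^ tunnel source (\S+)")) + BODY)
        src_ip = grab(src_body, r"^ ip address (\S+)") or "0.0.0.0"
        dst = grab(body, r"^ tunnel destination (\S+)") or "0.0.0.0"
        cmap = re.escape(grab(src_body, r"^ crypto map (\S+)"))
        acl_ids = [grab(b, r"^ match address (\S+)") for b in
                   re.findall(rf"^crypto map {cmap} \d+ ipsec-isakmp" + BODY, cfg, re.M)]
        entries = [e for i in acl_ids for e in
                   re.findall(rf"^access-list {i} permit ip (.+)$", cfg, re.M)]
        if not any(permits(e, src_ip, dst) for e in entries):
            exposed.append(name)
    return exposed

print(cleartext_gre(BEFORE), cleartext_gre(AFTER))  # ['Tunnel0'] []
```

Run it against a full "show running-config" capture to spot the same mismatch on Router2, where the mirrored host-to-host entry is required.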

milkboy33 Thu, 02/23/2012 - 13:55

Alright going to test this out tonight. I'll let you/everybody know how it goes.

milkboy33 Thu, 02/23/2012 - 18:02

Alright, it works, but I still don't understand why the Tunnel interface is needed. I guess I just gotta study some more. Thanks anyhow!!
