Site-to-Site VPN Cisco Router

ladopetrucci
Level 1

hello,

I'm new to the Cisco world and I have a problem.

On my Cisco 881 router I have configured a client-to-site VPN.

This is the configuration:

aaa new-model
aaa local authentication attempts max-fail 500
!
aaa authentication login default local
aaa authentication login VPN_GMP_LOGIN local
aaa authorization exec default local
aaa authorization network VPN_GMP_GROUP local
!
! ISAKMP (phase 1) policy
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Remote-access client group
crypto isakmp client configuration group test_GMP
 key XXXXXXXXXXXXX
 dns 192.168.x.x
 domain test.test
 pool VPN_test_POOL
 acl 100
!
! IPsec (phase 2) transform set
crypto ipsec transform-set GMP_DEFAULT esp-3des esp-sha-hmac
 mode tunnel
!
crypto dynamic-map GMP_DYNAMIC 10
 set transform-set GMP_DEFAULT
!
crypto map GMP_MAP client authentication list VPN_GMP_LOGIN
crypto map GMP_MAP isakmp authorization list VPN_GMP_GROUP
crypto map GMP_MAP client configuration address respond
crypto map GMP_MAP 10 ipsec-isakmp dynamic GMP_DYNAMIC
!
ip local pool VPN_test_POOL 192.168.240.129 192.168.240.255
!
interface FastEthernet4
 crypto map GMP_MAP

I want to configure a site-to-site VPN with another router. I know how to configure the other router, but I do not know how to configure this router. I want both VPNs (site-to-site and client-to-site) to work simultaneously. If anyone knows the answer, please help me.

1 Reply

JP Miranda Z
Cisco Employee

Hi lado00001,

In this case the configuration of the S2S is not going to affect your remote clients at all.

Config:

crypto isakmp key <presharedkey> address <peerip>
!
crypto map GMP_MAP 1 ipsec-isakmp
 set peer <ip>
 set transform-set GMP_DEFAULT
 match address <interesting traffic>

If this router is doing NAT, you need to exempt the traffic that you would like to send through the tunnel.

Example:

ip access-list extended interesting-t
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
!
ip access-list extended nonat
 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip 1.1.1.0 0.0.0.255 any
!
ip nat inside source list nonat interface g0/1 overload

With those commands you make sure the traffic going through the tunnel is not NATted to your outside interface.

You can also take a look at this configuration guide:

http://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html

Hope this info helps!!

Rate if helps you!! 

-JP-
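As an added illustration (not JP's, the poster's or Cisco's configuration), the following puts the reply's static entry together with the existing dynamic entry in a single crypto map on the 881. Everything not on the page is an assumption: the peer address 203.0.113.2 and the pre-shared key are placeholders, the local LAN is taken to be 192.168.1.0/24 behind Vlan1 and the remote LAN 192.168.2.0/24, and the ACL names S2S_TRAFFIC and NONAT are chosen here. It goes one step beyond the reply in two places: the `no-xauth` keyword on the peer's key, which is needed because the same crypto map carries the `client authentication list` for the remote-access clients, and a second NAT exemption so that replies to the client pool (192.168.240.129-255, covered by 192.168.240.128/25) are not translated either.

```cisco
! --- Phase 1: ISAKMP policy, shared by the clients and the site-to-site peer ---
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Site-to-site peer key (address and key are placeholders). 'no-xauth' tells
! the router not to demand extended authentication from this peer; without it
! the peer router would be challenged for a username, because this crypto map
! also carries the 'client authentication list' used by the remote-access clients.
crypto isakmp key S2S_PSK_PLACEHOLDER address 203.0.113.2 no-xauth
!
! The remote-access group (test_GMP), the pool VPN_test_POOL and the transform
! set GMP_DEFAULT stay exactly as in the question and are not repeated here.
!
! Interesting traffic for the tunnel: assumed local LAN 192.168.1.0/24,
! assumed remote LAN 192.168.2.0/24.
ip access-list extended S2S_TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NAT exemption: tunnel traffic and traffic towards the remote-access pool
! (192.168.240.128/25 contains 192.168.240.129-255) must not be translated;
! everything else leaving the LAN is overloaded on the WAN address.
ip access-list extended NONAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.240.128 0.0.0.127
 permit ip 192.168.1.0 0.0.0.255 any
!
crypto dynamic-map GMP_DYNAMIC 10
 set transform-set GMP_DEFAULT
!
crypto map GMP_MAP client authentication list VPN_GMP_LOGIN
crypto map GMP_MAP isakmp authorization list VPN_GMP_GROUP
crypto map GMP_MAP client configuration address respond
!
! The static entry gets the lower sequence number so the peer is matched
! before the dynamic catch-all entry that serves the remote-access clients.
crypto map GMP_MAP 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GMP_DEFAULT
 match address S2S_TRAFFIC
crypto map GMP_MAP 10 ipsec-isakmp dynamic GMP_DYNAMIC
!
! If the router already has an 'ip nat inside source list' statement with a
! different list, replace it with this one rather than adding a second.
ip nat inside source list NONAT interface FastEthernet4 overload
!
! Only one crypto map can be bound to an interface, which is why both the
! static and the dynamic entries live in GMP_MAP.
interface FastEthernet4
 ip nat outside
 crypto map GMP_MAP
!
interface Vlan1
 ip nat inside
```

After applying it, `show crypto map` should list sequence 1 with the peer and sequence 10 as the dynamic entry, `show crypto isakmp sa` and `show crypto ipsec sa` should show SAs for the peer and for connected clients side by side, and `show ip nat translations` should contain no entries for the exempted source/destination pairs. The ISAKMP policy and transform set are kept as the page has them (3DES, SHA-1, DH group 2) so the example matches the existing client setup; on a current IOS release an AES transform set and a stronger DH group are the appropriate choice for both VPN types.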