How to create a VPN connection using two routers over a P2P T1

gmaccisco1 (Level 1)

Hi,

I need to create a VPN connection over a point-to-point T1 between two Cisco routers and I don't know how I can do this. I have a secure subnet on a physical interface of a Cisco 3825 to a remote location over a p2p T1.

I have not done this before and can use any help that I can get please.


sachinraja (Level 9)

hello

please have a look at this URL:

http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009463b.shtml

this has some config examples of IPSEC between routers...

you can have a look at this URL for all kinds of IPSEC configurations:

http://cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

hope this helps.. all the best.. rate replies if found useful..

Raj

thanks for getting back to me. yes, indeed useful. one thing though, I found a sample VPN setup IPSec router to router but the link between the two routers was a normal ether link and not a T1. would this make any difference to what type of interface is to be used with IPSec Manual and a Serial interface connecting to a P2P T1?

please advise,

Masood

Not at all Masood.. IPSEC is not dependent on the WAN type.. you just need end to end IP connectivity between the routers' public IPs for IPSEC to work.. so, no worries at all..

Rate replies if found useful.

Raj

Hi,

I have found some samples but I have problems putting that into my routers. I have one Cisco 3825 router and one Cisco 1700 series at both ends of the T1 line (p2p); also the 1700 will be replaced by a 3825 soon.

I cannot apply the following commands into the routers:

! manual-keyed crypto map entry (no IKE); the transform set it references must be defined first
crypto ipsec transform-set encrypt-des esp-des
crypto map gmac007 7 ipsec-manual
 set peer 10.222.222.2
 ! IOS expects hex key strings here (16 hex digits for a DES cipher key); the "authenticator"
 ! keyword is only accepted when the transform set includes an ESP authentication algorithm
 set session-key inbound esp 1001 cipher giveme5now12aragh authenticator 20
 set session-key outbound esp 1000 cipher giveme5now12aragh authenticator 20
 set transform-set encrypt-des

it seems that it doesn't have the crypto map and crypto isakmp commands.

as said, I have not worked with VPN at all except for PIX.

Pls advise,

Masood

hello masood,

you need to have a security enabled IOS to support the crypto commands.. contact your local system integrator and ask him for a SEC-K9 IOS. once you have this installed, you can have all crypto commands..

Hope this helps..

Raj

so I need to upgrade the router's IOS to have support for this, correct?

listen, I am posting two drawings, one is for the current setup between two PIXs over the Internet and one is what I am trying to do: not send over the Internet and do the VPN between two routers or two PIXs (pls see diag) to go over the back door that we have, over the T1 and not the Internet. I really appreciate it if you could share your thoughts on this after seeing the diags. again, I have not done any VPN and may not be able to jump steps. thanks in advance.

Masood

do you have another thread with the same diags?? I guess I have already seen these diags and replied to your other query too.. you need to do the following things:

1) leave the default gateway on the pix to the internet router

2) put specific routes (for crypto peer IP/ private subnets etc) through the T1 link..

3) configure IPSEC , as given in the doc (given before) between these routers...

4) test the connectivity...

try doing ipsec in a test lab first, to give you more confidence in the technology..

Raj

Thanks raj,

Yes you are right. I didn't really understand what you were trying to say as I don't understand the technology, although I am not new to networking and Cisco equipment in general, but have not done VPN before in the enterprise environment.

could you please elaborate on the following:

1- i need to leave the default gateway as it is currently is on the PIX, correct?

2- put the crypto and IPSec on the router connecting to the T1 link?

3- go about the configuration.

this way I have brought the PIX into the picture. I wanted to disconnect the PIX altogether and connect the server to a switch and the switch to the Ether interface of the internal router and configure the VPN over the serial line. Now, if I want to keep PIXs at both ends the scenario changes and I don't know whether I need to configure the two routers for VPN after the PIXes at both ends are configured as they are now or not?

see, two pixs are currently configured for VPN but I am replacing going over the Internet with a physical T1 and this is where the routers come into the picture.

Pls bear with me as I need to get this right so that I can learn it as well.

Thanks very much.

Masood

Masood,

that's ok.. remove the PIX if you want.. not an issue at all.. put the routers, terminate the T1 on the routers, connect the LAN port of your router to your local LAN switch and then configure IPSEC as given in that doc.. this should be enough for your setup.. default gateways for all the PCs will be the router ethernet interface. the router will have a route towards the T1.. but is this T1 a private link?? if so, do you really require it to be protected through IPSEC? normally private links are not shared on the ISP and IPSEC is not really required in such scenarios....

Hope this helps.. rate replies if found useful..

Raj

Hi Raj,

yes this is a private link but the subnet that I am trying to send over this T1 is supposed to be isolated from the other two subnets that are connected to other ether interfaces of this router (users are on the other two subnets connecting to our remote location over this private T1).

this rack has three servers that don't see the Internet; one of these servers needs to communicate with another server at the remote location and they want no one to be able to see any traffic from this secure subnet.

it was doing fine using two PIXs going over the Internet but we had BW issues and they want it to go over this private link but encrypted. today, I put this subnet on one of the free interfaces on the router (internal router and gateway to our users for the other two subnets) and connected the server to the remote location and it is doing fine and enjoying good BW. Now, they want me to send this traffic using VPN over this T1 link. so I don't know what security algorithm I need to use; I just picked IPSec!!

So, this is my dilemma now!

thx,

Masood

Masood,

IPSEC is the right technology you chose, if you require encryption / authentication etc.. if you don't require these, you can use a simple GRE tunnel to tunnel the VPN traffic across the T1.. but it is not at all safe.. so, better stick to IPSEC.... On the IPSEC, you can choose the following:

authentication - preshare

encryption - 3DES

hashing algorithm - SHA

otherwise the configuration is the same as given in the other doc..

hope this helps..

Raj

Thanks Raj. I really appreciate you working on this with me. I am changing/upgrading the IOS on both routers to allow for VPN/IPSec and will go ahead with the configuration between the two.

Thanks again,

Masood

Hi Raj,

Also I closed this posting but I have one final question before I go about implementing later tonight after upgrading the IOS to support VPN/IPSec.

Please take a look at the config file I have written; I don't know if this will address what I want to accomplish or not, in this sense:

I need the traffic that enters only one FastEthernet interface, fa2/1, going over this T1 line to be encrypted and travel through this VPN/IPSec tunnel, and the rest of the traffic, which belongs to two other subnets on the two other Gi0/0 and Gi0/1 interfaces, to travel normally as it does now.

the subnet whose traffic I want to travel over the VPN/IPSec is 10.1.3.0, with 10.1.3.251 being the IP address of Fa2/1.

the IP addresses 10.222.222.1 and 10.222.222.2 are the serial interfaces of both ends of the T1.

Please see if this configuration will do what I want, i.e. only passing traffic of interface fa2/1 from 10.1.3.0, from host 10.1.3.41 (directly connected to fa2/1), over this tunnel to get to hosts 10.1.5.48 and 10.1.5.68 at the other side of the T1 line.

Please advise,

Regards,

Masood
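The config file mentioned above is not reproduced in the thread. As an added illustration (not Masood's config and not from Raj's linked doc), the following shows what an IKE-keyed IPsec setup with the parameters suggested in this thread (pre-shared key, 3DES, SHA) looks like on the local 3825, restricted to the fa2/1 host traffic described. It assumes the T1 terminates on Serial0/0/0, that the remote hosts are in 10.1.5.0/24, and that REPLACE-WITH-STRONG-KEY is a placeholder pre-shared key.

```cisco
! Added example, not from the thread. Local router: T1 on Serial0/0/0 (10.222.222.1),
! peer 10.222.222.2, secure subnet 10.1.3.0/24 on Fa2/1 (assumed interface names).
!
! Phase 1 (ISAKMP): peers authenticate with the pre-shared key (placeholder value)
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-KEY address 10.222.222.2
!
! Phase 2 (IPsec): ESP with 3DES for confidentiality and SHA-HMAC for integrity.
! 3DES/SHA-1 match the advice above; newer IOS images also offer AES and SHA-256.
crypto ipsec transform-set T1SET esp-3des esp-sha-hmac
 mode tunnel
!
! Only the secure host's traffic to the two remote hosts is matched and encrypted;
! the Gi0/0 and Gi0/1 subnets never match and cross the T1 unencrypted as today.
ip access-list extended VPN-TRAFFIC
 permit ip host 10.1.3.41 host 10.1.5.48
 permit ip host 10.1.3.41 host 10.1.5.68
!
crypto map T1MAP 10 ipsec-isakmp
 set peer 10.222.222.2
 set transform-set T1SET
 match address VPN-TRAFFIC
!
! The crypto map is applied on the WAN interface the traffic leaves through
interface Serial0/0/0
 ip address 10.222.222.1 255.255.255.252
 crypto map T1MAP
!
interface FastEthernet2/1
 ip address 10.1.3.251 255.255.255.0
!
! The remote subnet must route out the T1 or the crypto map is never consulted
ip route 10.1.5.0 255.255.255.0 10.222.222.2
!
! Verification after traffic is sent: "show crypto isakmp sa" should list the peer
! as QM_IDLE and "show crypto ipsec sa" should show encaps/decaps counters rising.
```

The remote router gets the mirror image: the same ISAKMP policy and transform set, the pre-shared key bound to 10.222.222.1, the ACL with source and destination swapped, and the crypto map on its own serial interface.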
