VPN

jimcalano · ‎10-04-2007

Is it possible to set up a VPN with the same subnet at both ends? For example, router 1 FA0/0 interface IP address 10.1.1.10 255.255.255.0, serial interface 192.168.100.1 255.255.255.0. Router 2 FA0/0 interface 10.1.1.20 255.255.255.0, serial interface 192.168.100.2 255.255.255.0. I need to connect the 10.1.1.x subnet through the 192.168.100.x link to connect a remote office to the main office.

Any help will be greatly appreciated.

Jim

Jon Marshall · ‎10-04-2007

Hi Jim

Yes, you can do this. Attached is a document that will take you through it step by step.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b07ed.shtml

HTH

Jon

jimcalano · ‎10-04-2007

Jon,

Thank you VERY much. Sorry I didn't have much time to look this up myself. I'm under the gun here.

I'll let you know how it goes.

Jon Marshall · ‎10-04-2007

Jim

No problem. I've used IPSEC config docs quite a few times myself so i'm familiar with where to look.

Hope it goes okay.

Jon

sundar.palaniappan · ‎10-04-2007

Jim,

I just edited the post in which I had stated that you can't do IPSEC when overlapping addresses are in use. Though it's true in a straightforward scenario because of reasons I cited. However, Jon has posted a link that offers a workaround (NAT w/IPSEC) to this problem.

Good Luck!!

Jon that's a good link you have provided.

HTH

Sundar

jimcalano · ‎10-04-2007

The crypto command doesn't seem to be a recognized command in global, or any, mode. I'm using a 2621 router with software version 12.3(17a).

sundar.palaniappan · ‎10-04-2007

You probably do not have a crypto image, it would have k9 embedded in the filename of the IOS, running in the router to do IPSEC. Use software advisor on CCO to select the IOS that supports IPSEC functionality. Here's one that supports IPSEC c2600-jk9s-mz.12.2-46a.

HTH

Sundar

jimcalano · ‎10-04-2007

Thank you Sundar. I'll continue with this tomorrow when I get back to the office.

timothykerr · ‎10-04-2007

Hi Jim,

If I recall, and someone correct me if I am wrong. But you will need to have a 2600XM router to support the k9 IOS's. This is due to the memory restrictions on the 2600 routers. They only support a max of 16/64 flash/dram. You will need a 2600XM router in order to upgrade the memory that will be required to download the newer IOS images that support the crypto command set.

hth

Tim

jimcalano · ‎10-05-2007

Don't have those. Does anybody else have any suggestions?

This whole exercise is an attempt to manage routers across a serial link from a single point of contact. Both sides of the link are on a 10.1.1.x network because of a wireless mesh configuration.

sundar.palaniappan · ‎10-05-2007

Actually 2621 supports up to 32mb flash. Even if you only have a 16mb flash card there's a workaround available to run a crypto image. Check out this link for the workaround.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_field_notice09186a008040c94d.shtml

HTH

Sundar