vpn between 2 cisco 1700 routers

Can anyone please post a simple config of an IPsec VPN between 2 of these routers? I have seen an example config but I just want to know what each command means and is used for. I would be extremely grateful if someone can help, thanks

Carlos

12 REPLIES

Re: vpn between 2 cisco 1700 routers

Hello Carlos,

From CCO you can get documented examples explaining what the different parts of the config are for. Example:

!--- Define the Phase 1 policy.
!--- These are the IKE parameters.
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.66.79.180
!
!--- Define the encryption policy for this setup.
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
!--- Define a static crypto map entry for the peer
!--- with mode ipsec-isakmp. This indicates that IKE
!--- is used to establish the IPSec
!--- SAs to protect the traffic
!--- specified by this crypto map entry.
crypto map cisco 10 ipsec-isakmp
 set peer 10.66.79.180
 set transform-set cisco
 match address 100
!
!--- Apply the crypto map to the interface.
interface Ethernet0/0
 ip address 10.66.79.99 255.255.255.224
 crypto map cisco
!
interface Ethernet0/1
 ip address 192.168.6.1 255.255.255.0
!
!--- Configure the routing so that the device
!--- is directed to reach its destination network.
ip route 0.0.0.0 0.0.0.0 10.66.79.97
!
!--- This is the crypto ACL.
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
!

Did this Help? Please rate all posts.

Regards, Martin


Re: vpn between 2 cisco 1700 routers

Just a little add-on.

In the real world, it's very likely that 2 more ACLs are required: one is no-NAT, the other one is inbound.

e.g. no-NAT:

ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101

With the deny entry on the top, the router will forward any packet originated from 192.168.2.0 and destined for 192.168.1.0 without performing NAT/PAT; whereas for all other destinations, the router will perform NAT/PAT, such as for internet browsing.

e.g. for the inbound ACL:

interface Dialer0
 ip address 1.1.1.2 255.255.255.0
 ip access-group 111 in
 ip nat outside
 crypto map mymap
!
access-list 111 permit udp any host 1.1.1.2 eq non500-isakmp
access-list 111 permit udp any host 1.1.1.2 eq isakmp
access-list 111 permit esp any host 1.1.1.2
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip any any

UDP 500, UDP 4500, and ESP are required for establishing the VPN as well as for the on-going crypto traffic. The entry permitting 192.168.1.0 to 192.168.2.0 is also required, as the router will check the inbound ACL after decrypting the packet; 192.168.1.0 is the private network scheme of the remote net, and 192.168.2.0 is the private network scheme of the local net.
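An added example, not part of the post: a small Python model of IOS first-match ACL evaluation run over the two ACLs above, showing why the deny entry must sit on top of the no-NAT ACL and which entry of the inbound ACL each stage of a tunnelled packet hits (ESP on the outside, the decrypted LAN-to-LAN packet afterwards). Only the standard library ipaddress module is used; the ACL text is a constructed copy of the post's lines.

```python
import ipaddress

# Constructed copies of the two ACLs from the post above (no-NAT ACL 101 and inbound ACL 111).
NONAT_ACL = """\
access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
"""
INBOUND_ACL = """\
access-list 111 permit udp any host 1.1.1.2 eq non500-isakmp
access-list 111 permit udp any host 1.1.1.2 eq isakmp
access-list 111 permit esp any host 1.1.1.2
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 deny ip any any
"""
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords used above

def wildcard_match(ip, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', so only the 0 bits are compared."""
    ip, net, wc = (int(ipaddress.IPv4Address(x)) for x in (ip, net, wildcard))
    return (ip | wc) == (net | wc)

def _addr(tokens):
    """Consume one address spec from the token list: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)

def parse_acl(text):
    """Turn 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        action, proto, rest = t[2], t[3], t[4:]
        src, dst = _addr(rest), _addr(rest)          # evaluated left to right, both consume rest
        port = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def acl_permits(rules, proto, src, dst, dport=None):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, p, (sn, sw), (dn, dw), port in rules:
        if p in ("ip", proto) and wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            if port is None or port == dport:
                return action == "permit"
    return False

def needs_nat(src, dst):
    """route-map nonat matches whatever ACL 101 permits, and only matched packets are
    translated; the deny entry on top lets LAN-to-LAN traffic fall through untranslated."""
    return acl_permits(parse_acl(NONAT_ACL), "ip", src, dst)
```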


Re: vpn between 2 cisco 1700 routers

I'm a little confused.

Can someone please tell me what each policy means and does, what bits of the config I change, and what the no-NAT is used for?


Re: vpn between 2 cisco 1700 routers

I think the previous poster explained it quite well, but basically your config will have NAT outside on the public interface, and NAT inside on the private interface - this allows Internet access for the LAN.

When you do VPN, you need to STOP NAT from happening to traffic going between the 2 LANs you are connecting - this is what the route-map and the no-NAT access lists do.

Without this the source address of packets will be changed by NAT and the VPN will fail.


Re: vpn between 2 cisco 1700 routers

Hi all, thanks for the replies,

Could you possibly give me the config for both routers with relevant IP addresses? Also, can you tell me any particular info that both routers will need to create the tunnel, i.e. what needs to be the same at either end?

thanks a million

Re: vpn between 2 cisco 1700 routers

Site A

crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!--- Pre-shared key, valid for Site B's public address.
crypto isakmp key cisco address 10.66.79.180
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 !--- The peer is Site B's public (Ethernet0/0) address.
 set peer 10.66.79.180
 set transform-set cisco
 match address 100
!
interface Ethernet0/0
 ip address 10.66.79.99 255.255.255.224
 crypto map cisco
!
interface Ethernet0/1
 ip address 192.168.6.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.66.79.97
!
!--- Crypto ACL: local LAN to remote LAN.
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255

Site B

crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
!--- Pre-shared key, valid for Site A's public address.
crypto isakmp key cisco address 10.66.79.99
!
crypto ipsec transform-set cisco esp-des esp-md5-hmac
!
crypto map cisco 10 ipsec-isakmp
 !--- The peer is Site A's public (Ethernet0/0) address.
 set peer 10.66.79.99
 set transform-set cisco
 match address 100
!
interface Ethernet0/0
 ip address 10.66.79.180 255.255.255.224
 crypto map cisco
!
interface Ethernet0/1
 ip address 192.168.5.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.66.79.97
!
!--- Crypto ACL: the mirror image of Site A's.
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

You need to have the same ISAKMP policy parameters defined at both ends, like the hash, group and the authentication type.

Also the key, if you are using the pre-shared method, should be the same.

Then comes your encryption strength, which you define with the transform set; this encryption combination should be the same to encrypt/decrypt the packets.

Also you need to give proper care to the traffic which is getting encrypted.

Try to keep internet or other traffic from being encrypted, which will hog up your hardware resources.

regds
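An added example (not the poster's code) that turns the "must be the same at both ends" list above into a check: it parses constructed, trimmed copies of the Site A and Site B snippets and reports any ISAKMP parameter, transform set or pre-shared key that differs, a set peer that disagrees with the isakmp key address, or a crypto ACL that is not the mirror of the other side's.

```python
SITE_A = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.66.79.180
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 10.66.79.180
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
"""  # constructed: trimmed from the Site A snippet above
SITE_B = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 10.66.79.99
crypto ipsec transform-set cisco esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 10.66.79.99
access-list 100 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
"""  # constructed: trimmed from the Site B snippet above

def parse_site(cfg):
    """Collect the values that must agree (or mirror) between two IOS IPsec peers."""
    s = {"policy": set(), "psk": None, "psk_peer": None, "ts": None, "peer": None, "acl": None}
    for t in (line.split() for line in cfg.splitlines()):
        if t and t[0] in ("hash", "authentication", "group"):   # ISAKMP policy parameters
            s["policy"].add(tuple(t))
        elif t[:3] == ["crypto", "isakmp", "key"]:                # key and the peer it is valid for
            s["psk"], s["psk_peer"] = t[3], t[5]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:       # ESP cipher + HMAC
            s["ts"] = tuple(t[4:])
        elif t[:2] == ["set", "peer"]:
            s["peer"] = t[2]
        elif t[:1] == ["access-list"] and t[3] == "ip":           # crypto ACL: src, wc, dst, wc
            s["acl"] = tuple(t[4:8])
    return s

def check_pair(cfg_a, cfg_b):
    """Return the list of mismatches between the two ends; empty means they agree."""
    a, b = parse_site(cfg_a), parse_site(cfg_b)
    problems = []
    if a["policy"] != b["policy"]: problems.append("ISAKMP policy (hash/auth/group) differs")
    if a["ts"] != b["ts"]: problems.append("transform-set differs")
    if a["psk"] != b["psk"]: problems.append("pre-shared key differs")
    for name, s in (("A", a), ("B", b)):
        if s["peer"] != s["psk_peer"]: problems.append(f"Site {name}: set peer and isakmp key address disagree")
    if a["peer"] == b["peer"]: problems.append("both ends point at the same peer")
    if a["acl"] != b["acl"][2:] + b["acl"][:2]: problems.append("crypto ACLs are not mirror images")
    return problems
```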


Re: vpn between 2 cisco 1700 routers

Hello

Thank you for the response, I am nearly with it now. Just 2 more things:

1. What does each thing mean in this line?

"crypto ipsec transform-set cisco esp-des esp-md5-hmac"

And also, say I have these routers on 2 ends of the internet, do I just need to set the 2 end routers up and nothing in between!!

cheers

Carlos

Re: vpn between 2 cisco 1700 routers

hi

The transform set represents the security protocols and algorithms being used with the interesting traffic, which you specify using the access lists.

Also you have a few compatible groups which you can make use of; do refer to this link for more info:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/secur_r/sec_c2g.htm#wp1071090

The IPsec tunnel is between your 2 endpoints; in this case you need to have reachability to both these routers so that you can have the tunnel established over the internet.

Also make sure you are applying the crypto map under the public interface connected to the outside network and not under the inside interface which is connected to the local LAN.

regds


Re: vpn between 2 cisco 1700 routers

I can't seem to configure this on any of my routers, where do I start?

thanks

Re: vpn between 2 cisco 1700 routers

hi

To start with, you need to have your routers loaded with IOS code which supports IPsec, either DES or 3DES based on the encryption strength you choose.

If you still need more info on the IOS codes, do post the router models and also the full IOS name so that it can be checked for possible IPsec support.

regds


Re: vpn between 2 cisco 1700 routers

How hard would it be to configure the VPN so that one of the routers gives out DHCP addresses to the other end?


Re: vpn between 2 cisco 1700 routers

Giving out DHCP addresses has nothing to do with the VPN configuration - you are talking here about the LAN subnet specific to one side of your VPN, so you'd just configure DHCP on your router in the usual way:

e.g.:

ip dhcp pool PCs
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.254
 dns-server xxx.xxx.xxx.xxx
 domain-name whatever.com
 lease infinite

p.
