07-30-2003 12:46 AM - edited 02-21-2020 12:41 PM
I'm looking to do a site-to-site VPN with 2600 routers. For the sake of understanding VPNs better, what should I begin with? I have tutorials on several topics, but all of them assume I have the basic tunnel already created. It seems that GRE might be the first step.
Thanks~
07-30-2003 09:53 AM
You don't need to use GRE tunnels. GRE tunnels are typically used to route other protocols (like IPX) over TCP/IP networks.
A basic Router to Router VPN config:
! IKE phase 1 policy using a pre-shared key
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SOMEPASSWORD address IP ADDRESS OF REMOTE PEER
! IPsec transform set (ESP encryption and ESP authentication)
crypto ipsec transform-set myset esp-des esp-md5-hmac
! Crypto map entry; IOS requires a sequence number (10 here)
crypto map myvpn 10 ipsec-isakmp
 set peer IP ADDRESS OF REMOTE PEER
 set transform-set myset
 match address 170
interface X
 ip address x.x.x.x x.x.x.x
 crypto map myvpn
access-list 170 permit ip SOURCE NETWORK DESTINATION NETWORK
The access list 170 should define what traffic will be encrypted.
Be sure to put the crypto map myvpn on the incoming interface of the router (typically the interface connected to the Internet).
Do the same config on the other router (swapping the source network and destination network in the access list 170 appropriately).
Also check out:
07-30-2003 11:06 PM
Wonderful. I see what I was missing. Thank you very much. Much more than I expected.
No tunnels per se, but just encrypt traffic. (Which would be a tunnel... :) Big Aha...
Thanks again
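The accepted answer says to repeat the config on the other router with the access list 170 source and destination swapped. The following is an added example, not part of the original thread: a small Python check that two such configs really mirror each other. The addresses, key, interface name and crypto map sequence number in the sample configs are constructed assumptions.

```python
import re

# Constructed sample config; addresses, key and interface name are made up.
TEMPLATE = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key {key} address {peer}
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
 set peer {peer}
 set transform-set myset
 match address 170
interface Serial0/0
 ip address {local} 255.255.255.252
 crypto map myvpn
access-list 170 permit ip {src} {dst}
"""
NET_A, NET_B = "10.1.0.0 0.0.255.255", "10.2.0.0 0.0.255.255"
ROUTER_A = TEMPLATE.format(key="EXAMPLEKEY", local="192.0.2.1", peer="198.51.100.1", src=NET_A, dst=NET_B)
ROUTER_B = TEMPLATE.format(key="EXAMPLEKEY", local="198.51.100.1", peer="192.0.2.1", src=NET_B, dst=NET_A)

def parse(cfg):
    """Extract the settings that have to agree between the two peers."""
    one = lambda pat: re.search(pat, cfg, re.M).group(1)
    acl = one(r"^ *match address (\d+)")
    return {
        "peer": one(r"^ *set peer (\S+)"),
        "local": re.findall(r"^ *ip address (\S+) \S+", cfg, re.M),
        "keys": {addr: key for key, addr in
                 re.findall(r"^crypto isakmp key (\S+) address (\S+)", cfg, re.M)},
        "transform": sorted(one(r"^crypto ipsec transform-set \S+ (.+)$").split()),
        "acl": re.findall(rf"^access-list {acl} permit ip (\S+ \S+) (\S+ \S+) *$", cfg, re.M),
    }

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches between the two peers' configs."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["peer"] not in b["local"] or b["peer"] not in a["local"]:
        problems.append("set peer does not match the other router's address")
    if a["keys"].get(a["peer"]) != b["keys"].get(b["peer"]):
        problems.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        problems.append("transform sets differ")
    if sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        problems.append("access-list entries are not mirror images")
    return problems

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B) or "configs mirror each other")
```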