Cisco Support Community
New Member

Beginner VPN

I'm looking to do a site-to-site VPN with 2600 routers. For the sake of understanding VPNs better, what should I begin with? I have tutorials on several topics, but all of them assume I have the basic tunnel already created. It seems that GRE might be the first step.

Thanks~

Accepted Solutions
Bronze

Re: Beginner VPN

You don't need to use GRE tunnels. GRE tunnels are typically used to route other protocols (like IPX) over TCP/IP networks.

A basic Router to Router VPN config:

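    ! IKE (phase 1) policy: authenticate the peer with a pre-shared key
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key SOMEPASSWORD address IP ADDRESS OF REMOTE PEER
    ! IPsec (phase 2) transform set
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    ! Crypto map entry (IOS requires a sequence number; 10 is used here)
    crypto map myvpn 10 ipsec-isakmp
     set peer IP ADDRESS OF REMOTE PEER
     set transform-set myset
     match address 170
    interface X
     ip address x.x.x.x x.x.x.x
     crypto map myvpn
    ! Traffic matching this access list is encrypted
    access-list 170 permit ip SOURCE NETWORK DESTINATION NETWORK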

The access list 170 should define what traffic will be encrypted.

Be sure to put the crypto map myvpn on the incoming interface of the router (typically the interface connected to the Internet).

Do the same config on the other router (swapping the source network and destination network in the access list 170 appropriately).

Also check out:

http://www.cisco.com/cgi-bin/Support/browse/psp_view.pl?p=Internetworking:IPSec&s=Implementation_and_Configuration
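
An added example, not part of the original reply and not Cisco tooling: a Python check that two peers' configs agree where the reply says they must (same key, same transform set, access list 170 swapped between the routers), and that flags the DES and MD5 transforms as weak. The addresses, the sequence number 10, the WEAK set and the parse/audit names are assumptions made for this example.

```python
# Constructed sample configs: documentation-range addresses, placeholder key.
ROUTER_A = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key SOMEPASSWORD address 203.0.113.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map myvpn 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set myset
 match address 170
access-list 170 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
ROUTER_B = ROUTER_A.replace("203.0.113.2", "203.0.113.1").replace(
    "10.1.0.0 0.0.255.255 10.2.0.0", "10.2.0.0 0.0.255.255 10.1.0.0")
WEAK = {"esp-des", "esp-md5-hmac"}  # treated as weak by this added check

def parse(cfg):
    """Extract the fields that must agree between the two peers."""
    out = {"acl": {}, "transforms": {}}
    for w in map(str.split, cfg.splitlines()):
        if w[:3] == ["crypto", "isakmp", "key"]:
            out["psk"], out["psk_peer"] = w[3], w[5]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transforms"][w[3]] = set(w[4:])
        elif w[:2] == ["set", "peer"]:
            out["peer"] = w[2]
        elif w[:2] == ["set", "transform-set"]:
            out["ts"] = w[2]
        elif w[:2] == ["match", "address"]:
            out["match"] = w[2]
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"]:
            # Assumes "network wildcard" pairs, not the host/any keywords.
            out["acl"].setdefault(w[1], []).append((tuple(w[4:6]), tuple(w[6:8])))
    return out

def audit(cfg_a, cfg_b):
    """Return findings for a pair of peer configs; an empty list means no issue found."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a.get("psk") != b.get("psk"):
        findings.append("pre-shared keys differ")
    ts_a, ts_b = (r["transforms"].get(r.get("ts"), set()) for r in (a, b))
    if ts_a != ts_b:
        findings.append("transform sets differ")
    findings += [f"weak transform: {t}" for t in sorted((ts_a | ts_b) & WEAK)]
    acl_a, acl_b = (r["acl"].get(r.get("match"), []) for r in (a, b))
    if sorted(acl_a) != sorted((dst, src) for src, dst in acl_b):
        findings.append("crypto ACLs are not mirror images")
    return findings
```
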

New Member

Re: Beginner VPN

Wonderful. I see what I was missing. Thank you very much. Much more than I expected.

No tunnels per se, but just encrypt traffic. (Which would be a tunnel... :) Big Aha...

Thanks again
