Cisco Support Community
Community Member

Configuring IPSEC between two routers Cisco 827 and Cisco VPN client 3.x

Hi,

I want to connect two sites via IPsec and allow connections with Cisco VPN Client 3.x for my remote access users via the Internet.

This is the configuration, but I think that it isn't correct. The connections with the Cisco VPN Client are OK, but site-to-site is the problem.

Any idea?

Thanks

The router configurations:

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname ADSLBILBAO

!

enable secret 5 $1$LKYB$iqp2TI4poW72DlscNbHKc0

enable password 7 0216160F5E000A731F

!

username COMAcceso password 7 0233337E3D23377019

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

!

!

class-map match-all voice

match none

!

!

policy-map POLICY

class voice

priority 480

!

!

crypto isakmp policy 1

hash md5

authentication pre-share

crypto isakmp key cisco123 address 212.145.203.130

!

!

crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac

!

crypto map rasvpn 1 ipsec-isakmp

set peer 212.145.203.130

set transform-set vpn-transform

match address 107

!

!

!

!

interface Loopback0

no ip address

!

interface Ethernet0

ip address 192.168.145.1 255.255.255.0

ip nat inside

no ip mroute-cache

hold-queue 100 out

!

interface ATM0

mtu 300

no ip address

no ip mroute-cache

no atm ilmi-keepalive

pvc 0/33

vbr-rt 640 640 10

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

bundle-enable

dsl operating-mode auto

hold-queue 224 in

!

interface Dialer0

ip address negotiated

ip nat outside

encapsulation ppp

no ip route-cache

no ip mroute-cache

shutdown

dialer pool 1

ppp authentication chap

ppp chap hostname xxxxxxxxxxxxxxxxxx

ppp chap password xxxxxxxxxxxxxxxxxx

crypto map rasvpn

!

ip nat inside source route-map nonat interface Dialer0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

no ip http server

ip pim bidir-enable

!

!

access-list 101 deny ip 192.168.145.0 0.0.0.255 192.168.143.0 0.0.0.255

access-list 101 deny ip 192.168.145.0 0.0.0.255 192.168.146.0 0.0.0.255

access-list 101 permit ip 192.168.145.0 0.0.0.255 any

access-list 107 permit ip 192.168.145.0 0.0.0.255 192.168.143.0 0.0.0.255 precedence critical

access-list 107 permit ip 192.168.145.0 0.0.0.255 192.168.146.0 0.0.0.255 precedence critical

access-list 107 permit ip 192.168.145.0 0.0.0.255 192.168.143.0 0.0.0.255

access-list 107 permit ip 192.168.145.0 0.0.0.255 192.168.146.0 0.0.0.255

!

route-map nonat permit 1

match ip address 101

!

!

line con 0

stopbits 1

line vty 0 4

password 7 1352431A0D555C212C2C

login

!

scheduler max-task-time 5000

end

Another router:

Current configuration : 3122 bytes

!

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname CISCOADSL

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

enable secret 5 $1$7v25$iZXmJqMoRMIknHTkna4ms0

enable password 7 1545531A13797E25

!

username COMAcceso password 7 110210314234060251

username voiceware password 7 14011D020F013D2A362D

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

!

!

crypto isakmp policy 3

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 10

hash md5

authentication pre-share

crypto isakmp key cisco123 address 212.145.206.254

!

crypto isakmp client configuration group rasvpn

key cisco123

dns 192.168.143.70

wins 192.168.143.64

domain voiceware.net

pool ippool

!

!

crypto ipsec transform-set rasvpn-transform esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set rasvpn-transform

!

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 1 ipsec-isakmp

set peer 212.145.206.254

set transform-set rasvpn-transform

match address 107

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

!

!

!

interface Loopback0

no ip address

!

interface Ethernet0

ip address 192.168.143.5 255.255.255.0

ip nat inside

no ip mroute-cache

hold-queue 100 out

!

interface ATM0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

pvc 0/33

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

bundle-enable

dsl operating-mode auto

hold-queue 224 in

!

interface Dialer0

ip address negotiated

ip nat outside

encapsulation ppp

no ip route-cache

no ip mroute-cache

shutdown

dialer pool 1

ppp authentication chap

ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx

ppp chap password xxxxxxxxxxxxxxxxxxxxxxxxxx

crypto map clientmap

!

ip local pool ippool 192.168.147.1 192.168.147.254

ip nat inside source route-map nonat interface Dialer0 overload

ip nat inside source static tcp 192.168.143.65 1352 212.145.203.130 1352 extendable

ip nat inside source static tcp 192.168.143.70 25 212.145.203.130 25 extendable

ip nat inside source static tcp 192.168.143.70 80 212.145.203.130 80 extendable

ip nat inside source static tcp 192.168.143.70 110 212.145.203.130 110 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

no ip http server

ip pim bidir-enable

!

!

access-list 101 deny ip 192.168.143.0 0.0.0.255 192.168.0.0 0.0.255.255

access-list 101 permit ip 192.168.143.0 0.0.0.255 any

access-list 107 permit ip 192.168.143.0 0.0.0.255 192.168.146.0 0.0.0.255

access-list 107 permit ip 192.168.145.0 0.0.0.255 192.168.146.0 0.0.0.255

access-list 109 permit ip 192.168.143.0 0.0.0.255 192.168.145.0 0.0.0.255

access-list 109 permit ip 192.168.146.0 0.0.0.255 192.168.145.0 0.0.0.255

!

route-map nonat permit 1

match ip address 101

!

!

line con 0

stopbits 1

line vty 0 4

password xxxxxxxxxxxxxxxxxxxxxxx

!

scheduler max-task-time 5000

end

CISCOADSL#
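As an added example (not from this thread or from Cisco), the Python below parses abridged excerpts of the two configs posted above and cross-checks what a static site-to-site tunnel needs both peers to agree on: the transform-set referenced by each side's crypto map entry, the two crypto ACLs being mirror images of each other, and the interface carrying the crypto map being up. On these excerpts it reports the esp-md5-hmac versus esp-sha-hmac transform-set disagreement, that CISCOADSL's entry matches ACL 107 where its ACL 109 is the mirror of ADSLBILBAO's ACL 107, and the shut-down Dialer0 on both routers.

```python
# Abridged from the two configs posted above; only the lines the checks need.
ADSLBILBAO = """
crypto ipsec transform-set vpn-transform esp-3des esp-md5-hmac
crypto map rasvpn 1 ipsec-isakmp
 set peer 212.145.203.130
 set transform-set vpn-transform
 match address 107
interface Dialer0
 shutdown
 crypto map rasvpn
access-list 107 permit ip 192.168.145.0 0.0.0.255 192.168.143.0 0.0.0.255
access-list 107 permit ip 192.168.145.0 0.0.0.255 192.168.146.0 0.0.0.255
"""
CISCOADSL = """
crypto ipsec transform-set rasvpn-transform esp-3des esp-sha-hmac
crypto map clientmap 1 ipsec-isakmp
 set peer 212.145.206.254
 set transform-set rasvpn-transform
 match address 107
interface Dialer0
 shutdown
 crypto map clientmap
access-list 107 permit ip 192.168.143.0 0.0.0.255 192.168.146.0 0.0.0.255
access-list 107 permit ip 192.168.145.0 0.0.0.255 192.168.146.0 0.0.0.255
access-list 109 permit ip 192.168.143.0 0.0.0.255 192.168.145.0 0.0.0.255
access-list 109 permit ip 192.168.146.0 0.0.0.255 192.168.145.0 0.0.0.255
"""


def parse(cfg):
    """Collect transform-sets, static crypto map entries, ACL permits and interface sub-commands."""
    out = {"tsets": {}, "maps": [], "acls": {}, "ifaces": {}}
    cur_map = cur_if = None
    for line in filter(str.strip, cfg.splitlines()):
        w = line.split()
        if not line.startswith(" "):  # unindented line: a new top-level block begins
            cur_map = cur_if = None
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            out["tsets"][w[3]] = frozenset(w[4:])
        elif w[:2] == ["crypto", "map"] and w[4:] == ["ipsec-isakmp"]:
            cur_map = {"name": w[2], "seq": int(w[3])}
            out["maps"].append(cur_map)
        elif w[0] == "interface":
            cur_if = out["ifaces"].setdefault(w[1], set())
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"] and len(w) >= 8:
            out["acls"].setdefault(w[1], set()).add((w[4], w[5], w[6], w[7]))
        elif cur_map is not None and w[0] in ("set", "match"):
            cur_map[w[1]] = w[2]  # keys: peer, transform-set, address
        elif cur_if is not None:
            cur_if.add(" ".join(w))  # e.g. "shutdown", "crypto map rasvpn"
    return out


def mirror(aces):
    """Swap source and destination: what the peer's crypto ACL must contain."""
    return {(d, dw, s, sw) for (s, sw, d, dw) in aces}


def check_pair(cfg_a, peer_of_a, cfg_b, peer_of_b):
    """Findings for the static crypto map entries on A and B that point at each other;
    peer_of_a is the address A dials (B's public address), and vice versa."""
    a, b = parse(cfg_a), parse(cfg_b)
    ma = next(m for m in a["maps"] if m.get("peer") == peer_of_a)
    mb = next(m for m in b["maps"] if m.get("peer") == peer_of_b)
    findings = []
    ta, tb = a["tsets"][ma["transform-set"]], b["tsets"][mb["transform-set"]]
    if ta != tb:  # phase 2 proposals can never agree
        findings.append(f"transform-set mismatch: {sorted(ta)} vs {sorted(tb)}")
    acl_a, acl_b = a["acls"].get(ma["address"], set()), b["acls"].get(mb["address"], set())
    for ace in sorted(acl_a - mirror(acl_b)):
        findings.append(f"A acl {ma['address']} {ace} has no mirror in B acl {mb['address']}")
    for ace in sorted(acl_b - mirror(acl_a)):
        findings.append(f"B acl {mb['address']} {ace} has no mirror in A acl {ma['address']}")
    for side, cfg in (("A", a), ("B", b)):  # a crypto map on a shut interface does nothing
        for name, subs in cfg["ifaces"].items():
            if "shutdown" in subs and any(s.startswith("crypto map ") for s in subs):
                findings.append(f"{side} {name} carries a crypto map but is shut down")
    return findings
```

check_pair(ADSLBILBAO, "212.145.203.130", CISCOADSL, "212.145.206.254") returns seven findings; with CISCOADSL's entry pointed at ACL 109 and its transform-set changed to esp-md5-hmac, only the two shut-down findings remain.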

5 REPLIES
Cisco Employee

Re: Configuring IPSEC between two routers Cisco 827 and Cisco VP

The only issue I can see so far is that you have statics on the second router config, which the peer network won't reach because of the NAT and the route-map policy you use.

I would think that with this config, the inside interfaces of the routers should be able to ping each other by extended ping. If you want the first router's network to reach the host with the static on the 2nd network, you need to do something like this for your NAT: http://www.cisco.com/warp/public/707/static.html .

Otherwise, you might want to consider opening a case with the TAC.

Regards,

Community Member

Re: Configuring IPSEC between two routers Cisco 827 and Cisco VP

Thanks for the answer, but I know what you say regarding the statics. My real problem is that the tunnel between the two routers isn't operational and I don't know the reason.

Thanks, regards

Cisco Employee

Re: Configuring IPSEC between two routers Cisco 827 and Cisco VP

Besides having the crypto on the dialer, also apply it on the physical interface, ATM.

If you still have issues, please open a case with tac.

Regards,

Community Member

Re: Configuring IPSEC between two routers Cisco 827 and Cisco VP

Besides the fact that your dialer is shut down on both routers? Without seeing the debugs, I'd take a guess that the CISCOADSL router is probably prompting the other router for a username/password. Debugs would be more helpful, though, to determine that: debug crypto ipsec and debug crypto isakmp. If that's the case, you need to change your preshared key for your peer from "crypto isakmp key cisco123 address 212.145.206.254" to "crypto isakmp key cisco123 address 212.145.206.254 no-xauth". If you're still getting problems, remove the aaa from the router; if you have to, remove the client config. That should tell you where your config issue is.

Kurtis Durrett

Community Member

Re: Configuring IPSEC between two routers Cisco 827 and Cisco VP

Hi everybody,

I had the same problem and this is the config that worked for me.

It's a little bit redundant, but from my personal experience it makes things easier to follow.

My example includes 3 private networks but no single VPN client, because that is one thing I have not yet realized.

TOPOLOGY:

The hosts are connected through non-NATed IPsec tunnels; other Internet access is NATed as usual.

          LAN1
           |
         host1
         /   \
        / INET \
       /       \
  host2 -------- host3
    |              |
   LAN2           LAN3

-----------------------------------------------------------------------------------------------------

host1

-----------------------------------------------------------------------------------------------------

!

version 12.2

hostname host1

ip domain-name mydomain.name

! These are the rules for the stateful inspection firewall

ip inspect max-incomplete high 1100

ip inspect max-incomplete low 900

ip inspect one-minute high 1100

ip inspect one-minute low 900

ip inspect name FastEthernet_0 realaudio

ip inspect name FastEthernet_0 ftp

ip inspect name FastEthernet_0 udp

ip inspect name FastEthernet_0 tcp

ip inspect name FastEthernet_0 sqlnet

crypto isakmp enable

crypto isakmp identity address

! This defines policies for the authentication of packets between the

! VPN routers. Both routers must agree on one policy, so you need to have

! at least one matching policy on each router or they will not connect.

! I decided on a single policy for all connections, which becomes mandatory

! that way. The preshared keys used are then defined next.

crypto isakmp policy 1

encr 3des

authentication pre-share

!

! Preshared-Key router1 to router2

crypto isakmp key key4conn_1_2 address 220.220.220.1 no-xauth

!

! Preshared-Key router1 to router3

crypto isakmp key key4conn_1_3 address 230.230.230.1 no-xauth

! The Transform-Set is the policy for the encryption of packets between the

! VPN-routers. As above, both routers need to have a matching policy on each

! router or they will not connect. You may define more than one transform-set

! for different purposes, but you can use the same for many connections

! as well.

crypto ipsec transform-set tfs_3DES ah-sha-hmac esp-3des

! The crypto map binds together the encryption policy with the IP address

! of the peer router and the access-list (# 120 in this example)

! which defines which packets are allowed to go to that peer

crypto map my-cr-map 1 ipsec-isakmp

set peer 220.220.220.1

set transform-set tfs_3DES

match address 120

!

! same as above for net 3 and access-list 130

crypto map my-cr-map 2 ipsec-isakmp

set peer 230.230.230.1

set transform-set tfs_3DES

match address 130

! The INET interface gets the crypto map applied and has a policy for

! incoming connections, which is defined in access-list 101

interface Ethernet0

description connected to Internet

ip address 210.210.210.1 255.255.255.252

ip access-group 101 in

ip nat outside

crypto map my-cr-map

!

! LAN is allowed everything outgoing into the INET, on the way back things

! are inspected as defined in the IP INSPECT rules above

interface FastEthernet0

description connected to EthernetLAN

ip address 192.168.210.1 255.255.255.0

ip nat inside

ip inspect FastEthernet_0 in

!

router rip

version 2

passive-interface Ethernet0

network 192.168.210.0

no auto-summary

! This statement NATs only those packets that match the route-map

! named noNAT (this is CaSe sensitive), defined at the end of this config

! file, and its access-list 110. Only if a packet matches the rule does it

! get the address of interface Ethernet0 applied.

ip nat inside source route-map noNAT interface Ethernet0 overload

! This is my provider's DSL router, which receives all traffic to the INET

! which is not otherwise defined (this is the default route)

ip route 0.0.0.0 0.0.0.0 210.210.210.2

! This list allows incoming traffic from the INET. This is where I had the

! big problem connecting my networks. I only got it to work when I turned the

! logic in these rules around, so unlike all other rules the local part of the

! entry comes last and the incoming host is named first.

!

! Router of net 2 and the private net 2 are allowed all IP inbound

access-list 101 permit ip host 220.220.220.1 host 210.210.210.1

access-list 101 permit ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255

!

! Router of net 3 and the private net 3 are allowed all IP inbound

access-list 101 permit ip host 230.230.230.1 host 210.210.210.1

access-list 101 permit ip 192.168.230.0 0.0.0.255 192.168.210.0 0.0.0.255

! This list denies NAT for connections to the 2 private networks which are

! connected through the encrypted IPsec tunnel, so the private IPs are not seen

! outside, only the real IP of the router that is sending the encrypted

! packets. Any packets not sent to 192.168.220 or 192.168.230 are NATed and

! sent to the INET unencrypted.

! This list is used for the route-map statement following below.

access-list 110 deny ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255

access-list 110 deny ip 192.168.210.0 0.0.0.255 192.168.230.0 0.0.0.255

access-list 110 permit ip 192.168.210.0 0.0.0.255 any

! This rule allows only packets to the private net 192.168.220.0 to become

! encrypted and then be sent in the tunnel to router 220.220.220.1, which

! decrypts them and passes them on to its local network again.

! This works together with the first crypto map statement above

access-list 120 permit ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255

!

! Same as above for the second net

! This works together with the second crypto map statement above

access-list 130 permit ip 192.168.210.0 0.0.0.255 192.168.230.0 0.0.0.255

! This route map decides if a packet is NATed or not. If it is permitted in

! rule 110, it gets NATed; if it's denied, then it stays as it is.

route-map noNAT permit 10

match ip address 110

-----------------------------------------------------------------------------------------------------

host2

-----------------------------------------------------------------------------------------------------

!

version 12.2

hostname host2

ip domain-name mydomain.name

! These are the rules for the stateful inspection firewall

ip inspect max-incomplete high 1100

ip inspect max-incomplete low 900

ip inspect one-minute high 1100

ip inspect one-minute low 900

ip inspect name FastEthernet_0 tcp

ip inspect name FastEthernet_0 ftp

ip inspect name FastEthernet_0 udp

ip inspect name FastEthernet_0 realaudio

ip inspect name FastEthernet_0 sqlnet

crypto isakmp enable

crypto isakmp identity address

! This defines policies for the authentication of packets between the

! VPN routers. Both routers must agree on one policy, so you need to have

! at least one matching policy on each router or they will not connect.

! I decided on a single policy for all connections, which becomes mandatory

! that way. The preshared keys used are then defined next.

crypto isakmp policy 1

encr 3des

authentication pre-share

!

! Preshared-Key router2 to router1 and IP address of peer router

crypto isakmp key key4conn_1_2 address 210.210.210.1 no-xauth

!

! Preshared-Key router2 to router3 and IP address of peer router

crypto isakmp key key4conn_2_3 address 230.230.230.1 no-xauth

! The Transform-Set is the policy for the encryption of packets between the

! VPN-routers. As above, both routers need to have a matching policy on each

! router or they will not connect. You may define more than one transform-set

! for different purposes, but you can use the same for many connections

! as well.

crypto ipsec transform-set tfs_3DES ah-sha-hmac esp-3des

! The crypto map binds together the encryption policy with the IP address

! of the peer router and the access-list (# 120 in this example)

! which defines which packets are allowed to go to that peer

crypto map my-cr-map 1 ipsec-isakmp

set peer 210.210.210.1

set transform-set tfs_3DES

match address 120

!

! same as above for net 3 and access-list 130

crypto map my-cr-map 2 ipsec-isakmp

set peer 230.230.230.1

set transform-set tfs_3DES

match address 130

! The INET interface gets the crypto map applied and has a policy for

! incoming connections, which is defined in access-list 101

interface Ethernet0

description connected to Internet

ip address 220.220.220.1 255.255.255.252

ip access-group 101 in

ip nat outside

crypto map my-cr-map

!

! LAN is allowed everything outgoing into the INET, on the way back things

! are inspected as defined in the IP INSPECT rules above

interface FastEthernet0

description connected to EthernetLAN

ip address 192.168.220.1 255.255.255.0

ip nat inside

ip inspect FastEthernet_0 in

!

router rip

version 2

passive-interface Ethernet0

network 192.168.220.0

no auto-summary

! This statement NATs only those packets that match the route-map

! named noNAT (this is CaSe sensitive), defined at the end of this config

! file, and its access-list 110. Only if a packet matches the rule does it

! get the address of interface Ethernet0 applied.

ip nat inside source route-map noNAT interface Ethernet0 overload

! This is my provider's DSL router, which receives all traffic to the INET

! which is not otherwise defined (this is the default route)

ip route 0.0.0.0 0.0.0.0 220.220.220.2

! This list allows incoming traffic from the INET. This is where I had the

! big problem connecting my networks. I only got it to work when I turned the

! logic in these rules around, so unlike all other rules the local part of the

! entry comes last and the incoming host is named first.

!

! Router of net 1 and the private net 1 are allowed all IP inbound

access-list 101 permit ip host 210.210.210.1 host 220.220.220.1

access-list 101 permit ip 192.168.210.0 0.0.0.255 192.168.220.0 0.0.0.255

!

! Router of net 3 and the private net 3 are allowed all IP inbound

access-list 101 permit ip host 230.230.230.1 host 220.220.220.1

access-list 101 permit ip 192.168.230.0 0.0.0.255 192.168.220.0 0.0.0.255

! This list denies NAT for connections to the 2 private networks which are

! connected through the encrypted IPsec tunnel, so the private IPs are not seen

! outside, only the real IP of the router that is sending the encrypted

! packets. Any packets not sent to 192.168.210 or 192.168.230 are NATed and

! sent to the INET unencrypted.

! This list is used for the route-map statement following below.

access-list 110 deny ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255

access-list 110 deny ip 192.168.220.0 0.0.0.255 192.168.230.0 0.0.0.255

access-list 110 permit ip 192.168.220.0 0.0.0.255 any

! This rule allows only packets to the private net 192.168.210.0 to become

! encrypted and then be sent in the tunnel to router 210.210.210.1, which

! decrypts them and passes them on to its local network again.

! This works together with the first crypto map statement above

access-list 120 permit ip 192.168.220.0 0.0.0.255 192.168.210.0 0.0.0.255

!

! Same as above for the second net

! This works together with the second crypto map statement above

access-list 130 permit ip 192.168.220.0 0.0.0.255 192.168.230.0 0.0.0.255

! This route map decides if a packet is NATed or not. If it is permitted in

! rule 110, it gets NATed; if it's denied, then it stays as it is.

route-map noNAT permit 10

match ip address 110

-----------------------------------------------------------------------------------------------------

host3

-----------------------------------------------------------------------------------------------------

!

version 12.2

hostname Host3

ip domain-name mydomain.name

! These are the rules for the stateful inspection firewall

ip inspect max-incomplete high 1100

ip inspect max-incomplete low 900

ip inspect one-minute high 1100

ip inspect one-minute low 900

ip inspect name FastEthernet_0 tcp

ip inspect name FastEthernet_0 ftp

ip inspect name FastEthernet_0 udp

ip inspect name FastEthernet_0 realaudio

ip inspect name FastEthernet_0 sqlnet

crypto isakmp enable

crypto isakmp identity address

! This defines policies for the authentication of packets between the

! VPN routers. Both routers must agree on one policy, so you need to have

! at least one matching policy on each router or they will not connect.

! I decided on a single policy for all connections, which becomes mandatory

! that way. The preshared keys used are then defined next.

crypto isakmp policy 1

encr 3des

authentication pre-share

!

! Preshared-Key router3 to router1

crypto isakmp key key4conn_1_3 address 210.210.210.1 no-xauth

!

! Preshared-Key router3 to router2

crypto isakmp key key4conn_2_3 address 220.220.220.1 no-xauth

! The Transform-Set is the policy for the encryption of packets between the

! VPN-routers. As above, both routers need to have a matching policy on each

! router or they will not connect. You may define more than one transform-set

! for different purposes, but you can use the same for many connections

! as well.

crypto ipsec transform-set tfs_3DES ah-sha-hmac esp-3des

! The crypto map binds together the encryption policy with the IP address

! of the peer router and the access-list (# 120 in this example)

! which defines which packets are allowed to go to that peer

crypto map my-cr-map 1 ipsec-isakmp

set peer 210.210.210.1

set transform-set tfs_3DES

match address 120

!

! same as above for net 2 and access-list 130

crypto map my-cr-map 2 ipsec-isakmp

set peer 220.220.220.1

set transform-set tfs_3DES

match address 130

! The INET interface gets the crypto map applied and has a policy for

! incoming connections, which is defined in access-list 101

interface Ethernet0

description connected to Internet

ip address 230.230.230.1 255.255.255.252

ip access-group 101 in

ip nat outside

crypto map my-cr-map

!

! LAN is allowed everything outgoing into the INET, on the way back things

! are inspected as defined in the IP INSPECT rules above

interface FastEthernet0

description connected to EthernetLAN

ip address 192.168.230.1 255.255.255.0

ip nat inside

ip inspect FastEthernet_0 in

!

router rip

version 2

passive-interface Ethernet0

network 192.168.230.0

no auto-summary

! This statement NATs only those packets that match the route-map

! named noNAT (this is CaSe sensitive), defined at the end of this config

! file, and its access-list 110. Only if a packet matches the rule does it

! get the address of interface Ethernet0 applied.

ip nat inside source route-map noNAT interface Ethernet0 overload

! This is my provider's DSL router, which receives all traffic to the INET

! which is not otherwise defined (this is the default route)

ip route 0.0.0.0 0.0.0.0 230.230.230.2

! This list allows incoming traffic from the INET. This is where I had the

! big problem connecting my networks. I only got it to work when I turned the

! logic in these rules around, so unlike all other rules the local part of the

! entry comes last and the incoming host is named first.

!

! Router of net 1 and the private net 1 are allowed all IP inbound

access-list 101 permit ip host 210.210.210.1 host 230.230.230.1

access-list 101 permit ip 192.168.210.0 0.0.0.255 192.168.230.0 0.0.0.255

!

! Router of net 2 and the private net 2 are allowed all IP inbound

access-list 101 permit ip host 220.220.220.1 host 230.230.230.1

access-list 101 permit ip 192.168.220.0 0.0.0.255 192.168.230.0 0.0.0.255

! This list denies NAT for connections to the 2 private networks which are

! connected through the encrypted IPsec tunnel, so the private IPs are not seen

! outside, only the real IP of the router that is sending the encrypted

! packets. Any packets not sent to 192.168.210 or 192.168.220 are NATed and

! sent to the INET unencrypted.

! This list is used for the route-map statement following below.

access-list 110 deny ip 192.168.230.0 0.0.0.255 192.168.210.0 0.0.0.255

access-list 110 deny ip 192.168.230.0 0.0.0.255 192.168.220.0 0.0.0.255

access-list 110 permit ip 192.168.230.0 0.0.0.255 any

! This rule allows only packets to the private net 192.168.210.0 to become

! encrypted and then be sent in the tunnel to router 210.210.210.1, which

! decrypts them and passes them on to its local network again.

! This works together with the first crypto map statement above

access-list 120 permit ip 192.168.230.0 0.0.0.255 192.168.210.0 0.0.0.255

!

! Same as above for the second net

! This works together with the second crypto map statement above

access-list 130 permit ip 192.168.230.0 0.0.0.255 192.168.220.0 0.0.0.255

! This route map decides if a packet is NATed or not. If it is permitted in

! rule 110, it gets NATed; if it's denied, then it stays as it is.

route-map noNAT permit 10

match ip address 110

-------------------------------------------------------

Hope it helps,

Christoph Sonnen
