Site-Site VPN 2600 routers

enikk
Level 1

I'm planning on setting up a site-to-site VPN between 2 2600 routers utilizing IPsec, which are both running the firewall feature set and NAT utilizing PAT. Does anyone have a similar configuration that they can post their config files? I need to get an idea on how this can be accomplished.

From the other posts I've seen it looks like NAT is going to be a problem, and I've attempted it already and failed. Any info or config files would be great!

Tony

tkusina@hydra-flex.com

1 Reply

gbeaty
Level 1

Tony,

I am assuming that you are going to use pre-shared keys? I have the exact same setup at a couple of locations. NAT sucks for me, but you can try if you like. You need to define crypto settings, e.g. policy, authentication, lifetime. You then need to create the keys:

crypto isakmp key TONY address 1.1.1.1 255.255.255.255

Then you need to create a transform set:

crypto ipsec transform-set TONY esp-des esp-sha-hmac (or whatever alg you want)

Then you need to create an access-list:

access-list 101 permit ip 1.1.0.0 0.0.255.255 2.2.2.0 0.0.0.255

Then you need to create maps:

crypto map TONY 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set TONY
 match address 101

Then you need to bind the map to the interface you are using. What type of WAN are you using?

You need to match the key and IP address of the other router. You do it backwards, it is a little funky!

I set static routes for my tunnels; I only have 13, so it is not too much.

E-mail me if you have any questions.

Geoff

gbeaty@reico.com
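
Added example, not part of either post: one router's side of the steps in the reply, put together with the piece that usually breaks IPsec when PAT is also running, namely excluding the tunnel traffic from NAT. All addresses, the key placeholder, ACL 110, the ISAKMP policy values and the interface names are assumptions chosen for illustration; only the names TONY and ACL 101 come from the reply.

```cisco
! Constructed addressing for this example:
!   local LAN 10.1.0.0/16, local WAN 198.51.100.1
!   remote LAN 10.2.2.0/24, remote WAN (peer) 198.51.100.2

! Phase 1 policy: must match on both routers
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400

! Pre-shared key for the remote peer (placeholder, same key on both ends)
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.2

! Phase 2 transform set. The reply uses esp-des; DES is weak, so esp-3des
! is shown here and requires an image that includes 3DES.
crypto ipsec transform-set TONY esp-3des esp-sha-hmac

! Traffic to encrypt: local LAN to remote LAN.
! The remote router uses the mirror image (source and destination swapped).
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.2.0 0.0.0.255

crypto map TONY 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TONY
 match address 101

! NAT happens before the crypto map is evaluated, so tunnel traffic must be
! denied in the PAT access list. Otherwise it is translated to the WAN
! address, no longer matches ACL 101, and leaves unencrypted.
access-list 110 deny   ip 10.1.0.0 0.0.255.255 10.2.2.0 0.0.0.255
access-list 110 permit ip 10.1.0.0 0.0.255.255 any
ip nat inside source list 110 interface Serial0/0 overload

interface FastEthernet0/0
 ip nat inside

interface Serial0/0
 ip nat outside
 crypto map TONY
```

After both sides are configured, `show crypto isakmp sa` and `show crypto ipsec sa` show whether the tunnel negotiated and whether the encrypt and decrypt packet counters increase.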
