
Cisco 800 ipsec ike tunnel

beckerola
Level 1

Hi

I have some doubts about some work I have to do in the next few days, and I'm not very fond of remote access. I will have to configure a Cisco 800 on a remote side (it's an employee's house). The central site is already configured. The scenario is something like this.

On the central side there is a Cisco (I don't know what type) and it has a config like this (the IPs have been hidden):

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key "something" address 80.x.x.x no-xauth
!
crypto ipsec transform-set ipsec3DES esp-3des esp-md5-hmac
!
crypto map tunnel 26 ipsec-isakmp
 description remote site 192.168.12.x
 set peer 80.x.x.x
 set transform-set ipsec3DES
 match address 126
!
access-list 126 permit ip 10.5.0.0 0.0.0.255 192.168.12.0 0.0.0.255

The 80.x.x.x is the public IP of my remote router. They have, on their own outside port, a termination tunnel with IP 195.x.x.x, which is where I will have to point back in the peer command.

The configuration isn't really very difficult. In fact, the configuration in my 800 router would be something like this:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key "something" address 195.x.x.x no-xauth
!
crypto ipsec transform-set ipsec3DES esp-3des esp-md5-hmac
!
crypto map tunnel 26 ipsec-isakmp
 set peer 195.x.x.x
 set transform-set ipsec3DES
 match address 126
!
access-list 126 permit ip 192.168.12.x 0.0.0.255 10.5.0.0 0.0.0.255

ethernet 0
 ip address 192.168.12.x 255.255.255.0

serial 0 --> (It isn't a serial, first problem)
 ip address 80.x.x.x mask
 crypto map tunnel

Now, the person at home where the 800 will be installed has a DSL connection with an ISP. He has another router (3COM) and uses that router to access the internet. The 800 router will only be used to access resources in his office.

My question is, will it work with only that configuration? Do I need to configure ADSL with the actual ISP the employee has before creating the tunnel to the office?

As you can see in the last configuration, I applied the "crypto map tunnel" command to a serial port, but a Cisco 800 doesn't have a serial port. Where do I configure the 80.x.x.x IP with the crypto map statement?

I was thinking about creating a "tunnel 0" interface and then applying everything there, but I think it won't work because this has nothing to do with GRE tunnels.

Is there a real need to configure the new 800 router with DSL configuration to access the office site?

Thanks

1 Reply

beckerola
Level 1

I have been investigating and maybe the solution would be creating an ATM interface and applying my public IP address there, along with the vpi/vci configuration and also the crypto map. I think it will be enough with that and the IPSec/IKE configuration to form the tunnel.
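
Whichever interface ends up carrying the crypto map, the two configs in the question only form a tunnel if they agree with each other. The following is an added example, not part of the original thread or of any Cisco tooling: a small Python check that two IOS snippets use the same IKE policy and transform set, key the same peer they point at, and have mirror-image crypto ACLs. The function names `parse` and `compare`, the key `EXAMPLE` and the documentation addresses are assumptions made for the example.

```python
import re

# Constructed sample configs (not from the post). Documentation addresses stand in
# for the redacted peers: 203.0.113.1 = central (195.x.x.x), 198.51.100.1 = remote (80.x.x.x).
TEMPLATE = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE address {peer} no-xauth
crypto ipsec transform-set ipsec3DES esp-3des esp-md5-hmac
crypto map tunnel 26 ipsec-isakmp
 set peer {peer}
 set transform-set ipsec3DES
 match address 126
access-list 126 permit ip {src} {dst}
"""
CENTRAL = TEMPLATE.format(peer="198.51.100.1", src="10.5.0.0 0.0.0.255", dst="192.168.12.0 0.0.0.255")
REMOTE = TEMPLATE.format(peer="203.0.113.1", src="192.168.12.0 0.0.0.255", dst="10.5.0.0 0.0.0.255")

def parse(cfg):
    """Extract tunnel settings; assumes one policy, one map, 'network wildcard' ACL entries."""
    one = lambda pat: (re.search(pat, cfg, re.M) or [None, None])[1]
    return {
        "ike": (one(r"^\s*encr (\S+)"), one(r"^\s*authentication (\S+)"), one(r"^\s*group (\S+)")),
        "key_peer": one(r"^crypto isakmp key \S+ address (\S+)"),
        "map_peer": one(r"^\s*set peer (\S+)"),
        "transform": one(r"^crypto ipsec transform-set \S+ (\S+(?: \S+)*)"),
        "acl": re.findall(r"^access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M),
    }

def compare(a, b):
    """Return the mismatches between two peers that typically keep the tunnel down."""
    pa, pb = parse(a), parse(b)
    problems = []
    if pa["ike"] != pb["ike"]:
        problems.append("IKE policy differs")
    if pa["transform"] != pb["transform"]:
        problems.append("transform-set differs")
    if any(p["key_peer"] != p["map_peer"] for p in (pa, pb)):
        problems.append("pre-shared key address does not match 'set peer'")
    # Each side's crypto ACL must be the other's with source and destination swapped.
    if sorted(pa["acl"]) != sorted((dst, src) for src, dst in pb["acl"]):
        problems.append("crypto ACLs are not mirror images")
    return problems

if __name__ == "__main__":
    print(compare(CENTRAL, REMOTE) or "configs are consistent")
```

The check does not look at which interface the crypto map is applied to, which is the open question in the thread.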