LAN to LAN VPN

kluchtman
Level 1

I am a newb to Cisco routing and learn as the need comes up. So the time has come for me to create a LAN to LAN VPN from my house to my mother-in-law's house (2 doors down). I have a 2611xm with an ADSL WIC running 12.4(25)d and my in-laws have a 2620xm with an ADSL WIC running 12.4(25)c; both router configs are identical with a few respective minor changes. Both LANs use a 10.0.x.x IP range but they would not conflict if they were joined. My purpose for this VPN is to maintain their UBNT WAP with my UBNT WAP Controller, and to perform SNMP monitoring and NetFlow statistics. So it would just be easier for me to have an all-ports-open VPN between the two instead of having to map ports that I need as I need them. You can see my config below; I have started to create the VPN but decided to stop and get advice before I moved on. Both DSL modems use DHCP so I can't set a static IP, however I do have them both updating a no-ip.com redirect. My router config is below; if anyone is willing to help me learn this I would greatly appreciate it.

Kurt

version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c2600-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
no logging rate-limit
no logging console
no logging monitor
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXX
!         
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate slot 1 
no network-clock-participate wic 0 
ip cef    
!         
!         
no ip dhcp use vrf connected
ip dhcp excluded-address XXXXXX 0.0.0.255
!         
ip dhcp pool insideDHCP
   network XXXXXX 0.0.0.255
   default-router XXXXXX
   dns-server XXXXXX XXXXXX
!         
!         
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip domain name XXXXXX.no-ip.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method no-ip
 HTTP     
  add http://XXXXXX@XXXXXX.xxx:XXXXXX@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
!         
vpdn enable
!         
vpdn-group pppoe
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
!         
crypto pki trustpoint TP-self-signed-3030517303
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3030517303
 revocation-check none
 rsakeypair TP-self-signed-3030517303
!         
!         
username kluchtman privilege 15 password 0 XXXXXX
!         
!         
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!         
!         
crypto isakmp policy 10
 hash md5 
 authentication pre-share
crypto isakmp key vpnuser address XXXXXX
!         
!         
crypto ipsec transform-set myset esp-des esp-md5-hmac 
!         
crypto map mymap 10 ipsec-isakmp 
 ! Incomplete
 set peer XXXXXX
 set transform-set myset 
 match address 100
!         
!         
!         
!         
interface ATM0/0
 no ip address
 no ip mroute-cache
 atm restart timer 300
 no atm ilmi-keepalive
 dsl operating-mode auto 
 dsl enable-training-log
 hold-queue 224 in
 pvc 8/35 
  pppoe-client dial-pool-number 1
 !        
!         
interface FastEthernet0/0
 description NOT USED
 ip address dhcp
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
!         
interface FastEthernet0/1
 description LAN
 ip address XXXXXX 0.0.0.255
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!         
interface Dialer1
 ip ddns update hostname XXXXXX.no-ip.com
 ip ddns update no-ip
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXX@xxx.xxx
 ppp chap password 0 XXXXXX
 crypto map mymap
!         
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!         
ip flow-export source Dialer1
ip flow-export version 5
ip flow-export destination XXXXXX 9996
ip flow-top-talkers
 top 200  
 sort-by bytes
 cache-timeout 3600
!         
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!         
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community public RO
snmp-server ifindex persist
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps envmon
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps cnpd
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server host XXXXXX public 
!         
!         
!         
control-plane
!         
!         
!         
!         
!         
!         
!         
!         

!         
line con 0
 password XXXXXX
 login    
line aux 0
 password XXXXXX
 login    
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 privilege level 15
 password XXXXXX
 login local
 transport preferred none
 transport input ssh
!         
ntp clock-period 17208416
ntp server 17.171.4.13
!         
end  

Accepted Solution

Well, since you are using NO-IP you would need to configure DNS server IPs on your router so that it is able to resolve the FQDN you set as your VPN peer. 

For example:

ip name-server 4.2.2.2

Under your isakmp policy you should configure encryption as well, and I would change MD5 to SHA as it is more secure... but that is up to you.

crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share

You will also need a crypto ACL that defines interesting traffic... or traffic that is to be encrypted.

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255

The remote end will need an ACL that is the mirror image of the above (of course the ACL number can be different).

access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto isakmp key vpnuser address XXX.no-ip.com

crypto map mymap 10 ipsec-isakmp
 set peer XXX.no-ip.com
 set transform-set myset 
 match address 100

interface Dialer1
 crypto map mymap

Looks like you are off to a good start.

--
Please remember to select a correct answer and rate helpful posts
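A small check, added here and not part of the thread or of any Cisco tool, for the two points the answer makes: the remote crypto ACL must be the mirror image of the local one, and the ISAKMP policy and transform set should not be left on DES/MD5. The config fragments are constructed to match the answer's example addresses; the masked peer hostname is not needed for the check.

```python
import re

# Constructed config fragments modelled on the answer's example (not the
# poster's real config); only the lines the check needs are included.
LOCAL = """
crypto isakmp policy 10
 encryption aes
 hash md5
 authentication pre-share
crypto ipsec transform-set myset esp-des esp-md5-hmac
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
"""
REMOTE = "access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255\n"

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
NO_ENCRYPTION = "isakmp policy: no encryption configured (IOS default is DES)"
WEAK_TOKENS = (("esp-des", "ESP single DES"), ("hash md5", "ISAKMP hash MD5"),
               ("esp-md5-hmac", "ESP HMAC-MD5"))

def crypto_acl(config, number):
    """Return (src, src_wc, dst, dst_wc) tuples of the numbered crypto ACL."""
    entries = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == number:
            entries.append(m.groups()[1:])
    return entries

def is_mirror(local, remote):
    """True when every local entry has a remote entry with src and dst swapped."""
    swapped = {(dst, dwc, src, swc) for (src, swc, dst, dwc) in remote}
    return set(local) == swapped

def weak_settings(config):
    """List the legacy algorithm choices the answer suggests replacing."""
    findings, in_policy, has_encryption = [], False, False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy"):
            in_policy, has_encryption = True, False
        elif in_policy and not raw.startswith(" "):   # policy block ended
            if not has_encryption:
                findings.append(NO_ENCRYPTION)
            in_policy = False
        if in_policy and line.startswith("encryption "):
            has_encryption = True
        findings += [f"{name}: {line}" for tok, name in WEAK_TOKENS if tok in line]
    if in_policy and not has_encryption:                 # policy ran to end of input
        findings.append(NO_ENCRYPTION)
    return findings
```

Run `is_mirror(crypto_acl(LOCAL, "100"), crypto_acl(REMOTE, "100"))` against both routers' saved configs before bringing the tunnel up; `weak_settings` reports the DES/MD5 lines worth changing.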

13 Replies


Thanks for the reply, this has helped me get further than I expected I would be at this point.

I have a few problems:

When I type in set peer xxx.no-ip.com I get the following error:

Translating "xxx.no-ip.com"
% Unable to resolve xxx.no-ip.com -- can not set/unset peer

I have set the ip name-server as 8.8.8.8, any ideas?

If you do an nslookup xxx.no-ip.com, does it resolve to an IP?

For the set command you can try to issue the following command:

crypto map mymap 10 ipsec-isakmp
 set peer XXX.no-ip.com dynamic

--
Please remember to select a correct answer and rate helpful posts

That one appears to have gone through but with an error: "Can not resolve xxx.no-ip.com now, we'll try again when negotiating ISAKMP." The URL does resolve to the correct IP.

Let us know how it goes.

--
Please remember to select a correct answer and rate helpful posts

It went great on my side where I am running advanced enterprise, but I can't do almost anything on my mother-in-law's side; she is running ip base (with crypto). If I type in crypto map xxxx I get "invalid input detected" at the word map. Does she need to be running advanced enterprise too?

You need to have the security license installed to be able to do encryption and VPN.  You will not be able to do this without the security license.

--
Please remember to select a correct answer and rate helpful posts

If I haven't looked like a newb yet I should now. How do I get a security license?

You would get the security technologies package license from a Cisco reseller in your area. However the 2620xm was end of life/service in 2012 so I am not sure this is available any longer. You would need to check with a reseller on that, or perhaps someone on here has an idea if it can still be purchased.
--
Please remember to select a correct answer and rate helpful posts

Ok, so how about this as an alternate workaround. What if I created a VPN in the 2600, and put a box in her house that would automatically connect to my VPN?

That depends on what you mean by putting a box in the house. If you mean a PC and that you configure a remote access VPN on your 2600, then that PC would need to be the one initiating the VPN connection.

--
Please remember to select a correct answer and rate helpful posts

Yes, exactly. I am building a CentOS box to put at my mother-in-law's house to initiate the VPN connection back to my house. I might not be able to maintain the WAP, which is what I was originally wanting to do, but I should be able to monitor it and the router. Correct?

This is something I have never tried, but if it is a regular remote access VPN you are setting up from the CentOS box then I do not believe you will be able to monitor or even have access to the network... unless you are able to remote desktop to the CentOS box... or similar. Once you have access to the box then you should be able to monitor the network and manage it from there.

What you could do, and maybe this is what you were thinking initially, is set up the CentOS box as a logging server, and have the router send logging to the server via SNMP or just plain old syslog.

When you say you might not be able to maintain the WAP, what exactly do you mean... you might not be able to maintain it directly from your own network... but you should be able to maintain it from your mother's network, i.e. via the CentOS box.

--
Please remember to select a correct answer and rate helpful posts