My first site to site VPN

mod0108537733
Level 1

Dear all

This is my first time configuring a site-to-site VPN.

In site A I have a Cisco 1801 router, which is connected to the Internet by a leased line; the LAN is 10.0.0.0/24.

In site B I have a Cisco 887VA router, which is connected via a 4 Mbps ADSL connection; the LAN is 10.10.10.0/24.

NOTICE: I use the 887 router as the ADSL modem. Will I face any problem?

Do I need a real IP in both sites?

What is the simplest way to configure this VPN?

Best regards

Mahmoud

3 Replies

zalkurdi
Cisco Employee

Hello Mahmoud,

As to your question, do you mean by "real IP" a static public IP for the outside interfaces of the routers?

Normally, in an L2L environment, you enter the public IPs in the configuration in order to negotiate a VPN tunnel between the 2 peers.

However, you can configure it so that 1 side uses a static public IP (leased line) while the other side uses a changing IP (DHCP assigned, for example).

For the first scenario, use the router configuration in the link below.

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

For the second scenario, use the suggestions below.

For Site A, use the router configuration in the link below.

http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b4ae61.shtml

The following commands need to be added instead of the ones in the link:

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map mydyn 10
 set transform-set myset
crypto map mymap 65535 ipsec-isakmp dynamic mydyn
! On IOS the crypto map is applied under the Internet-facing interface
! ("crypto map <name> interface <if>" is ASA syntax, not IOS)
interface <outside interface>
 crypto map mymap

and

crypto isakmp key <key> hostname <fqdn>

<fqdn> = fully qualified domain name.

For Site B, use the same configuration as in the link but make the following changes:

crypto isakmp peer address <site A public IP>
 set aggressive-mode password <key>
 set aggressive-mode client-endpoint fqdn <fqdn>
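The fragments above assume the reader can fit them into the linked static-to-static example. The following is an added, complete IOS configuration for both routers in the second scenario (site A static, site B dynamic with aggressive-mode FQDN identity); it is not Cisco's or the poster's configuration. Everything specific is an assumption: site A's public address 203.0.113.10 (documentation range), the FQDN siteb.example.com, the interface names FastEthernet0 (1801 leased line) and Dialer0 (887VA ADSL, IP negotiated), the object names, and the placeholder pre-shared key. Two caveats a practitioner should weigh: aggressive mode with a pre-shared key sends the responder's hash in the clear, so the PSK can be attacked offline by anyone who can observe or solicit the exchange, which is why the example uses a long random key and AES-256/SHA-256/DH group 14 instead of the 3DES/SHA-1 set in the reply (if the 1801's IOS release rejects sha256, use "hash sha" and "esp-sha-hmac" on both sides); and the NAT-exemption entries are required, or the overload NAT on the WAN interface will rewrite LAN-to-LAN traffic before the crypto map sees it.

```ios
! ===================== Site A: Cisco 1801, static public IP =====================
! Assumed: WAN = FastEthernet0 with 203.0.113.10/30 (constructed address)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Site B is identified by FQDN, not address, because its IP changes.
! <PSK> is a placeholder: use a long random string, identical on both sides.
crypto isakmp key <PSK> hostname siteb.example.com
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 28800
!
! Dynamic map: site A cannot initiate (peer unknown); it accepts site B's
! proposal and learns the peer address from the negotiation.
crypto dynamic-map DYN-MAP 10
 set transform-set TS-AES
 match address VPN-TRAFFIC
 reverse-route
crypto map VPN-MAP 65535 ipsec-isakmp dynamic DYN-MAP
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
! NAT exemption: LAN-to-LAN traffic must NOT be translated.
ip access-list extended NAT-TRAFFIC
 deny   ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
interface FastEthernet0
 description Leased line to Internet (assumed interface name)
 ip address 203.0.113.10 255.255.255.252
 ip nat outside
 crypto map VPN-MAP
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NAT-TRAFFIC interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.9

! ================ Site B: Cisco 887VA, dynamic ADSL address ================
! Assumed: ADSL terminates on Dialer0 with a negotiated IP
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK> address 203.0.113.10
! Aggressive mode with FQDN identity so site A can match the key by hostname.
crypto isakmp peer address 203.0.113.10
 set aggressive-mode password <PSK>
 set aggressive-mode client-endpoint fqdn siteb.example.com
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 28800
!
! Static map: site B always initiates toward site A's fixed address.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended NAT-TRAFFIC
 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
interface Dialer0
 description ADSL to ISP, IP negotiated (assumed interface name)
 ip address negotiated
 ip nat outside
 crypto map VPN-MAP
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NAT-TRAFFIC interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
```

To bring the tunnel up, send traffic from the site B LAN toward 10.0.0.0/24 (site A cannot start it), then check "show crypto isakmp sa" for a QM_IDLE entry and "show crypto ipsec sa" for non-zero encrypt/decrypt counters on both routers; on site A the dynamic map's "reverse-route" installs a route to 10.10.10.0/24 once the SA exists, so "show ip route" is a quick confirmation there.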

Thank you Zaid for your reply, I appreciate that.

Would you please tell me more about using one single static public IP in one site while the other is dynamically assigned by the ISP? Does this method have any disadvantages, as I need to connect LAN to LAN?

The above link you provided talks about private IP(s) only.

In my previous post, I mentioned how you can change the configuration in the link to meet your needs. I don't believe there are any disadvantages. It's just another way to set up L2L.