Site-to-Site VPN links

Hi Guys, I am currently trying to configure a VPN link between 2 sites; I have replaced some crypto maps with ipsec tunnel interfaces instead. However, I am unsure which configuration lines are still required. Below are snippets of the configuration; both sites have similar configurations. However, the documentation I found doesn't show the use of the crypto isakmp policy line, but when I remove it the link fails to establish.

crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 20000
!
!
crypto isakmp key keygoeshere address xxx.xxx.xxx.xxx
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile Site-to-Site
 set transform-set ESP-3DES-SHA1
!
!
interface Tunnel0
 description --- Connection to WA ---
 ip address 192.168.250.1 255.255.255.252
 tunnel source Dialer1
 tunnel destination xxx.xxx.xxx.xxx
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Site-to-Site
!
router rip
 version 2
 passive-interface Vlan1
 network 192.168.1.0
 network 192.168.250.0
!

Accepted Solution

Andrew,

If you plan to use IPsec as the VPN protocol, you cannot remove the crypto isakmp policy (because it is used for phase 1 negotiation between the VPN endpoints).

You're using IPsec profiles, is this because you're establishing VTI or GRE VPN tunnels?

What kind of VPN are you trying to establish?

Federico.


5 Replies


That makes sense. Does the number for the policy matter, as it's not linked anywhere?

I am using an IPSec SVTI; the main goal is to ensure the best security (well, near best) possible between the 2 sites.

The final goal is to link branch offices (4) across the country to a central router. They all have Cisco 877 routers, and I am looking at the possibility of replacing the central router with a higher-end one to handle the extra load.

PS. They all use ADSL2 as their WAN links

The number in the crypto isakmp policy is just a local identifier (it does not matter which number it is).

The only role of that number is that when a VPN connection against the router is attempted, the peer will look at the crypto isakmp policies in sequential order until it finds a match (so the number is only relevant in case you have multiple crypto isakmp policies and you need to have them in a certain order).

The advantage of using VTI is that it simplifies configuration and allows multicast traffic to pass through the tunnel (as opposed to regular IPsec traffic which only allows IP unicast packets).

You should not have a problem with the implementation. Let us know if you have any questions.

Federico.
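As an added example (not code from this thread or from Cisco), a small Python checker for the points Federico raises: it parses a constructed IOS snippet modelled on the configuration posted above, confirms that a crypto isakmp policy exists for phase 1, follows the tunnel protection, profile and transform-set chain, and flags the 3DES, MD5 and group 2 settings of the posted policy as weak. The WEAK set and the one-transform-set-per-profile simplification are assumptions of this example.

```python
# Constructed sample based on the configuration posted in this thread (peer address, key and
# interface addressing lines are omitted; they play no part in these checks).
SAMPLE_CONFIG = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile Site-to-Site
 set transform-set ESP-3DES-SHA1
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Site-to-Site
"""

# Algorithm keywords treated as weak (assumption: a local policy choice, not a Cisco list).
WEAK = {"des", "3des", "md5", "group 1", "group 2", "esp-des", "esp-3des", "esp-md5-hmac"}

def parse_blocks(text):
    # Map each top-level IOS line to its indented sub-commands; blanks and '!' lines are skipped.
    blocks, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
    return blocks

def audit_vti(text):
    # Findings: missing phase-1 policy, broken profile -> transform-set chain, weak algorithms.
    blocks, findings = parse_blocks(text), []
    policies = {k: v for k, v in blocks.items() if k.startswith("crypto isakmp policy ")}
    if not policies:
        findings.append("no crypto isakmp policy: IKE phase 1 cannot negotiate")
    for name, sub in policies.items():  # sub-lines look like 'encr 3des', 'hash md5', 'group 2'
        findings += [f"{name}: weak setting '{s}'" for s in sub if s in WEAK or s.split()[-1] in WEAK]
    tsets = {k.split()[3]: k.split()[4:] for k in blocks if k.startswith("crypto ipsec transform-set ")}
    profiles = {k.split()[3]: v for k, v in blocks.items() if k.startswith("crypto ipsec profile ")}
    for key, sub in ((k, v) for k, v in blocks.items() if k.startswith("interface Tunnel")):
        prot = [s.split()[-1] for s in sub if s.startswith("tunnel protection ipsec profile ")]
        # Assumption: one transform-set name per profile (last word of the 'set transform-set' line).
        ts = [s.split()[-1] for p in prot for s in profiles.get(p, []) if s.startswith("set transform-set ")]
        if not prot:
            findings.append(f"{key}: no tunnel protection, packets would leave unencrypted")
        elif not ts or ts[0] not in tsets:
            findings.append(f"{key}: profile/transform-set chain does not resolve")
        else:
            findings += [f"{key}: weak transform '{a}'" for a in tsets[ts[0]] if a in WEAK]
    return findings
```

Running audit_vti(SAMPLE_CONFIG) reports the three weak phase-1 settings and the 3DES transform; deleting the policy block reproduces the "no crypto isakmp policy" finding that matches the failure described in the question.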

Thank you for your very fast and accurate responses. I find the SVTIs much easier to wrap my head around than the crypto maps.

Do you have any recommendations for a slightly higher-end router that has either an extra WIC slot or inbuilt backup link systems (3G etc.)?

Once again thanks for your help
