Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Site-to-Site VPN links

Hi Guys,  I am currently trying to configure a VPN link between 2 sites, I have replaced some crypto maps with ipsec tunnel interfaces instead.   However I am unsure what configuration lines are still required below is snippets of the configuration, both sites have similar configurations however the documentation I found doesn't show the use of crypto isakmp policy line but when I remove it the link fails to establish.

crypto isakmp policy 3
encr
3des
hash md5
authentication pre
-share
group 2
lifetime
20000
!
!
crypto isakmp key keygoeshere address xxx
.xxx.xxx.xxx
crypto ipsec transform
-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile
Site-to-Site
set transform-set ESP-3DES-SHA1
!
!
interface Tunnel0
description
--- Connection to WA ---
ip address
192.168.250.1 255.255.255.252
tunnel source
Dialer1
tunnel destination xxx
.xxx.xxx.xxx
tunnel mode ipsec ipv4
tunnel path
-mtu-discovery
tunnel protection ipsec profile
Site-to-Site
!
router rip
version
2
passive
-interface Vlan1
network
192.168.1.0
network
192.168.250.0
!

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Site-to-Site VPN links

Andrew,

If you plan to use IPsec as the VPN protocol, you cannot remove the crypto isakmp policy (because it is used for phase 1 negotiation between the VPN endpoints).

You're using IPsec profiles, is this because you're establishing VTI or GRE VPN tunnels?

What kind of VPN are you trying to establish?

Federico.

5 REPLIES

Re: Site-to-Site VPN links

Andrew,

If you plan to use IPsec as the VPN protocol, you cannot remove the crypto isakmp policy (because it is used for phase 1 negotiation between the VPN endpoints).

You're using IPsec profiles, is this because you're establishing VTI or GRE VPN tunnels?

What kind of VPN are you trying to establish?

Federico.

Community Member

Re: Site-to-Site VPN links

That makes sense, does the number for the policy matter as its not linked anywhere?

I am using a IPSec SVTI, the main goal is to ensure the best security (well near best) possible between the 2 sites.

The final goal is to link branch offices (4) across the country to a central router, they all have Cisco 877 routers and I am looking at the possibility of replacing the central router with a higher end to handle the extra load.

PS. They all use ADSL2 as their WAN links

Re: Site-to-Site VPN links

The number in the crypto isakmp policy is just a local identifier (it does not matter which number it is).

The only role of that number is that when a VPN connection against the router is attempted, the peer will look at the crypto isakmp policies in sequential order until finding a match. (so the number is only relevant in case you have multiple crypto isakmp policies and you need to have them in certain order).

The advantage of using VTI is that it simplifies configuration and allows multicast traffic to pass through the tunnel (as opposed to regular IPsec traffic which only allows IP unicast packets).

You should not have a problem with the implementation. Let us know if you have any questions.

Federico.

Community Member

Re: Site-to-Site VPN links

Thank you for your very fast and accurate responses, I find the SVTIs much easier to wrap my head around then the crypto maps.

Do you have any recommendations of a slightly higher end router that has either a extra WIC slot or inbuilt backup link systems(3G etc)?

Once again thanks for your help

261
Views
0
Helpful
5
Replies
CreatePlease to create content