
Site to Site VPN over ADSL with Static IP on both ends

Hi everyone!

I have been asked to configure the above between our office and a client's. I have been provided with the following info from the client side:

Pre-share key: nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn

NAT ip for Perth is
Remote peer IP address is yyy.yyy.yyy.yyy

encryption algorithm for (phase I/II) IKE and IPSEC => 3DES
hash algorithm for (phase I/II) IKE and IPSEC => MD5
Key exchange => pre-shared keys and the key is => nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
Diffie-Hellman Group ID => 1024 bit (2)
IKE lifetime => 86400 (1 day)
SA lifetime => 3600 (1 hour)
our peer address =>
NATing IP at Remotenetwork => zzz.zzz.zzz.zzz

They tell me this is from a Cisco router - no idea which model and IOS.  From our side I will be using a "borrowed" 2821 router and I've been handed a "template" set of commands:

crypto ipsec transform-set 3Des-MD5 esp-3des esp-md5-hmac

crypto isakmp key some_big_random_key address

crypto map TPA-VPN 2262 ipsec-isakmp
description ; unmannaged IPSEC to TP CONTESO
set peer
set transform-set 3Des-MD5
set pfs group2
match address 2262

ip route yyy.yyy.55.148 zzz.zzz.89.158
ip route zzz.zzz.89.158

ip nat outside source static yyy.yyy.55.148

access-list 2262 remark Crypto map connection TP CONTESO
access-list 2262 permit ip host yyy.yyy.42.20 host
access-list 2262 permit ip host yyy.yyy.42.21 host
access-list 2262 permit ip host yyy.yyy.42.23 host

Keeping in mind I'm a total noob here, do these 2 sets of config commands have anything to do with each other?  Please advise me on the commands necessary on the 2821 to match the clients side router.

Many thanks!


Re: Site to Site VPN over ADSL with Static IP on both ends


It looks about right ... some remarks below.

Diffie-Hellman Group ID => 1024 bit (2)

This can refer to the group2 setting on the isakmp policies, which you have not provided. It doesn't have to mean "PFS", which in fact is another DH exchange, to make sure new keys cannot be derived from old.

When creating any entries on the crypto ACL on your side you need to know what the other side has configured.

Generally speaking, if NAT is done on traffic going via the tunnel you have to match IP addresses post-NAT (this scenario is rare).

(under crypto map entry) set peer ----- has to refer to IP address of the peer as visible on WAN.
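To show how the remarks above fit together with the client's parameter sheet, here is an added IOS configuration sketch for the 2821 side; it is not the poster's template nor anything either participant supplied. The phase 1 policy number, the ACL/crypto map names, `LOCAL_HOST`/`REMOTE_HOST`, and the `Dialer0` interface are assumptions; the peer address, key, algorithms and lifetimes are the placeholders and values from the sheet.

```cisco
! Phase 1 (IKE/ISAKMP) policy - the part the template left out.
! 3DES / MD5 / DH group 2 / 86400 s are taken from the client's sheet;
! the policy number 10 is an arbitrary local choice.
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key bound to the peer's address as seen on the WAN (the
! "remote peer IP address" on the sheet, not a NAT-inside address).
crypto isakmp key nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn address yyy.yyy.yyy.yyy
!
! Phase 2 (IPsec) transform set and the 3600 s SA lifetime from the sheet.
crypto ipsec transform-set 3Des-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
!
! Crypto ACL: LOCAL_HOST / REMOTE_HOST are placeholders for the addresses
! both sides agree to protect (post-NAT if NAT applies inside the tunnel).
! The client's router must carry the mirror image of this list.
access-list 2262 remark Crypto map connection TP CONTESO
access-list 2262 permit ip host LOCAL_HOST host REMOTE_HOST
!
crypto map TPA-VPN 2262 ipsec-isakmp
 description IPsec to TP CONTESO
 set peer yyy.yyy.yyy.yyy
 set transform-set 3Des-MD5
 ! "set pfs group2" is only needed if the client side also negotiates PFS;
 ! the "DH group 2" on the sheet is the phase 1 "group 2" line above.
 match address 2262
!
! Bind the map to the WAN-facing (ADSL) interface; Dialer0 is an assumption.
interface Dialer0
 crypto map TPA-VPN
```

3DES, MD5 and DH group 2 are legacy choices kept here only because the client sheet mandates them; if the client is willing, AES, SHA-2 and a stronger DH group are the settings to ask for.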

