New Member

VPN(Site-to-site)

Someone please help me to build a site-to-site VPN between 3 routers. I have tried a lot but I failed. It's over me, you guys please help....

This is my topology.

VIP Purple

VPN(Site-to-site)

You probably struggled with the crypto-maps?

Best to use VTIs where you build tunnel-interfaces between each pair of routers:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-mt/sec-ipsec-virt-tunnl.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

VPN(Site-to-site)

This configuration is from router1:

hostname R1
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key dibyam address 10.10.10.2
crypto isakmp key dibyam address 10.10.10.3
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 10.10.10.2
 set peer 10.10.10.3
 set transform-set vpnset
 match address 100
!
spanning-tree mode pvst
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 description connected to/from s1
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
 crypto map vpnmap
!
interface FastEthernet0/1
 description connected to/from lan
 ip address 192.168.1.100 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 network 1.0.0.0
 network 10.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip classless
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

This configuration is from router2:

hostname R2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key dibyam address 10.10.10.1
crypto isakmp key dibyam address 10.10.10.3
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 10.10.10.1
 set peer 10.10.10.3
 set transform-set vpnset
 match address 100
!
spanning-tree mode pvst
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 description connected to/from s1
 ip address 10.10.10.2 255.255.255.0
 duplex auto
 speed auto
 crypto map vpnmap
!
interface FastEthernet0/1
 description connected to/from lan
 ip address 192.168.2.100 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 network 2.0.0.0
 network 10.0.0.0
 network 192.168.2.0
 no auto-summary
!
ip classless
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255


This configuration is from router3:

hostname R3
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key dibyam address 10.10.10.1
crypto isakmp key dibyam address 10.10.10.2
!
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
!
crypto map vpnmap 10 ipsec-isakmp
 set peer 10.10.10.1
 set peer 10.10.10.2
 set transform-set vpnset
 match address 100
!
spanning-tree mode pvst
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 description connected to/from s1
 ip address 10.10.10.3 255.255.255.0
 duplex auto
 speed auto
 crypto map vpnmap
!
interface FastEthernet0/1
 description connected to/from lan
 ip address 192.168.3.100 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
 shutdown
!
router rip
 version 2
 network 3.0.0.0
 network 10.0.0.0
 network 192.168.3.0
 no auto-summary
!
ip classless
!
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255


This configuration is from the switch:

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24
100  VPN                              active    Fa0/1, Fa0/2, Fa0/3
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active


VIP Purple

VPN(Site-to-site)

Your crypto-maps are wrong. You need two sequences, one for each peer. Each sequence has its own ACL and peer setting. If it's for learning, continue with crypto-maps. If it's for production, go for virtual tunnel interfaces.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

Re: VPN(Site-to-site)

Like what, this!!!

crypto map vpnmap 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set vpnset
 match address 100
!
crypto map vpnmap 11 ipsec-isakmp
 set peer 10.10.10.3
 set transform-set vpnset
 match address 100
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Trust me, I have done that but still no result.

Let me explain one thing: R1 can ping R2 and R3, but R2 can't ping R3; similarly, R2 and R3 can ping R1.

There is no ICMP connectivity between R2 and R3.

VIP Purple

Re: VPN(Site-to-site)

Let me explain one thing: R1 can ping R2 and R3, but R2 can't ping R3; similarly, R2 and R3 can ping R1.

So you don't even have reachability between your routers? How should the VPNs work then? Troubleshoot that first.

For the crypto-maps: You also need dedicated ACLs per peer:

crypto map vpnmap 12 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set vpnset
 match address 102
!
crypto map vpnmap 13 ipsec-isakmp
 set peer 10.10.10.3
 set transform-set vpnset
 match address 103
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
