
New Member

IPSec VPN

Can anyone point me to the simplest way to create an IPSec VPN to allow and encrypt traffic between the corporate office and a branch location? Do I need to create a GRE tunnel for this to work?


9 REPLIES
Hall of Fame Super Blue

Re: IPSec VPN

raulzulueta wrote:

Can anyone point me to the simplest way to create an IPSec VPN to allow and encrypt traffic between the corporate office and a branch location? Do I need to create a GRE tunnel for this to work?

No, you don't need to use GRE unless you need a routing protocol to run between the 2 sites.

You don't say which devices but here is a link to a lot of IPSEC configuration examples. You should be able to find one that is relevant -

http://www.cisco.com/en/US/customer/tech/tk583/tk372/tech_configuration_examples_list.html

Jon

New Member

Re: IPSec VPN

The branch office will have a C1941w router and the main office has a C1811 router. One branch office that will also have an IPSec VPN has a C2811 router. Are there different configurations for the different routers?

Hall of Fame Super Blue

Re: IPSec VPN

raulzulueta wrote:

The branch office will have a C1941w router and the main office has a C1811 router. One branch office that will also have an IPSec VPN has a C2811 router. Are there different configurations for the different routers?

No, the configurations should be the same for all routers, i.e. they don't change per router model.

Jon

New Member

Re: IPSec VPN

I am having a problem getting the VPN up.

My remote TOR office has an IP address of eee.fff.ggg.212 for the VPN endpoint and internal networks of 10.6.0.0 255.255.0.0.

My main SF office has an IP address of aaa.bbb.ccc.67 for the VPN endpoint and internal networks of 192.168.0.0 255.255.0.0.

I have the running-config attached. What am I missing to get these 2 endpoints up?

Thanks for all your help. I have not used Cisco IOS for creating VPNs. I thought it would be easier than this.

Hall of Fame Super Blue

Re: IPSec VPN

raulzulueta wrote:

I am having a problem getting the VPN up.

My remote TOR office has an IP address of eee.fff.ggg.212 for the VPN endpoint and internal networks of 10.6.0.0 255.255.0.0.

My main SF office has an IP address of aaa.bbb.ccc.67 for the VPN endpoint and internal networks of 192.168.0.0 255.255.0.0.

I have the running-config attached. What am I missing to get these 2 endpoints up?

Thanks for all your help. I have not used Cisco IOS for creating VPNs. I thought it would be easier than this.

Couple of things -

1) Make sure the ACLs you use in your crypto map on each router are a mirror of the other one, i.e. on SF you have 10.0.0.0 0.255.255.255, on TOR you have 10.6.0.0 0.0.255.255, although one includes the other so it shouldn't matter too much.

2) What is happening with NAT on SF? You don't seem to have an "ip nat inside source ..." etc. statement?

Can you run some debugging when you try the VPN, i.e.

debug crypto ipsec sa

debug crypto isakmp

Note: debugging can impact the CPU of the router, so don't do this during peak usage.

Jon

Hall of Fame Super Blue

Re: IPSec VPN

Raul

One other point. How are you testing the VPN? Ideally it should be from one of the 192.x.x.x hosts to one of the 10.6.x.x hosts (or vice versa), e.g. a ping should do it.

Jon

New Member

Re: IPSec VPN

Here are the debug outputs from both sides.

And the NAT in SF.

Silver

Re: IPSec VPN

I'm a bit concerned because TOR and SF could be military acronyms; but hope they are not.

There are a few conflicts here.

An ISAKMP policy is defined on the TOR peer but not the SF peer.  The ISAKMP policies must match, as there is no default policy for pre-shared keys.

There are GRE tunnel interfaces yet the config has the feel of a traditional IPSEC tunnel.  Crypto maps never go on tunnel interfaces.  I suggest deleting the tunnel interfaces to prevent confusion.

The ACLs do not match, and they must.  IPSEC ACLs must be exact mirrors of each other.  SF is matching 10/8 destined to 192/8.  TOR is matching 192/8 destined to 10.6/16.  This pairing will never result in a valid IPSEC SA.

NAT has been configured on SF interfaces, yet there are no NAT rules configured.  Either the config is incomplete or there is no NAT occurring on this host.

Chris
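The following is an added example, not the poster's attached running-config and not anything Jon or Chris wrote. It shows a minimal pair of IOS site-to-site configs that satisfy the points raised in both Jon's and Chris's replies: the same ISAKMP policy and transform set on both peers, crypto ACLs that are exact mirrors (source and destination swapped, same prefixes), a NAT exemption so the VPN traffic is not translated before it hits the crypto map, and the crypto map applied to the physical WAN interface rather than a Tunnel interface. The WAN interface names and subnet masks, the LAN interface names, and the pre-shared key placeholder are assumptions; the AES-256 / SHA-256 / group 14 settings assume an IOS release that supports them (older images may only offer sha and group 2, which are less desirable but the structure is the same).

```cisco
! ===== SF (main office, WAN aaa.bbb.ccc.67, LAN 192.168.0.0/16) =====
! Phase 1: this policy must exist with identical parameters on BOTH peers
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key for the TOR peer (placeholder value, assumed)
crypto isakmp key REPLACE-WITH-STRONG-KEY address eee.fff.ggg.212
!
! Phase 2 transform set, also identical on both peers
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: SF LAN -> TOR LAN. TOR's crypto ACL is the exact mirror of this line.
ip access-list extended VPN-TO-TOR
 permit ip 192.168.0.0 0.0.255.255 10.6.0.0 0.0.255.255
!
! NAT exemption: deny the VPN traffic first so it is never translated, then PAT the rest
ip access-list extended NAT-INSIDE
 deny   ip 192.168.0.0 0.0.255.255 10.6.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer eee.fff.ggg.212
 set transform-set TS-AES256
 match address VPN-TO-TOR
!
! WAN interface name and mask are assumptions. The crypto map goes here, never on a Tunnel interface.
interface FastEthernet0
 ip address aaa.bbb.ccc.67 255.255.255.0
 ip nat outside
 crypto map VPN-MAP
!
interface Vlan1
 ip nat inside
!
ip nat inside source list NAT-INSIDE interface FastEthernet0 overload

! ===== TOR (branch, WAN eee.fff.ggg.212, LAN 10.6.0.0/16) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-KEY address aaa.bbb.ccc.67
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Mirror of SF's crypto ACL: source and destination swapped, prefixes unchanged
ip access-list extended VPN-TO-SF
 permit ip 10.6.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
ip access-list extended NAT-INSIDE
 deny   ip 10.6.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 10.6.0.0 0.0.255.255 any
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer aaa.bbb.ccc.67
 set transform-set TS-AES256
 match address VPN-TO-SF
!
! Interface names and mask are assumptions
interface GigabitEthernet0/0
 ip address eee.fff.ggg.212 255.255.255.0
 ip nat outside
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 ip nat inside
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
```

The tunnel is negotiated on demand, so test it the way Jon describes: ping from a 192.168.x.x host to a 10.6.x.x host, then check "show crypto isakmp sa" (the peer should show QM_IDLE) and "show crypto ipsec sa" (the pkts encaps/decaps counters should increase on both sides). If Phase 1 never completes, the ISAKMP policy or pre-shared key differs between the peers; if Phase 1 is up but Phase 2 fails, compare the two crypto ACLs line by line, since any asymmetry in the prefixes is enough to stop the SA from forming.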

New Member

Re: IPSec VPN

They are not military related. I will make the changes you recommended and let you know how it goes. Thanks for the assist. I hope I can get this tunnel up soon. Cisco VPN IOS configuration is a bit challenging.
