Router 1812 - NATing/IPsec

kzhen
Level 1

Hello everyone,

Trying to set up two VLANs: one, 192.168.2.0/24, goes out for internet service, and 10.76.10/24 goes for the crypto map via a site-to-site tunnel. Please help to verify the configuration:

!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
crypto isakmp key
!
!
crypto ipsec transform-set lga esp-3des esp-sha-hmac
!
crypto map virginblue 10 ipsec-isakmp
 set peer 66.109.80.19
 set transform-set lga
 match address 102
!
!
!
ip cef
!
!
no ip domain lookup
!
ip inspect name firewall tcp
ip inspect name firewall dns
ip inspect name firewall ftp
ip inspect name firewall h323
ip inspect name firewall http
ip inspect name firewall rtsp
ip inspect name firewall sip
ip inspect name firewall skinny
ip inspect name firewall smtp
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall udp
ip domain name Flightsafety.com
ip dhcp excluded-address 192.168.2.1 192.168.2.99
!
ip dhcp pool Savannah
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 domain-name
 dns-server 192.231.203.132 192.231.203.3
 lease 0 8
!
multilink bundle-name authenticated
!
!
username cisco privilege 7 password xxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 ip address 10.76.1.254 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface vlan2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Dialer1
 ip address negotiated
 ip access-group 161 in
 ip inspect firewall out
 encapsulation ppp
 ip nat outside
 dialer pool 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname 5270086@bzn
 ppp chap password 7
 ppp pap sent-username
 crypto map virginblue
!
ip route 0.0.0.0 0.0.0.0 Dialer1
ip nat inside source list 7 interface dialer1 overload
!
no ip http server
no ip http secure-server
access-list 7 remark Access to Internet
access-list 7 permit 192.168.20 0.0.0.255
!
access-list 101 deny ip 10.76.1.0 0.0.0.255 10.253.0.0 0.0.255.255
access-list 101 deny ip 10.76.1.0 0.0.0.255 192.168.39.0 0.0.0.255
access-list 101 deny ip 10.76.1.0 0.0.0.255 192.168.32.0 0.0.0.255
access-list 101 permit ip 10.76.1.0 0.0.0.255 any
access-list 102 remark IPSec-Interesting-Traffic
access-list 102 permit ip 10.76.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 10.76.1.0 0.0.0.255 10.253.0.0 0.0.255.255
access-list 102 permit ip 10.76.1.0 0.0.0.255 192.83.226.0 0.0.0.255
access-list 102 permit ip 10.76.1.0 0.0.0.255 192.83.227.0 0.0.0.255
access-list 102 permit ip 10.76.1.0 0.0.0.255 198.51.24.0 0.0.7.255

4 Replies

dongdongliu
Level 1

I do not know what happened, but look at the configuration of interface Dialer 1, please:

interface Dialer1
 ip address negotiated
 ip access-group 161 in

Where is ACL 161?

The 161 ACL is for incoming traffic. I just took it off.

Did you try to establish the IPSec VPN with 66.109.80.19? Was it working well?

ddykier
Level 1

Where is your command for the shared key, like this:

(crypto isakmp key address 66.109.80.19)
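
An offline check for the two gaps raised in the replies (an ACL that is referenced but never defined, and a crypto map peer with no pre-shared key line naming it), added here as an example and not part of the original thread or any Cisco tool. It goes one step further and also lists ACLs that are defined but never referenced; the sample is a constructed excerpt of the posted configuration, and keys are matched by exact peer address only.

```python
import re

# Constructed excerpt: only the lines of the posted configuration that matter here.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key
crypto map virginblue 10 ipsec-isakmp
 set peer 66.109.80.19
 match address 102
interface Dialer1
 ip access-group 161 in
 crypto map virginblue
ip nat inside source list 7 interface dialer1 overload
access-list 7 permit 192.168.20 0.0.0.255
access-list 101 permit ip 10.76.1.0 0.0.0.255 any
access-list 102 permit ip 10.76.1.0 0.0.0.255 10.253.0.0 0.0.255.255
"""

# Commands that reference a numbered ACL, each capturing the ACL number.
ACL_REFS = [
    re.compile(r"^ip access-group (\d+) (?:in|out)$"),
    re.compile(r"^match address (\d+)$"),
    re.compile(r"^ip nat inside source list (\d+) "),
]
ACL_DEF = re.compile(r"^access-list (\d+) ")
PEER = re.compile(r"^set peer (\S+)$")
# A usable pre-shared key line carries both a key string and the peer address.
# Assumption of this example: wildcard or masked key addresses are not handled.
PSK = re.compile(r"^crypto isakmp key .+ address (\S+)")


def lint(config: str) -> dict:
    """Report undefined ACL references, unused ACLs and peers without a key."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    defined = {m.group(1) for ln in lines if (m := ACL_DEF.match(ln))}
    referenced = {m.group(1) for ln in lines for rx in ACL_REFS if (m := rx.match(ln))}
    peers = {m.group(1) for ln in lines if (m := PEER.match(ln))}
    keyed = {m.group(1) for ln in lines if (m := PSK.match(ln))}
    return {
        "undefined_acls": sorted(referenced - defined),
        "unused_acls": sorted(defined - referenced),
        "peers_without_key": sorted(peers - keyed),
    }


if __name__ == "__main__":
    for finding, items in lint(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

On the excerpt it reports ACL 161 as undefined, ACL 101 as unused, and 66.109.80.19 as a peer without a key.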
