  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 852

Cisco 2811 routers - VPN tunnel & internet access

I currently have 2 Cisco 2811 routers that are placed in different cities. I want to configure them to establish a VPN tunnel between the two networks through interface serial0/1, while interface serial0/2 will use another ISP connection to connect to the internet. Is this possible? Any configuration help would be appreciated.
Asked by AchillesP
stressedout2004Commented:
I don't see any reason why this setup is not possible. All you need to do is configure the IPSEC like you normally would, enable the crypto map on the serial0/1 interface, then add static routes for the VPN peer pointing to the S0/1 gateway, and then add a default gateway for the internet pointing to the S0/2 gateway.

Here's a sample config for configuring two routers for IPSEC site to site. It doesn't show you the routing part that I mentioned.

Configuring IPSec Router-to-Router, Pre-shared, NAT Overload Between Private Networks
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009448f.shtml
AchillesPAuthor Commented:
Thank you for your quick response. I have used the below config for over one month and I have both VPN and Internet. My problem is that every morning I have to restart the router because there is no VPN connection. From the SDM I see that the tunnel is up but there is no response from the other side. When I restart the router, everything comes back to normal. I think that the problem is that during the evening there is no traffic to the VPN. I tried lifetime also in the past but nothing. Do you see any problem with this config? Any other things to change?



!This is the running config of the router: 192.168.2.11
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco2801
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$B4SQ$Bc3dc8NV5nyqatpsHmJ1E0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name Philippopoulos
ip name-server 194.219.227.2
ip name-server 193.92.150.3
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-4001756307
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4001756307
 revocation-check none
 rsakeypair TP-self-signed-4001756307
!
!
crypto pki certificate chain TP-self-signed-4001756307
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303031 37353633 3037301E 170D3036 30353034 31353537
  34345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303137
  35363330 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B86D 601AF86A 0BA1546B ECD7A7E6 E93E85A9 389F8336 509DCC54 C04668F0
  A5525FBE 76546EF6 2589A782 D83958FD 19A8FBF7 098F2194 7431BD60 869C0540
  F6BBFD58 4E36E83A 90AF1BB7 047365DD 0E823842 0AC29479 A3DEBBDD B6C5E9DD
  9BA66001 32C07A5B 43E2D2DA E4F2500D 79E07DBF 75EE6BCB 8A769156 9ACEA4E4
  EBC10203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 149521C0 55DB421A CBCDB520 580E7548 53745F21
  1E301D06 03551D0E 04160414 9521C055 DB421ACB CDB52058 0E754853 745F211E
  300D0609 2A864886 F70D0101 04050003 81810065 996A7569 F38EF13E C92BD8B2
  904D7DA9 1103EF0C 44474E5A 0CC49D63 238F3060 6CA15CE2 B159DF1F 00A12125
  D80D6F68 CC3E6051 AE49C78E C02E7CA3 59B22802 E3BBBB4B 1B826855 94B6275A
  8D4B0594 DAE8E408 A5538E0F 9C19A44E 3F3755B1 A0092867 65EA385F 02BFA424
  B94BB10E 44036932 B2FC3CD8 12B38A6A 999A62
  quit
username xxxxxxxx privilege 15 secret 5 $1$03SC$hz4cXHG4h8Lw0nODiodC2.
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxx address 193.92.43.9
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to193.92.43.9
 set peer 193.92.43.9
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
interface FastEthernet0/0
 description Athens LAN$FW_INSIDE$$ES_LAN$$ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.2.11 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
 no mop enabled
!
interface ATM0/1/0
 description Forthnet 1024 VPN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/2/0
 description Forthnet 1024 VPN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/3/0
 description Forthnet 1024 Internet
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp reliable-link
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 075F7815195E574B59
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx password 7 065656781B1947574B
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map SDM_CMAP_1
 hold-queue 224 in
!
interface Dialer3
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 3
 dialer-group 3
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 7 144640584D55787865
 ppp pap sent-username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx password 7 06575D720D1F5B4A44
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 192.168.0.0 255.255.255.0 Dialer1
ip route 193.92.43.9 255.255.255.255 Dialer1
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer3 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
no cdp run
!
!
control-plane
!
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
end


AchillesPAuthor Commented:
The log of the router tells
IKE message from 193.92.43.9 has no SA and is not an initialization offer.

What is my problem?
stressedout2004Commented:
The problem is most probably Phase 2 renegotiation.

There are two lifetime values in IPSEC, expressed in seconds: phase 1 and phase 2. Phase 1 is by default 86400 (1 day) and phase 2 is 3600 (1 day). So naturally phase 2 will time out first, before phase 1, and this is how it normally should be.

On a tunnel with active traffic passing, a couple of seconds or minutes before the phase 2 timer runs out, the tunnel will renegotiate phase 2 parameters so it can have new SA. If there is no traffic passing, then the renegotiation does not occur and phase 2 SA is deleted.

Now what I think is happening is that during the night the SA expires and is deleted, since there is no traffic passing the tunnel. Then in the morning, when traffic tries to pass over the tunnel from your side, it is either still using the old SA or has no SA to send the traffic through. What should be happening is that both routers are in sync that the phase 2 SA has been deleted, and when traffic is sent through the tunnel they should renegotiate phase 2. I can't tell you why this is happening; it shouldn't be. It could be a bug.

When you reboot the router, you are actually clearing the tunnel. The tunnel goes down and when it comes back up, both routers will renegotiate both phase 1 and phase 2.

Here's what you can try:

1) On both routers add the following command:

crypto isakmp keepalive 60 5

Then clear tunnels on both sides:

clear crypto isa
clear crypto sa


2) If #1 does not work, change the phase 2 timers. Right now the router is configured to renegotiate phase 2 every 1 hour. So what you can do is, on both routers, increase the phase 2 timer to 82800 (23 hours). You have to time the change so that the renegotiation will occur during regular office hours, when traffic should be actively passing over the tunnel. So for instance, if you made the change around 11 am, the next time the phase 2 tunnel renegotiates would be about a minute or so before 10 am the next day. Make sure that when you make the change, you also clear the tunnel on both sides to reset the phase 1 timer as well.

e.g.

crypto map SDM_CMAP_1 1 ipsec-isakmp
 set security-association lifetime seconds 82800
 exit

clear crypto isakmp
clear crypto sa

I won't guarantee you that it will work for you, but it did for me. I was having the same problem between a 2600 and a Nortel tunnel. They won't renegotiate phase 2 after it expires.  Good luck.


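The rekey rule in the answer above, run forward as a small added model (my own example, not code from the thread): a phase 2 SA lasts its lifetime from the moment it is negotiated, the router rekeys shortly before expiry only while traffic is flowing, and an idle SA simply expires and is rebuilt when the next packet needs it. Office hours (09:00 to 18:00 on weekdays), the one-minute rekey margin, the Monday 11:00 change time and the four-day horizon are assumptions chosen for the illustration. It shows why the 23-hour lifetime on its own is fragile: each rekey starts a fresh 82800-second SA, so the rekey moment slides an hour earlier every day, and from the second day on the SA expires idle before the office opens, which is exactly the overnight expiry the rest of the thread is about.

```python
"""Added model of the IPsec phase 2 rekey rule described in the thread.

Rule modelled: a phase 2 SA lives `lifetime` seconds from negotiation; the
router rekeys a little before expiry only while traffic flows; an idle SA
expires and is rebuilt by the next packet. Traffic profile, rekey margin and
start time are assumptions for the illustration, not values from the thread.
"""
from collections import Counter
from datetime import datetime, time, timedelta
from typing import Dict, List, Tuple

OFFICE_START = time(9, 0)               # assumed: first packet of the day
OFFICE_END = time(18, 0)                # assumed: last packet of the day
REKEY_MARGIN = timedelta(seconds=60)    # assumed: rekey "a minute or so" early

Event = Tuple[datetime, str]


def traffic_flowing(t: datetime) -> bool:
    """Assumed traffic profile: weekdays, office hours only."""
    return t.weekday() < 5 and OFFICE_START <= t.time() < OFFICE_END


def next_traffic(after: datetime) -> datetime:
    """First moment after `after` at which traffic flows again."""
    c = after.replace(hour=OFFICE_START.hour, minute=OFFICE_START.minute,
                      second=0, microsecond=0)
    if c <= after:
        c += timedelta(days=1)
    while not traffic_flowing(c):
        c += timedelta(days=1)
    return c


def simulate(start: datetime, lifetime_s: int, days: int) -> List[Event]:
    """Events for an SA negotiated at `start`, over `days` days.

    'rekey'   - traffic was flowing before expiry, SA renegotiated in time
    'expired' - SA aged out while idle (the overnight case in the thread)
    'rebuilt' - the next packet built a fresh SA
    """
    lifetime = timedelta(seconds=lifetime_s)
    assert lifetime > REKEY_MARGIN, "lifetime must exceed the rekey margin"
    events: List[Event] = []
    sa_start, horizon = start, start + timedelta(days=days)
    while True:
        due = sa_start + lifetime - REKEY_MARGIN
        if due >= horizon:
            return events
        if traffic_flowing(due):
            events.append((due, "rekey"))
            sa_start = due                      # new SA, new lifetime clock
        else:
            expiry = sa_start + lifetime
            events.append((expiry, "expired"))
            sa_start = next_traffic(expiry)     # rebuilt by the first packet
            events.append((sa_start, "rebuilt"))


def summary(events: List[Event]) -> Dict[str, int]:
    """Count of each event kind, e.g. {'rekey': 1, 'expired': 3, 'rebuilt': 3}."""
    return dict(Counter(kind for _, kind in events))


if __name__ == "__main__":
    monday_11am = datetime(2007, 1, 8, 11, 0)   # assumed change time (a Monday)
    for lifetime in (3600, 82800):             # IOS default vs the 23 h workaround
        events = simulate(monday_11am, lifetime, 4)
        print(f"lifetime {lifetime}s: {summary(events)}")
        for when, kind in events[:4]:
            print("   ", when.strftime("%a %H:%M"), kind)
```

With the 3600-second default the same model gives hourly rekeys during the day and one idle expiry each night. Lifetimes alone cannot make the two peers agree about that expiry; that is what the keepalive (DPD) in step 1 is for, since a peer that stops answering keepalives has its SAs torn down rather than left in place.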
AchillesPAuthor Commented:
thanks for your response.  I tried to enter those commands.  I will tell you in two days.  But,  i am suspicious about xxcopy between one server to another every day.  The copy begins nearly the time that router tunnel stops.  Any suggestions?
stressedout2004Commented:
>>>>But,  i am suspicious about xxcopy between one server to another every day.  The copy begins nearly the time that router tunnel stops. Any suggestions?

I'm sorry but I did not understand your question. What is xxcopy? Please elaborate.
AchillesPAuthor Commented:
I will also change the MTU of the servers to 1492. It seems that will work. I'll tell you tomorrow. Thanks.
AchillesPAuthor Commented:
No. It does not work. The tunnel still ends after no traffic passes.
stressedout2004Commented:
Which one of the workarounds did you try implementing, and how did you implement it?
AchillesPAuthor Commented:
You wrote:

crypto map SDM_CMAP_1 1 ipsec-isakmp
 set security-association lifetime seconds 82800
 exit

clear crypto isakmp
clear crypto sa

I won't guarantee you that it will work for you, but it did for me. I was having the same problem between a 2600 and a Nortel tunnel. They won't renegotiate phase 2 after it expires.  Good luck.

It does not work. The tunnel still drops after no traffic passes.
stressedout2004Commented:
Did you try adding the crypto isakmp keepalive?
AchillesPAuthor Commented:
Yes. The command was crypto isakmp keepalive 60 5.
Nothing happened.
stressedout2004Commented:
Alright, is there traffic passing over the tunnel right now?
Can you do show crypto map and show crypto isakmp policy and post the output?


AchillesPAuthor Commented:
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
        Description: Tunnel to Thessaloniki
        Peer = 193.92.43.9
        Extended IP access list 100
            access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
        Current peer: 193.92.43.9
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                ESP-3DES-SHA,
        }
        QOS pre-classification
        Interfaces using crypto map SDM_CMAP_1:
                Dialer1
                Virtual-Access2

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
stressedout2004Commented:
Ok, make the following changes on both sides, not just one. Otherwise, it won't have any effect.

crypto ipsec security-association idle-time 82800
crypto ipsec security-association lifetime seconds 82800
crypto ipsec security-association lifetime kilobytes 110592000
crypto isakmp keepalive 60 5

Then clear tunnels on both sides:

clear crypto isa
clear crypto sa

Make sure that the changes took effect and that phase 1 and phase 2 are synchronized, meaning when you do
sh crypto isa sa detail, you should see that the lifetime is set to 86400, and when you do sh crypto ipsec sa detail, you should see that the lifetime is close to 82000.

If this doesn't work, then it has something to do with the IOS. You should look into either upgrading or downgrading. If you have a Cisco service contract, it would be wise to open up a case with them as well, this seems like it is a bug.
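The "make the changes on both sides and confirm they took effect" step above, turned into an added check (my own script, not something from the thread). It parses each peer's running-config together with its show crypto map and show crypto isakmp policy output, in the formats pasted earlier in the thread, and reports the conditions that leave one side holding a stale phase 2 SA after an idle night: no crypto isakmp keepalive (DPD), a phase 2 lifetime that is not shorter than phase 1, or two peers that disagree on lifetimes or idle-time. Only the Athens router's output was posted, so the Thessaloniki sample data below is constructed by reusing the Athens text; in practice you paste each router's real output. The names, sample strings and the audit() helper are assumptions for the example.

```python
"""Added check: do both IPsec peers agree on lifetimes, and is DPD configured?

Parses IOS running-config plus `show crypto map` and `show crypto isakmp policy`
output (formats as pasted in the thread). Sample inputs are constructed from
the thread's Athens config; the Thessaloniki side is assumed identical.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PeerCrypto:
    name: str
    isakmp_lifetime: Optional[int]   # phase 1 lifetime, seconds
    ipsec_lifetime: Optional[int]    # phase 2 lifetime, seconds
    ipsec_kilobytes: Optional[int]   # phase 2 volume limit
    idle_time: Optional[int]         # security-association idle-time, seconds
    dpd: Optional[Tuple[int, int]]   # crypto isakmp keepalive <interval> <retry>


def parse_peer(name: str, running_config: str, show_crypto_map: str,
               show_isakmp_policy: str) -> PeerCrypto:
    """Pull the lifetime-related settings for one router out of its text."""
    m = re.search(r"^crypto isakmp keepalive (\d+) (\d+)", running_config, re.M)
    dpd = (int(m[1]), int(m[2])) if m else None
    m = re.search(r"^crypto ipsec security-association idle-time (\d+)",
                  running_config, re.M)
    idle = int(m[1]) if m else None
    m = re.search(r"Security association lifetime: (\d+) kilobytes/(\d+) seconds",
                  show_crypto_map)
    kb, secs = (int(m[1]), int(m[2])) if m else (None, None)
    # The configured suite is listed first; the "Default protection suite" is
    # only a fallback and must not be mistaken for the negotiated policy.
    configured = show_isakmp_policy.split("Default protection suite")[0]
    m = re.search(r"lifetime:\s+(\d+) seconds", configured)
    p1 = int(m[1]) if m else None
    return PeerCrypto(name, p1, secs, kb, idle, dpd)


def check_pair(a: PeerCrypto, b: PeerCrypto) -> List[str]:
    """Findings that explain a tunnel that stays 'up' with no traffic passing."""
    findings: List[str] = []
    for p in (a, b):
        if p.dpd is None:
            findings.append(f"{p.name}: no 'crypto isakmp keepalive', so a peer "
                            "that silently dropped its SA is never detected")
        if (p.ipsec_lifetime is not None and p.isakmp_lifetime is not None
                and p.ipsec_lifetime >= p.isakmp_lifetime):
            findings.append(f"{p.name}: phase 2 lifetime {p.ipsec_lifetime}s is not "
                            f"shorter than phase 1 lifetime {p.isakmp_lifetime}s")
    for field in ("isakmp_lifetime", "ipsec_lifetime", "ipsec_kilobytes", "idle_time"):
        va, vb = getattr(a, field), getattr(b, field)
        if va != vb:
            findings.append(f"{field} differs: {a.name}={va} {b.name}={vb} "
                            "(IKEv1 settles on the lower value; set both sides)")
    return findings


# Constructed samples: the Athens router before the fix (no keepalive, default
# lifetimes) and after the four commands from the thread were added.
CONFIG_BEFORE = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 193.92.43.9
 set transform-set ESP-3DES-SHA
 match address 100
"""
CONFIG_AFTER = CONFIG_BEFORE + """\
crypto ipsec security-association idle-time 82800
crypto ipsec security-association lifetime seconds 82800
crypto ipsec security-association lifetime kilobytes 110592000
crypto isakmp keepalive 60 5
"""
MAP_BEFORE = """\
Crypto Map "SDM_CMAP_1" 1 ipsec-isakmp
        Peer = 193.92.43.9
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
"""
MAP_AFTER = MAP_BEFORE.replace("4608000 kilobytes/3600 seconds",
                               "110592000 kilobytes/82800 seconds")
POLICY = """\
Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        authentication method:  Pre-Shared Key
        lifetime:               86400 seconds, no volume limit
Default protection suite
        lifetime:               86400 seconds, no volume limit
"""


def audit(athens_before: bool, thessaloniki_before: bool) -> List[str]:
    """Audit the pair; True selects a side's pre-fix state (assumed helper)."""
    def peer(name: str, before: bool) -> PeerCrypto:
        return parse_peer(name, CONFIG_BEFORE if before else CONFIG_AFTER,
                          MAP_BEFORE if before else MAP_AFTER, POLICY)
    return check_pair(peer("Athens", athens_before),
                      peer("Thessaloniki", thessaloniki_before))


if __name__ == "__main__":
    for label, result in (("both fixed", audit(False, False)),
                          ("only Athens fixed", audit(False, True))):
        print(label + ":", result or ["OK"])
```

Running it with only one side changed is the case the answer warns about: the script flags the missing keepalive on the other router and the lifetime and idle-time mismatches, which is what you want to see before clearing the SAs on both sides.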
AchillesPAuthor Commented:
It is working. Thanks