Solved

Site to site VPN

Posted on 2009-05-11
871 Views
Last Modified: 2012-06-21
Hello,
I have 2 sites with ADSL connections and 2 Cisco 877 ADSL routers. I would like to establish a VPN connection between the sites. My WAN IP will change frequently, so I am ready to use some dynamic DNS service. Can anyone help me with how to configure the routers? Please give me a sample configuration for both ends.
Thanks
Question by: Achuthaprasad
3 Comments
 
LVL 30

Expert Comment

by: Kerem ERSOY
ID: 24356744
Hi,

It is very easy.
- Set up SDN on some computer to manage the settings.
- Launch SDN. You need Java, but the latest JRE6 is not compatible, so download JRE5.
- Log on to your router.
- Click Configure.
- Click VPN.
- You will see the options for both Site-to-Site and Client-to-Site. Even visual representations are there.
- For dynamic addresses, you'd like to set up an account at www.dyndns.org. Then there's a little agent which will run on one of your PCs, and it will update your dynamic address as it changes.

This is it :)

Cheers,
K.

 
LVL 13

Accepted Solution

by: Quori (earned 500 total points)
ID: 24359300
It's SDM, FYI. :)

Here is a generic config that you will need to modify, but it should work for both sites if filled out properly.
Be sure to deny the VPN traffic in your NAT ACL. For example, if the local subnet is 192.168.1.0/24 and the remote is 192.168.2.0/24, then your NAT ACL would look like this:

ip access-list extended TO_NAT
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any

You will need something similar for each endpoint so that the router doesn't try to NAT the traffic bound for the VPN tunnel. Also note this is a very basic Site-to-Site IPsec VPN tunnel. If you wanted to run a routing protocol or such over it, you'd need to use a GRE/IPsec tunnel. If this is the case, ask and this can be amended.

! Enable IP Domain Lookup and configure a name server or two
ip domain-lookup
ip name-server <ISP Name Server #1>
ip name-server <ISP Name Server #2>
ip name-server 4.2.2.2
! Configure DynDNS update service
ip ddns update method DynDNS
 HTTP
 add http://username:password@<s>/nic/update?system=dyndns&hostname=yourhost.dyndns.org&myip=<a>
 interval maximum 10 0 0 0
!
ip host members.dyndns.org 63.208.196.95
! Configure IP SLA to always keep the tunnel up
ip sla 1
 icmp-echo <REMOTE INSIDE ENDPOINT> source-interface <INSIDE INTERFACE>
 frequency 30
!
ip sla schedule 1 life forever start-time now
! Create the transform set
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Create a match-all isakmp pre-shared key
crypto isakmp key 0 somethingstrongerthanthis address 0.0.0.0 0.0.0.0
! Create the phase-1 details
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
!
ip access-list extended TO_VPN
 permit ip <LOCAL SUBNET> 0.0.0.255 <REMOTE SUBNET> 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set transform-set ESP-3DES-SHA
 ! 'dynamic' makes the router re-resolve the peer hostname at each IKE negotiation,
 ! which is required when the peer sits behind a changing DDNS address
 set peer router1.dyndns.org dynamic
 match address TO_VPN
!
interface <OUTSIDE INTERFACE>
 ip ddns update hostname yourhost.dyndns.org
 ip ddns update DynDNS host members.dyndns.org
 crypto map VPN
! The TO_NAT exemption ACL above only takes effect if it is the list your NAT statement
! references, e.g. "ip nat inside source list TO_NAT interface <OUTSIDE INTERFACE> overload"
!


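The accepted answer gives one generic template and tells you to mirror it on the other router; in practice most dynamic-peer tunnels that never come up have one of a handful of mismatches between the two ends. As an added example (not part of the original answer and not Cisco's code), the Python script below embeds constructed configs for both routers, site A with 192.168.1.0/24 and site B with 192.168.2.0/24, and cross-checks them: the crypto ACL on each end must be the exact mirror image of the other end's, the NAT ACL must deny the VPN flow before any permit catches it, a `set peer` hostname must carry `dynamic` so a DDNS change is picked up, and the transform sets and pre-shared keys must match and not use 3DES/DES/MD5. The hostnames (sitea/siteb.dyndns.org), subnets, ACL names and the key are assumptions chosen for illustration.

```python
# Added example: cross-check the two ends of a Cisco IOS site-to-site IPsec config.
# SITE_A/SITE_B are constructed; hostnames, subnets, ACL names and key are assumptions.
import ipaddress
import re

SITE_A = """
ip access-list extended TO_NAT
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended TO_VPN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto isakmp key 0 Use-a-long-random-passphrase address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set transform-set ESP-AES-SHA
 set peer siteb.dyndns.org dynamic
 match address TO_VPN
"""
# Site B is the mirror image: subnets swapped, peer hostname pointing back at A.
SITE_B = (SITE_A.replace("192.168.1.0", "@").replace("192.168.2.0", "192.168.1.0")
          .replace("@", "192.168.2.0").replace("siteb.", "sitea."))
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac"}  # not acceptable for new tunnels

def ace(words):
    """(action, protocol, src, dst) for one ACL entry; port qualifiers are ignored."""
    def addr():  # 'any' | 'host A.B.C.D' | 'net wildcard'  ->  (net, wildcard)
        t = words.pop(0)
        if t == "any":
            return "0.0.0.0", "255.255.255.255"
        return (words.pop(0), "0.0.0.0") if t == "host" else (t, words.pop(0))
    action, proto = words.pop(0), words.pop(0)
    return action, proto, addr(), addr()

def covers(spec, net):
    """True if ACE address spec (net, wildcard) matches every address in net."""
    n1, w1, n2, w2 = (int(ipaddress.IPv4Address(x)) for x in spec + net)
    return (n1 & ~w1) == (n2 & ~w1) and (w2 & ~w1) == 0

def parse(cfg):
    """Collect named ACLs, transform sets, crypto maps and the ISAKMP key."""
    out = {"acls": {}, "tsets": {}, "maps": {}, "psk": None}
    block = None  # ACL list or crypto-map dict that the following indented lines belong to
    for line in cfg.splitlines():
        if m := re.match(r"ip access-list extended (\S+)", line):
            block = out["acls"].setdefault(m[1], [])
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            block = out["maps"].setdefault(m[1], {})
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            out["tsets"][m[1]] = " ".join(m[2].split())
        elif m := re.match(r"crypto isakmp key \d (\S+) address", line):
            out["psk"] = m[1]
        elif line.startswith(" ") and block is not None:
            words = line.split()
            if isinstance(block, list):
                block.append(ace(words))
            else:  # "set peer X dynamic" -> peer, "match address X" -> address
                block[words[1]] = words[2:]
        else:
            block = None
    return out

def check(cfg_a, cfg_b, nat_acl="TO_NAT", crypto_map="VPN"):
    """Return a list of findings; an empty list means the two ends agree."""
    ends = {"A": parse(cfg_a), "B": parse(cfg_b)}
    findings, tsets = [], {}
    for name, side in ends.items():
        peer = ends["B" if name == "A" else "A"]
        cm = side["maps"].get(crypto_map, {})
        pcm = peer["maps"].get(crypto_map, {})
        mine = side["acls"].get(cm.get("address", [""])[0], [])
        theirs = peer["acls"].get(pcm.get("address", [""])[0], [])
        vpn = [(s, d) for act, _, s, d in mine if act == "permit"]
        mirror = {(d, s) for act, _, s, d in theirs if act == "permit"}
        nat = side["acls"].get(nat_acl, [])
        if not vpn:
            findings.append(f"{name}: crypto map {crypto_map} selects no traffic")
        for s, d in vpn:
            # Phase 2 fails unless the other end's proxy IDs are the exact mirror image.
            if (s, d) not in mirror:
                findings.append(f"{name}: {s[0]}->{d[0]} has no mirror entry on the other end")
            # The first NAT ACE covering the flow must be a deny, or the packet is
            # translated before the crypto map sees it (protocol qualifiers not modelled).
            first = next((e for e in nat if covers(e[2], s) and covers(e[3], d)), None)
            if first is None or first[0] != "deny":
                findings.append(f"{name}: {nat_acl} would NAT the VPN flow {s[0]}->{d[0]}")
        # A hostname peer is resolved once at config time unless 'dynamic' is given.
        p = cm.get("peer", [])
        if p and not re.fullmatch(r"[\d.]+", p[0]) and "dynamic" not in p:
            findings.append(f"{name}: set peer {p[0]} needs 'dynamic' to follow DDNS changes")
        tsets[name] = side["tsets"].get(cm.get("transform-set", [""])[0])
    if tsets["A"] is None or tsets["A"] != tsets["B"]:
        findings.append("transform sets are missing or differ between the ends")
    elif WEAK & set(tsets["A"].split()):
        findings.append(f"transform set '{tsets['A']}' uses a weak algorithm")
    if ends["A"]["psk"] is None or ends["A"]["psk"] != ends["B"]["psk"]:
        findings.append("pre-shared keys are missing or differ between the ends")
    return findings

if __name__ == "__main__":
    print(check(SITE_A, SITE_B) or "both ends agree")
```

Run it against the two `show running-config` outputs once the template has been filled in on both 877s; an empty result means the pieces that have to agree do agree. Two caveats the checker cannot fix for you: the `address 0.0.0.0 0.0.0.0` wildcard key in the template is unavoidable when both peers have changing addresses, but it means any host on the Internet that knows the key can open phase 1 with your router, so the key must be long and random rather than the placeholder in the answer; and the `add http://username:password@...` line stores the DynDNS account credentials in the running config and sends them over plain HTTP, so treat `show running-config` output accordingly.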
 
LVL 30

Expert Comment

by: Kerem ERSOY
ID: 24372415
@Quori:

It's SDM, FYI. :)

Thank you :)
