Configuring a Virtual Tunnel Interface with IP Security between two Cisco 1811's

jrhundsr asked:
Ok I have two Cisco 1811's configured for Internet access at two different locations.  I am looking to set up a VPN between them and have some questions.

Router 1 info:
WAN IP: 67.53.189.178
Local IP: 192.168.2.1

Router 2 info:
WAN IP: 192.168.2.199
Local IP: 192.168.2.1

I will post both configs below.  
Router 1 Config

show runnin
Building configuration...

Current configuration : 2850 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BeyondAbilities-GB
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$DIEZ$RaKhFvakIbvJ6QCYtYOjg1
!
username beyondabilities privilege 15 secret 5 $1$wz9D$0af3EsqVngrQv1r0CGRlD0
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool LAN
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server 209.18.47.61 209.18.47.62 
!
!
ip ips po max-events 100
no ftp-server write-enable
!
!
!
! 
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip 
 !
 ssid BeyondAbilities-GB
    vlan 1
    authentication open 
    authentication key-management wpa 
    guest-mode
    wpa-psk ascii 0 **********
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 description RoadRunnerConnection
 ip address 67.53.189.178 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 no ip address
 shutdown
!
interface FastEthernet5
 no ip address
 shutdown
!
interface FastEthernet6
 no ip address
 shutdown
!
interface FastEthernet7
 no ip address
 shutdown
!
interface FastEthernet8
 no ip address
!
interface FastEthernet9
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
!
interface Async1
 no ip address
!
interface BVI1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.53.189.177
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld 67.53.189.178 67.53.189.178 prefix-length 16
ip nat inside source list 1 pool ovrld overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password **********
 login
line 1
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 password **********
 login
line vty 5 15
 privilege level 15
 login local
!
no scheduler allocate
end


Author commented:
Router 2 Config:
The WAN IP is actually 206.40.119.63
show run
Building configuration...

Current configuration : 6236 bytes
!
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname BeyondAbilities
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
no aaa new-model
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
!
! 
!
!
dot11 ssid beyondabilities
   authentication open 
   guest-mode
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1 
   lease 0 2
!
ip dhcp pool sdm-pool1
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server 192.168.2.215 
   domain-name beyondabilities
!
!
ip domain name beyondabilities.com
ip name-server 192.168.2.215
!
multilink bundle-name authenticated
vpdn enable
!
!
!
username beyondabilities privilege 15 secret 5 $1$XV6B$8OvYiUeblWr9RdRge8/B./
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
bridge irb
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 no ip address
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet1
 description $ES_WAN$
 no ip address
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 0 xxxxxxxxxxxxxxxx transmit-key
 encryption key 2 size 128bit 0 xxxxxxxxxxxxxxxx
 encryption key 3 size 128bit 0 xxxxxxxxxxxxxxxx
 encryption key 4 size 128bit 0 xxxxxxxxxxxxxxxx
 encryption mode wep mandatory 
 !
 ssid beyondabilities
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root access-point
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption key 1 size 128bit 0 xxxxxxxxxxxxxxxx transmit-key
 encryption key 2 size 128bit 0 xxxxxxxxxxxxxxxx
 encryption key 3 size 128bit 0 xxxxxxxxxxxxxxxx
 encryption key 4 size 128bit 0 xxxxxxxxxxxxxxxx
 encryption mode wep mandatory 
 !
 ssid beyondabilities
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 encapsulation slip
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname beyond_abilities@bayland
 ppp chap password 0 PbWT4e6
 ppp pap sent-username beyond_abilities@bayland password 0 xxxxxx
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 199 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.212 80 206.40.119.63 80 extendable
ip nat inside source static tcp 192.168.2.212 443 206.40.119.63 443 extendable
ip nat inside source static tcp 192.168.2.119 3389 206.40.119.63 3389 extendable
ip nat inside source static tcp 192.168.2.1 80 206.40.119.63 8080 extendable
ip nat inside source static tcp 192.168.2.215 25 206.40.126.109 25 extendable
ip nat inside source static tcp 192.168.2.215 80 206.40.126.109 80 extendable
ip nat inside source static tcp 192.168.2.215 443 206.40.126.109 443 extendable
ip nat inside source static tcp 192.168.2.215 3389 206.40.126.109 3389 extendable
!
logging trap debugging
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 199 remark SDM_ACL Category=18
access-list 199 deny   tcp 192.168.2.0 0.0.0.255 eq www any
access-list 199 deny   tcp 192.168.2.0 0.0.0.255 eq 443 any
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip

!
line con 0
 login local
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500

!
webvpn cef
end

Commented:
If I ran the following commands would it work?

Router 1
-------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key MYKEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
interface Tunnel0
ip address 192.168.2.1 255.255.255.0
tunnel source 67.53.189.178
tunnel destination 206.40.119.63
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
service-policy output FOO
---------------------------
Router 2
-------------------
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key MYKEY address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
interface Tunnel0
ip address 192.168.10.2 255.255.255.0
tunnel source 206.40.119.63
tunnel destination 67.53.189.178
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
service-policy output FOO
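A complete VTI configuration for both routers, added here as an example and not the poster's own commands: it keeps the ISAKMP and IPsec settings proposed above, binds the pre-shared key to the single expected peer instead of the 0.0.0.0 0.0.0.0 wildcard, moves Tunnel0 off 192.168.2.1 (which BVI1 already uses on Router 1), drops "service-policy output FOO" because neither config defines a policy-map FOO, and adds the static routes that send each remote LAN into the tunnel. It assumes Router 1's LAN has been renumbered to 192.168.3.0/24, since both sites currently use 192.168.2.0/24 and a VPN between identical subnets cannot route; the 10.255.255.0/30 tunnel addressing and the MSS value are assumed values as well.

```cisco
!--- Router 1 (BeyondAbilities-GB). Assumes its LAN was renumbered to
!--- 192.168.3.0/24 (BVI1, the DHCP pool and access-list 1 updated,
!--- not shown), because both sites currently use 192.168.2.0/24.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!--- bind the pre-shared key to the one expected peer, not 0.0.0.0 0.0.0.0
crypto isakmp key MYKEY address 206.40.119.63
crypto isakmp keepalive 10
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
!
interface Tunnel0
 !--- dedicated /30 for the tunnel (assumed); 192.168.2.1 belongs to BVI1
 ip address 10.255.255.1 255.255.255.252
 !--- clamp TCP MSS for the IPsec overhead (assumed value)
 ip tcp adjust-mss 1350
 tunnel source FastEthernet0
 tunnel destination 206.40.119.63
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
!--- send the remote LAN through the VTI; Tunnel0 is not "ip nat outside",
!--- so site-to-site traffic is routed into the tunnel and is not
!--- translated by the overload pool (no NAT exemption ACL needed)
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
!--- Router 2 (BeyondAbilities): same crypto isakmp / crypto ipsec block,
!--- with "crypto isakmp key MYKEY address 67.53.189.178", then:
interface Tunnel0
 ip address 10.255.255.2 255.255.255.252
 ip tcp adjust-mss 1350
 !--- Dialer0 has "ip address negotiated", so name the interface, not the IP
 tunnel source Dialer0
 tunnel destination 67.53.189.178
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
ip route 192.168.3.0 255.255.255.0 Tunnel0
```

Both images must support "tunnel mode ipsec ipv4"; once both sides are configured, "show crypto session" and "show interface Tunnel0" confirm that IKE negotiated and the tunnel interface came up.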