emtechadmin asked:
cisco site to site vpn using dyndns

Hi Experts,
I need to set up a site-to-site VPN using Cisco 2811 routers. Here I am using a DynDNS service; at the other end
I have a static IP. How can I configure this?
Awinish replied:

Hello mate,

Use the config below:

Router 1

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key YOUR.1st.KEY address X.X.X.X   >>> router 2 IP
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-site2site 1 ipsec-isakmp
 description Tunnel to Router2
 set peer X.X.X.X
 set transform-set ESP-3DES-SHA
 match address 101
!
crypto map VPN-site2site 2 ipsec-isakmp
 description Tunnel to Router2
 set peer z.z.z.z
 set transform-set ESP-3DES-SHA
 match address 102
!
interface FastEthernet0/0   >>> WAN interface
 description VPN-Peer-Interface
 ip address y.y.y.y subnetmask
 crypto map VPN-site2site
!
access-list 101 permit ip LAN1 0.0.0.255 LAN2 0.0.0.255
!

where:

LAN1 >> local network IPs on router 1
LAN2 >> local network IPs on router 2

----------------------------------------------

Router 2

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key YOUR.1st.KEY address Y.Y.Y.Y   >> router 1 IP
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map VPN-site2site 1 ipsec-isakmp
 description Tunnel to Router1
 set peer y.y.y.y
 set transform-set ESP-3DES-SHA
 match address 101
!
interface FastEthernet0/0   >>> WAN interface
 description VPN-Peer-Interface
 ip address X.X.X.X subnetmask
 crypto map VPN-site2site
!
access-list 101 permit ip LAN2 0.0.0.255 LAN1 0.0.0.255
!

where:

LAN1 >> local network IPs on router 1
LAN2 >> local network IPs on router 2

-------------------------------------------
emtechadmin (asker):
Thanks for your support. I tried this but it's not working.

These are my running configurations.

First router (DynDNS configured here)

!This is the running config of the router: culimerdbx.dyndns.org
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname IbroFW_UAE
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
no aaa new-model
!
resource policy
!
clock timezone Dubai 6
ip tcp synwait-time 10
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.8.1.1 10.8.1.29
ip dhcp excluded-address 10.8.1.61 10.8.1.254
!
ip dhcp pool IbroUAE
   network 10.8.1.0 255.255.255.0
   default-router 10.8.1.1
   option 150 ip 10.1.2.254
   dns-server 213.42.20.20 195.229.241.222
!
!
ip name-server 195.229.241.222
ip name-server 213.42.20.20
ip inspect name Default appfw Default
ip inspect name Default smtp alert on
ip inspect name Default tcp alert on
ip inspect name Default udp alert on
ip inspect name Default cuseeme
ip inspect name Default fragment maximum 256 timeout 1
ip inspect name Default ftp
ip inspect name Default h323
ip inspect name Default icmp
ip inspect name Default netshow
ip inspect name Default rcmd
ip inspect name Default realaudio
ip inspect name Default rtsp
ip inspect name Default sip
ip inspect name Default sqlnet
ip inspect name Default streamworks
ip inspect name Default tftp
ip inspect name Default vdolive
ip inspect name Default h323callsigalt
ip inspect name Default h323gatestat
ip inspect name Default http urlfilter
ip inspect name Default https
ip inspect name Default dns
ip ips notify SDEE
ip ips name sdm_ips_rule
ip urlfilter allow-mode on
ip urlfilter exclusive-domain deny hi5.com
ip urlfilter exclusive-domain deny www.facebook.com
ip urlfilter exclusive-domain deny new.facebook.com
ip urlfilter exclusive-domain deny friendster.com
ip urlfilter exclusive-domain deny myspace.com
ip urlfilter exclusive-domain deny login.live.com
ip urlfilter exclusive-domain deny mail.yahoo.com
ip urlfilter exclusive-domain deny www.gmail.com
ip urlfilter exclusive-domain deny www.hotmail.com
ip urlfilter exclusive-domain deny bebo.com
ip urlfilter exclusive-domain deny twitter.com
ip urlfilter exclusive-domain deny www.hyves.nl
!
appfw policy-name Default
  application im aol
    service default action reset
    service text-chat action reset
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
    audit-trail off
  application im msn
    service default action reset
    service text-chat action reset
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
    audit-trail off
  application http
    port-misuse im action reset alarm
!
!
!
voice-card 0
 no dspfarm
!
crypto pki trustpoint TP-self-signed-2977207581
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2977207581
 revocation-check none
 rsakeypair TP-self-signed-2977207581
!
!
crypto pki certificate chain TP-self-signed-2977207581
 certificate self-signed 01
  quit

!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key @ibrokey$ address 81.173.12.10 no-xauth
crypto isakmp key @ibrokey$ address 202.151.174.82 no-xauth
crypto isakmp key @ibrokey$ address 218.241.211.194 no-xauth
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 81.173.12.10
 set transform-set strong
 match address 102
crypto map myvpn 20 ipsec-isakmp
 set peer 218.241.211.194
 set transform-set strong
 match address 103
crypto map myvpn 30 ipsec-isakmp
 set peer 202.151.174.82
 set transform-set strong
 match address 104
!
!
!
!
!
interface FastEthernet0/0
 description Inside$ETH-LAN$
 ip address 10.8.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description outside$ETH-WAN$
 ip ddns update hostname culimerdbx.dyndns.org
 ip ddns update DYNDNS
 ip address 192.168.100.2 255.255.255.0
 ip nat outside
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map myvpn
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
access-list 23 permit 202.151.174.82
access-list 23 permit 81.23.229.66
access-list 23 permit 81.23.229.77
access-list 23 permit 81.173.12.10
access-list 23 permit 10.0.0.0 0.255.255.255
access-list 23 permit 172.0.0.0 0.255.255.255
access-list 23 permit any
access-list 101 remark SDM_ACL Category=16
access-list 101 deny   ip host 213.42.104.94 10.6.1.0 0.0.0.255
access-list 101 deny   ip 10.8.1.0 0.0.0.255 host 202.151.174.82
access-list 101 deny   ip host 213.42.104.94 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.8.1.0 0.0.0.255 host 218.241.211.194
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.8.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 deny   ip 10.8.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 101 deny   ip 10.8.1.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 101 deny   ip 10.8.1.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 101 deny   ip 10.8.1.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 101 deny   ip 10.8.1.0 0.0.0.255 10.6.1.0 0.0.0.255
access-list 101 deny   ip 10.8.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 deny   ip 10.8.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.8.1.0 0.0.0.255 any
access-list 102 permit ip 10.8.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 102 permit ip 10.8.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 102 permit ip 10.8.1.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 102 permit ip 10.8.1.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 102 permit ip 10.8.1.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 102 permit ip 10.8.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 102 deny   ip 10.8.1.0 0.0.0.255 any
access-list 102 remark IPSec Rule
access-list 103 permit ip 10.8.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.8.1.0 0.0.0.255 host 218.241.211.194
access-list 103 permit ip host 213.42.104.94 192.168.1.0 0.0.0.255
access-list 103 deny   ip 10.8.1.0 0.0.0.255 any
access-list 104 permit ip 10.8.1.0 0.0.0.255 10.6.1.0 0.0.0.255
access-list 104 permit ip 10.8.1.0 0.0.0.255 host 202.151.174.82
access-list 104 permit ip host 213.42.104.94 10.6.1.0 0.0.0.255
access-list 104 deny   ip 10.8.1.0 0.0.0.255 any
snmp-server community ibromar RO
snmp-server community ibro2005 RW
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!

Router 2 (static IP)

sh run
Building configuration...

Current configuration : 13439 bytes
!
! Last configuration change at 14:52:50 Hanoi Fri Dec 24 2010 by ibromar
! NVRAM config last updated at 16:18:36 Hanoi Thu Dec 23 2010 by emtech
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
class-map match-all Eyecatcher
 match access-group 110
!
!
policy-map QoS-Video
 class Eyecatcher
 bandwidth 384
 class Streaming-Video
  bandwidth 384
!
!
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 hash md5
 group 2
!
crypto isakmp policy 9
 encr 3des
 authentication pre-share
 group 5
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key @ibrokey$ address 81.173.12.10 no-xauth
crypto isakmp key @ibrokey$ address 213.42.104.94 no-xauth
crypto isakmp key @ibrokey$ address 218.241.211.194 no-xauth
crypto isakmp key @ibrokey$ hostname culimerdbx.dyndns.org no-xauth
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 81.173.12.10
 set transform-set strong
 match address 102
crypto map myvpn 20 ipsec-isakmp
 set peer 218.241.211.194
 set transform-set strong
 match address 103
crypto map myvpn 30 ipsec-isakmp
 set peer 83.110.225.118
 set transform-set strong
 match address 104
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Inside$ETH-LAN$
 ip address 10.6.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect Defaults in
 ip inspect Defaults out
 ip virtual-reassembly
 ip route-cache flow
 duplex full
 speed 100
 no mop enabled
!
interface FastEthernet0/1
 description Outside$ETH-LAN$
 ip address 202.151.174.82 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect Defaults in
 ip inspect Defaults out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map myvpn
 service-policy output QoS-Video
!
ip route 0.0.0.0 0.0.0.0 202.151.174.81
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.6.1.107 3389 202.151.174.10 3389 extendable
ip nat inside source static tcp 10.6.1.107 3389 202.151.174.82 3389 extendable
ip nat inside source static 10.6.1.22 202.151.175.149
ip nat inside source static 10.6.1.206 202.151.175.150
ip nat inside source static 10.6.1.252 202.151.175.151
ip nat inside source static 10.6.1.25 202.151.175.152
ip nat inside source static 10.6.1.20 202.151.175.153 route-map eye-catcher extendable
ip nat inside source static 10.6.1.21 202.151.175.154 route-map eye-catcher extendable
!
no logging trap
access-list 23 permit 81.23.229.66
access-list 23 permit 81.23.229.77
access-list 23 permit 81.173.12.10
access-list 23 permit 10.0.0.0 0.255.255.255
access-list 23 permit 172.0.0.0 0.255.255.255
access-list 23 permit any
access-list 101 remark SDM_ACL Category=18
access-list 101 deny   ip 10.6.1.0 0.0.0.255 10.8.1.0 0.0.0.255
access-list 101 deny   ip 10.6.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 deny   ip 10.6.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 101 deny   ip 10.6.1.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 101 deny   ip 10.6.1.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 101 deny   ip 10.6.1.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 101 deny   ip 10.6.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.6.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 101 permit ip 10.6.1.0 0.0.0.255 any
access-list 102 permit ip 10.6.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 102 permit ip 10.6.1.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 102 permit ip 10.6.1.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 102 permit ip 10.6.1.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 102 permit ip 10.6.1.0 0.0.0.255 10.5.0.0 0.0.255.255
access-list 102 permit ip 10.6.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 102 deny   ip 10.6.1.0 0.0.0.255 any
access-list 103 permit ip 10.6.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.6.1.0 0.0.0.255 host 218.241.211.194
access-list 103 permit ip host 202.151.174.82 192.168.1.0 0.0.0.255
access-list 103 deny   ip 10.6.1.0 0.0.0.255 any
access-list 104 permit ip 10.6.1.0 0.0.0.255 10.8.1.0 0.0.0.255
access-list 104 permit ip 10.6.1.0 0.0.0.255 host 83.110.225.118
access-list 104 permit ip host 202.151.174.82 10.8.1.0 0.0.0.255
access-list 104 deny   ip 10.6.1.0 0.0.0.255 any
access-list 105 deny   ip host 10.6.1.21 10.8.1.0 0.0.0.255
access-list 105 deny   ip host 10.6.1.21 192.168.1.0 0.0.0.255
access-list 105 deny   ip host 10.6.1.21 10.1.0.0 0.0.255.255
access-list 105 permit ip host 10.6.1.21 any
access-list 106 deny   ip host 10.6.1.20 10.8.1.0 0.0.0.255
access-list 106 deny   ip host 10.6.1.20 192.168.1.0 0.0.0.255
access-list 106 deny   ip host 10.6.1.20 10.1.0.0 0.0.255.255
access-list 106 permit ip host 10.6.1.20 any
access-list 110 permit ip any any dscp af41
access-list 111 permit ip any any dscp af41
snmp-server community ibromar RO
snmp-server community ibro2005 RW
no cdp run
!
!
!
route-map eyecatcher permit 10
 match ip address 106

route-map eye-catcher permit 10
 match ip address 105
!
!
!
!
control-plane
!
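As an added example (my own code, not from the thread and not a Cisco tool), a small checker for the pattern this thread is about: it pulls the tunnel-relevant lines out of two IOS configs and reports the three things that usually break a DynDNS-to-static-IP tunnel like this one: a `set peer` with no matching `crypto isakmp key` entry, a crypto-map interface carrying an RFC1918 address (the router sits behind NAT, as the first config above does with 192.168.100.2), and crypto ACLs that are not mirror images. The sample configs, the hostname dynsite.example.dyndns.org and the key placeholder are constructed; the public addresses are documentation ranges.

```python
import ipaddress
import re
# Constructed sample configs (not the thread's own): the DynDNS site has a private WAN
# address behind NAT; the static site keys that peer by hostname. Documentation addresses.
DYN_SIDE = """\
crypto isakmp key KEY-PLACEHOLDER address 198.51.100.2 no-xauth
crypto map myvpn 30 ipsec-isakmp
 set peer 198.51.100.2
 match address 104
interface FastEthernet0/1
 ip address 192.168.100.2 255.255.255.0
 crypto map myvpn
access-list 104 permit ip 10.8.1.0 0.0.0.255 10.6.1.0 0.0.0.255
"""
STATIC_SIDE = """\
crypto isakmp key KEY-PLACEHOLDER hostname dynsite.example.dyndns.org no-xauth
crypto map myvpn 30 ipsec-isakmp
 set peer 203.0.113.118
 match address 104
interface FastEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 crypto map myvpn
access-list 104 permit ip 10.6.1.0 0.0.0.255 10.8.1.0 0.0.0.255
"""
PATTERNS = {  # one capture group each; every match is appended under its key
    "key_addrs": r"crypto isakmp key \S+ address (\S+)", "peers": r" set peer (\S+)",
    "key_hosts": r"crypto isakmp key \S+ hostname (\S+)", "map_acls": r" match address (\d+)",
    "wan_ip": r" ip address (\S+) "}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def parse(cfg):  # collect the lines a crypto-map site-to-site tunnel depends on
    d = {**{k: [] for k in PATTERNS}, "acls": {}, "wan_ips": []}
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\d+) permit ip (\S+) \S+ (\S+) \S+", line):
            d["acls"].setdefault(m[1], set()).add((m[2], m[3]))  # (src, dst) networks
        elif line.startswith(" crypto map "):  # indented: the map applied on an interface
            d["wan_ips"].append(d["wan_ip"][-1])  # the 'ip address' seen just above it
        else:
            for key, pat in PATTERNS.items():
                if m := re.match(pat, line):
                    d[key].append(m[1])
    return d
def check(local, remote):  # findings for one router; its crypto ACLs must mirror the remote's
    out = []
    for peer in sorted(set(local["peers"]) - set(local["key_addrs"])):
        out.append(f"peer {peer} has no address-keyed PSK (a hostname-keyed dynamic peer "
                   "must resolve in DNS and send 'crypto isakmp identity hostname')")
    for ip in [a for a in local["wan_ips"] if any(ipaddress.ip_address(a) in n for n in RFC1918)]:
        out.append(f"crypto-map interface {ip} is RFC1918: router sits behind NAT, so the remote "
                   "must peer with the NAT's public address or hostname and NAT-T must pass")
    mine = {f for a in local["map_acls"] for f in local["acls"].get(a, ())}
    theirs = {(d, s) for a in remote["map_acls"] for s, d in remote["acls"].get(a, ())}
    if mine != theirs:
        out.append(f"crypto ACLs are not mirror images: {sorted(mine ^ theirs)}")
    return out
```

Run `check(parse(DYN_SIDE), parse(STATIC_SIDE))` for the DynDNS side and the reverse for the static side; each direction reports its own side's problems, so both should be run when a tunnel stays in MM_NO_STATE.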
Hi emtechadmin,

Have you noticed that there are public IP addresses and usernames in the log you provided? Try to remove that information before posting.
Do you have a static IP on both sides?
Can you give a network diagram of your topology?
I can't help you without more detail.

Can you please provide the output of sh crypto isakmp sa and sh crypto ipsec sa?

Regards

Vikrant
Thanks Vikrant for your support.

Here I am attaching the outputs.

IbroFWVN#sh crypto isa
IbroFWVN#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
202.151.174.82  81.173.12.10    QM_IDLE           4033    0 ACTIVE
81.173.12.10    202.151.174.82  QM_IDLE           4034    0 ACTIVE

IPv6 Crypto ISAKMP SA

(attachment: sh-crypto-ip-sec-sa.TXT)
ASKER CERTIFIED SOLUTION by vikrantambhore

This solution is only available to members of Experts Exchange.
Thanks for your support ...

Now I am getting this status on the router.

83.110.225.118  202.151.174.82  MM_NO_STATE          0    0 ACTIVE (deleted)

At last the tunnel is up, but I can't ping the LAN subnets. SDM is showing the attached message.

(attachment: vpn.png)
Don't ignore my comment; read it carefully, otherwise I can't help you.
Why did you delete your question if it works by my comment?
Please remove the public IP from the question. Thanks in advance.
Hi emtechadmin,

You need to create a request for attention to an EE Moderator; they will help you.