Solved

Configuring a Cisco router-to-router IPSec VPN

Posted on 2011-03-15
Last Modified: 2013-11-05
Hi,
I have two remote sites between which I need to establish a gateway-to-gateway VPN that uses a preshared
secret for authentication. Both sites use Cisco routers: one is a Cisco 2811 and the other is a Cisco 871, as follows:

  172.18.11.0/24                                                         172.18.74.0/24
        |                                                                      |
        |      Cisco 2811                                    Cisco 871         |
        |    +-----------+      /-^-^-^-^-^-^-\      +-----------+             |
        |----| Gateway A |=====|     ISP     |=====| Gateway B |--------------|
        |  AL+-----------+AW    \-v-v-v-v-v-v-/   BW+-----------+BL            |
  172.18.11.10         172.17.10.2              172.17.1.62         172.18.74.1

Gateway A connects the internal LAN 172.18.11.0/24 to the Internet. Gateway A's
LAN interface has the address 172.18.11.10, and its WAN (Internet) interface has
the address 172.17.10.2.

Gateway B connects the internal LAN 172.18.74.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 172.17.1.62. Gateway B's LAN
interface address, 172.18.74.1, can be used for testing IPsec but is not
needed for configuring Gateway A.

The IKE Phase 1 parameters used in this scenario are:
   * Main mode
   * TripleDES
   * SHA-1
   * MODP group 2 (1024 bits)
   * pre-shared secret of "ILikeIkeButElvisIsKing"
   * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

Then here is the configuration for Gateway A:

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.1.62
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.1.62
! name must match the transform-set defined above (IOS names are case-sensitive)
 set transform-set strong
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 ip address 172.17.10.2 255.255.255.252
 speed auto
 crypto map CISCO
!
interface FastEthernet0/1
 ip address 172.18.11.10 255.255.255.0
!
access-list 101 permit ip 172.18.11.0 0.0.0.255 172.18.74.0 0.0.0.255
!

--------Here is the configuration of Gateway B----------------

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.10.2
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.10.2
! name must match the transform-set defined above (IOS names are case-sensitive)
 set transform-set strong
 set pfs group2
 match address 101
!
interface FastEthernet4
 ip address 172.17.1.62 255.255.255.252
 speed auto
 crypto map CISCO
!
interface VLAN1
 ip address 172.18.74.1 255.255.255.0
!
access-list 101 permit ip 172.18.74.0 0.0.0.255 172.18.11.0 0.0.0.255
!
------------------------ My Problem -------------------------------
There is no VPN connection established. Why?
Question by:mtarabay
3 Comments

Expert Comment

by:jmeggers
ID: 35142275
The configs look OK to me, is there any interesting traffic?  The VPN connection won't launch itself, there has to be traffic that triggers it.

Author Comment

by:mtarabay
ID: 35146499
Dear jmeggers:
Did you mean that at least one PC must be connected to each router at both sites?

Accepted Solution

by:vervenetworks (earned 500 total points)
ID: 35162935
You will also need to make sure that you have deny statements in your NAT policy on either side; otherwise the traffic will try to go out that way.
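As an added check (my own Python, not code from the question or from either answer), this script parses one router's crypto map and NAT statements and flags the two configuration mistakes that most often leave an IOS site-to-site tunnel unbuilt: a crypto map that references a transform-set under a different name than the one defined (IOS names are case-sensitive), and a NAT ACL that translates the site-to-site traffic before the crypto map can match it, which is the point vervenetworks raises. The sample config and the PAT rule with ACL 110 are constructed for the example and are not part of the poster's configuration.

```python
import re

# Constructed sample (not the poster's full config): Gateway A's crypto map from
# the question plus a hypothetical PAT rule, ACL 110, of the kind vervenetworks means.
GATEWAY_A = """\
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.1.62
 set transform-set STRONG
 match address 101
ip nat inside source list 110 interface FastEthernet0/0 overload
access-list 101 permit ip 172.18.11.0 0.0.0.255 172.18.74.0 0.0.0.255
access-list 110 permit ip 172.18.11.0 0.0.0.255 any
"""
# Same router with both defects corrected: transform-set name matches its definition,
# and the VPN traffic is denied in the NAT ACL ahead of the catch-all permit.
GATEWAY_A_FIXED = GATEWAY_A.replace("set transform-set STRONG", "set transform-set strong").replace(
    "access-list 110 permit ip",
    "access-list 110 deny ip 172.18.11.0 0.0.0.255 172.18.74.0 0.0.0.255\naccess-list 110 permit ip")

def acl_entries(cfg, number):
    """(action, src, dst) tuples of numbered extended ACL <number>, in config order."""
    pat = rf"^access-list {number} (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)\s*$"
    return re.findall(pat, cfg, re.M)

def covers(entry, value):
    # Compares 'any' or an identical network/wildcard pair only; mask arithmetic is out of scope.
    return entry == "any" or entry == value

def check_gateway(cfg):
    """Return the problems that would keep this end from building the tunnel."""
    problems = []
    defined = set(re.findall(r"^crypto ipsec transform-set (\S+)", cfg, re.M))
    for name in re.findall(r"^\s+set transform-set (\S+)", cfg, re.M):
        if name not in defined:  # IOS object names are case-sensitive
            problems.append(f"transform-set '{name}' is not defined (defined: {sorted(defined)})")
    nat_acls = re.findall(r"^ip nat inside source list (\d+)", cfg, re.M)
    for crypto_acl in re.findall(r"^\s+match address (\d+)", cfg, re.M):
        for action, src, dst in acl_entries(cfg, crypto_acl):
            if action != "permit":
                continue
            for nat_acl in nat_acls:
                # ACLs are first-match: find the entry that would catch this VPN flow.
                hit = next((e for e in acl_entries(cfg, nat_acl)
                            if covers(e[1], src) and covers(e[2], dst)), None)
                if hit is not None and hit[0] == "permit":
                    problems.append(f"NAT ACL {nat_acl} translates {src} -> {dst}; "
                                    "add a deny for it above the permit so it reaches the crypto map")
    return problems
```

Running check_gateway(GATEWAY_A) reports both defects, while check_gateway(GATEWAY_A_FIXED) returns an empty list.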