Improve company productivity with a Business Account.Sign Up

x
?
Solved

Configuring a Cisco router-to-router IPSec VPN

Posted on 2011-03-15
3
Medium Priority
?
453 Views
Last Modified: 2013-11-05
Hi,
I have to remote sites that i need to establish a gateway-to-gateway VPN that uses a preshared
secret for authentication. Both sites uses Cisco routers one is Cisco 2811 and other is Cisco 871 as following:

172.18.11.0/24                                                                                 172.18.74.0/24
            |                                                                                                   |
         --|      Cisco 2811                                                  Cisco 871          |--
           |         +-----------+                /-^-^-^-^--\                  +-----------+    |
          |-----| Gateway A |=======|    ISP          |========|  Gateway B  |-----|
          |   AL+-----------+AW           \--v-v-v-v-/                 BW+-----------+BL  |
  --| 172.18.11.10       172.17.10.2                      172.17.1.62              172.18.74.1

Gateway A connects the internal LAN 172.18.11.0/24 to the Internet. Gateway A's
LAN interface has the address 172.18.11.10, and its WAN (Internet) interface has
the address 172.17.10.2.

Gateway B connects the internal LAN 172.18.74.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 172.17.1.62. Gateway B's LAN
interface address, 172.18.74.1, can be used for testing IPsec but is not
needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario is:
   * Main mode
   * TripleDES
   * SHA-1
   * MODP group 2 (1024 bits)
   * pre-shared secret of "ILikeIkeButElvisIsKing"
   * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

Then here is the configuration for Gateway A:

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.1.62
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.1.62
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 ip address 172.17.10.2 255.255.255.252
 speed auto
 crypto map CISCO
!
interface FastEthernet0/1
 ip address 172.18.11.10 255.255.255.0
!
access-list 101 permit ip 172.18.11.0 0.0.0.255 172.18.74.0 0.0.0.255
!

--------Here is the configuration of Gateway B----------------

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.10.2
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.10.2
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet4
 ip address 172.17.1.62 255.255.255.252
 speed auto
 crypto map CISCO
!
interface VLAN1
 ip address 172.18.74.1 255.255.255.0
!
access-list 101 permit ip 172.18.74.0 0.0.0.255 172.18.11.0 0.0.0.255
!
------------------------ My Problem -------------------------------
There is no VPN connection stablished why?
0
Comment
Question by:mtarabay
3 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 35142275
The configs look OK to me, is there any interesting traffic?  The VPN connection won't launch itself, there has to be traffic that triggers it.
0
 

Author Comment

by:mtarabay
ID: 35146499
Dear jmeggers:
Did you mean that must be at least one PC must be connected to each Router into both sites?
0
 
LVL 3

Accepted Solution

by:
vervenetworks earned 2000 total points
ID: 35162935
You will also need to make sure that you have deny statements in your nat policy on either side, otherwise the traffic will try to go out that way.
0

Featured Post

NEW Internet Security Report Now Available!

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out this quarters report on the threats that shook the industry in Q4 2017.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

595 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question