Solved

Configuring a Cisco router-to-router IPSec VPN

Posted on 2011-03-15
3
437 Views
Last Modified: 2013-11-05
Hi,
I have to remote sites that i need to establish a gateway-to-gateway VPN that uses a preshared
secret for authentication. Both sites uses Cisco routers one is Cisco 2811 and other is Cisco 871 as following:

172.18.11.0/24                                                                                 172.18.74.0/24
            |                                                                                                   |
         --|      Cisco 2811                                                  Cisco 871          |--
           |         +-----------+                /-^-^-^-^--\                  +-----------+    |
          |-----| Gateway A |=======|    ISP          |========|  Gateway B  |-----|
          |   AL+-----------+AW           \--v-v-v-v-/                 BW+-----------+BL  |
  --| 172.18.11.10       172.17.10.2                      172.17.1.62              172.18.74.1

Gateway A connects the internal LAN 172.18.11.0/24 to the Internet. Gateway A's
LAN interface has the address 172.18.11.10, and its WAN (Internet) interface has
the address 172.17.10.2.

Gateway B connects the internal LAN 172.18.74.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 172.17.1.62. Gateway B's LAN
interface address, 172.18.74.1, can be used for testing IPsec but is not
needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario is:
   * Main mode
   * TripleDES
   * SHA-1
   * MODP group 2 (1024 bits)
   * pre-shared secret of "ILikeIkeButElvisIsKing"
   * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

Then here is the configuration for Gateway A:

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.1.62
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.1.62
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 ip address 172.17.10.2 255.255.255.252
 speed auto
 crypto map CISCO
!
interface FastEthernet0/1
 ip address 172.18.11.10 255.255.255.0
!
access-list 101 permit ip 172.18.11.0 0.0.0.255 172.18.74.0 0.0.0.255
!

--------Here is the configuration of Gateway B----------------

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.10.2
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.10.2
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet4
 ip address 172.17.1.62 255.255.255.252
 speed auto
 crypto map CISCO
!
interface VLAN1
 ip address 172.18.74.1 255.255.255.0
!
access-list 101 permit ip 172.18.74.0 0.0.0.255 172.18.11.0 0.0.0.255
!
------------------------ My Problem -------------------------------
There is no VPN connection stablished why?
0
Comment
Question by:mtarabay
3 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 35142275
The configs look OK to me, is there any interesting traffic?  The VPN connection won't launch itself, there has to be traffic that triggers it.
0
 

Author Comment

by:mtarabay
ID: 35146499
Dear jmeggers:
Did you mean that must be at least one PC must be connected to each Router into both sites?
0
 
LVL 3

Accepted Solution

by:
vervenetworks earned 500 total points
ID: 35162935
You will also need to make sure that you have deny statements in your nat policy on either side, otherwise the traffic will try to go out that way.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

One of the Top 10  common Cisco VPN problems are not-matching shared keys. This is an easy one to fix, but not always easy to notice, see the case below. A simple IPsec tunnel between fast Ethernet interfaces of routers SW1 (f1/1) and R1(f0/0). …
Sometimes, you want your microsoft VPN to route all the traffic to the remote network. Usually your employer network. This makes it possible to access all the nodes inside this remote LAN, even if they have no "public DNS" entries. To do so, you wo…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now