Configuring a Cisco router-to-router IPSec VPN

Hi,
I have two remote sites between which I need to establish a gateway-to-gateway VPN that uses a preshared
secret for authentication. Both sites use Cisco routers; one is a Cisco 2811 and the other is a Cisco 871, as follows:

172.18.11.0/24                                      172.18.74.0/24
      |                                                          |
      |    Cisco 2811                              Cisco 871     |
      |   +-----------+       /-^-^-^-^-\        +-----------+   |
      |---| Gateway A |=======|    ISP    |========| Gateway B |---|
      | AL+-----------+AW     \-v-v-v-v-/      BW+-----------+BL |
  172.18.11.10      172.17.10.2          172.17.1.62    172.18.74.1

Gateway A connects the internal LAN 172.18.11.0/24 to the Internet. Gateway A's
LAN interface has the address 172.18.11.10, and its WAN (Internet) interface has
the address 172.17.10.2.

Gateway B connects the internal LAN 172.18.74.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 172.17.1.62. Gateway B's LAN
interface address, 172.18.74.1, can be used for testing IPsec but is not
needed for configuring Gateway A.

The IKE Phase 1 parameters used in this scenario are:
   * Main mode
   * TripleDES
   * SHA-1
   * MODP group 2 (1024 bits)
   * pre-shared secret of "ILikeIkeButElvisIsKing"
   * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

Then here is the configuration for Gateway A:

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.1.62
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.1.62
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 ip address 172.17.10.2 255.255.255.252
 speed auto
 crypto map CISCO
!
interface FastEthernet0/1
 ip address 172.18.11.10 255.255.255.0
!
access-list 101 permit ip 172.18.11.0 0.0.0.255 172.18.74.0 0.0.0.255
!

--------Here is the configuration of Gateway B----------------

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.10.2
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.10.2
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet4
 ip address 172.17.1.62 255.255.255.252
 speed auto
 crypto map CISCO
!
interface VLAN1
 ip address 172.18.74.1 255.255.255.0
!
access-list 101 permit ip 172.18.74.0 0.0.0.255 172.18.11.0 0.0.0.255
!
------------------------ My Problem -------------------------------
There is no VPN connection established. Why?

Asked by: mtarabay
jmeggers (Sr. Network and Security Engineer) commented:
The configs look OK to me; is there any interesting traffic? The VPN connection won't launch itself; there has to be traffic that triggers it.

mtarabay (Author) commented:
Dear jmeggers:
Did you mean that at least one PC must be connected to each router at both sites?

vervenetworks commented:
You will also need to make sure that you have deny statements in your NAT policy on either side; otherwise the traffic will try to go out that way.
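As an added example that is not part of the original thread, here is the NAT exemption vervenetworks describes, written for Gateway A, followed by the commands that generate the interesting traffic jmeggers asks about and verify the SAs. It assumes Gateway A does PAT for the LAN on FastEthernet0/0 using an ACL numbered 110; neither the PAT rule nor ACL 110 appears in the posted config.

```cisco
! Gateway A: exempt LAN-to-LAN traffic from NAT before the PAT rule sees it.
! ACL 110 is assumed; the posted config shows no NAT statements at all.
! The deny line must come first: ACL entries are evaluated top-down and the
! first match wins, so 172.18.11.0/24 -> 172.18.74.0/24 is left untranslated,
! still matches crypto ACL 101, and is sent through the tunnel.
access-list 110 deny   ip 172.18.11.0 0.0.0.255 172.18.74.0 0.0.0.255
access-list 110 permit ip 172.18.11.0 0.0.0.255 any
!
ip nat inside source list 110 interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 ip nat outside
!
interface FastEthernet0/1
 ip nat inside
!
! Gateway B mirrors this with the subnets swapped (172.18.74.0/24 as the
! source) and FastEthernet4 / VLAN1 as the outside / inside interfaces.
!
! Interesting traffic must originate from the LAN side. A ping sourced from
! the LAN address matches ACL 101 and triggers IKE; one sourced from the WAN
! address would not match and would not bring the tunnel up.
! ping 172.18.74.1 source 172.18.11.10
!
! Verification: the Phase 1 SA should show QM_IDLE, the Phase 2 encrypt and
! decrypt counters should increment, and the LAN-to-LAN flow must not appear
! in the NAT table.
! show crypto isakmp sa
! show crypto ipsec sa peer 172.17.1.62
! show ip nat translations
!
! Also confirm the crypto map references the transform-set by its exact name:
! IOS names are case-sensitive, and the posted config defines "strong" while
! the crypto map references "STRONG".
! show crypto map
```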