Solved

Configuring a Cisco router-to-router IPSec VPN

Posted on 2011-03-15
Last Modified: 2013-11-05
Hi,
I have two remote sites between which I need to establish a gateway-to-gateway VPN that uses a preshared
secret for authentication. Both sites use Cisco routers, one a Cisco 2811 and the other a Cisco 871, as follows:

172.18.11.0/24                                              172.18.74.0/24
      |                                                                  |
      |      Cisco 2811                               Cisco 871          |
      |     +-----------+        /-^-^-^-^--\        +-----------+       |
      |-----| Gateway A |=======|    ISP     |=======| Gateway B |-------|
      |  AL +-----------+ AW    \--v-v-v-v-/     BW +-----------+ BL    |
 172.18.11.10          172.17.10.2            172.17.1.62        172.18.74.1

Gateway A connects the internal LAN 172.18.11.0/24 to the Internet. Gateway A's
LAN interface has the address 172.18.11.10, and its WAN (Internet) interface has
the address 172.17.10.2.

Gateway B connects the internal LAN 172.18.74.0/24 to the Internet. Gateway
B's WAN (Internet) interface has the address 172.17.1.62. Gateway B's LAN
interface address, 172.18.74.1, can be used for testing IPsec but is not
needed for configuring Gateway A.

The IKE Phase 1 parameters used in this scenario are:
   * Main mode
   * TripleDES
   * SHA-1
   * MODP group 2 (1024 bits)
   * pre-shared secret of "ILikeIkeButElvisIsKing"
   * SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

Here is the configuration for Gateway A:

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.1.62
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
! Transform-set names are case-sensitive in IOS: the name defined above and
! the name referenced by "set transform-set" below must match exactly.
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.1.62
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 ip address 172.17.10.2 255.255.255.252
 speed auto
 crypto map CISCO
!
interface FastEthernet0/1
 ip address 172.18.11.10 255.255.255.0
!
access-list 101 permit ip 172.18.11.0 0.0.0.255 172.18.74.0 0.0.0.255
!

--------Here is the configuration of Gateway B----------------

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ILikeIkeButElvisIsKing address 172.17.10.2
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
! Transform-set names are case-sensitive in IOS: the name defined above and
! the name referenced by "set transform-set" below must match exactly.
crypto map CISCO 101 ipsec-isakmp
 set peer 172.17.10.2
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet4
 ip address 172.17.1.62 255.255.255.252
 speed auto
 crypto map CISCO
!
interface VLAN1
 ip address 172.18.74.1 255.255.255.0
!
access-list 101 permit ip 172.18.74.0 0.0.0.255 172.18.11.0 0.0.0.255
!
------------------------ My Problem -------------------------------
No VPN connection is established. Why?
Question by:mtarabay
3 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 35142275
The configs look OK to me; is there any interesting traffic? The VPN connection won't launch itself; there has to be traffic that triggers it.
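
Added example (not from jmeggers or the original post): the sequence a practitioner would type on Gateway A to trigger the tunnel with traffic that actually matches access-list 101, then check both IKE phases. The default route's next hop 172.17.10.1 is an assumption (the other host address in the 172.17.10.0/30 WAN subnet); every other address and interface comes from the question.

```cisco
! Added example, not part of the original post.
! Only traffic matching access-list 101 (172.18.11.0/24 -> 172.18.74.0/24)
! starts IKE. A plain "ping 172.18.74.1" from the router does NOT count: it is
! sourced from the exit interface address 172.17.10.2 and never matches the ACL.
!
! 1. The router needs a route to the peer before IKE can even be sent.
!    Next hop 172.17.10.1 is an assumption (other host in the /30 WAN subnet).
configure terminal
 ip route 0.0.0.0 0.0.0.0 172.17.10.1
end
!
! 2. Generate interesting traffic sourced from the LAN interface address so it
!    matches access-list 101. The first packets are dropped while IKE
!    negotiates (expect a few '.' before the '!'), so send several.
ping 172.18.74.1 source 172.18.11.10 repeat 20
!
! 3. Phase 1: expect a QM_IDLE entry for peer 172.17.1.62. An entry stuck in
!    MM_NO_STATE means the peer never answered (no route, UDP/500 or ESP filtered
!    upstream, or a Phase 1 policy / pre-shared key mismatch).
show crypto isakmp sa
!
! 4. Phase 2: "#pkts encaps" and "#pkts decaps" should both grow with each ping.
!    encaps growing while decaps stays at 0 means the far side is not sending
!    its replies through the tunnel (typically NAT on the remote router, or an
!    ACL that is not the mirror image of this side's access-list 101).
show crypto ipsec sa peer 172.17.1.62
!
! 5. If nothing appears at all, watch the negotiation live on both routers.
debug crypto isakmp
debug crypto ipsec
```

Run steps 2 to 4 on Gateway B as well (source 172.18.74.1, peer 172.17.10.2); a tunnel that only ever comes up from one side usually points at the side that cannot initiate.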
 

Author Comment

by:mtarabay
ID: 35146499
Dear jmeggers:
Did you mean that at least one PC must be connected to each router at both sites?
 
LVL 3

Accepted Solution

by:vervenetworks (earned 500 total points)
ID: 35162935
You will also need to make sure that you have deny statements in your NAT policy on either side; otherwise the traffic will try to go out that way.
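
Added example (not part of vervenetworks' answer): what that exemption looks like on Gateway A if the router also does PAT for the LAN. On IOS, inside-to-outside NAT runs before the crypto map, so without the deny line a packet for 172.18.74.0/24 would leave with source 172.17.10.2, no longer match access-list 101, and never trigger the tunnel. The original post shows no NAT statements at all, so the "ip nat inside source" rule and access-list 110 below are assumed for illustration; the subnets and interface names are those from the question.

```cisco
! Added example, not part of the original answer or post.
! NAT exemption on Gateway A (Cisco 2811). The NAT rule itself is assumed;
! the question shows none. Only the deny line is the point.
!
! access-list 110 = "traffic to translate": carve out the VPN subnet pair
! first (a deny in a NAT ACL means "do not translate"), then PAT the rest.
access-list 110 deny   ip 172.18.11.0 0.0.0.255 172.18.74.0 0.0.0.255
access-list 110 permit ip 172.18.11.0 0.0.0.255 any
!
ip nat inside source list 110 interface FastEthernet0/0 overload
!
interface FastEthernet0/1
 ip nat inside
!
interface FastEthernet0/0
 ip nat outside
!
! Mirror image on Gateway B (Cisco 871: LAN Vlan1, WAN FastEthernet4):
!   access-list 110 deny   ip 172.18.74.0 0.0.0.255 172.18.11.0 0.0.0.255
!   access-list 110 permit ip 172.18.74.0 0.0.0.255 any
!   ip nat inside source list 110 interface FastEthernet4 overload
!   interface Vlan1        -> ip nat inside
!   interface FastEthernet4 -> ip nat outside
!
! Check after a LAN host pings across: there must be no translation entries
! whose outside destination is 172.18.74.x. If there are, the deny line is
! missing, in the wrong order, or on the wrong ACL.
show ip nat translations
show crypto ipsec sa peer 172.17.1.62
```

Keep the deny line first: IOS evaluates the NAT ACL top down, so a "permit ... any" above it would translate the VPN traffic anyway.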
