suply
How can I configure a site to site VPN with 2 cisco routers
Hello Experts-exchange,
Please, I need a step-by-step guide to set up a site-to-site tunnel with 2 Cisco Linksys routers.
Thanks so much for your help
suply
If your router does not support SDM and you are using CLI commands, you can use the links below; simply execute the commands as per your network (LAN IP-WAN IP).
http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html#wp1035810
http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_user_guide_chapter09186a0080531f28.html#wp1010262
you can also take help from
http://www.routergeek.net/content/view/50/37/
ASKER
Hello Syed M Usman,
Thank you for your response. Is it possible to get the information applied to Cisco Model RVS4000 routers site-to-site VPN IPsec tunnel setup?
the commands will remain same.
Sorry my dear, you have a Linksys router (Cisco Linksys). These commands will not work; I shall send you another configuration.
May I know what your existing setup is? I mean, how is the RVS3000 connected?
ISP-------->MODEM (acting as bridge)---------RVS4000 or ISP------->ADSL--------->RVS4000
ASKER
OK, basically if you could send me what I have to put here below. I have put the same information on both sites but still no connection is established. I change the remote and local IPs but don't know what's happening.
RVS 4000 set up window below:
IPSec VPN
Select Tunnel Entry:
IPSec VPN Tunnel: Enable Disable
Tunnel Name:
Local Group Setup
Local Security Gateway Type:
Domain Name:
IP address: . . .
Local Security Group Type:
IP Address: . . .
Subnet Mask:
255.255. .
Remote Group Setup
Remote Security Gateway Type:
Domain Name:
. . .
This Gateway accepts requests from any IP address.
Remote Security Group Type:
IP Address:
. . .
This Gateway accepts requests from any IP address.
Subnet Mask:
. . .
IPSec Setup
Keying Mode:
Phase 1:
Encryption:
Authentication:
Group:
Key Lifetime:
sec
Phase 2:
Encryption:
Authentication:
Perfect Forward Secrecy:
Preshared Key:
Group:
Key Lifetime:
sec
Encryption Algorithm:
(3DES: 24 ASCII)
Encryption Key:
Authentication Algorithm:
(MD5: 16 ASCII SHA1: 20 ASCII)
Authentication Key:
Inbound SPI:
(HEX 100-FFFFFFFF)
Outbound SPI:
(HEX 100-FFFFFFFF)
Status
Down
ASKER
Set up site A
**************
ADSL Modem->RVS4000 (a)->computer win xp
Set up site B
**************
ADSL Modem->RVS4000 (b)->computer winxp
Make sure you have a public IP address on the WAN interface of the RVS4000, or that the gateway of the RVS4000 forwards traffic to the RVS4000, on both sides.
Try accessing the remote gateway via its public IP address; if you succeed, then start the steps below.
Step 1:
Access the gateway's web-based setup page.
Step 2:
When the gateway's web-based setup page opens, click Security then click VPN.
Step 3:
Ensure that the:
• VPN is enabled on both sides;
• Local Secure Group is the same as the local gateway's LAN IP segment;
• Remote Secure Group is the same as the remote gateway's LAN IP segment;
• Remote Secure Gateway is the WAN/Internet IP address of the remote gateway;
• Encryption and Authentication are the same as that of the remote gateway; and
• Pre-Shared Key and Key Life Time are the same as that of the remote gateway.
Have you tried accessing the remote router via https://routerip ?
ASKER
Yes, I can log in remotely to both routers from both sites OK.
Have you tried:
• VPN is enabled on both sides;
• Local Secure Group is the same as the local gateway's LAN IP segment;
• Remote Secure Group is the same as the remote gateway's LAN IP segment;
• Remote Secure Gateway is the WAN/Internet IP address of the remote gateway;
• Encryption and Authentication are the same as that of the remote gateway; and
• Pre-Shared Key and Key Life Time are the same as that of the remote gateway.
If the tunnel is still down, please upload the VPN logs of either site.
ASKER
One question on the remote secure WAN/gateway: on the status page, the WAN IP address has beside it a subnet mask of 255.255.224.0, but in the router VPN page I have typed 255.255.255.0. Is this correct?
How many public IP addresses do you have? It looks like 255.255.224.0 is the wrong subnet; are you sure?
The subnet should be the same. Can you try
tracert -d publicip from your computer and check whether there is any timeout or loop?
ASKER
I only have one public ip for each site, no timeout or loop, good ip reply.
Then use the same subnet that you got on your site WAN address.
ASKER
It won't let me change from 255.255.224.0 because then I get this message: "Remote group and local cannot be in the same network", so I put 255.255.224.0.
I have noticed that on the status page of the router, there is a public IP from the other site indicated on the ARP/RARP Table, so I guess somehow the router has some type of connection with the other router.
I have checked all the rest of the parameters and the status is still down and I can't ping the other site locally.
1) What is your local WAN subnet?
Check your ADSL devices and paste what subnet you are getting for both sides (without the WAN IP).
Dear, two things:
1) If your LAN IP is 192.168.10.1 255.255.255.0, then your remote should not be the same; you can try another IP like 192.168.11.1 255.255.255.0.
2) If the WAN subnet is the same, this should not trouble you; the WAN IP should be unique.
Please send me a sanitized screenshot of your LAN and WAN (only hide the WAN IP).
Send me screenshots of your LAN, WAN and VPN (before uploading please hide the WAN IP) of both devices so I can post you the correct configuration, and send me the logs of your devices so I can understand what's happening.
ASKER
OK, this is how I have it configured. I had to type it, I don't know how to send you the screenshot.
*** SITE A ROUTER***
Ipsec VPN tunnel: Enabled
LOCAL GROUP SETUP
****************************
Local security gateway: IP ONLY
IP address: 186.91.10.10
Local security group type: subnet
IP address: 192.168.10.1
subnet mask: 255.255.255.0
REMOTE GROUP SETUP
****************************
remote security gateway type: IP only
IP address: 186.91.112.45
remote security group type: subnet
IP address: 192.168.11.1
subnet mask: 255.255.255.0
IPSEC SETUP
***************
Keying mode: IKE with Preshared Key
Phase1
Encryption: 3DES
Authentication: MD5
Group 768 bit
key lifetime: 28800 sec
Phase2
Encryption 3DES
Authentication MD5
Preshared key: 1234567890
group 768 bit
key lifetime 3600
encryption algorithm 3DES
Encryption key (blank)
authentication algorithm MD5
Authentication key (blank)
inbound sp 0
outbound sp 0
For site B router all is the same except I change the local IP address and remote to match the A router.
Reset your router to factory default and do the following configuration:
Logon to RVS4000 (Site A)
-------->VPN>IPSECVPN
-------->Enable
Tunnel Name (YOUR COMPANY)
Local Group Setup
Local Security Setup-----------IPONLY
IP Address---------------------192.168.10.0
Subnet Mask--------------------255.255.255.0
Remote Group Setup
Remote Security Group Type---------WAN IP REMOTE SITE
Remote Sec Type-------------(select security)
IP SEC SETUP----------------IKE WITH P
PHASE 1---------3DES
AUT-------------MD5
GROUP-----------1024
KEY life--------28800
PHASE2
ENY-------------3DES
AUT-------------SHA1
KEY-------------XXXXXXXXXXXXX
GROUP-----------1024
KEY LIFE--------XXXXX
connect
-----------------------------------------------------
Logon to RVS4000 (Site B)
-------->VPN>IPSECVPN
-------->Enable
Tunnel Name (YOUR COMPANY)
Local Group Setup
Local Security Setup-----------IPONLY
IP Address---------------------192.168.11.0
Subnet Mask--------------------255.255.255.0
Remote Group Setup
Remote Security Group Type---------WAN IP REMOTE SITE
Remote Sec Type-------------(select security)
IP SEC SETUP----------------IKE WITH P
PHASE 1---------3DES
AUT-------------MD5
GROUP-----------1024
KEY life--------28800
PHASE2
ENY-------------3DES
AUT-------------SHA1
KEY-------------XXXXXXXXXXXXX
GROUP-----------1024
KEY LIFE--------XXXXX
connect
• Local Secure Group is the same as the local gateway's LAN IP segment;
• Remote Secure Group is the same as the remote gateway's LAN IP segment;
• Remote Secure Gateway is the WAN/Internet IP address of the remote gateway;
• Encryption and Authentication are the same as that of the remote gateway; and
• Pre-Shared Key and Key Life Time are the same as that of the remote gateway.
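The checklist repeated in the answers above (mirrored local and remote groups, remote gateway set to the peer's WAN address, non-overlapping LANs, identical phase 1, phase 2 and pre-shared key) can be checked mechanically before touching either router. This is an added example, not part of the thread or the RVS4000 firmware; the dictionary field names, the key string and the WAN addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample data: field names are hypothetical and the WAN addresses
# are documentation-range placeholders, not values from the thread.
SITE_A = {
    "wan_ip": "198.51.100.10", "remote_gateway": "203.0.113.45",
    "local_group": "192.168.10.0/255.255.255.0",
    "remote_group": "192.168.11.0/255.255.255.0",
    "phase1": ("3DES", "MD5", 1024, 28800),   # enc, auth, DH group, lifetime
    "phase2": ("3DES", "SHA1", 1024, 3600),
    "psk": "constructed-example-key",
}
SITE_B = {
    "wan_ip": "203.0.113.45", "remote_gateway": "198.51.100.10",
    "local_group": "192.168.11.0/255.255.255.0",
    "remote_group": "192.168.10.0/255.255.255.0",
    "phase1": ("3DES", "MD5", 1024, 28800),
    "phase2": ("3DES", "SHA1", 1024, 3600),
    "psk": "constructed-example-key",
}

def net(group):
    # strict=False lets a host address such as 192.168.10.1 stand for its subnet
    return ipaddress.ip_network(group, strict=False)

def check_tunnel(a, b):
    """Return the checklist items on which the two tunnel ends disagree."""
    problems = []
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        if net(x["local_group"]) != net(y["remote_group"]):
            problems.append(f"{nx} local group != {ny} remote group")
        if x["remote_gateway"] != y["wan_ip"]:
            problems.append(f"{nx} remote gateway != {ny} WAN IP")
    if net(a["local_group"]).overlaps(net(b["local_group"])):
        problems.append("LAN subnets overlap")
    for key in ("phase1", "phase2", "psk"):
        if a[key] != b[key]:
            problems.append(f"{key} differs between sites")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(SITE_A, SITE_B) or ["both ends mirror each other"]:
        print(line)
```

An empty result means the two ends agree on every checklist item; it does not prove the tunnel will come up, since reachability of the WAN addresses is a separate check.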
ASKER
I have done everything as indicated above but can't connect. I'm thinking of changing routers. Could you please recommend 2 routers, brand and model, that I could purchase and that are simple to configure for a VPN?
Thanks
Since you are unable to connect, I would prefer not to assign points, regardless of whether your hardware is working or not.
If you have a limited budget you can go with a Cisco 800 series router (depending on availability); if you have a little more you can order any entry-level firewall (Sonicwall TZ series).
website: http://www.sonicwall.com/us/products/TZ_Series.html#tab=compare
live demo: http://livedemo.sonicwall.com/livedemo.html#html_UTM
If you can order a Sonicwall TZ210, this could be the best option:
1- for the cost of a router you will have Firewall, IPS, Gateway Anti-Virus
2- you will have VPN + SSL + Global VPN Client
Sometimes Sonicwall offers a buy-back, so once you think you want to upgrade you can exchange your firewall for a newer model (this offer varies from customer to customer and country to country).
ASKER
Thanks Syed_M_Usman, I appreciate your advice.
Best regards
If you don't mind, can you log on to your router > VPN, press the Print Screen button and send it to me, please.
you are welcome :)
ASKER
Site A looks fine, what about Site B?
ASKER
Site B is the same; I changed only the local and remote IPs to match the A router. All firewalls are off and still no connection. I think it has to do with a hardware malfunction. I'll try with Hamachi VPN and Sonicwall.
Thanks again.
ok, feel free to ask.
in phase 1 you can try with SHA1 instead of MD5.