Posted on 2013-11-16
Last Modified: 2014-01-01

I'm trying to establish a Site to Site IPSEC VPN using a Cisco 891 3G Router and another unknown Cisco router at Head Office.

My job is to configure the Cisco 891 3G Router to establish a Site to Site VPN connection to the Head Office router, and the Head Office network engineers have provided the configuration that I have to apply on this 891 3G branch office router to establish a VPN tunnel to HO. I have attached the configuration information provided by the HO engineers for your reference.

I myself assume the configuration below will create the VPN tunnel to the HO router, based on the details provided by the HO engineers.

crypto isakmp policy 1
 authentication pre-share
 hash sha1
 encryption aes 256
 group 5
 lifetime 86400
crypto isakmp key !A8Ia<560d{hsEISR`;%!<7Wg8#{9/B08&&W9B| address X.X.X.X
crypto ipsec transform-set myset esp-aes esp-sha

access-list 101 permit ip
crypto HO 10 ipsec-isakmp
 set peer X.X.X.X
 match address 101
 set transform-set myset
int dialer 0
 crypto map HO

Could you please check and see whether the configuration provided above has all the commands needed to establish the IPSEC VPN tunnel to HO with the information provided by the HO engineers?

Also, please provide step-by-step instructions to configure Site to Site VPN on a Cisco 891 3G Router.

Question by: nirmal_s19
Author Comment

ID: 39655649
Any help on the above, please? It's been 2 days since I requested help.

Accepted Solution

logic2 earned 500 total points
ID: 39656154

Here is how I think the configuration should be.
Please note that you have to know the preshared key in clear text in order to configure it below.

crypto isakmp policy 1
 authentication pre-share
 encr aes 256
 group 5
 hash sha
 lifetime 86400

crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
crypto isakmp key 0 <Key> address x.x.x.x
access-list 100 permit ip
crypto map HO 10 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime seconds 86400
 set transform-set myset
 set pfs group5
 match address 100

interface dialer 0
 crypto map HO
Expert Comment

ID: 39674703
If you have NAT configured, you will still have problems; you also need to add a nonat rule for the VPN traffic flow.

harbor235 ;}
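
A pre-deployment cross-check for the crypto map configuration discussed in this thread, added here as an example and not part of any post above. The function name `lint_ipsec`, the documentation-range addresses, the subnets and the key placeholder are assumptions; the check only confirms that the crypto map, peer key, transform-set and access-list refer to each other, and does not validate IOS syntax.

```python
import re

def lint_ipsec(config):
    """Cross-check an IOS crypto-map config; return a list of findings."""
    tsets, key_peers, acls, applied = set(), set(), set(), set()
    maps, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"crypto ipsec transform-set (\S+) \S+", line):
            tsets.add(m[1])
        elif m := re.match(r"crypto isakmp key .+ address (\S+)", line):
            key_peers.add(m[1])
        elif m := re.match(r"access-list (\d+) permit ip \S+ \S+", line):
            acls.add(m[1])           # counts only if networks follow "ip"
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line):
            cur = maps.setdefault(m[1], {})
        elif m := re.match(r"crypto map (\S+)$", line):
            applied.add(m[1])        # attachment under an interface
        elif cur is not None and (
                m := re.match(r"(set peer|set transform-set|match address) (\S+)", line)):
            cur[m[1]] = m[2]         # sub-command of the current map entry
    findings = [f"crypto map {n} applied to an interface but never defined"
                for n in sorted(applied - set(maps))]
    for name, entry in sorted(maps.items()):
        if name not in applied:
            findings.append(f"{name}: not applied to any interface")
        if entry.get("set peer") not in key_peers:
            findings.append(f"{name}: no isakmp key for peer {entry.get('set peer')}")
        if entry.get("set transform-set") not in tsets:
            findings.append(f"{name}: transform-set {entry.get('set transform-set')} undefined")
        if entry.get("match address") not in acls:
            findings.append(f"{name}: access-list {entry.get('match address')} has no networks")
    return findings

# Constructed sample: documentation addresses, assumed subnets, placeholder key.
GOOD = """\
crypto isakmp key 0 PLACEHOLDER address 203.0.113.1
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
access-list 100 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
crypto map HO 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set myset
 match address 100
interface dialer 0
 crypto map HO
"""
# Same config with the "map" keyword dropped, as in the question's crypto map line.
BROKEN = GOOD.replace("crypto map HO 10", "crypto HO 10")
if __name__ == "__main__":
    print(lint_ipsec(GOOD), lint_ipsec(BROKEN), sep="\n")
```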
