Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2334
  • Last Modified:

Site-To-Site VPN with Cisco 887

I have a client with Cisco 887 router on each site, and I need to create a vpn between sites, I have added this to my config, but no VPN works:

crypto isakmp key *VPNpsk#1 address XXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to XXX.XXX.XXX.XXX
 set peer XXX.XXX.XXX.XXX
 set transform-set ESP-3DES-SHA
 match address 100
!
bridge irb

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

any ideas, or working configs??
0
fns-netsys
Asked:
fns-netsys
1 Solution
 
Jody LemoineNetwork ArchitectCommented:
It's hard to say without seeing the entire configuration. Depending on how the rest of your configuration looks, you may be running into problems with NAT, external ACLs, &c.

If you're connecting a pair of IOS routers, you can simplify things a bit by using a virtual tunnel interface. This eliminates complexities with NAT and allows you to use standard routing.

Router 1:

crypto isakmp key *VPNpsk#1 address x.x.x.x no-xauth
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile crypto-ipsec-pr-vti
 set transform-set ESP-3DES-SHA
!
interface Tunnel0
 ip address 192.168.255.0 255.255.255.254
 tunnel source Dialer1 (or whatever your outside interface is)
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.x
 tunnel protection ipsec profile crypto-ipsec-pr-vti
!
ip route 192.168.2.0 255.255.255.0 Tunnel0

Router 2:

crypto isakmp key *VPNpsk#1 address x.x.x.x no-xauth
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile crypto-ipsec-pr-vti
 set transform-set ESP-3DES-SHA
!
interface Tunnel0
 ip address 192.168.255.1 255.255.255.254
 tunnel source Dialer1 (or whatever your outside interface is)
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.x
 tunnel protection ipsec profile crypto-ipsec-pr-vti
!
ip route 192.168.1.0 255.255.255.0 Tunnel0

Also, make sure that your access lists are allowing ISAKMP (500/udp) and ESP to reach the router.
0
 
fns-netsysAuthor Commented:
Awesome, thank you so much! this worked flawlessly.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now