topic VPN site to site config help in Network Security

VPN site to site config help

toyinsekoni — Mon, 11 Mar 2019 15:02:22 GMT

Hello,

I have two sites i have configured as below:

VOIP -> Router -> Gateway (VSAT).

See config (question afterwards)

Current configuration : 2030 bytes

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname DODO

boot-start-marker

boot-end-marker

enable secret 5 $1$l1OE$DHIRTxdvpti8f1AzCosgd0

mmi polling-interval 60

mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

no aaa new-model

ip subnet-zero

ip dhcp ping packets 0

ip domain name dodoeng.com

ip name-server 62.173.37.3

ip name-server 80.247.148.142

ip name-server 62.173.34.222

ip name-server 81.199.3.7

ip name-server 217.117.0.38

ip name-server 81.199.3.18

ip cef

ip ips po max-events 100

no ftp-server write-enable

interface Tunnel0

ip address 172.20.1.1 255.255.255.252

tunnel source "ROUTER OUTSIDE IP"

tunnel destination "2nd site OUTSIDE IP"

interface Loopback0

no ip address

interface Ethernet0

description DODO LAN

ip address 10.234.84.1 255.255.255.0

ip access-group 128 in

ip access-group 110 out

ip accounting output-packets

ip nat inside

ip virtual-reassembly

ip route-cache flow

full-duplex

no cdp enable

interface FastEthernet0

description WAN link to ipNX

bandwidth 600

ip address "ouside ip" 255.255.255.248

ip accounting output-packets

ip nat outside

ip virtual-reassembly

ip route-cache flow

speed 100

full-duplex

no cdp enable

ip classless

ip route 0.0.0.0 0.0.0.0 "modem ip"

ip route 10.234.85.0 255.255.255.0 Tunnel0

ip http server

ip http secure-server

ip nat inside source list 1 interface FastEthernet0 overload

ip dns server

access-list 1 permit 10.234.84.0 0.0.0.255

access-list 110 deny tcp any host 10.234.84.207 eq www

access-list 110 permit ip any any

access-list 128 deny tcp 10.234.84.0 0.0.0.255 host 10.234.84.214 eq www

access-list 128 permit ip any any

snmp-server enable traps tty

snmp-server manager

control-plane

line con 0

password 7 094F471A1A0A

line aux 0

password 7 104D000A0618

line vty 0 4

password 7 104D000A0618

line vty 5 15

password 7 060506324F41

end

i am unable to ping the network 10.234.85.0 on the other site (this is the essence of the VPN, using VOIP to make call between sites).

Is the tunnel ip relevant (i met this on the previous config). What do i use as the loopback ip?

The bottom line is, i need to get these two sites on thru VPN, while they also access the internet. Internet is accessible with this config though.

Router 1721.

Help

Thanks

Daniel

Re: VPN site to site config help

Yudong Wu — Mon, 09 Mar 2009 20:47:23 GMT

So you want to setup GRE tunnel between two sites.

Can you ping the remote tunnel interface -- 172.20.1.2?

If yes, make sure you have static route for the tunnel traffic configured on both sides.

Re: VPN site to site config help

zenon_electronics — Tue, 10 Mar 2009 13:04:24 GMT

Hi, your config should look like this:

FIRST SIDE:some output omitted

version 12.3

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp key 6 ******* address "other side IP add"

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

crypto ipsec profile VTI

set transform-set TSET

interface Tunnel0

ip address 172.20.1.1 255.255.255.252

tunnel source "ROUTER OUTSIDE IP"

tunnel destination "2nd site OUTSIDE IP"

tunnel mode ipsec ipv4

tunnel protection ipsec profile VTI

interface Ethernet0

description DODO LAN

ip address 10.234.84.1 255.255.255.0

ip access-group 128 in

ip access-group 110 out

ip accounting output-packets

ip nat inside

ip virtual-reassembly

ip route-cache flow

full-duplex

no cdp enable

interface FastEthernet0

description WAN link to ipNX

bandwidth 600

ip address "ouside ip" 255.255.255.248

ip accounting output-packets

ip nat outside

ip virtual-reassembly

ip route-cache flow

speed 100

full-duplex

no cdp enable

ip route 0.0.0.0 0.0.0.0 "modem ip"

ip route 10.234.85.0 255.255.255.0 172.20.1.2

SECOND SIDE: some output omitted

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp key 6 ******* address "other side IP add"

crypto ipsec transform-set TSET esp-3des esp-sha-hmac

crypto ipsec profile VTI

set transform-set TSET

interface Tunnel0

ip address 172.20.1.2 255.255.255.252

tunnel source "ROUTER OUTSIDE IP"

tunnel destination "2nd site OUTSIDE IP"

tunnel mode ipsec ipv4

tunnel protection ipsec profile VTI

interface Loopback0

no ip address

interface Ethernet0

description DODO LAN

ip address 10.234.85.1 255.255.255.0

ip access-group 128 in

ip access-group 110 out

ip accounting output-packets

ip nat inside

ip virtual-reassembly

ip route-cache flow

full-duplex

no cdp enable

interface FastEthernet0

description WAN link to ipNX

bandwidth 600

ip address "ouside ip" 255.255.255.248

ip accounting output-packets

ip nat outside

ip virtual-reassembly

ip route-cache flow

speed 100

full-duplex

no cdp enable

ip route 0.0.0.0 0.0.0.0 "modem ip"

ip route 10.234.84.0 255.255.255.0 172.20.1.1