04-15-2008 06:06 AM - edited 03-15-2019 10:04 AM
Good afternoon,
I have a Cisco 2851 running IOS Version 12.4(11)T2 with CME 4.0(2).
I will be running a Cisco 877w at the remote site.
What I am wondering is what are the best techniques to set this up?
Should I use a remote-access or a site-to-site type VPN solution?
What kind of tunnel setup should I configure? (PPTP, L2TP over IPSec, GRE, GRE over IPSec, pure IPSec)
I am assuming that once the VPN is configured for IP connectivity between the remote site and the main site, the phone setup will be the same as normal, as long as the phone has the correct TFTP IP address.
Can anyone help me with what methods are best?
04-15-2008 07:05 AM
Hi, if you don't have special security concerns, I would use GRE in the first place. That is easy to encipher with a crypto profile if the need arises. With a proper VPN you don't need to worry about where devices are and everything works transparently. You don't need to make VLANs or try to bring the remote phone into the local voice VLAN, as it will work anyway.
Hope this helps, please rate the post if it does!
04-15-2008 07:13 AM
At the moment my only security concern is that the local network at one site can communicate with the local network at the other site without external people being able to...
And that's the point of VPNs, isn't it?
What do you mean by special security concerns?
Just to make matters harder this is my setup at the main site.
2851router --> 3560switch --> 3560switch
The first 3560 switch has a lot of VLANs on it and does L3 routing.
Ideally I'd like the VPN to terminate on the 2851 and be able to reach a VLAN on the first 3560 switch.
Is that possible?
04-15-2008 07:22 AM
Hi, with a GRE setup, the remote site would receive routing information for all the VLANs and vice versa. So you have three (OSPF or RIP) routers: the 877, the 2851 where the tunnel lands, and the 3560.
The security consideration is whether you want the traffic to be encrypted or not. From the router's point of view it doesn't make much of a difference, but encryption is more overhead on the circuits, that's all.
04-17-2008 05:55 AM
Thanks for your advice so far p.bevilacqua!
Should I be looking at following this guide for my VPN?
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml
04-17-2008 07:07 AM
You can look at that, but your case should be somewhat simpler (no NAT and no firewall).
04-17-2008 12:20 PM
Since 12.3(7)T (nearly 4 years ago) there is absolutely NO REASON to be using the legacy crypto map configuration, particularly with GRE tunnels.
You should be using the IPsec VTI (Virtual Tunnel Interface) construct, which is much simpler, supports more features and is CEF switched. See the following URL:
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hipsctm.html
04-24-2008 06:02 AM
Thanks to both of you for your help.
This is what I've got so far for my config, which I have not quite implemented yet.
Central Router:
! Transform set must exist before the profile that references it
crypto ipsec transform-set t1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile p1
 set transform-set t1
!
! An ISAKMP (IKE phase 1) policy and a pre-shared key for the peer
! are also required for the tunnel to come up (not shown here)
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source 195.200.200.65
 tunnel destination 78.50.50.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile p1
Hub Router:
! Transform set must exist before the profile that references it
crypto ipsec transform-set t1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile p1
 set transform-set t1
!
! An ISAKMP (IKE phase 1) policy and a pre-shared key for the peer
! are also required for the tunnel to come up (not shown here)
interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
 tunnel source 78.50.50.3
 tunnel destination 195.200.200.65
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile p1
Apart from the static routes is that all that is needed to get a tunnel up between the two routers?
Many thanks once again.
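The following is an added, complete worked example of the static IPsec VTI setup discussed in this thread; it is not configuration from any of the posters or from the linked Cisco guide. It reuses the public and tunnel addresses from the posted config. The hostnames, the pre-shared key placeholder, the remote LAN 192.168.20.0/24, the hub-side summary 10.0.0.0/8, and the MTU/MSS values are assumptions for illustration only; substitute your own.

```cisco
! ===== Central (hub) 2851, public 195.200.200.65 =====
hostname HUB-2851
!
! IKE phase 1: how the two routers authenticate each other and protect the negotiation.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! Pre-shared key bound to the remote's public IP (placeholder, change it).
crypto isakmp key ChangeMeStrongPSK address 78.50.50.3
!
! IKE phase 2 proposal: ESP with AES encryption and SHA integrity.
crypto ipsec transform-set t1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile p1
 set transform-set t1
!
interface Tunnel0
 description VTI to remote 877w
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 195.200.200.65
 tunnel destination 78.50.50.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile p1
!
! Routing: whatever is routed into Tunnel0 is what gets encrypted.
! Remote LAN (assumed 192.168.20.0/24) is reached through the tunnel.
ip route 192.168.20.0 255.255.255.0 Tunnel0
! The L3 3560 behind the hub also needs a route for 192.168.20.0/24
! pointing at the 2851, or the return traffic never reaches the tunnel.
!
! ===== Remote 877w, public 78.50.50.3 =====
hostname REMOTE-877W
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ChangeMeStrongPSK address 195.200.200.65
!
crypto ipsec transform-set t1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile p1
 set transform-set t1
!
interface Tunnel0
 description VTI to hub 2851
 ip address 172.16.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 78.50.50.3
 tunnel destination 195.200.200.65
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile p1
!
! Hub-side VLANs (assumed to live in 10.0.0.0/8) go through the tunnel;
! the CME TFTP/call-agent address must fall inside this range.
ip route 10.0.0.0 255.0.0.0 Tunnel0
!
! ===== Verification (either side) =====
! show crypto isakmp sa          -> peer should be QM_IDLE / ACTIVE
! show crypto ipsec sa           -> encaps/decaps counters increasing
! show interface tunnel0         -> line protocol up once the SA exists
! ping 172.16.1.2 source 172.16.1.1
```

Two practical checks: if either router has an inbound ACL on its public interface, it must permit UDP 500 (IKE) and IP protocol 50 (ESP) from the peer, otherwise phase 1 never completes; and the lowered `ip mtu` / `tcp adjust-mss` on the tunnel avoids fragmentation of the encrypted packets, which otherwise shows up as working pings but broken phone registration and TFTP downloads.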