07-22-2011 02:49 AM - edited 03-11-2019 02:02 PM
Dear Experts!!!!!!!!!!
I am using two routers to configure a site-to-site VPN.
One is a Cisco 2811 and the other is a Cisco 1841 router.
Do we need any license to configure IPSec VPN between these routers?
I am giving the sh version output for your reference.
CISCO-2811R#sh version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(22)YB7, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Mon 27-Sep-10 19:05 by prod_rel_team
ROM: System Bootstrap, Version 12.4(1r) [hqluong 1r], RELEASE SOFTWARE (fc1)
CISCO-2811R uptime is 16 minutes
System returned to ROM by reload at 06:55:16 UTC Fri Jul 22 2011
System image file is "flash:c2800nm-advsecurityk9-mz.124-22.YB7.bin"
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 2811 (revision 53.50) with 237568K/24576K bytes of memory.
Processor board ID FHK1114F3PQ
6 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
CISCO-2811R#
CISCO-1841R#sh ver
CISCO-1841R#sh version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(18c), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 05-Sep-08 12:23 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
CISCO-1841R uptime is 18 minutes
System returned to ROM by reload at 06:49:12 UTC Fri Jul 22 2011
System image file is "flash:c1841-advsecurityk9-mz.124-18c.bin"
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 1841 (revision 7.0) with 115712K/15360K bytes of memory.
Processor board ID FHK114420AA
2 FastEthernet interfaces
2 Serial(sync/async) interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31360K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x2102
CISCO-1841R#
Please advise me to go further...
Regards,
Janardhan
07-22-2011 08:24 AM
I have checked in the Feature Navigator, and according to that your 2811 image will support IPsec but your 1841 image will not support IPsec.
Check for an image supporting IPsec for the 1841.
07-22-2011 10:07 AM
Dear Jitendra!!!!
Thanks for your response!!!!
But I configured GRE tunneling with IPSec on these same two routers, and packets were successfully encrypted.
At the same time I configured IPSec VPN on both routers and the tunnel came up, but there was a ping issue.
So I am asking: is this related to the license or not?
Regards,
Janardhan
07-22-2011 08:21 PM
If your VPN is up and running then it will not be a license issue.
Perhaps you should check the configuration. Are you facing this issue only for ICMP or for all traffic through that tunnel?
07-22-2011 09:56 PM
Currently I am checking only ping between these two sites....
From Local interface of Site-A is pinging from the System is connected to Local interface of Site-B but not vice-versa...
Please advise me??
Regards,
Janardhan
07-22-2011 10:14 PM
For your reference I am attaching the configuration of my two sites.
I verified with
Sh crypto ipsec sa
Sh crypto isakmp
For both commands I got output with packets encapsulated and decapsulated.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO-1841R
!
boot-start-marker
boot-end-marker
!
enable password nipun
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key JANNU address 192.168.15.210
!
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.15.210
 set transform-set MYSET
 match address 112
!
!
!
interface FastEthernet0/0
 ip address 192.168.15.220 255.255.255.0
 ip access-group 113 in
 ip access-group 113 out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map MYMAP
!
interface FastEthernet0/1
 ip address 20.20.20.1 255.255.255.0
 ip access-group 113 in
 ip access-group 113 out
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.15.99
!
ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet0/0 overload
!
access-list 111 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 20.20.20.0 0.0.0.255 any
access-list 112 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 113 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
access-list 113 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 113 permit udp host 192.168.15.210 host 192.168.15.220 eq non500-isakmp
access-list 113 permit udp host 192.168.15.220 host 192.168.15.210 eq non500-isakmp
access-list 113 permit udp host 192.168.15.210 host 192.168.15.220 eq isakmp
access-list 113 permit udp host 192.168.15.220 host 192.168.15.210 eq isakmp
access-list 113 permit esp host 192.168.15.210 host 192.168.15.220
access-list 113 permit esp host 192.168.15.220 host 192.168.15.210
access-list 113 permit ahp host 192.168.15.210 host 192.168.15.220
access-list 113 permit ahp host 192.168.15.220 host 192.168.15.210
access-list 113 permit tcp any any
access-list 113 permit udp any any
access-list 113 permit icmp any any
access-list 113 permit esp any any
access-list 113 permit ahp any any
access-list 113 permit ip any any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password nipun
 login
!
scheduler allocate 20000 1000
end
07-23-2011 09:08 PM
This is only one site's configuration.
Is this a test router? If so, have you tried removing the NAT and then testing? You can also check the debug messages.
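Added example, not part of any post in this thread: a small Python check for the NAT interaction raised in the last reply, run over the relevant lines of the CISCO-1841R configuration posted above. It reports any flow the crypto ACL protects that the NAT ACL would translate first, and prints the mirrored crypto ACL the other site needs. The function names are hypothetical, and ACL entries are compared as exact text or `any`, not by subnet containment.

```python
import re

# Constructed sample: the relevant lines of the CISCO-1841R configuration above.
CONFIG = """\
crypto map MYMAP 10 ipsec-isakmp
 set peer 192.168.15.210
 match address 112
ip nat inside source list 111 interface FastEthernet0/0 overload
access-list 111 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 20.20.20.0 0.0.0.255 any
access-list 112 permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

# Numbered "ip" entries only; udp/esp/ahp lines (as in ACL 113) are skipped.
ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)\s*$")

def parse_acls(config):
    """Return {acl_number: [(action, source, destination), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return acls

def nat_exemption_gaps(config):
    """Flows permitted by the crypto ACL that the NAT ACL would translate."""
    acls = parse_acls(config)
    crypto = re.search(r"^\s*match address (\d+)", config, re.M).group(1)
    nat = re.search(r"^ip nat inside source list (\d+)", config, re.M).group(1)
    gaps = []
    for action, src, dst in acls.get(crypto, []):
        if action != "permit":
            continue
        # ACLs are first-match; with no matching entry the implicit deny applies,
        # which for a NAT ACL means "do not translate".
        verdict = next((a for a, s, d in acls.get(nat, [])
                        if s in (src, "any") and d in (dst, "any")), "deny")
        if verdict == "permit":
            gaps.append((src, dst))
    return gaps

def mirrored_crypto_acl(config, number="112"):
    """Crypto ACL lines the peer needs: same flows, source and destination swapped."""
    return ["access-list %s permit ip %s %s" % (number, dst, src)
            for action, src, dst in parse_acls(config).get(number, [])
            if action == "permit"]

if __name__ == "__main__":
    print("NAT exemption gaps:", nat_exemption_gaps(CONFIG))
    print("\n".join(mirrored_crypto_acl(CONFIG)))
```

An empty gap list means the posted 1841 configuration already exempts tunnel traffic from NAT, so the same check is worth running against the 2811 configuration that was not posted.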