03-09-2009 11:16 AM - edited 03-11-2019 08:02 AM
Hello,
I have two sites that I have configured as below:
VOIP -> Router -> Gateway (VSAT).
See config (question afterwards)
Current configuration : 2030 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname DODO
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$l1OE$DHIRTxdvpti8f1AzCosgd0
!
mmi polling-interval 60
mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip dhcp ping packets 0
!
!
ip domain name dodoeng.com
ip name-server 62.173.37.3
ip name-server 80.247.148.142
ip name-server 62.173.34.222
ip name-server 81.199.3.7
ip name-server 217.117.0.38
ip name-server 81.199.3.18
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
!
interface Tunnel0
ip address 172.20.1.1 255.255.255.252
tunnel source "ROUTER OUTSIDE IP"
tunnel destination "2nd site OUTSIDE IP"
!
interface Loopback0
no ip address
!
interface Ethernet0
description DODO LAN
ip address 10.234.84.1 255.255.255.0
ip access-group 128 in
ip access-group 110 out
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
full-duplex
no cdp enable
!
interface FastEthernet0
description WAN link to ipNX
bandwidth 600
ip address "outside ip" 255.255.255.248
ip accounting output-packets
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 "modem ip"
ip route 10.234.85.0 255.255.255.0 Tunnel0
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
ip dns server
!
!
access-list 1 permit 10.234.84.0 0.0.0.255
access-list 110 deny tcp any host 10.234.84.207 eq www
access-list 110 permit ip any any
access-list 128 deny tcp 10.234.84.0 0.0.0.255 host 10.234.84.214 eq www
access-list 128 permit ip any any
snmp-server enable traps tty
snmp-server manager
!
!
control-plane
!
!
line con 0
password 7 094F471A1A0A
login
line aux 0
password 7 104D000A0618
login
line vty 0 4
password 7 104D000A0618
login
line vty 5 15
password 7 060506324F41
login
!
end
I am unable to ping the network 10.234.85.0 on the other site (this is the essence of the VPN, using VOIP to make calls between sites).
Is the tunnel IP relevant (I met this on the previous config)? What do I use as the loopback IP?
The bottom line is, I need to get these two sites on through VPN, while they also access the internet. Internet is accessible with this config though.
Router 1721.
Help
Thanks
Daniel
03-09-2009 01:47 PM
So you want to setup GRE tunnel between two sites.
Can you ping the remote tunnel interface -- 172.20.1.2?
If yes, make sure you have static route for the tunnel traffic configured on both sides.
03-10-2009 06:04 AM
Hi, your config should look like this:
FIRST SIDE: some output omitted
!
version 12.3
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 ******* address "other side IP add"
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
interface Tunnel0
ip address 172.20.1.1 255.255.255.252
tunnel source "ROUTER OUTSIDE IP"
tunnel destination "2nd site OUTSIDE IP"
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
!
interface Ethernet0
description DODO LAN
ip address 10.234.84.1 255.255.255.0
ip access-group 128 in
ip access-group 110 out
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
full-duplex
no cdp enable
!
interface FastEthernet0
description WAN link to ipNX
bandwidth 600
ip address "outside ip" 255.255.255.248
ip accounting output-packets
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
no cdp enable
!
ip route 0.0.0.0 0.0.0.0 "modem ip"
!
ip route 10.234.85.0 255.255.255.0 172.20.1.2
!
SECOND SIDE: some output omitted
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 ******* address "other side IP add"
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set TSET
!
!
!
!
!
interface Tunnel0
ip address 172.20.1.2 255.255.255.252
tunnel source "ROUTER OUTSIDE IP"
tunnel destination "2nd site OUTSIDE IP"
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
!
interface Loopback0
no ip address
!
interface Ethernet0
description DODO LAN
ip address 10.234.85.1 255.255.255.0
ip access-group 128 in
ip access-group 110 out
ip accounting output-packets
ip nat inside
ip virtual-reassembly
ip route-cache flow
full-duplex
no cdp enable
!
interface FastEthernet0
description WAN link to ipNX
bandwidth 600
ip address "outside ip" 255.255.255.248
ip accounting output-packets
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
no cdp enable
ip route 0.0.0.0 0.0.0.0 "modem ip"
!
ip route 10.234.84.0 255.255.255.0 172.20.1.1
!
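An added example, not part of the reply above or of any Cisco tooling: a small Python check that the two sides mirror each other the way the reply's config requires (tunnel addresses in one /30, identical ISAKMP policy and transform set, tunnel protection applied, and a static route to the remote LAN via the tunnel). The function names are hypothetical, and `side()` builds constructed sample input from the addresses in the thread.

```python
import ipaddress

def parse(cfg):
    """Extract the fields both ends of the tunnel must agree on."""
    info, iface = {"crypto": set(), "routes": [], "addr": {}, "protected": False}, None
    for line in map(str.strip, cfg.splitlines()):
        w = line.split()
        if line.startswith("interface "):
            iface = w[1]
        # Quoted placeholders such as "outside ip" split into extra words and are skipped.
        elif line.startswith("ip address ") and iface and len(w) == 4:
            info["addr"][iface] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif line.startswith("ip route ") and len(w) == 5:
            info["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}"), w[4]))
        elif line.startswith(("encr ", "authentication ", "group ",
                              "crypto ipsec transform-set ")):
            info["crypto"].add(line)
        elif line.startswith("tunnel protection ipsec"):
            info["protected"] = True
    return info

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches between the two sides (empty means consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    ta, tb = a["addr"].get("Tunnel0"), b["addr"].get("Tunnel0")
    problems = []
    if not ta or not tb or ta.network != tb.network or ta.ip == tb.ip:
        problems.append("tunnel addresses are not two hosts in one subnet")
    if a["crypto"] != b["crypto"]:
        problems.append("ISAKMP policy or transform set differs between sides")
    for name, me, peer, peer_tun in (("A", a, b, tb), ("B", b, a, ta)):
        if not me["protected"]:
            problems.append(f"side {name}: Tunnel0 has no tunnel protection")
        lan = peer["addr"].get("Ethernet0")
        hops = [h for net, h in me["routes"] if lan and net == lan.network]
        if not peer_tun or not any(h in (str(peer_tun.ip), "Tunnel0") for h in hops):
            problems.append(f"side {name}: no route to remote LAN via the tunnel")
    return problems

def side(tun_ip, lan_ip, remote_lan, next_hop, protect=True):
    """Constructed sample input: one side of the reply, reduced to the checked lines."""
    return "\n".join([
        "crypto isakmp policy 1", "encr 3des", "authentication pre-share", "group 2",
        "crypto ipsec transform-set TSET esp-3des esp-sha-hmac", "interface Tunnel0",
        f"ip address {tun_ip} 255.255.255.252", "tunnel mode ipsec ipv4",
        "tunnel protection ipsec profile VTI" if protect else "!",
        "interface Ethernet0", f"ip address {lan_ip} 255.255.255.0",
        f"ip route {remote_lan} 255.255.255.0 {next_hop}"])

GOOD_A = side("172.20.1.1", "10.234.84.1", "10.234.85.0", "172.20.1.2")
GOOD_B = side("172.20.1.2", "10.234.85.1", "10.234.84.0", "172.20.1.1")
print(check_pair(GOOD_A, GOOD_B) or "both sides are consistent")
```

The check only compares the two sides with each other; it does not assess the strength of the 3DES and group 2 parameters used in the reply.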