IPSEC Lan to Lan to Internet

GregMc
Beginner

Hi, I have a requirement to implement an IPsec service like the attached pic. Due to a 3rd party LAN that carries traffic I would like an IPsec tunnel between two routers. The end users will need internet (NAT to, say, a 192.168.1.x).
Does anyone have a suitable config to suit, or could point me in the right direction? The end internet users will need DHCP too.

Attachment: NETWORK.jpg (network diagram)

Accepted Solution

GregMc
Beginner

My final solution after days on this was to use Dynamic Multipoint IPsec VPN as described in:
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html
I did note that there is a LOT of OLD doco out there that will not run properly on IOS 12.3 or higher for this type of stuff.

I used a MikroTik router (static) to simulate the 3rd party WAN, as well as giving me an option to see the traffic live (using RouterOS torch!). That's why there are some static IPs on the interfaces (also note the ip route statements I added to suit the testing environment).

HUB / Internet / internal WAN config (runs on IOS v12.4 on a c1841)

------------------

hostname hub
!
! IKE phase 1: pre-shared key authentication. Only the authentication method is set,
! so encryption, hash and DH group fall back to the IOS defaults. The 0.0.0.0 0.0.0.0
! wildcard lets any peer that knows MYPASSWORD negotiate, which is what a hub with
! spokes on changing addresses needs.
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key MYPASSWORD address 0.0.0.0 0.0.0.0
!
! Phase 2 transform set. DES and MD5 are legacy algorithms; IOS 12.4 also offers
! esp-aes and esp-sha-hmac. Transport mode protects the GRE packet without adding
! a second outer IP header.
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
! Advertised into EIGRP; the spoke's default route points at this address.
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
 ip virtual-reassembly
!
! Multipoint GRE tunnel protected by the IPsec profile. This router is the NHRP hub
! (spokes register here) and the tunnel is the NAT inside interface, so spoke LAN
! traffic arriving through it is translated on FastEthernet0/0.
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 600
 ip virtual-reassembly
 no ip split-horizon eigrp 1
 delay 1000
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
! Internet side: address (and default route) from the ISP via DHCP, NAT outside.
interface FastEthernet0/0
 description WAN - To Internet Connection
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
! Side facing the 3rd party WAN; the spoke's tunnel destination is this address.
interface FastEthernet0/1
 description To 3rd party WAN
 ip address 10.130.100.37 255.255.255.0
 duplex auto
 speed auto
!
! EIGRP over the tunnel; split horizon is disabled on Tunnel0 above so that routes
! learnt from one spoke can be re-advertised to the others.
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.0.0
 no auto-summary
!
! Lab-only static route: the spoke's WAN address via the router simulating the 3rd party WAN.
ip route 10.100.100.2 255.255.255.255 10.130.100.1
!
! PAT everything from 192.168.0.0/16 (which includes the spoke LAN 192.168.1.0/24)
! out of the Internet interface.
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.255.255 any
!
**************** SPOKE SITE (router) connected to the 3rd party WAN / to end users ****************

hostname Spoke
!
! Same phase 1 settings as the hub. The wildcard means this spoke will also accept
! any peer presenting MYPASSWORD; because the hub address is fixed (10.130.100.37)
! the key could be scoped to that host instead.
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key MYPASSWORD address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set trans2
!
! Point-to-point GRE to the hub's address on the 3rd party WAN (no "tunnel mode gre
! multipoint" here, so the destination is static). NHRP registers the spoke with the
! hub, its next-hop server (NHS), at the hub's tunnel address 10.0.0.1. The tunnel key
! and NHRP authentication string must match the hub, and the transform set must be
! compatible with the hub's.
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map 10.0.0.1 10.130.100.37
 ip nhrp network-id 100000
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 delay 1000
 tunnel source FastEthernet0/0
 tunnel destination 10.130.100.37
 tunnel key 100000
 tunnel protection ipsec profile vpnprof
!
! Spoke interface on the 3rd party WAN (static address in this lab setup).
interface FastEthernet0/0
 description WAN-Network
 ip address 10.100.100.2 255.255.255.0
 duplex auto
 speed auto
!
! End-user LAN; gateway for the DHCP pool below.
interface FastEthernet0/1
 description LAN-Network to
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
! Default route via the hub loopback, which EIGRP learns through the tunnel, so all
! end-user Internet traffic crosses the 3rd party WAN inside the IPsec tunnel and is
! NATed on the hub.
ip route 0.0.0.0 0.0.0.0 192.168.0.1
! Lab-only static route: the hub's WAN address via the router simulating the 3rd party WAN.
ip route 10.130.100.37 255.255.255.255 10.100.100.1
!
! DHCP for the end users on FastEthernet0/1.
ip dhcp pool EndUsers
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 4.4.4.4
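As an added example (not part of any post in this thread), a small Python check that parses trimmed copies of the two configs above and reports the hub/spoke values that have to agree: tunnel key, spoke tunnel destination versus the hub's tunnel source address, NHS versus the hub's tunnel address, whether the hub NAT ACL covers the spoke LAN, and whether the spoke's pre-shared key is scoped to the hub rather than the 0.0.0.0 wildcard. The `sections`/`setting` helpers and the check wording are my own; the config text is copied from the posts.

```python
import ipaddress
# Constructed, trimmed copies of the hub and spoke configs posted above ("!" separators dropped).
HUB_CFG = """interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel key 100000
interface FastEthernet0/1
 ip address 10.130.100.37 255.255.255.0
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.255.255 any"""
SPOKE_CFG = """crypto isakmp key MYPASSWORD address 0.0.0.0 0.0.0.0
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp nhs 10.0.0.1
 tunnel destination 10.130.100.37
 tunnel key 100000
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0"""

def sections(cfg):
    """Split IOS config text into {top-level command: [its indented sub-commands]}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith(" "):
            cur.append(line.strip())
        else:
            cur = out.setdefault(line.strip(), [])
    return out

def setting(lines, prefix):  # value following `prefix` in one block, or None if absent
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), None)

def check_dmvpn(hub_cfg, spoke_cfg):
    """Return hub/spoke mismatches that would break the tunnel, NHRP or NAT, plus a PSK scoping warning."""
    hub, spoke = sections(hub_cfg), sections(spoke_cfg)
    h, s = hub["interface Tunnel0"], spoke["interface Tunnel0"]
    hub_wan = setting(hub["interface " + setting(h, "tunnel source")], "ip address").split()[0]
    acl = hub["ip access-list extended NAT"][0].split()   # permit ip NETWORK WILDCARD any
    nat_net = ipaddress.ip_network(f"{acl[2]}/{acl[3]}")  # ipaddress accepts the wildcard as a hostmask
    lan = ipaddress.ip_network(setting(spoke["interface FastEthernet0/1"], "ip address").replace(" ", "/"), strict=False)
    spoke_psk = next((k for k in spoke if k.startswith("crypto isakmp key")), "")
    checks = [
        (setting(h, "tunnel key") == setting(s, "tunnel key"), "tunnel key differs"),
        (setting(s, "tunnel destination") == hub_wan, "spoke tunnel destination is not the hub tunnel source address"),
        (setting(s, "ip nhrp nhs") == setting(h, "ip address").split()[0], "spoke NHS is not the hub tunnel address"),
        (lan.subnet_of(nat_net), f"hub NAT ACL does not cover spoke LAN {lan}"),
        (f" address {hub_wan}" in spoke_psk, "spoke ISAKMP key is not scoped to the hub address"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run against the posted configs it reports only the wildcard pre-shared key on the spoke; changing the spoke's tunnel key or LAN address makes the corresponding check fire.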

4 Replies

Seb Rupik
VIP Advisor

Hi there,

If you are trying to secure all the clear traffic from the 'lower' site on your diagram from transiting the 3rd party LAN, then this is a perfect use case for a tunnel/"frontdoor" VRF. I wrote a blog post about it here:

https://configif.wordpress.com/2017/12/21/tunnel-vrf/

cheers,

Seb.

I will further investigate the tunnel/IPsec option today. That said, as it's for a production environment I need to get this exact. I haven't had to do something like this before, so it's a bit of a learning curve for me!

On the basis that the external facing interface of the lower router does not have a fixed IP address (guessing due to the use of DHCP) I would tend to head for an encrypted GRE tunnel. I have done quite a few of these in the past with Internet-based hub-&-spoke solutions, where the spokes have either fixed or variable IP addresses. I guess there could be plenty of alternative methods.

Hope this helps,

Dave
