2621 to 2621 IPSec Tunnel over Internet

admin_2
Level 3

Thanks for any suggestions in advance.

I'm attempting to configure a simple VPN between two 2621s over the web. Since I'm fairly new to this, I'm thinking I've probably overlooked something obvious in my configuration.

So without further ado, here it is (IPs changed for security):

Router 1:

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key VPNtunnel address x.x.x.x
!
!
crypto ipsec transform-set TUNNEL0 esp-des esp-md5-hmac
!
crypto map TO-CG local-address FastEthernet0/0
crypto map TO-CG 1 ipsec-isakmp
set peer 4.1.1.164
set transform-set TUNNEL0
match address 100
!
!
!
!
!
interface FastEthernet0/0
description Connection to Internet through DSL
ip address x.1.x.x 255.255.255.248
ip nat outside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
ntp disable
no cdp enable
crypto map TO-CG
!
interface Serial0/0
no ip address
shutdown
no fair-queue
no cdp enable
!
interface FastEthernet0/1
description Connection to Internal Network 1.1.0.0
ip address x.x.x.x 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 3.1.1.9
no ip http server
!
access-list 1 permit 1.1.0.0 0.0.0.255
access-list 100 permit ip 1.1.0.0 0.0.0.255 2.0.0.0 0.0.0.255
access-list 100 permit ip 1.1.0.0 0.0.0.255 any
no cdp run

Router 2:

crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key VPNTunnel address x.x.x.x
!
!
crypto ipsec transform-set TUNNEL0 esp-des esp-md5-hmac
!
crypto map CG-TO local-address FastEthernet0/1
crypto map CG-TO 1 ipsec-isakmp
set peer 3.1.1.13
set transform-set TUNNEL0
match address 100
!
!
!
!
!
interface FastEthernet0/0
description Connection
ip address 2.0.0.2 255.255.0.0
ip nat inside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address x.x.x 255.255.255.240
ip nat outside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface Serial0/1
no ip address
shutdown
!
ip default-gateway 4.1.1.161
ip nat inside source list 1 interface FastEthernet0/1 overload
ip classless
no ip forward-protocol udp
ip route 0.0.0.0 0.0.0.0 4.1.1.161
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip 2.0.0.0 0.0.255.255 1.1.0.0 0.0.0.255
access-list 100 permit ip 2.0.0.0 0.0.255.255 any

Each router can see each other's WAN IP, and hosts on each internal network can ping the remote router's WAN port. Each router must be able to route both VPN and general Internet traffic.

Do I need a route-map policy? Or is having a standard access-list (for NAT) and an extended access-list (for IPSec) not the solution here?

Thanks!
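The NAT-exemption change a practitioner would usually try first on a setup like this, as an added example and not configuration from this thread. It assumes the LAN behind Router 1 is 1.1.0.0/24 and the LAN behind Router 2 is 2.0.0.0/16 (the masks on the inside interfaces in the post), and it takes the ISAKMP peer addresses from the two set peer lines since the key lines are obfuscated.

```cisco
! ===== Router 1 (WAN Fa0/0, LAN 1.1.0.0/24) =====
! IOS translates inside->outside traffic BEFORE it is checked against the
! crypto map, so LAN-to-LAN packets must be excluded from NAT overload or
! they leave sourced from the WAN address and never match crypto ACL 100.
! A deny in an extended NAT ACL does this; a route-map is not required.
no ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 101 deny   ip 1.1.0.0 0.0.0.255 2.0.0.0 0.0.255.255
access-list 101 permit ip 1.1.0.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
!
! Crypto ACL: only the LAN-to-LAN pair. The "permit ip 1.1.0.0 0.0.0.255 any"
! line in the post would try to send all Internet traffic through the tunnel.
no access-list 100
access-list 100 permit ip 1.1.0.0 0.0.0.255 2.0.0.0 0.0.255.255
!
! Pre-shared keys are compared exactly (case included); "VPNtunnel" on one
! side and "VPNTunnel" on the other will not authenticate.
crypto isakmp key VPNtunnel address 4.1.1.164
!
! ===== Router 2 (WAN Fa0/1, LAN 2.0.0.0/16) - mirror image =====
no ip nat inside source list 1 interface FastEthernet0/1 overload
access-list 101 deny   ip 2.0.0.0 0.0.255.255 1.1.0.0 0.0.0.255
access-list 101 permit ip 2.0.0.0 0.0.255.255 any
ip nat inside source list 101 interface FastEthernet0/1 overload
no access-list 100
access-list 100 permit ip 2.0.0.0 0.0.255.255 1.1.0.0 0.0.0.255
crypto isakmp key VPNtunnel address 3.1.1.13
!
! After the change, from exec mode on each router:
!   clear ip nat translation *      (drop stale overload entries)
!   show crypto isakmp sa           (expect QM_IDLE once phase 1 is up)
!   show crypto ipsec sa            (encaps/decaps counters should increment)
!   show ip nat translations        (LAN-to-LAN flows must NOT appear here)
```

The two crypto ACLs are exact mirrors of each other (source and destination swapped), which the post's ACL 100 lines are not; the wildcard for 2.0.0.0 differs between the two routers there.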

2 Replies

gmiiller
Level 1

You don't seem to have applied the crypto map to interface fast0/1 on router 2

Not applicable

Sorry, my mistake, that was a copy/paste error - it actually is applied to the interface, but still no go.