Configuring Router Site to Site VPN + Internet for users

egyptology
Level 1

Topology:

L2 Switch ----   Router ---- CSU-DSU

Objectives:

  1. Internet Access
  2. Site to Site VPN with branch office

Hereunder is my configuration; please correct me if needed:

  1. Switch is connected to Router with a trunk port

! Trunk to the L2 switch; one subinterface per VLAN
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1.30
 encapsulation dot1Q 30
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
! Frame Relay link towards the CSU/DSU
interface Serial0/3/0
 no ip address
 encapsulation frame-relay
 clock rate 2000000
!
interface Serial0/3/0.16 point-to-point
 ip address 172.18.1.1 255.255.255.252
 frame-relay interface-dlci 16
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 Serial0/3/0.16
!
ip nat inside source list 10 interface Serial0/3/0.16 overload
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key secret address X.X.X.X   (global address)
!
crypto ipsec transform-set Tunnel esp-3des esp-md5-hmac
!
crypto map VPN-Map 1 ipsec-isakmp
 set peer X.X.X.X
 set transform-set Tunnel
 match address 101
!
! Inside subnets eligible for NAT
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 10 permit 192.168.3.0 0.0.0.255


  • For VPN termination, how can I assign my global IP address to apply the crypto map on?
  • Regarding the NAT configuration, ip nat outside is configured on the serial interface facing the ISP modem, which has a private address. Doesn't NAT need to be done on a global IP address?

Please correct me as I'm confused.

1 Accepted Solution

While it is frequently configured to have the crypto map applied to an interface with a public IP for VPN, it is certainly not a requirement to have a public IP for the VPN to work. A VPN tunnel can work quite well when configured on an interface with a private address. I have seen this work very well in customer networks where they want to give extra protection to some data passing through their networks. When the VPN is going over the Internet it is more problematic (but not impossible) to configure a VPN using private addressing.

Whether this VPN is likely to work or not depends on some things that you have not told us. You give us only X.X.X.X as the peer address, so we have no way to know whether you can really get to that address from this router. And we do not know whether that peer address can get to your router's address. Both of those things must work for the VPN to be able to work.

HTH

Rick

4 Replies

Richard Burts
Hall of Fame

I do not understand your question about VPN and a global IP address. I will observe that you have not applied the crypto map to any interface, and VPN cannot work until the crypto map is assigned to the interface. Also, the crypto map references access list 101, which you have not shown us, so we cannot tell if it is correctly configured.

As far as NAT is concerned, when you are doing NAT there frequently is a public IP used to allow traffic to the Internet. In the configuration that you have shown us there is no public IP, so NAT must use a private IP if no public IP is available.

You have not told us why you are doing NAT here. Since there is no public IP it cannot be NAT to enable Internet access. If the traffic from this router does eventually get to the Internet then some upstream device must be doing address translation. Since there is not a question of Internet access we might wonder if it would work without NAT. Could you just route your private addresses over the serial link?

 

HTH

 

Rick

Thanks Richard

My understanding is that a site-to-site VPN must terminate on an interface with a public IP address. In this design I only have the router, no other upstream devices, and my connection to the ISP uses private IP addresses. (I do have a public IP address but I don't know how to assign it.) For example, can I assign it to a loopback interface or not, and then apply the crypto map to it?

I need NAT only to enable inside users to access the Internet, and at the same time traffic should be tunneled if it is going to the other side of the VPN.

Sorry if I can't clarify more.

access-list 101 permit 192.168.1.0 0.0.0.255   (inside subnet, "vpn config")
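The requirement stated in the reply above (NAT for Internet users, tunnel for traffic to the branch) runs into the IOS order of operations: for inside-to-outside packets NAT is applied before the crypto map is checked, so a NAT ACL that also matches VPN-bound packets translates their source and they no longer match crypto ACL 101, and a standard ACL such as 10 cannot carve out that traffic because it matches on source only. The model below is an added example, not code from the thread; it assumes a constructed branch subnet 10.0.0.0/24, a constructed extended ACL 110 for the NAT rule, and the Serial0/3/0.16 address from the posted config.

```python
"""Model IOS order of operations (NAT inside->outside before the crypto map) to check
whether VPN-bound traffic survives overload NAT. Added example; 10.0.0.0/24 is constructed."""
import ipaddress

OUTSIDE_IP = "172.18.1.1"  # Serial0/3/0.16 address from the posted config
ANY = ("0.0.0.0", "255.255.255.255")

def _match(addr, wildcard, ip):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)

def _spec(t, i):
    """Read an address spec at t[i]: 'any' or 'ADDR WILDCARD'; return it and the next index."""
    return (ANY, i + 1) if t[i] == "any" else ((t[i], t[i + 1]), i + 2)

def parse_acl(lines):
    """Parse numbered ACL lines. Standard ACLs (1-99) match source only, so
    their destination is always 'any'; extended ACLs (100-199) carry both."""
    entries = []
    for line in lines:
        t = line.split()
        num, action = int(t[1]), t[2]
        if num <= 99:
            entries.append((action, _spec(t, 3)[0], ANY))
        else:  # access-list N permit|deny ip SRC DST
            src, i = _spec(t, 4)
            entries.append((action, src, _spec(t, i)[0]))
    return entries

def acl_permits(entries, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, (sa, sw), (da, dw) in entries:
        if _match(sa, sw, src) and _match(da, dw, dst):
            return action == "permit"
    return False

def forward(nat_acl, crypto_acl, src, dst):
    """NAT translates first, so the translated source must still match the
    crypto ACL or the packet is routed to the ISP outside the tunnel."""
    if acl_permits(nat_acl, src, dst):
        src = OUTSIDE_IP
    return "encrypted" if acl_permits(crypto_acl, src, dst) else "cleartext from " + src

CRYPTO_ACL = parse_acl(["access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255"])
NAT_AS_POSTED = parse_acl(["access-list 10 permit 192.168.1.0 0.0.0.255"])
NAT_EXCLUDING_VPN = parse_acl([  # constructed extended ACL: deny the VPN pair before the permit
    "access-list 110 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255",
    "access-list 110 permit ip 192.168.1.0 0.0.0.255 any",
])
```

With NAT_AS_POSTED, a packet from 192.168.1.10 to the branch is translated to 172.18.1.1 and leaves unencrypted; with NAT_EXCLUDING_VPN it is encrypted while Internet-bound traffic is still translated.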


I am glad that my response was helpful. Thank you for using the rating system to mark this question as answered. This will help other readers in the forum to identify discussions which have helpful information.

 

HTH

 

Rick