CONFIGURING SITE TO SITE IPSEC VPN BETWEEN TWO OFFICES

tomocisco
Level 1

Hi All,

Thanks for a forum like this that has continued to help individuals like me in my career as a network administrator.

I am presently configuring a VPN connection between two of our offices so that we can have data/voice/video connectivity between the two sites. We want users to be able to access internet, while the vpn tunnel will be mainly for data/voice/video connectivity.

I am using Cisco 1812 for this configuration.

Attached is a 'show running configuration' from the local Router. My questions are:

1. Will the configuration shown give me the desired vpn connection as well as give users access to internet?

2. Is there a way to delegate bandwidth (say 2 Mbps) just for internet use while the rest of the bandwidth will be for VPN data traffic?

The 'sho run' is pasted below:

Router#sho run
Building configuration...

Current configuration : 2179 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$UOub$z7fLtnBI.El8lsWrFr6v/0
enable password 7 130816011F091639
!
no aaa new-model
!
dot11 syslog
!
ip cef
!
no ip domain lookup
ip name-server 41.198.x.y
ip name-server 41.198.x.z
!
multilink bundle-name authenticated
!
crypto isakmp policy 1
 encr aes 256
 hash md5
 authentication pre-share
 group 2
! 41.200.t.y = public IP address of the remote router (from ISP)
crypto isakmp key SeCRetKey address 41.200.t.y
!
crypto ipsec transform-set MY-VPN esp-aes 256 esp-md5-hmac
!
crypto map VPN-LG 10 ipsec-isakmp
 ! the peer is the remote router's public address (the address the ISAKMP
 ! key above is bound to), not its LAN address 192.168.1.1
 set peer 41.200.t.y
 set transform-set MY-VPN
 match address VPN-TRAFFIC
!
archive
 log config
  hidekeys
!
interface Loopback0
 ip address 192.100.100.1 255.255.255.255
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! 41.198.X.Y = public IP address of the local router (from ISP)
interface FastEthernet1
 ip address 41.198.X.Y 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-LG
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
!
ip forward-protocol nd
! 41.198.T.K = default gateway of ISP
ip route 0.0.0.0 0.0.0.0 41.198.T.K
!
no ip http server
no ip http secure-server
! NAT for internet access
ip nat inside source list 100 interface FastEthernet1 overload
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 100 remark EXCLUDED FROM NAT
access-list 100 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
!
control-plane
!
line con 0
 password 7 00091215105E1915
 login
line aux 0
line vty 0 4
 password 7 082C4D5D1D1C1704
 login
line vty 5 193
 password 7 082C4D5D1D1C1704
 login
!
end

Thanks for your help.

Tom
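The following is an added example, not Tom's configuration and not taken from any reply in the thread. It shows the crypto, NAT-exemption and policing pieces that answer the two questions above: the ISAKMP policy and transform set with the MD5 settings replaced by SHA, the crypto-map peer pointed at the remote router's public address, NAT exemption for the site-to-site prefixes, and a 2 Mbps policer applied only to non-VPN traffic. The placeholder addresses are the ones used in the post (41.200.t.y remote public IP, 41.198.X.Y local public IP, 192.168.0.0/24 local LAN, 192.168.1.0/24 remote LAN); the algorithm choices, the ACL and class-map names and the pre-shared-key placeholder are my assumptions.

```cisco
! Added example, not from the original post. Object names, algorithm
! choices and the PSK placeholder are assumptions; addresses are the
! thread's placeholders.
!
! The type-7 enable password is reversible and redundant next to the
! type-5 enable secret, so remove it.
no enable password
!
! Phase 1: SHA instead of MD5. Use group 14 if the IOS image offers it;
! older 12.4 images only have groups 1, 2 and 5.
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 5
! Bind the key to the remote PUBLIC address. Use a long random value.
crypto isakmp key <long-random-psk> address 41.200.t.y
!
! Phase 2: SHA-HMAC instead of MD5-HMAC.
crypto ipsec transform-set MY-VPN esp-aes 256 esp-sha-hmac
!
crypto map VPN-LG 10 ipsec-isakmp
 ! peer = the remote router's public address (the one the ISAKMP key is
 ! bound to), never the remote LAN address
 set peer 41.200.t.y
 set transform-set MY-VPN
 set pfs group5
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT exemption. IOS translates inside-to-outside traffic BEFORE the
! crypto map sees it, so VPN traffic must be denied here or it is
! translated to 41.198.X.Y and never matches VPN-TRAFFIC.
ip access-list extended NAT-INTERNET
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface FastEthernet1 overload
!
! Question 2: cap internet traffic at 2 Mbps and leave VPN traffic alone.
! Classify on the LAN interface, where addresses are still private, so
! NAT and encryption on FastEthernet1 cannot hide what the packet is.
ip access-list extended INTERNET-UPLOAD
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended INTERNET-DOWNLOAD
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip any 192.168.0.0 0.0.0.255
!
class-map match-all INTERNET-UP
 match access-group name INTERNET-UPLOAD
class-map match-all INTERNET-DOWN
 match access-group name INTERNET-DOWNLOAD
!
policy-map LIMIT-INTERNET-UP
 class INTERNET-UP
  police 2000000 conform-action transmit exceed-action drop
policy-map LIMIT-INTERNET-DOWN
 class INTERNET-DOWN
  police 2000000 conform-action transmit exceed-action drop
!
interface FastEthernet0
 service-policy input LIMIT-INTERNET-UP
 service-policy output LIMIT-INTERNET-DOWN
```

The remote router needs the mirror image: the same ISAKMP policy, transform set and PFS group, the key bound to 41.198.X.Y, and the crypto ACL with source and destination swapped; any mismatch stops phase 1 or phase 2 from negotiating. The download policer only acts after the packets have already crossed the ISP link, so it throttles internet downloads through TCP backoff rather than guaranteeing bandwidth to the VPN; a hard guarantee needs shaping at whichever end actually owns the bottleneck.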

17 Replies

Hi Giuseppe,

Thanks once more for your precious time.

Referring to your post above where you said

"I would check if these servers have two default gateways configured and they are load balancing over them, with one being the correct gateway and one being a device that is not able to route over the VPN."

Only one default gateway is configured on all the systems. What more do you think could be responsible for this kind of behavior?

As to what I did to bring up the VPN tunnel: I found out that I had a static NAT statement pointing to a particular system that needed to be accessed from the internet. Once I removed that NAT statement, my VPN came up. I will still return to it later when I am through with the VPN configuration.

Thanks for your inputs, you helped me a lot. (Of course I'll rate you at the end of this configuration because I'm sure success is just around the corner.) Thanks

Tom

Hello Tom,

mine was just a suggestion of a possible cause. It is not clearly the case.

I wonder if there are other static NAT statements that may cause problems.

However, I would suggest also to try to perform tests from a different system just to check if the behaviour changes.

What if you use extended ping on the router of one site with source address = internal LAN address and you try to ping systems on the remote internal VLAN?

Are the results the same?

You said in a previous post that a specific end system on the remote site is pingable. Is it still true?

Hope to help

Giuseppe
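The verification sequence below is an added example and not part of the thread; it works through the test Giuseppe is asking for, a ping sourced from the LAN address so that it matches the crypto ACL, and shows how to read the SA counters to tell "the tunnel is not carrying the traffic" apart from "the remote host is not answering". 41.200.t.y is the remote router's public address as used in the original post; 192.168.1.10 is an assumed host on the remote LAN and 192.168.0.1 is the local LAN interface from the posted config.

```cisco
! Added example, not from the thread. 192.168.1.10 is an assumed remote
! host; the other addresses are the thread's placeholders.
!
! 1. Phase 1 must show QM_IDLE toward the remote PUBLIC address.
Router# show crypto isakmp sa
!
! 2. Source the ping from the LAN interface. A ping sourced from the
!    public interface does not match VPN-TRAFFIC (192.168.0.0/24 ->
!    192.168.1.0/24), follows the default route to the ISP, and proves
!    nothing about the tunnel.
Router# ping 192.168.1.1 source 192.168.0.1
Router# ping 192.168.1.10 source 192.168.0.1
!
! 3. Read the SA counters before and after the pings.
Router# show crypto ipsec sa peer 41.200.t.y
!    #pkts encaps rising, #pkts decaps rising -> the tunnel carries
!        traffic both ways; a host that still fails is dropping ICMP
!        itself (host firewall) or replying via another gateway
!    #pkts encaps rising, #pkts decaps flat   -> packets leave, nothing
!        returns: check the remote host's default gateway and any
!        static NAT on the remote router that catches 192.168.1.x
!    neither counter rising                   -> the ping never entered
!        the tunnel: NAT translated it first (step 4) or the crypto
!        ACL does not cover this source/destination pair
!
! 4. A static NAT entry for the host, or an overload entry for the
!    VPN flow, means the packet was translated before the crypto map
!    saw it; the flow must show up as exempt, not as a translation.
Router# show ip nat translations
Router# show ip nat statistics
!
! 5. The map must be on the public interface with the remote PUBLIC
!    address as peer, not the remote LAN address.
Router# show crypto map
!
! 6. Repeat the pair of pings from the remote router toward
!    192.168.0.1 and a local host, sourced from 192.168.1.1, so that
!    the same counters are checked in the other direction.
```

A reply from the remote router's LAN interface but not from the hosts behind it is consistent with the tunnel and both crypto ACLs being correct, since the router's own address is inside 192.168.1.0/24; the remaining suspects are the host itself (a firewall that drops echo requests from a non-local subnet) and the path the host uses to send the reply back (a default gateway that is not the VPN router, or a NAT rule on that router that rewrites the reply).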

Hi Giuseppe,

Thanks for your time in responding to my posts.

Any idea on how to resolve the issue above? The VPN is up but I am having issues reaching resources in the LAN. Pings to the router LAN interfaces reply without breaking, but pings to systems break.

Thanks
