creating ipsec tunnel

shenmaia24
Level 1

Hi all,

Previously I was using a Maipu router; now I am migrating to a Cisco 819G-LTE.

How do I configure the config below on a Cisco router? Please help me, someone.

crypto ike key x.x.x.x address 192.168.24.2

 

crypto tunnel FSB43
local address 10.180.4.162
peer address 192.168.24.2
set sec-level basic
set auto-up

 

crypto policy DLSw1
flow host 20.0.0.110 host 10.123.1.2 ip tunnel FSB4 
exit

5 Replies

Hello,

You can find a configuration example at the following link, under the "4G-LTE Wireless WAN as a Backup with NAT and IPSec" section: https://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/software/feature/guide/ehwic-4g-ltesw-book.html#con_1334957

Generally, here is a sample configuration example:

crypto isakmp policy 1
  encr aes                              ! Make sure it matches the other side
  authentication pre-share
  group 2                               ! Make sure it matches the other side
!
crypto isakmp key PASSWORD address 192.168.24.2
!
! Make sure the transform-set matches the other side
crypto ipsec transform-set TRANSFORM_FSB43 esp-aes esp-sha-hmac
  mode tunnel
!
crypto map FSB43 10 ipsec-isakmp
  set peer 192.168.24.2
  set transform-set TRANSFORM_FSB43
  match address 101
!
access-list 101 permit ip host 20.0.0.110 host 10.123.1.2
!
interface XXX   !! Put the correct interface number
  ip address 10.180.4.162 <subnet-mask>   ! the subnet mask is also required
  crypto map FSB43
!

You need to make sure that the encryption, authentication, and group match on both sides. What kind of device do you have on the other side?

HTH,

Meheretab

Hi Meheretab,

Many thanks for the response.

I am setting up multiple connections to different destination routers. Do I also need to configure multiple crypto isakmp policies and crypto maps? Below is the example config from the Maipu router used previously.

crypto ike key 5cef39369b30fe3efda475722c798c9cÇ address 192.168.22.2
crypto ike key 5cef39369b30fe3efda475722c798c9cÇ address 192.168.23.2
crypto ike key 5cef39369b30fe3efda475722c798c9cÇ address 192.168.24.2
crypto ike key 5cef39369b30fe3efda475722c798c9cÇ address 192.168.25.2
crypto ike key 5cef39369b30fe3efda475722c798c9cÇ address 192.168.26.2
 
crypto tunnel FSB4
 local address 10.180.4.162
 peer address 192.168.22.2
 set sec-level basic
 set auto-up
 exit
crypto tunnel FSB42
 local address 10.180.4.162
 peer address 192.168.23.2
 set sec-level basic
 set auto-up
 exit
crypto tunnel FSB43
 local address 10.180.4.162
 peer address 192.168.24.2
 set sec-level basic
 set auto-up
 exit
crypto tunnel FSB44
 local address 10.180.4.162
 peer address 192.168.25.2
 set sec-level basic
 set auto-up
 exit
crypto tunnel FSB45
 local address 10.180.4.162
 peer address 192.168.26.2
 set sec-level basic
 set auto-up
 exit
 
crypto policy DLSw1
 flow host 20.0.0.110 host 10.123.1.2 ip tunnel FSB4 FSB42
 exit
crypto policy DLSw2
 flow host 20.0.0.110 host 30.2.2.253 ip tunnel FSB4 FSB42
 exit
crypto policy DLSw3
 flow host 20.0.0.110 host 30.2.2.251 ip tunnel FSB43 FSB44
 exit
crypto policy DLSw4
 flow host 20.0.0.110 host 30.2.2.250 ip tunnel FSB43 FSB44
 exit
crypto policy DLSw5
 flow host 20.0.0.110 host 30.2.2.254 ip tunnel FSB43 FSB44
 exit
crypto policy DLSw6
 flow host 20.0.0.110 host 30.1.1.2 ip tunnel FSB45
 exit
crypto policy DLSw7
 flow host 20.0.0.110 host 30.1.1.3 ip tunnel FSB45
 exit

You can use the same crypto isakmp policy and transform-set for all of your connections. However, you will need to create separate crypto maps, as each crypto map is associated with a specific peer and matches specific traffic. You will need to apply the crypto maps to the respective interfaces.

Do you have a network diagram to share? I am not exactly sure how the different routers are connected and which network is behind which router.

HTH,

Meheretab
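
Added example (not from any of the posts in this thread, and not the poster's or Cisco's own configuration): one way the five-peer Maipu configuration in the question could be laid out on IOS with a single shared ISAKMP policy and transform-set. IOS accepts one crypto map set per interface, so each peer group here is a sequence-numbered entry of the same map. The names FSB, TS_FSB and ACL_FSB_* are hypothetical, PSK_PLACEHOLDER stands in for the real key, and reading two tunnel names in one Maipu flow as primary and backup peers is an assumption.

```cisco
! Added example. Phase 1 values copied from the reply above; they must match
! the peers. DH group 2 is deprecated: use group 14 or higher if peers allow.
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key PSK_PLACEHOLDER address 192.168.22.2
crypto isakmp key PSK_PLACEHOLDER address 192.168.23.2
crypto isakmp key PSK_PLACEHOLDER address 192.168.24.2
crypto isakmp key PSK_PLACEHOLDER address 192.168.25.2
crypto isakmp key PSK_PLACEHOLDER address 192.168.26.2
!
crypto ipsec transform-set TS_FSB esp-aes esp-sha-hmac
 mode tunnel
!
! One ACL per peer group, built from the Maipu "crypto policy" flows
ip access-list extended ACL_FSB_A
 permit ip host 20.0.0.110 host 10.123.1.2
 permit ip host 20.0.0.110 host 30.2.2.253
ip access-list extended ACL_FSB_B
 permit ip host 20.0.0.110 host 30.2.2.251
 permit ip host 20.0.0.110 host 30.2.2.250
 permit ip host 20.0.0.110 host 30.2.2.254
ip access-list extended ACL_FSB_C
 permit ip host 20.0.0.110 host 30.1.1.2
 permit ip host 20.0.0.110 host 30.1.1.3
!
! Assumption: the second peer in an entry is the backup (tried in order)
crypto map FSB 10 ipsec-isakmp
 set peer 192.168.22.2
 set peer 192.168.23.2
 set transform-set TS_FSB
 match address ACL_FSB_A
crypto map FSB 20 ipsec-isakmp
 set peer 192.168.24.2
 set peer 192.168.25.2
 set transform-set TS_FSB
 match address ACL_FSB_B
crypto map FSB 30 ipsec-isakmp
 set peer 192.168.26.2
 set transform-set TS_FSB
 match address ACL_FSB_C
!
! XXX is the interface placeholder used in the reply above
interface XXX
 crypto map FSB
```

After applying it, `show crypto isakmp sa` and `show crypto ipsec sa` show whether each peer negotiated and whether the packet counters for each flow increase.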

Hi Meheretab,

Sorry for the late reply. See the attached diagram file as the proposal for multiple IPsec: 1 IPsec connects to the IPsec gateway, and another 2 IPsec are for DLSw over IPsec.

Many thanks

This is the config on the remote router (Maipu):

crypto ike key 5cef39369b30fe3efda475722c798c9cÇ any

crypto tunnel DR
local address 192.168.24.2
peer any
set sec-level basic
exit

crypto policy mainDLSw1
flow host 30.2.2.254 20.0.0.0 255.255.255.0 ip tunnel DR bypass
exit
crypto policy mainDLSw2
flow host 30.2.2.250 20.0.0.0 255.255.255.0 ip tunnel DR bypass
exit
crypto policy mainDLSw3
flow host 30.2.2.251 20.0.0.0 255.255.255.0 ip tunnel DR bypass
exit