IPsec-NAT , Port UDP4500 and 500.

eng_adel273
Level 1

Dear Sir

The attached router configuration blocks ports UDP 4500 and 500.

Please check it and send your response

Thanks

43 Replies

Thank you for your support

Please check the attached file about the remote IPs

Thanks

The entries you have highlighted are related to each other. However, all of the configuration you have given is for user-to-site VPNs, not site-to-site VPNs.

Thank you for your reply. How can we make it a site-to-site VPN?

Can you help me to set up the site-to-site VPN?

Alright, using only the Cisco routers:

On the 192.168.10.1 router:

crypto keyring kr-site-to-site
  pre-shared-key address 78.93.247.181 key 0123456789

crypto isakmp profile ikev1-site-to-site
  keyring kr-site-to-site
  match identity address 78.93.247.181 255.255.255.255

crypto ipsec profile ipsec-profile
  set transform-set ESP-3DES-SHA
  set isakmp-profile ikev1-site-to-site

interface Tunnel 0
  ip address 192.168.255.1 255.255.255.252
  tunnel source 78.93.216.19
  tunnel destination 78.93.247.181
  tunnel protection ipsec profile ipsec-profile

ip route 192.168.20.0 255.255.255.0 Tunnel0

On the 192.168.20.1 router:

crypto keyring kr-site-to-site
  pre-shared-key address 78.93.216.19 key 0123456789

crypto isakmp profile ikev1-site-to-site
  keyring kr-site-to-site
  match identity address 78.93.216.19 255.255.255.255

crypto ipsec profile ipsec-profile
  set transform-set ESP-3DES-SHA
  set isakmp-profile ikev1-site-to-site

interface Tunnel 0
  ip address 192.168.255.2 255.255.255.252
  tunnel source 78.93.247.181
  tunnel destination 78.93.216.19
  tunnel protection ipsec profile ipsec-profile

ip route 192.168.10.0 255.255.255.0 Tunnel0

Dear Philip

Thank you for your support. I attached a file containing some questions; please check it.

Thank you for your efforts and cooperation

Thanks

Because we are using separate Tunnel interfaces, and they don't have "ip nat" configured on them, the router won't apply NAT to this traffic.

Can you get rid of the Cyberoam boxes? They do complicate the solution a bit. Otherwise just add more static routes through the tunnels to get to the remote networks, and make sure the Cyberoam boxes allow the traffic through and don't NAT it.

Thank you for your reply

Is it necessary to configure an ip route for the remote LAN on both routers, or is your ip route enough?

Thanks

Both routers need an "ip route" for each remote network that is to go over the VPN.
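As an added example (not code from this thread), a small Python consistency check over the two router configurations given earlier in the thread, which also covers the point in this reply that both routers need an ip route through the tunnel: it parses the peer-facing values from each end and reports where the two ends disagree, whether either end lacks the tunnel route, or whether "ip nat" was configured on the tunnel interface. The config strings are constructed from the thread's two router snippets, trimmed to the lines the check reads.

```python
import re

# Constructed samples: the thread's two router fragments, trimmed to the lines this check reads.
ROUTER_A = """\
  pre-shared-key address 78.93.247.181 key 0123456789
  match identity address 78.93.247.181 255.255.255.255
interface Tunnel 0
  tunnel source 78.93.216.19
  tunnel destination 78.93.247.181
ip route 192.168.20.0 255.255.255.0 Tunnel0
"""
ROUTER_B = """\
  pre-shared-key address 78.93.216.19 key 0123456789
  match identity address 78.93.216.19 255.255.255.255
interface Tunnel 0
  tunnel source 78.93.247.181
  tunnel destination 78.93.216.19
ip route 192.168.10.0 255.255.255.0 Tunnel0
"""

PATTERNS = {  # one regex per value that must line up with the other end
    "psk_peer": r"pre-shared-key address (\S+) key",
    "psk": r"pre-shared-key address \S+ key (\S+)",
    "identity": r"match identity address (\S+)",
    "src": r"tunnel source (\S+)",
    "dst": r"tunnel destination (\S+)",
}
def parse(cfg):
    """Extract the peer-facing values from one IOS config; missing lines come back as None."""
    found = {k: (m.group(1) if (m := re.search(p, cfg, re.M)) else None) for k, p in PATTERNS.items()}
    tun = re.search(r"^interface Tunnel ?\d+\n((?:[ \t].*\n)*)", cfg, re.M)  # the Tunnel stanza
    found["nat_on_tunnel"] = bool(tun and "ip nat" in tun.group(1))  # NAT here would rewrite VPN traffic
    found["routes"] = re.findall(r"^ip route \S+ \S+ Tunnel ?\d+$", cfg, re.M)
    return found
def check_pair(a_cfg, b_cfg):
    """Return the mismatches between the two ends; an empty list means they agree."""
    a, b, problems = parse(a_cfg), parse(b_cfg), []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["dst"] != peer["src"]:
            problems.append(f"{name}: tunnel destination {me['dst']} is not the peer's tunnel source")
        if me["psk_peer"] != peer["src"] or me["identity"] != peer["src"]:
            problems.append(f"{name}: keyring / match identity address is not the peer's {peer['src']}")
        if not me["routes"]:
            problems.append(f"{name}: no 'ip route ... TunnelN' for the remote LAN (needed on both ends)")
        if me["nat_on_tunnel"]:
            problems.append(f"{name}: 'ip nat' on the tunnel interface would translate VPN traffic")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    return problems
```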

Dear Philip

Thank you for your support

I have a 1841 router. When I enter a crypto line in config t, I get an error.

crypto % Invalid input detected at '^' marker

waiting for your feedback

Thanks

You did this in config mode, right?

Yes, within config mode.

also

crypto keyring

Hmm, maybe you are running an older IOS. What model Cisco routers are you using and what software version are they running?

Do they take the other crypto commands ok?

router 1841

We are going to have to use an older way of doing this. On the 192.168.10.1 router, try:

crypto isakmp key 0123456789 address 78.93.247.181 no-xauth

crypto ipsec profile ipsec-profile
  set transform-set ESP-3DES-SHA

interface Tunnel 0
  ip address 192.168.255.1 255.255.255.252
  tunnel source 78.93.216.19
  tunnel destination 78.93.247.181
  tunnel protection ipsec profile ipsec-profile

ip route 192.168.20.0 255.255.255.0 Tunnel0