Hello Paul,

thanks alot for your prompt advice! much appreciate it.

so far so good,  I have one more question; currently I sm using one of the physical interface for the VPN map, and for the next step Iwant to use Tunnel interfaces instead of the physical interface and for both (OLD & NEW) VPNs.

can you help me on this Migration please?

moreover Paul, when i do show run I can find three Tunnel (0, 1 & 10) interfaces.

much appreciate your support.

Best Regards,

Hardi      

Hi Hardi-

Are you saying that you already have three tunnel interfaces configured, but they are not being used? If so, you can just delete them.

Everything above stays the same -- you just need to add two tunnel interfaces, which I'll call 100 and 200 in the example below. The only interesting thing to note is the private IP addresses that I used in the example below for the tunnel interfaces. The other end of the tunnel will need to have corresponding addresses

crypto isakmp key peeronepassword address aaa.bbb.ccc.ddd
crypto isakmp key peertwopassword address www.xxx.yyy.zzz
!
!
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
!
crypto map MYMAP 100 ipsec-isakmp
description To Peer One
set peer aaa.bbb.ccc.ddd
set transform-set MYSET
match address PEER_ONE_ACL

crypto map CRX_MAP 200 ipsec-isakmp
description To Peer Two
set peer www.xxx.yyy.zzz
set transform-set MYSET
match address PEER_TWO_ACL

interface Tunnel100
description Tunnel to Peer One
ip address 10.0.0.1 255.255.255.252
ip mtu 1440
keepalive 2 3
tunnel source GigabitEthernet0/2
tunnel destination aaa.bbb.ccc.ddd
!
interface Tunnel200
description Tunnel to Peer Two
ip address 10.0.0.5 255.255.255.252
ip mtu 1440
keepalive 2 3
tunnel source GigabitEthernet0/2
tunnel destination www.xxx.yyy.zzz

interface GigabitEthernet0/2
  description Outboud Interface
  ip address bbb.ccc.ddd.eee 255.255.255.252
  crypto map MYMAP

Let me know if that helps,

Paul

Hello Paul,

thanks alot for your prompt reply.

I will apply your above configuration in a few coming days, and I will let you know about the result.

1 question please; i wonder to know if the end-users have the ability to get access to both VPNs simultaneously?

many thanks,

Harid

Hardi-

I should have mentioned that in this setup, you are running your encryption through GRE tunnels, and as such you will need to have routing in place to access the nodes at the ends of the tunnels.

The ACLs allow for GRE to set up the tunnels. So, the ACL's would look like this:

access-list extended PEER_ONE_ACL permit gre host bbb.ccc.ddd.eee host aaa.bbb.ccc.ddd

access-list extended PEER_TWO_ACL permit gre host bbb.ccc.ddd.eee host www.xxx.yyy.zzz

Once the tunnels are up, you can either put static routes in place on both sides - your router and the peer router, to reach the networks that you require, or you can run a dynamic routing protocol such as BGP or OSPF through the tunnel.

If you need help with this, please respond with a list the subnets on both sides or preferably a diagram that includes this info, and I will be happy to help you.

To answer your question above, yes, your users will be able to access nodes through both tunnel simultaneously. If you have a requirement that nodes on the far ends of both tunnels be able to talk to eachother, it is not as straightforward, and we need to add some additional configuration.

Paul

Hello paul,

thanks alot for your support.

I send you  my topology of my network as well as the subnets of both ends.

God bless you. much appreciate your support.

Best Regards,

Hardi

Hello Paul,

currently I am facing some issue in my current VPN can you help me please in resolving?

below are some messages:

- %CRYPTO-4-IKMP_NO_SA: IKE message from (Pub IP address) has no SA and is not an initialization offer.

- %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=MY PUB IP ADDRESS, prot=50, spi=0xE8798B55(3900279637), srcaddr=PEER PUB IP ADDRESS, input interface=GigabitEthernet0/0.

if it is posible to help me in improving and optiimazing security 7 VPN configuration on my route 2921 ISR.

regarding the above information I will caome back to you soon.

Much appreciate your support and dedicated effort.

Many thnaks,

Hardi

Hardi-

Please post your entire config, with any sensitive information removed. I will try to help.

thanks,

Paul

hello Paul,

I attached a ocopy of my router configuration please have a reivew and please let me know about the weak points in the configuration.

Many thnkas,

Hardi

2921_router#show running-config

Building configuration...

Current configuration : 9178 bytes

!

!

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname 2921_router

!

boot-start-marker

boot config usbflash1:ZTD-BOOT.CFG

boot-end-marker

!

!

logging buffered 51200

logging console critical

!

no aaa new-model

!

clock timezone PCTime 3 0

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

ip dhcp excluded-address 10.10.10.1

ip dhcp excluded-address 192.168.1.1

!

ip dhcp pool ccp-pool

import all

network 10.10.10.0 255.255.255.248

default-router 10.10.10.1

lease 0 2

!

ip dhcp pool data-pool

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 4.2.2.2 8.8.8.8

lease 0 2

!

!

no ip bootp server

no ip domain lookup

ip domain name hts.com

login block-for 120 attempts 2 within 60

!

multilink bundle-name authenticated

!

!

!

!

username user privelge 15 secret password

!

voice-card 0

!

!

!

!

!

!

!

hw-module pvdm 0/0

!

!

redundancy

!

!

!

!

ip tcp synwait-time 10

ip ssh version 2

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

lifetime 3600

crypto isakmp key KEY123 address (PEER Pub.IP)

!

crypto ipsec security-association idle-time 28800

!

crypto ipsec transform-set VPN1 esp-3des esp-sha-hmac

!

crypto map KK 1 ipsec-isakmp

description "FOR HQ SERVER CONNECTION"

set peer (PEER Pub.IP)

set security-association lifetime seconds 28800

set transform-set VPN1

match address 100

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

2921_router shutdown

!

interface GigabitEthernet0/0

description "ES_WAN_FW_OUTSIDE"

no ip dhcp client request tftp-server-address

ip address (My PUb. IP ADDRESS)

ip access-group 102 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no cdp enable

no mop enabled

crypto map KK

!

interface GigabitEthernet0/1

description description "ETH-SW-LAUNCH_INTF-Gig0/0-HWIC NMCSW1"

ip address 192.168.1.1 255.255.255.0

ip access-group 101 in

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/2

description $ES_LAN$

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

no mop enabled

!

interface FastEthernet0/0/0

ip address 10.10.10.1 255.255.255.248

2921_router no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

!

interface FastEthernet0/0/1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

!

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

!ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list NAT interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 int gig 0/0

!

ip access-list extended NAT

deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

permit ip 192.168.1.0 0.0.0.255 any

!

logging trap debugging

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 23 permit 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit tcp any any eq 443

access-list 101 permit tcp any any eq www

access-list 101 permit ip any any

access-list 101 permit udp any any eq isakmp

access-list 101 permit udp any any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 102 permit udp any any eq isakmp

access-list 102 permit udp any eq isakmp any

access-list 102 permit esp any any

access-list 102 permit icmp any any

access-list 102 permit udp any eq bootps any eq bootpc

access-list 102 permit tcp any any

access-list 102 permit udp any any

access-list 102 permit icmp any any echo-reply

access-list 102 permit icmp any any time-exceeded

access-list 102 permit icmp any any unreachable

access-list 102 permit tcp any eq 443 any

access-list 102 permit ip any any

access-list 102 deny   ip 10.0.0.0 0.255.255.255 any

access-list 102 deny   ip 172.16.0.0 0.15.255.255 any

access-list 102 deny   ip 192.168.0.0 0.0.255.255 any

!

no cdp run

!

!

!

!

!

control-plane

!

!

voice-port 0/1/0

!

2921_routervoice-port 0/1/1

!

voice-port 0/1/2

!

voice-port 0/1/3

!

voice-port 0/2/0

!

voice-port 0/2/1

!

voice-port 0/2/2

!

voice-port 0/2/3

!

!

!

mgcp profile default

!

!

!

!

!

gatekeeper

shutdown

!

!

!

line con 0

exec-timeout 3 0

privilege level 15

logging synchronous

login local

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

privilege level 15

login local

transport input telnet ssh

line vty 5 15

access-class 23 in

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

Hardi-

I apologize for my absence - I was away for a few days.

Looking quickly at the above config, I see no major problems. Is your tunnel up and passing traffic right now?

Also, what is your reason for converting this config to use GRE tunnels? Do you have the requirement to run a routing protocol between sites?

Paul

by the way, this is a good link for securing your router: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

Hello Paul,

sorry for my absens, too.

currently the tunnel is UP. but most of the time there is no ISAKMP SA state, in the meantime I have a VPN connection between the two peers, and passing traffic.

now I want to make another VPN Site to site connection and I mentioned perviously, by then my router will have a VPN connection to two dofferent routers and in different location.

regarding the above configuration I think it is not quite strong depending in my opinion. and I 'd like to add more security option to it.

many thanks in advance,

Hardi