03-17-2021 10:05 PM
Hello Everyone,
We plan to connect a broadband Internet connection to a Cisco 1900 series router.
It will give either a dynamic or a static address, with LAN segments like 10.0.0.0 or 192.168.0.0.
So I have a couple of questions here:
1. Will the 1900 series router support IPsec site-to-site VPN?
2. If IPsec is supported, how can we configure it when the Internet link doesn't have a public IP?
3. If my above two questions are possible, could you please share the basic whole configuration steps for reference?
Really much appreciated!!!
Regards,
Chandhuru
03-17-2021 10:37 PM
@Chandhuru sekaran marimuthu wrote:
We plan to connect a broadband Internet connection to a Cisco 1900 series router.
1. What is the WAN speed?
2. Is the router running crypto firmware? (Not sure? Post the complete output to the command "sh version".)
03-17-2021 11:04 PM
Thanks for the prompt reply, Leo!!!
To be honest, we haven't implemented it yet. We are planning to implement it.
1. Planning for 100 Mbps WAN speed
2. Yes, it is crypto-supported firmware
03-18-2021 01:46 AM
Chandhuru
You ask several questions. Here are my responses.
1) If the 1900 has the appropriate feature set/license for the software, then the 1900 does support site-to-site VPN.
2) When the Internet link doesn't have a public IP, then you need the device that does have a public IP to have either a static address translation of a public IP to your 1900 address or port forwarding to provide forwarding of any ISAKMP and ESP packets to your 1900.
03-21-2021 01:39 AM
Thanks, Richard.
For point 2, what would be the sample config if we are doing it based on port forwarding?
03-21-2021 10:39 PM
Chandhuru
If the device providing access to the Internet does forward any ISAKMP and ESP packets to your 1900, then the config could be a pretty standard site-to-site VPN config and would include:
- appropriate ISAKMP parameters specifying encryption and authentication, including a key to enable the peers to authenticate
- an access list which would identify the traffic to be encrypted (typically your local LAN to the remote LAN)
- a crypto map which would specify the remote peer, would use the configured access list to identify traffic for the VPN, and other appropriate parameters
- the crypto map applied to the outbound interface
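The four items listed in the reply above, written out as an IOS configuration. This is an added example, not part of the original post or any poster's own config; it assumes an IOS 15 image with the security license, and every address, name and the key placeholder in it is constructed for illustration.

```cisco
! Added example: 1900 behind a broadband modem, static peer at the far end.
! Constructed values: modem LAN 192.168.0.0/24, local LAN 192.168.10.0/24,
! remote LAN 192.168.20.0/24, remote peer 203.0.113.10 (documentation range).
!
! 1. ISAKMP (IKEv1 phase 1) parameters and the pre-shared key for the peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
!
! Phase 2 protection applied to the traffic itself
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! 2. Access list identifying traffic to encrypt (local LAN to remote LAN)
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
! 3. Crypto map tying peer, transform set and access list together
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
! 4. Crypto map applied to the outbound interface, which holds a private
!    address from the modem's LAN; the modem is the default gateway
interface GigabitEthernet0/0
 description WAN to broadband modem
 ip address 192.168.0.2 255.255.255.0
 crypto map VPN-MAP
!
interface GigabitEthernet0/1
 description Local LAN
 ip address 192.168.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
```

With the 1900 behind NAT, the peers normally negotiate NAT traversal, which carries ESP inside UDP port 4500, so the modem's forwarding rule has to cover UDP 500 and UDP 4500. `show crypto isakmp sa` and `show crypto ipsec sa` show whether phase 1 and phase 2 came up.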
03-18-2021 03:38 AM
@Chandhuru sekaran marimuthu wrote:
Planning for 100 Mbps WAN speed
100 Mbps? With Crypto? I don't think so.
If memory serves me correctly, I do not believe the 1941 can push beyond 65 Mbps without any encryption. With encryption, the 1941 will not be able to push above 40 Mbps.
03-21-2021 01:38 AM
Thanks, Leo!!!
OK, if we are limiting to, or are OK with, 40 Mbps speed.
What would be the config, and is it possible if the WAN link terminates with a dynamic LAN IP segment? I mean to say there is a modem, and terminating the LAN segment in the router with a LAN segment?
03-22-2021 04:28 AM
Dear Chandhuru,
Does your ISP provide a static public IP or a dynamic one? If dynamic, is there any way to ask them to provide a static public IP? As far as I know, some ISPs provide a fixed public IP for broadband users.
Anyhow, it's better to have a static IP on both ends, and your connections will be like this:
LAN >> router <<>> broadband modem <<>> remote router << LAN
You will assign an IP address from the local subnet of the modem on the Ethernet port connected to the modem, and then create a static route to forward traffic to the modem, as it's the GW. So when you have two static IPs on both ends and they are pingable, just set the peer of the remote and follow the steps Richard mentioned.
Best Regards
Asem