Re: Is IPSEC supported on 1900 series router???

Chandhuru sekaran marimuthu · ‎03-17-2021

Hello Everyone,

we have plan to connect broadband Internet connection to Cisco router 1900 series.

it will give either dynamic or static with LAN segments like 10.0.0.0 or 192.168.0.0.

so my couple question here:

1. 1900 series router will support IPSEC site to site VPN?

2. if IPSEC is supported, how can we configure when the internet link don’t have public IP.

3. if my above two questions are possible, could you please share the basic whole configuration steps for reference,

Really much appreciated!!!

Regards,

Chandhuru

Thanks and regards, Chandhuru.M

Leo Laohoo · ‎03-17-2021

@Chandhuru sekaran marimuthu wrote:

we have plan to connect broadband Internet connection to Cisco router 1900 series.

1. What is the WAN speed?

2. Is the router running crypto firmware? (Not sure? Post the complete output to the command "sh version".)

Chandhuru sekaran marimuthu · ‎03-17-2021

Thanks for prompt reply Leo!!!

To be honest, we haven’t implemented yet. Planning to implement.

1. Planning for 100Mbps WAN SPEED

2. Yes it is crypto supported firmware

Thanks and regards, Chandhuru.M

Richard Burts · ‎03-18-2021

Chandhuru

You ask several questions. Here are my responses

1) If the 1900 has appropriate feature set/license for the software then 1900 does support site to site vpn.

2) when the internet link don’t have public IP then you need the device that does have Public IP to have either a static address translation of a Public IP to your 1900 address or to have port forwarding to provide forwarding of any isakmp and esp packets to your 1900.

HTH

Rick

Chandhuru sekaran marimuthu · ‎03-21-2021

Thanks Richard,

for 2 point, what would be the sample config if we are doing based on port forwarding???

Thanks and regards, Chandhuru.M

Richard Burts · ‎03-21-2021

Chandhuru

If the device providing access to the Internet does forward any isakmp and esp packets to your 1900 then the config could be a pretty standard site to site vpn config and would include

- appropriate isakmp parameters specifying encryption and authentication, including a key to enable the peers to authenticate

- an access list which would identify the traffic to be encrypted (typically your local lan to the remote lan)

- a crypto map which would specify the remote peer, would use the configured access list to identify traffic for the vpn and other appropriate parameters

- the crypto map applied to the outbound interface

HTH

Rick

Leo Laohoo · ‎03-18-2021

@Chandhuru sekaran marimuthu wrote:

Planning for 100Mbps WAN SPEED

100 Mbps? With Crypto? I don't think so.

If memory serves me correctly, I do not believe the 1941 can push beyond 65 Mbps without any encryption. With encryption, 1941 will not be able to push above 40 Mbps.

Chandhuru sekaran marimuthu · ‎03-21-2021

Thanks Leo!!!

ok if we are limiting or ok to 40Mbps speed.

What would be the config and is it possible if WAN link terminate with Dynamic Lan IP segment?? I mean to say there is a Modem and terminating LAN segment in router with LAN segment???

Thanks and regards, Chandhuru.M

Asemmoqbel · ‎03-22-2021

Dear Chandhuru,,

does your isp provide static public IP or dynamic one?? if dynamic, is there anyway to ask them for providing a static public IP as I know some ISPs provide a fixed public for broadband users.

Anyhow, it's better to have static IP on both ends and your connections will be like this:

LAN >> router <<>> broadband modem <<>> remote router << LAN

you will assign IP address from the local subnet of the modem on the ethernet port connected to the modem. and then create static route to forward traffic to the modem as it's the GW. so when you have two static on both ends and they are pingable. just set the peer of the remote and follow the steps Richard mentioned..

Best Regards

Asem