Need help configuring site-to-site VPN

Akila
Level 1

[attached screenshot: Capture.PNG]
I'm trying to connect 2 sites to the main office in the middle using VPN. I already configured the left side and it works fine, but I can't seem to connect the right side to the middle network. Here are all the configuration commands I used:

!on router 6 (left)
hostname S
interface g0/1
 ip address 10.1.18.1 255.255.255.224
 no shut
interface g0/0
 ip address 1.0.0.2 255.255.255.224
 no shut
exit
ip route 0.0.0.0 0.0.0.0 1.0.0.1
!
!on router 7 (middle)
hostname B
interface g0/1
 ip address 10.0.18.1 255.255.255.224
 no shut
interface g0/0
 ip address 2.0.0.2 255.255.255.224
 no shut
exit
ip route 0.0.0.0 0.0.0.0 2.0.0.1
!
!on router 8 (right)
hostname M
! the subnet masks were missing from the post; /27 is assumed here to match the other sites and access-list 110
interface g0/1
 ip address 10.2.18.1 255.255.255.224
 no shut
interface g0/0
 ip address 3.0.0.2 255.255.255.224
 no shut
exit
ip route 0.0.0.0 0.0.0.0 3.0.0.1
!
!on router 5 (ISP, top)
hostname ISP
interface g0/0
 ip address 1.0.0.1 255.255.255.224
 no shut
interface g0/1
 ip address 2.0.0.1 255.255.255.224
 no shut
interface g0/2
 ip address 3.0.0.1 255.255.255.224
 no shut
exit
!
!on routers M, B, S
license boot module c1900 technology-package securityk9
!
!on router 6
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 2.0.0.2
!
crypto ipsec transform-set S-B esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 2.0.0.2
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set S-B
 match address 100
!
interface GigabitEthernet0/0
 crypto map IPSEC-MAP
!
access-list 100 permit ip 10.1.18.0 0.0.0.31 10.0.18.0 0.0.0.31
!
!on router 7 (middle)
!for the 1st tunnel
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 1.0.0.2
!
crypto ipsec transform-set B-S esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 1.0.0.2
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set B-S
 match address 100
!
interface GigabitEthernet0/0
 crypto map IPSEC-MAP
!
access-list 100 permit ip 10.0.18.0 0.0.0.31 10.1.18.0 0.0.0.31
!
!for the 2nd tunnel
crypto isakmp policy 11
 encryption aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 3.0.0.2
!
crypto ipsec transform-set B-M esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 11 ipsec-isakmp
 set peer 3.0.0.2
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set B-M
 match address 110
!
interface GigabitEthernet0/0
 crypto map IPSEC-MAP
!
access-list 110 permit ip 10.0.18.0 0.0.0.31 10.2.18.0 0.0.0.31
!
!on router 8 (right)
crypto isakmp policy 11
 encryption aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 2.0.0.2
!
crypto ipsec transform-set M-B esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 11 ipsec-isakmp
 set peer 2.0.0.2
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set M-B
 match address 110
!
interface GigabitEthernet0/0
 crypto map IPSEC-MAP
!
access-list 110 permit ip 10.2.18.0 0.0.0.31 10.0.18.0 0.0.0.31
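As an added example (not code from the thread), this is the check I would run on the two ends of each tunnel before opening Packet Tracer: it parses the crypto sections of two IOS peer configs and reports the mismatches that most often keep a site-to-site IPsec tunnel down (pre-shared key, transform set, PFS group, and a crypto ACL that is not the mirror image of the peer's). The embedded sample configs are constructed from the router S and router B entries posted above.

```python
import re
def parse_crypto(cfg, wan_ip):
    """Pull PSKs, transform sets, crypto-map entries and crypto ACLs out of one config."""
    d = {"wan": wan_ip, "keys": {}, "ts": {}, "maps": [], "acl": {}}
    cur = None
    for line in (l.strip() for l in cfg.splitlines()):
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            d["keys"][m[2]] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            d["ts"][m[1]] = m[2]
        elif re.match(r"crypto map \S+ \d+ ipsec-isakmp", line):
            d["maps"].append(cur := {})
        elif m := re.match(r"access-list (\d+) permit ip (\S+ \S+) (\S+ \S+)", line):
            d["acl"].setdefault(m[1], set()).add((m[2], m[3]))
        elif cur is not None and line.startswith(("set ", "match address")):
            cur[line.split()[1]] = line.split()[-1]  # peer / pfs / transform-set / address
    return d

def check_pair(a, b):
    """Problems between a's map entry for b and b's entry for a; [] means consistent."""
    ma = next((m for m in a["maps"] if m.get("peer") == b["wan"]), None)
    mb = next((m for m in b["maps"] if m.get("peer") == a["wan"]), None)
    if ma is None or mb is None:
        return ["no crypto map entry with 'set peer' for the other side"]
    problems = []
    if a["keys"].get(b["wan"]) != b["keys"].get(a["wan"]):
        problems.append("pre-shared key mismatch")
    if a["ts"].get(ma.get("transform-set")) != b["ts"].get(mb.get("transform-set")):
        problems.append("transform-set mismatch")
    if ma.get("pfs") != mb.get("pfs"):
        problems.append("PFS group mismatch")
    # the peer's crypto ACL must be the exact mirror image (source and destination swapped)
    mirror = {(dst, src) for src, dst in a["acl"].get(ma.get("address"), set())}
    if mirror != b["acl"].get(mb.get("address"), set()):
        problems.append("crypto ACL on the peer is not the mirror image")
    return problems

# Constructed sample: router S's crypto config and router B's matching entry, as posted above.
S_CFG = """
crypto isakmp key secretkey address 2.0.0.2
crypto ipsec transform-set S-B esp-aes 256 esp-sha-hmac
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 2.0.0.2
 set pfs group5
 set transform-set S-B
 match address 100
access-list 100 permit ip 10.1.18.0 0.0.0.31 10.0.18.0 0.0.0.31
"""
B_CFG = (S_CFG.replace("2.0.0.2", "1.0.0.2").replace("S-B", "B-S")
         .replace("10.1.18.0 0.0.0.31 10.0.18.0 0.0.0.31", "10.0.18.0 0.0.0.31 10.1.18.0 0.0.0.31"))
```

Running `check_pair(parse_crypto(S_CFG, "1.0.0.2"), parse_crypto(B_CFG, "2.0.0.2"))` on the posted pair returns an empty list; change the key or the wildcard on one side and the corresponding mismatch is named.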

10 Replies

Hello,

post the Packet Tracer project (.pkt) file; zip it first, otherwise the system won't let you upload it.

Accepted Solution

Hello,

I opened the file and both VPNs are working. What exactly can you NOT do? If I ping 10.0.18.2 from both VPN endpoints, I get a proper response, and if you check the encrypted packets on R7 with 'show crypto ipsec sa', the encrypted packet count is increasing.

I have taken out all the redundant stuff and cleaned up the configs; the revised project file is attached (use the latest version of Packet Tracer, 7.2.2).

Thank you for your reply. It seems to be working on your revised lab; could it be an issue with the Packet Tracer version, or did you change any configurations?

Thank you

I just restarted the application and it seems to be working fine. Thank you very much for your time, good sir.

And if you have time, could you please explain how I can add a remote user to connect to the 10.0.18.0 network through IPsec VPN? Thank you.

 

Hello,

if you add the lines in bold to the configuration of Router7, the router will function as PPTP VPN server for remote access users:

Current configuration : 1554 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname B
!
! remote access: local user account the PPTP clients authenticate with
username vpnuser password 0 vpnpassword
!
! remote access: enable AAA and authenticate PPP sessions against the local user database
aaa new-model
!
aaa authentication ppp default local
!
! remote access: enable VPDN so the router can accept PPTP dial-in sessions
vpdn enable
!
ip cef
no ipv6 cef
!
license udi pid CISCO1941/K9 sn FTX15245NGO-
license boot module c1900 technology-package securityk9
!
! remote access: PPTP server group; each incoming session gets an interface cloned from Virtual-Template1
vpdn-group REMOTE-VPN
 accept-dialin
  protocol pptp
  virtual-template 1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 11
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key secretkey address 1.0.0.2
crypto isakmp key secretkey1 address 3.0.0.2
!
crypto ipsec transform-set B-S esp-aes 256 esp-sha-hmac
crypto ipsec transform-set B-M esp-aes 256 esp-sha-hmac
!
crypto map IPSEC-MAP 10 ipsec-isakmp
 set peer 1.0.0.2
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set B-S
 match address 100
!
crypto map IPSEC-MAP 11 ipsec-isakmp
 set peer 3.0.0.2
 set pfs group5
 set security-association lifetime seconds 86400
 set transform-set B-M
 match address 101
!
spanning-tree mode pvst
!
interface GigabitEthernet0/0
 ip address 2.0.0.2 255.255.255.224
 duplex auto
 speed auto
 crypto map IPSEC-MAP
!
interface GigabitEthernet0/1
 ip address 10.0.18.1 255.255.255.224
 duplex auto
 speed auto
!
! remote access: template for each remote user's PPP interface (MPPE encryption required, MS-CHAP authentication, address from VPNPOOL)
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/1
 peer default ip address pool VPNPOOL
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
 no ip address
 shutdown
!
! remote access: addresses handed out to PPTP clients, taken from the 10.0.18.0/27 LAN
ip local pool VPNPOOL 10.0.18.20 10.0.18.30
!
ip classless
ip route 0.0.0.0 0.0.0.0 2.0.0.1
!
ip flow-export version 9
!
!
access-list 100 permit ip 10.0.18.0 0.0.0.31 10.1.18.0 0.0.0.31
access-list 101 permit ip 10.0.18.0 0.0.0.31 10.2.18.0 0.0.0.31
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Protocol PPTP is not available,

[attached screenshot: Capture2.PNG]

I attached the pkt file.

Thank you

Hello,

the only option available as protocol appears to be pppoe, but that is not supported in Packet Tracer. EZVPN is not supported either. What is the exact requirement for the remote access?

Keep in mind that Packet Tracer devices are not fully featured, real IOS devices. Only a subset of the commands available in IOS are available.

thank you for your reply,

the requirement is that the remote users should be able to access their work from the company site (10.1.18.0 network and 10.2.18.0 network) while traveling.

Hello,

have a look at the video below. As said, you can only do a few things with Packet Tracer; the below might work for you:

Packet Tracer Lab 6 - Remote Access VPN

https://www.youtube.com/watch?v=lkUq6Pl6his
