04-25-2013 04:01 AM - edited 03-04-2019 07:43 PM
Hi All,
I have configured an IPsec VPN tunnel between two routers (from site A to site B) over an untrusted internet connection using Cisco 3825 routers, and I can successfully access both of these routers. But now I need to access the internet on the site B router while sitting on the site A router, so that if I run traceroute from a site A machine, the gateway through which the internet traffic passes shows the IP of site B.
The Architecture of our both site routers :
Site A 10.1.11.0-----Router A 172.18.12.1-----VPN tunnel----Router B 172.18.12.2-----Site B 10.4.11.0
Site A
/////Create IKE policy
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.18.12.2
/////IPsec transformation name
crypto ipsec transform-set jaikalima esp-aes esp-sha-hmac
/////ACL to allow source traffic from Site A to destination Site B
access-list 101 permit ip 10.1.11.0 0.0.0.255 10.4.11.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
Site B
/////Create IKE policy
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.18.12.1
/////IPsec transformation name
crypto ipsec transform-set jaikalima esp-aes esp-sha-hmac
/////ACL to allow source traffic from Site B to destination Site A
access-list 101 permit ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 101 permit ip 10.4.0.0 0.0.255.255 any
Please give me some suggestions on how we can do it.
Thanking in advance
04-25-2013 04:17 AM
Can you please show me your NAT configuration?
04-25-2013 05:43 AM
The following is the NAT configuration of the site A router. After this configuration I had internet access, but I had no access to the site B router (10.4.11.xx). So I have not configured NAT on the site B router. Please suggest how we can configure it.
SiteA
interface GigabitEthernet0/0
ip address 172.18.12.1 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map 1.ciscorouter.ao_to_2.ciscorouter.ao
!
interface GigabitEthernet0/1
ip address 10.1.11.xxx 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
ip default-gateway 172.18.12.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 61.16.243.129
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip 10.1.11.0 0.0.0.255 10.4.11.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
Thanking in advance
04-25-2013 06:11 AM
Configure your IPSec with a Virtual Tunnel Interface (VTI)
Guide:
The problem is NAT: you have one interface for ip nat inside and ip nat outside. That's the reason to create a virtual tunnel interface, to have a specific interface for ip nat inside and ip nat outside.
(Network Address Translation on a stick)
Here I found an example with Remote Access VPN, but I think it's the same issue (shared internet through IPsec).
https://supportforums.cisco.com/thread/2026303
Try to create a VTI:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 10
!
crypto ipsec transform-set jaikalima esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set jaikalima
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
access-list 101 deny ip 10.1.11.0 0.0.0.255 10.4.11.0 0.0.0.255 <- No NAT
access-list 101 permit ip 10.4.11.0 0.0.0.255 any <- PAT for Network from Router B
access-list 101 permit ip 10.1.0.0 0.0.255.255 any <- PAT for Network from Router A
04-26-2013 01:31 AM
Hi Maximilian
The suggestion that you gave is not clear to me. You asked me to create a VTI, but you have not mentioned whether I should create it on both site routers or on either site A or site B. My ultimate goal is to access the internet from site B to site A, but the guide that you mentioned can only transfer data privately, which I am already getting.
04-26-2013 01:40 AM
Yes, this is a guide which helps you to create a VTI. The clients from site B should access the Internet from site A, right? So you create a VTI on both sides with ip nat inside and a default route on site B to the VTI. Please post your configs and I will try to show you the solution for your issue.
04-26-2013 02:34 AM
OK, my requirement is that the clients from site A should access the Internet from site B.
Note -> Hostname of Site A router is "1.ciscorouter.ao"
Hostname of Site B router is "2.ciscorouter.ao"
The following is the configuration of the site A router:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1.ciscorouter.ao
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$nZ9o$0gXWoJ9N06wplHIEXDKYR.
!
aaa new-model
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
ip cef
!
!
!
!
ip domain name spalgo.com
ip name-server 208.67.222.222
ip name-server 208.67.220.220
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.18.12.2
!
!
crypto ipsec transform-set jaikalima esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set jaikalima
!
!
crypto map 1.ciscorouter.ao_to_2.ciscorouter.ao 10 ipsec-isakmp
set peer 172.18.12.2
set transform-set jaikalima
match address 101
!
!
!
!
!
!
!
interface Tunnel0
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel destination 172.18.12.2
interface GigabitEthernet0/0
ip address 172.18.12.1 255.255.255.224
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map 1.ciscorouter.ao_to_2.ciscorouter.ao
!
interface GigabitEthernet0/1
ip address 10.1.11.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
ip default-gateway 172.18.12.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 172.18.12.x
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
!
access-list 101 permit ip 10.1.11.0 0.0.0.255 10.4.11.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
access-list 101 deny ip 10.1.11.0 0.0.0.255 10.4.11.0 0.0.0.255
access-list 101 permit ip 10.4.11.0 0.0.0.255 any
!
The following is the configuration of the site B router:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2.ciscorouter.ao
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$FLoI$5nQ1ajamto8MDdRR4Wtn/.
!
aaa new-model
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
ip cef
!
!
!
!
ip domain name spalgo.com
ip name-server 208.67.222.222
ip name-server 208.67.220.220
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.18.12.1
!
!
crypto ipsec transform-set jaikalima esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
set transform-set jaikalima
!
!
crypto map 2.ciscorouter.ao_to_1.ciscorouter.ao 10 ipsec-isakmp
set peer 172.18.12.1
set transform-set jaikalima
match address 101
!
!
!
!
!
!
!
interface Tunnel0
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel destination 172.18.12.1
!
interface GigabitEthernet0/0
ip address 172.18.12.2 255.255.255.248
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map 2.ciscorouter.ao_to_1.ciscorouter.ao
!
interface GigabitEthernet0/1
ip address 10.4.11.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VTI
!
router rip
version 2
network 10.0.0.0
network 61.0.0.0
!
ip default-gateway 172.18.12.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 172.18.12.x
no ip http server
no ip http secure-server
!
!
ip dns server
!
access-list 101 permit ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 101 permit ip 10.4.11.0 0.0.0.255 any
!
04-26-2013 07:14 AM
I would try to configure it like this example:
Router B:
crypto isakmp policy 1
encr aes 128
authentication pre-share
group 2
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 172.18.12.1
set transform-set MYSET
match address 102
reverse route
!
crypto isakmp key cisco address 172.18.12.1
!
interface GigabitEthernet0/0
ip address 172.18.12.2 255.255.255.248
ip virtual-reassembly
ip nat outside
duplex auto
speed auto
media-type rj45
crypto map CRYPTOMAP
!
interface GigabitEthernet0/1
ip address 10.4.11.254 255.255.255.0
ip virtual-reassembly
ip nat inside
duplex auto
speed auto
media-type rj45
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
access-list 100 deny ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 100 permit ip 10.4.11.0 0.0.0.255 any
access-list 100 permit ip 10.1.11.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
!
route-map VPNPolicy permit 10
match ip address 101
set ip next-hop 192.168.10.1
Router A:
crypto isakmp policy 1
encr aes 128
authentication pre-share
group 2
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer 172.18.12.2
set transform-set MYSET
match address 102
reverse route
!
crypto isakmp key cisco address 172.18.12.2
!
interface GigabitEthernet0/0
ip address 172.18.12.1 255.255.255.224
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map CRYPTOMAP
!
interface GigabitEthernet0/1
ip address 10.1.11.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 102 permit ip any any
To verify:
show crypto isakmp sa
show crypto ipsec sa (encaps and decaps values)
04-26-2013 07:18 AM
Sorry on Router B is a mistake in ACL 101:
change:
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
to:
access-list 101 permit ip 10.1.11.0 0.0.0.255 any
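The two lists suggested above (a NAT list that starts with a deny for the site-to-site prefix, and a separate crypto ACL) differ from the original poster's setup, where list 101 drove both NAT and the crypto map. The following is an added example, not code from this thread or from Cisco: a small evaluator for IOS-style numbered ACLs that models the egress order of operations on a Cisco router (inside-source NAT is applied before the crypto map is consulted, so the crypto ACL sees the translated source). The ACL text is copied from the configurations posted in the thread; the sample hosts 10.1.11.10, 10.4.11.20 and 8.8.8.8 are constructed, and the `egress` model is an assumption that ignores everything except NAT and crypto matching.

```python
"""Added example (not from the thread): evaluate IOS-style ACLs in the order
NAT -> crypto map to see why one list used for both breaks the tunnel."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "<network> <wildcard>" or "any"
    dst: str


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from a token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines, grouped by ACL number."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        num, action = parts[1], parts[2]
        src, rest = _take_addr(parts[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(num, []).append(Ace(action, src, dst))
    return acls


def _matches(addr, spec):
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def evaluate(aces, src_ip, dst_ip):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for ace in aces:
        if _matches(src_ip, ace.src) and _matches(dst_ip, ace.dst):
            return ace.action
    return "deny"


def egress(src_ip, dst_ip, nat_aces, crypto_aces, outside_ip):
    """Inside-to-outside on IOS (assumed model): NAT runs before the crypto map,
    so the crypto ACL is evaluated against the translated source address."""
    natted = evaluate(nat_aces, src_ip, dst_ip) == "permit"
    src_on_wire = outside_ip if natted else src_ip
    encrypted = evaluate(crypto_aces, src_on_wire, dst_ip) == "permit"
    return {"natted": natted, "src_on_wire": src_on_wire, "encrypted": encrypted}


# Router A as originally posted: list 101 is both the NAT list and the crypto ACL.
SITE_A_ORIGINAL = parse_acl("""
access-list 101 permit ip 10.1.11.0 0.0.0.255 10.4.11.0 0.0.0.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 any
""")

# Router B as suggested above: list 100 drives NAT, list 102 drives the crypto map.
ROUTER_B_SUGGESTED = parse_acl("""
access-list 100 deny ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 100 permit ip 10.4.11.0 0.0.0.255 any
access-list 100 permit ip 10.1.11.0 0.0.0.255 any
access-list 102 permit ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
""")


def site_a_original(src_ip, dst_ip):
    """Original Router A: the site-to-site flow is PATed first and then no longer matches the crypto ACL."""
    return egress(src_ip, dst_ip, SITE_A_ORIGINAL["101"], SITE_A_ORIGINAL["101"], "172.18.12.1")


def router_b_suggested(src_ip, dst_ip):
    """Suggested Router B: site-to-site is exempt from NAT, hairpinned site A clients are PATed to the Internet."""
    return egress(src_ip, dst_ip, ROUTER_B_SUGGESTED["100"], ROUTER_B_SUGGESTED["102"], "172.18.12.2")


if __name__ == "__main__":
    print("site A -> site B, original lists:", site_a_original("10.1.11.10", "10.4.11.20"))
    print("site B -> site A, suggested lists:", router_b_suggested("10.4.11.20", "10.1.11.10"))
    print("site A client -> Internet via B:", router_b_suggested("10.1.11.10", "8.8.8.8"))
```

With the original single list, a 10.1.11.10 to 10.4.11.20 packet is translated to 172.18.12.1 and then fails the crypto match, which is exactly the "internet works but site B is unreachable" symptom reported earlier in the thread; with the leading deny in the NAT list the same flow stays untranslated and is encrypted, while a site A client bound for the Internet is translated on Router B and sent in the clear.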
04-27-2013 05:19 AM
Hi Maximilian,
My goal was that clients from site A should access the Internet from site B (B will be providing internet to site A), and as per your above-mentioned suggestion I have configured our routers as shown below.
I have configured a client machine in site A with its gateway set to 10.1.11.254, but it doesn't have internet access.
Router B:
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.18.12.1
!
!
crypto ipsec transform-set jaikalima esp-aes esp-sha-hmac
!
crypto map 2.ciscorouter.ao_to_1.ciscorouter.ao 10 ipsec-isakmp
set peer 172.18.12.1
set transform-set jaikalima
match address 102
reverse-route
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0
ip address 172.18.12.2 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map 2.ciscorouter.ao_to_1.ciscorouter.ao
!
interface GigabitEthernet0/1
ip address 10.4.11.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
router rip
version 2
network 10.0.0.0
network 61.0.0.0
!
ip default-gateway 172.18.12.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 172.18.12.x
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
!
access-list 100 deny ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
access-list 100 permit ip 10.4.11.0 0.0.0.255 any
access-list 100 permit ip 10.1.11.0 0.0.0.255 any
access-list 101 permit ip 10.1.11.0 0.0.0.255 any
access-list 102 permit ip 10.4.11.0 0.0.0.255 10.1.11.0 0.0.0.255
!
!
!
!
route-map VPNPolicy permit 10
match ip address 101
set ip next-hop 192.168.10.1
!
Router A :
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 172.18.12.2
!
!
crypto ipsec transform-set jaikalima esp-aes esp-sha-hmac
!
crypto map 1.ciscorouter.ao_to_2.ciscorouter.ao 10 ipsec-isakmp
set peer 172.18.12.2
set transform-set jaikalima
match address 102
reverse-route
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 172.18.12.2 255.255.255.224
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map 1.ciscorouter.ao_to_2.ciscorouter.ao
!
interface GigabitEthernet0/1
ip address 10.1.11.254 255.255.255.0
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
!
ip default-gateway 172.18.12.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 172.18.12.x
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
!
access-list 102 permit ip 10.1.11.0 0.0.0.255 10.4.11.0 0.0.0.255
access-list 102 permit ip any any
!
!
!
!
route-map nonet permit 10
match ip address 150
04-29-2013 04:26 AM
Hi Maximilian,
Can you give me some reference example links from which I can get some help to solve the problem that I am facing?
Actually I need to solve this problem as soon as possible.
Waiting for your quick reply.