Site-2-Site VPN on Cisco routers

egyptology (Level 1)

Hi,

I'm a newbie and I would like to configure IPsec/IKE between two Cisco routers. Both routers are connected to the internet.

Here is a model of the physical/IP setup:

LAN <-> Router <-Priv IP-> Modem <-Internet-> Modem <-Priv IP-> Router <-> LAN

No upstream device here.

My objectives:

- Set up a tunnel between the LANs on the two sides
- HQ users need internet access

- Would you please tell me what these configurations lack?
- Which interface can be assigned the public IP?

Both routers' configs:

HQ:

! Phase 1 (IKE/ISAKMP) policy; both peers must have a matching policy.
! 3DES/MD5/group 2 are legacy choices, kept here as posted.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
! Pre-shared key (literally "key") for the branch peer
crypto isakmp key key address 41.23.50.1
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set set esp-aes esp-md5-hmac
!
! Crypto map: peer, transform set, and the ACL selecting LAN-to-LAN traffic
crypto map map 1 ipsec-isakmp
 set peer 41.23.50.1
 set transform-set set
 match address 101
!
interface FastEthernet0/0
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
! Parent serial interface carries no IP address
interface Serial1/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no dce-terminal-timing-enable
!
! L3 point-to-point subinterface facing the ISP; the crypto map is applied here
interface Serial1/0.16 point-to-point
 description CSU-DSU
 ip address 172.17.50.1 255.255.255.252
 frame-relay interface-dlci 16
 crypto map map
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
no ip http server
no ip http secure-server
!
! Default route as posted, pointing at the parent interface rather than the L3 subinterface
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
! Interesting traffic for the tunnel: HQ LAN to branch LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
no cdp log mismatch duplex
!

Branch:

! Phase 1 (IKE/ISAKMP) policy; must match the HQ policy
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
! Pre-shared key (literally "key") for the HQ peer
crypto isakmp key key address 197.80.22.51
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set set esp-aes esp-md5-hmac
!
! Crypto map: peer, transform set, and the ACL selecting LAN-to-LAN traffic
crypto map map 1 ipsec-isakmp
 set peer 197.80.22.51
 set transform-set set
 match address 101
!
interface FastEthernet0/0
 description inside LAN
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
! Parent serial interface carries no IP address
interface Serial1/0
 no ip address
 encapsulation frame-relay
 serial restart-delay 0
 no dce-terminal-timing-enable
!
! L3 point-to-point subinterface facing the ISP; the crypto map is applied here
interface Serial1/0.16 point-to-point
 description CSU-DSU
 ip address 172.16.14.1 255.255.255.252
 frame-relay interface-dlci 16
 crypto map map
!
interface Serial1/1
 no ip address
 shutdown
 serial restart-delay 0
 no dce-terminal-timing-enable
!
no ip http server
no ip http secure-server
!
! Default route as posted, pointing at the parent interface rather than the L3 subinterface
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
! Interesting traffic for the tunnel: branch LAN to HQ LAN (mirror of the HQ ACL)
access-list 101 permit ip 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
no cdp log mismatch duplex
!

Thanks

7 Replies

Mohamed Sobair (Level 7)

You need to route traffic through an L3 interface; an interface without an L3 IP address doesn't process any packets.

The default route on both routers should be corrected as follows:

ip route 0.0.0.0 0.0.0.0 Serial1/0.16

Regards,

Mohamed

Thanks Mohamed, you're right, the route must be corrected.

But I really don't know where to assign my public IP to terminate the VPN traffic, as there is no upstream device, just:

L2 Switch --> Router ----> Modem

Do I have to get an L3 switch instead of the current L2 one?

Thanks for any assistance

You need to assign your public IPs to the router WAN in order to establish the IPsec tunnel.

Regards,

Mohamed

The ISP uses frame relay, so the WAN connection uses private addresses; I think I have to get an upstream device, right?

Thanks Mohamed, I configured the serial interface with the public IP address and a secondary IP address from the ISP's private subnet.

You will need to assign a public IP address to one of the interfaces on the router, as Mohamed Sobair said.

If you have more than two VLANs then you can use the technique called router-on-a-stick, so that you can use the L2 switch connected to the router.

I tried router-on-a-stick, but a crypto map can't be applied to an interface with dot1q encapsulation.
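As an added worked example, not from the original poster or any of the replies, here is an HQ-side configuration that applies the points raised in this thread and goes one step further on the second objective: the default route points at the L3 subinterface, the public address is held where the router can source IKE from it, and HQ users get internet access through NAT overload while the LAN-to-LAN traffic is exempted from NAT so it reaches the crypto map untranslated. Assumptions: 197.80.22.51 is the HQ public address (the branch config already peers with it) and the ISP routes it to this router over the frame-relay link, so it can live on a loopback; the IOS release supports AES-256, SHA-256 and DH group 14; STRONG-PSK is a placeholder to replace; the crypto map, transform set and ACL names (VPN-MAP, TS-AES, VPN-TRAFFIC, NAT-INSIDE) are chosen here and are not the poster's. The branch side mirrors this with the addresses swapped.

```cisco
! Added example: HQ side only. Assumed addressing is described in the lead-in.
!
! Phase 1: AES-256 / SHA-256 / DH group 14 instead of 3DES / MD5 / group 2
! (assumes an IOS release that supports them; both peers must match).
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
! STRONG-PSK is a placeholder; use a long random key, identical on both peers.
crypto isakmp key STRONG-PSK address 41.23.50.1
!
! Phase 2 transform set
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
!
! Assumed: the public address sits on a loopback that the ISP routes to us, so
! IKE and ESP are sourced from it regardless of the ISP's private WAN addressing.
interface Loopback0
 ip address 197.80.22.51 255.255.255.255
!
crypto map VPN-MAP local-address Loopback0
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 41.23.50.1
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 description inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
! The crypto map goes on the L3 subinterface the traffic actually leaves through.
interface Serial1/0.16 point-to-point
 description CSU-DSU
 ip address 172.17.50.1 255.255.255.252
 frame-relay interface-dlci 16
 ip nat outside
 crypto map VPN-MAP
!
! Default route via the L3 subinterface, not the parent interface.
ip route 0.0.0.0 0.0.0.0 Serial1/0.16
!
! Traffic to encrypt: HQ LAN to branch LAN.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
! Internet access for HQ users: PAT behind the public address. The LAN-to-LAN
! traffic is denied here so it is not translated before the crypto map sees it.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Loopback0 overload
```

To check it, send traffic from the HQ LAN to the branch LAN and then run `show crypto isakmp sa` (the peer pair should be in QM_IDLE), `show crypto ipsec sa` (encaps/decaps counters should increase) and `show ip nat translations` (no entries with 172.16.1.0/24 destinations should appear). If the public address is instead placed directly on the serial subinterface with the ISP's private address as a secondary, as the poster did, the public one must be the primary address: without `local-address`, IKE is sourced from the primary address of the egress interface.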