VPN Between two CISCO 877 Routers

simonsellen
Level 1

Hi,

Trying to set up a very simple IPSec VPN connection from my Head Office to a couple of remote sites. I want to use CISCO 877 Routers both at head office and at each remote location. This means the head office 877 needs to be set up for multiple VPNs. I already have the CISCO 877 at both ends working as ADSL routers. Does anyone have a simple configuration that works or can point me in the right direction? I did look at the CISCO manuals and there is mostly good stuff in there but a few things I think are not very clear and therefore confusing.

Thanks very much,

Simon

8 Replies

Jeff Van Houten
Level 5

Doc Id 41940 is a good reference for DMVPN.

Sent from Cisco Technical Support iPad App

johnlloyd_13
Level 9

Hi,

I've encountered this article about DVTI while studying for my CCNP SECURE. I was able to lab it flawlessly using a couple of our 877s and ran OSPF.

You can use a hub-and-spoke topology and run dynamic routing protocols. Make sure you've got a K9 IOS image.


Sent from Cisco Technical Support iPhone App

Hello, below is the sample configuration for Head Office and Branch Office (hub and spoke).

Head Office:

hostname HEADOFFICE-RTR
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xyz@key address X.X.X.X no-xauth
!
! ESP with single DES and no ESP integrity algorithm (weak by today's standards)
crypto ipsec transform-set encrypt-des esp-des
!
crypto map vpn 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set encrypt-des
 match address 100
!
interface ATM0
 description ADSL Connected to ISP
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Vlan1
 description Head Office LAN
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! The PPPoE settings of Dialer0 (negotiated address, dialer pool 1, PPP authentication) are omitted in this sample
interface Dialer0
 ! added: NAT overload below needs an outside interface
 ip nat outside
 crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source list 101 interface Dialer0 overload
!
! ACL 100 selects the traffic to encrypt; ACL 101 exempts that same traffic from NAT
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Branch Office:

hostname BRANCH-RTR
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xyz@key address Y.Y.Y.Y no-xauth
!
! ESP with single DES and no ESP integrity algorithm (weak by today's standards)
crypto ipsec transform-set encrypt-des esp-des
!
crypto map vpn 10 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set encrypt-des
 match address 100
!
interface ATM0
 description ADSL Connected to ISP
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/35
  pppoe-client dial-pool-number 1
!
interface Vlan1
 description Head Office LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
! The PPPoE settings of Dialer0 (negotiated address, dialer pool 1, PPP authentication) are omitted in this sample
interface Dialer0
 ! added: NAT overload below needs an outside interface
 ip nat outside
 crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip nat inside source list 101 interface Dialer0 overload
!
! ACL 100 selects the traffic to encrypt; ACL 101 exempts that same traffic from NAT
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any

HTH

Hello ,

You will find the topology of DMVPN in the attached .zip file using GNS3, with two Spokes and a Hub.

Thank you very much for your replies, most helpful even though it is not working yet.

I don't understand this line:

crypto isakmp key xyz@key address X.X.X.X no-xauth

What do I set for the IP address? In the recommended article, Doc Id 41940, it has 0.0.0.0 as the IP address.

Also, what would I have to do to add more than one spoke on the hub?

Thanks,

Simon

Here is the configuration for the SPOKE:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SPOKE
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxx
!
no aaa new-model
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.254
!
ip dhcp pool DHCP_POOL
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 87.194.255.154 87.194.255.155 8.8.8.8
   default-router 192.168.2.254
!
ip name-server 87.194.255.154
ip name-server 87.194.255.155
ip name-server 8.8.8.8
!
username xxxxx
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxxxx address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto map vpnmap1 local-address ATM0.1
crypto map vpnmap1 10 ipsec-isakmp
 set peer 94.193.xx.xxx
 set transform-set trans2
 match address 101
!
archive
 log config
  hidekeys
!
bridge irb
!
interface Tunnel10
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 delay 1000
 tunnel source ATM0.1
 tunnel destination 94.193.xx.xxx
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
 description Link to BE
 ip address 188.220.xx.xx 255.255.248.0
 ip nat outside
 ip virtual-reassembly
 atm route-bridged ip
 pvc 0/101
  encapsulation aal5snap
 !
 crypto map vpnmap1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 description Local LAN
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 188.220.xx.xx
ip route 192.168.1.0 255.255.255.0 Tunnel10
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source static tcp 192.168.2.250 22 interface ATM0.1 22
ip nat inside source static tcp 192.168.2.250 21 interface ATM0.1 21
ip nat inside source static tcp 192.168.2.250 20 interface ATM0.1 20
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 101 permit gre host 188.200.xx.xx host 94.193.xx.xxx
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0
 password xxx
 login
line vty 1 4
 login
!
scheduler max-task-time 5000
end

Can anyone see what the problem is?

On the hub the 0.0.0.0 address indicates that you will accept connections from any external DMVPN client that presents the proper authentication credentials.

Sent from Cisco Technical Support iPad App

oh ok, thanks for this, makes sense. On the hub I now have this configuration:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HUB
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3208576596
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3208576596
 revocation-check none
 rsakeypair TP-self-signed-3208576596
!
crypto pki certificate chain TP-self-signed-3208576596
 certificate self-signed 01 nvram:IOS-Self-Sig#3.cer
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
ip dhcp pool DHCP_POOL
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 87.194.255.154 87.194.255.155 8.8.8.8
   default-router 192.168.1.254
!
ip domain name yourdomain.com
ip name-server 87.194.255.154
ip name-server 87.194.255.155
ip name-server 8.8.8.8
!
username xxxx privilege 15 secret xxxxx
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key ciscotest address 188.220.xx.xx
!
crypto ipsec transform-set trans2 esp-des esp-md5-hmac
 mode transport
!
crypto map vpnmap1 local-address ATM0.1
crypto map vpnmap1 10 ipsec-isakmp
 set peer 188.220.xx.xx
 set transform-set trans2
 match address 101
!
archive
 log config
  hidekeys
!
bridge irb
!
interface Tunnel1
 bandwidth 1000
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 delay 1000
 tunnel source ATM0.1
 tunnel destination 188.220.xx.xx
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
 description Link to BE
 ip address 94.193.xx.xxx 255.255.254.0
 ip nat outside
 ip virtual-reassembly
 atm route-bridged ip
 pvc 0/101
 !
 crypto map vpnmap1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description my local range
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 94.193.xx.xx
ip route 192.168.2.0 255.255.255.0 Tunnel1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface ATM0.1 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit gre host 94.193.xx.xxx host 188.220.xx.xx
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Also, I think you need to read through the entire document. It looks like you've got old-style point-to-point IPSec commands in there. There's no NHRP at all, the tunnel config doesn't look right, etc.

Sent from Cisco Technical Support iPad App
