06-04-2015 12:47 PM - edited 03-05-2019 01:37 AM
Hello All,
Trying to set up Site to Site VPN using 3825 to 2801
I am a complete noob to VPN. I have some understanding of Networking and Switching (CCENT)
I am trying to set up a Site-to-Site VPN connection from one testbed gateway to another within a lab environment
Here are the configs of router 1
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 6 vpnkey address 172.100.100.3
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpnset esp-aes 256 esp-sha-hmac
!
!
crypto map vpnset 10 ipsec-isakmp
set peer 172.100.100.3
set transform-set vpnset
match address 100
!
!
!
!
!
interface GigabitEthernet0/0
ip address 172.100.100.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
ntp broadcast client
crypto map vpnset
!
interface GigabitEthernet0/1
ip address 172.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map vpnset
!
interface GigabitEthernet0/1.1
description Data VLAN2
encapsulation dot1Q 2
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.2
description Voice VLAN3
encapsulation dot1Q 3
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/1.3
description Office
encapsulation dot1Q 4
ip address 20.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Integrated-Service-Engine1/0
no ip address
shutdown
no keepalive
!
ip default-gateway 172.100.100.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.100.100.1
!
!
no ip http server
no ip http secure-server
ip nat source static tcp 192.168.0.4 902 172.100.100.2 1008 extendable
ip nat inside source list NAT_ADDRESSES interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.4 22 interface GigabitEthernet0/0 1006
ip nat inside source static tcp 192.168.0.5 3389 172.100.100.2 1003 extendable
ip nat inside source static tcp 192.168.0.50 3389 172.100.100.2 1004 extendable
ip nat inside source static tcp 192.168.0.6 22 172.100.100.2 1005 extendable
ip nat inside source static tcp 192.168.0.4 443 172.100.100.2 1007 extendable
!
ip access-list standard NAT_ADDRESSES
permit 192.168.0.0 0.0.0.255
permit 10.0.0.0 0.0.0.255
permit 20.0.0.0 0.0.0.255
!
access-list 100 permit ip 172.0.0.0 0.0.0.255 172.0.1.0 0.0.0.255
==================================
Configs for router 2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 6 vpnkey address 172.100.100.2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set vpnset esp-aes 256 esp-sha-hmac
!
!
crypto map vpnset 10 ipsec-isakmp
set peer 172.100.100.2
set transform-set vpnset
match address 100
!
!
!
!
interface FastEthernet0/0
ip address 172.100.100.3 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 172.0.1.1 255.255.255.0
duplex auto
speed auto
no vrrp 1 preempt
crypto map vpnset
!
interface FastEthernet0/1.1
encapsulation dot1Q 2
ip address 1.1.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly
vrrp 2 description MAIN-OFFICE
vrrp 2 ip 1.1.1.1
no vrrp 2 preempt
!
interface FastEthernet0/1.2
encapsulation dot1Q 3
ip address 2.2.2.2 255.255.255.0
ip nat inside
ip virtual-reassembly
vrrp 3 description MARKETING
vrrp 3 ip 2.2.2.1
no vrrp 3 preempt
!
interface FastEthernet0/1.3
encapsulation dot1Q 4
ip address 3.3.3.2 255.255.255.0
ip nat inside
ip virtual-reassembly
vrrp 4 description CUSTSERV
vrrp 4 ip 3.3.3.1
no vrrp 4 preempt
!
ip default-gateway 172.100.100.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.100.100.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT_ADDRESSES interface FastEthernet0/0 overload
ip nat inside source static tcp 1.1.1.20 443 172.100.100.3 1001 extendable
ip nat inside source static tcp 1.1.1.50 443 172.100.100.3 1002 extendable
!
ip access-list standard NAT_ADDRESSES
permit 1.1.1.0 0.0.0.255
permit 2.2.2.0 0.0.0.255
permit 3.3.3.0 0.0.0.255
!
access-list 100 permit ip 172.0.1.0 0.0.0.255 172.0.0.0 0.0.0.255
================================================
At this point I am stumped. The two routers share a gateway (172.100.100.1) that goes out to the internet
Routers can ping each other, but I cannot ping the subnets on the subinterfaces unless I add a specific route (1.1.1.0 255.255.255.0 172.100.100.2 for example)
Here is the "show crypto isakmp sa" output for each router:
R1
R1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
IPv6 Crypto ISAKMP SA
R2
R2#sh crypto isakmp sa
dst src state conn-id slot status
R1 is a 3825
R2 is a 2801
Any advice will be greatly appreciated. Thank you!
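As an added example (not part of the original post, and not a Cisco tool), here is a small Python script that lints a pair of site-to-site configs for the things a reviewer would check first: that the crypto map sits on the NAT-outside interface and nowhere else, that each `set peer` is the other router's outside address, that the two crypto ACLs mirror each other, and that every LAN behind each router actually falls inside its crypto ACL (traffic that does not match the ACL is never encrypted, so it leaves the box as plain routed or NATed traffic). The embedded configs are trimmed copies of the two posted above with IOS indentation restored; the parser relies on that indentation, and the check names and messages are this script's own.

```python
import ipaddress
import re

# Trimmed copies of the two configs in the post (indentation restored).
R1 = """crypto map vpnset 10 ipsec-isakmp
 set peer 172.100.100.3
 match address 100
interface GigabitEthernet0/0
 ip address 172.100.100.2 255.255.255.0
 ip nat outside
 crypto map vpnset
interface GigabitEthernet0/1
 ip address 172.0.0.1 255.255.255.0
 ip nat inside
 crypto map vpnset
interface GigabitEthernet0/1.1
 ip address 192.168.0.1 255.255.255.0
access-list 100 permit ip 172.0.0.0 0.0.0.255 172.0.1.0 0.0.0.255
"""
R2 = """crypto map vpnset 10 ipsec-isakmp
 set peer 172.100.100.2
 match address 100
interface FastEthernet0/0
 ip address 172.100.100.3 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 ip address 172.0.1.1 255.255.255.0
 crypto map vpnset
interface FastEthernet0/1.1
 ip address 1.1.1.2 255.255.255.0
access-list 100 permit ip 172.0.1.0 0.0.0.255 172.0.0.0 0.0.0.255
"""

def parse(cfg):
    """Group an IOS config into {header line: [indented sub-lines]}; '!' separators are dropped."""
    blocks, cur = {}, None
    for raw in cfg.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and cur is not None:
            blocks[cur].append(raw.strip())
        else:
            cur = raw.strip()
            blocks[cur] = []
    return blocks

def wc_to_net(addr, wildcard):
    """IOS address + wildcard (inverted mask) -> network object."""
    ones = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def interfaces(blocks):
    """Per interface: address, network, whether it is NAT-outside, and the crypto map name."""
    out = {}
    for hdr, lines in blocks.items():
        if not hdr.startswith("interface "):
            continue
        i = {"addr": None, "net": None, "outside": False, "map": None}
        for line in lines:
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:
                i["addr"] = ipaddress.ip_address(m[1])
                i["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif line == "ip nat outside":
                i["outside"] = True
            elif line.startswith("crypto map "):
                i["map"] = line.split()[2]
        out[hdr.split()[1]] = i
    return out

def crypto_map(blocks):
    """Name, peer and crypto ACL number of the first ipsec-isakmp crypto map entry."""
    for hdr, lines in blocks.items():
        if hdr.startswith("crypto map ") and hdr.endswith("ipsec-isakmp"):
            kv = dict(line.rsplit(" ", 1) for line in lines)  # "set peer" -> addr, ...
            return {"name": hdr.split()[2], "peer": ipaddress.ip_address(kv["set peer"]),
                    "acl": kv["match address"]}

def crypto_acl(blocks, number):
    """Set of (source, destination) networks permitted by an extended numbered ACL."""
    pat = re.compile(rf"access-list {number} permit ip (\S+) (\S+) (\S+) (\S+)$")
    return {(wc_to_net(m[1], m[2]), wc_to_net(m[3], m[4])) for m in map(pat.match, blocks) if m}

def lint(local, remote):
    """Return the list of findings for one router, checked against its peer's config."""
    lb, rb = parse(local), parse(remote)
    ifs, rifs = interfaces(lb), interfaces(rb)
    cm, rcm = crypto_map(lb), crypto_map(rb)
    f = []
    # 1. the crypto map belongs on the NAT-outside (WAN) interface, and only there
    for n, i in ifs.items():
        if i["outside"] and i["map"] != cm["name"]:
            f.append(f"crypto map {cm['name']} is not applied on outside interface {n}")
        if i["map"] and not i["outside"]:
            f.append(f"crypto map {i['map']} is applied on non-outside interface {n}")
    # 2. 'set peer' must be the remote router's outside address
    if cm["peer"] not in {i["addr"] for i in rifs.values() if i["outside"]}:
        f.append(f"peer {cm['peer']} is not the remote outside address")
    # 3. the crypto ACL must be the mirror image of the remote crypto ACL
    mine, theirs = crypto_acl(lb, cm["acl"]), crypto_acl(rb, rcm["acl"])
    if mine != {(d, s) for s, d in theirs}:
        f.append("crypto ACL does not mirror the remote crypto ACL")
    # 4. every non-outside LAN must be a source in the crypto ACL, or it is never encrypted
    for n, i in ifs.items():
        if i["net"] and not i["outside"] and not any(i["net"].subnet_of(s) for s, _ in mine):
            f.append(f"LAN {i['net']} on {n} is not interesting traffic for ACL {cm['acl']}")
    return f

if __name__ == "__main__":
    for name, a, b in (("R1", R1, R2), ("R2", R2, R1)):
        print(name, *lint(a, b), sep="\n  ")
```

Run against the two trimmed configs, the script reports for R1 that the crypto map is also applied on GigabitEthernet0/1 and that 192.168.0.0/24 is outside ACL 100, and for R2 that FastEthernet0/0 carries no crypto map, that FastEthernet0/1 does, and that 1.1.1.0/24 is outside ACL 100; the peer addresses and the ACL mirror check pass. Check 4 only tests whether a LAN is covered by the crypto ACL; whether the overload NAT rule also has to be told to skip that traffic is a separate question this script does not answer.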