cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

1729
Views
0
Helpful
1
Replies
Highlighted
Beginner

Configure Point-to-point VPN

Dear experts, I don't know where to start with this but here it goes:

I am implementing a point-to-point VPN tunnel from HQ to site office (which is server-less). Site-office clients get IPs from DHCP server in HQ. HQ has provision a DHCP range for site office and created a new VLAN for this range. Both routers are running on IOS C881-K9 image with basic routing (RIP). Below is the generic setup:

HQ (Servers + VLAN # + DHCP) -> Cisco 881 Router -> Internet Cloud <- Cisco 881 Router <- Cisco 2960

Clients from site office wants to access server information in HQ. What are the configurations to take note of? Should I use SDM?

Everyone's tags (6)
1 ACCEPTED SOLUTION

Accepted Solutions
Engager

Re: Configure Point-to-point VPN

Hello Marcus.

Im not an expert in VPN's but I know some basics. I've done a little lab and hope that it helps you out.

Some might think I've gone OTT but i've created a VPN and inside the VPN I have a GRE tunnel to pass though my LAN traffic. I'm not too comfortable with doing LAN to LAN VPN, but maybe some else could explain. Anyway I've acheived the same thing with this method.

Makes sense - and plus, it works. I also created an OSPF adjacency within the GRE tunnel so i can learn routes etc... but you can enable RIP here if you wanted. This may help when you have DHCP server in a different address range that is not local when you specify ip helper-address command.

R1#show run

Building configuration...

Current configuration : 1287 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key ciscokey address 100.0.0.2

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

set peer 100.0.0.2

set transform-set myset

match address 101

!

interface Loopback1

ip address 10.0.0.1 255.255.255.255

!

interface Tunnel1

ip address 192.168.1.1 255.255.255.252

ip ospf network point-to-point

ip ospf 1 area 0

tunnel source Loopback1

tunnel destination 20.0.0.1

!

interface FastEthernet0/0

ip address 100.0.0.1 255.255.255.252

duplex auto

speed auto

crypto map myvpn

!

router ospf 1

log-adjacency-changes

!

ip forward-protocol nd

ip route 20.0.0.1 255.255.255.255 100.0.0.2

!

access-list 101 permit ip any any

=======================================

R2#show run

Building configuration...

Current configuration : 1287 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key ciscokey address 100.0.0.1

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

set peer 100.0.0.1

set transform-set myset

match address 101

!

interface Loopback1

ip address 20.0.0.1 255.255.255.255

!

interface Tunnel1

ip address 192.168.1.2 255.255.255.252

ip ospf network point-to-point

ip ospf 1 area 0

tunnel source Loopback1

tunnel destination 10.0.0.1

!

interface FastEthernet0/0

ip address 100.0.0.2 255.255.255.252

duplex auto

speed auto

crypto map myvpn

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

router ospf 1

log-adjacency-changes

!

ip forward-protocol nd

ip route 10.0.0.1 255.255.255.255 100.0.0.1

!

access-list 101 permit ip any any

=======================================================

Verification of VPN

R1#show crypto sess

Crypto session current status

Interface: FastEthernet0/0

Session status: UP-ACTIVE    

Peer: 100.0.0.2 port 500

  IKE SA: local 100.0.0.1/500 remote 100.0.0.2/500 Active

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0

        Active SAs: 2, origin: crypto map

R2#show crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: UP-ACTIVE    

Peer: 100.0.0.1 port 500

  IKE SA: local 100.0.0.2/500 remote 100.0.0.1/500 Active

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0

        Active SAs: 2, origin: crypto map

=======================================================

Verification of Tunnel interfaces and OSPF adjacency

R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface

20.0.0.1          0   FULL/  -        00:00:34    192.168.1.2     Tunnel1

R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface

10.0.0.1          0   FULL/  -        00:00:31    192.168.1.1     Tunnel1

So I have my initial IPSEC VPN. And within that I have a GRE tunnel to provide my LAN to LAN connectivity. Therefor anything running within the VPN here is encrypted.

All you need to do here is make sure your routes are advertised, be it static routing or dynamic routing protocol via GRE tunnel interface.

i.e. ip route x.x.x.x x.x.x.x tunnel 1

or

router rip

version 2

network

network

Then you can advertise out your internal routes be it redistribution or some other method.

HQ (Servers + VLAN # + DHCP) -> Cisco 881 Router -> Internet Cloud <- Cisco 881 Router <- Cisco 2960

As long as your 881 router (in bold) knows the routes to internal network via tunnel interface it should be good.

Where your 881 router is connected to your 2960, your LAN interface should specify the ip helper address and specify the DHCP server IP. Please ensure you have routes towards this DHCP server.

Or even consider configuring a DHCP server on the 881 router local to your site office?

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

1 REPLY 1
Engager

Re: Configure Point-to-point VPN

Hello Marcus.

Im not an expert in VPN's but I know some basics. I've done a little lab and hope that it helps you out.

Some might think I've gone OTT but i've created a VPN and inside the VPN I have a GRE tunnel to pass though my LAN traffic. I'm not too comfortable with doing LAN to LAN VPN, but maybe some else could explain. Anyway I've acheived the same thing with this method.

Makes sense - and plus, it works. I also created an OSPF adjacency within the GRE tunnel so i can learn routes etc... but you can enable RIP here if you wanted. This may help when you have DHCP server in a different address range that is not local when you specify ip helper-address command.

R1#show run

Building configuration...

Current configuration : 1287 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key ciscokey address 100.0.0.2

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

set peer 100.0.0.2

set transform-set myset

match address 101

!

interface Loopback1

ip address 10.0.0.1 255.255.255.255

!

interface Tunnel1

ip address 192.168.1.1 255.255.255.252

ip ospf network point-to-point

ip ospf 1 area 0

tunnel source Loopback1

tunnel destination 20.0.0.1

!

interface FastEthernet0/0

ip address 100.0.0.1 255.255.255.252

duplex auto

speed auto

crypto map myvpn

!

router ospf 1

log-adjacency-changes

!

ip forward-protocol nd

ip route 20.0.0.1 255.255.255.255 100.0.0.2

!

access-list 101 permit ip any any

=======================================

R2#show run

Building configuration...

Current configuration : 1287 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R2

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

memory-size iomem 5

ip cef

!

!

crypto isakmp policy 10

authentication pre-share

crypto isakmp key ciscokey address 100.0.0.1

!

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

!

crypto map myvpn 10 ipsec-isakmp

set peer 100.0.0.1

set transform-set myset

match address 101

!

interface Loopback1

ip address 20.0.0.1 255.255.255.255

!

interface Tunnel1

ip address 192.168.1.2 255.255.255.252

ip ospf network point-to-point

ip ospf 1 area 0

tunnel source Loopback1

tunnel destination 10.0.0.1

!

interface FastEthernet0/0

ip address 100.0.0.2 255.255.255.252

duplex auto

speed auto

crypto map myvpn

!

interface FastEthernet0/1

no ip address

shutdown

duplex auto

speed auto

!

router ospf 1

log-adjacency-changes

!

ip forward-protocol nd

ip route 10.0.0.1 255.255.255.255 100.0.0.1

!

access-list 101 permit ip any any

=======================================================

Verification of VPN

R1#show crypto sess

Crypto session current status

Interface: FastEthernet0/0

Session status: UP-ACTIVE    

Peer: 100.0.0.2 port 500

  IKE SA: local 100.0.0.1/500 remote 100.0.0.2/500 Active

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0

        Active SAs: 2, origin: crypto map

R2#show crypto session

Crypto session current status

Interface: FastEthernet0/0

Session status: UP-ACTIVE    

Peer: 100.0.0.1 port 500

  IKE SA: local 100.0.0.2/500 remote 100.0.0.1/500 Active

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0

        Active SAs: 2, origin: crypto map

=======================================================

Verification of Tunnel interfaces and OSPF adjacency

R1#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface

20.0.0.1          0   FULL/  -        00:00:34    192.168.1.2     Tunnel1

R2#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface

10.0.0.1          0   FULL/  -        00:00:31    192.168.1.1     Tunnel1

So I have my initial IPSEC VPN. And within that I have a GRE tunnel to provide my LAN to LAN connectivity. Therefor anything running within the VPN here is encrypted.

All you need to do here is make sure your routes are advertised, be it static routing or dynamic routing protocol via GRE tunnel interface.

i.e. ip route x.x.x.x x.x.x.x tunnel 1

or

router rip

version 2

network

network

Then you can advertise out your internal routes be it redistribution or some other method.

HQ (Servers + VLAN # + DHCP) -> Cisco 881 Router -> Internet Cloud <- Cisco 881 Router <- Cisco 2960

As long as your 881 router (in bold) knows the routes to internal network via tunnel interface it should be good.

Where your 881 router is connected to your 2960, your LAN interface should specify the ip helper address and specify the DHCP server IP. Please ensure you have routes towards this DHCP server.

Or even consider configuring a DHCP server on the 881 router local to your site office?

Hope this helps.

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

View solution in original post

CreatePlease to create content
Content for Community-Ad