05-05-2013 09:49 PM - edited 03-07-2019 01:11 PM
Dear experts, I don't know where to start with this but here it goes:
I am implementing a point-to-point VPN tunnel from HQ to a site office (which is server-less). Site-office clients get IPs from the DHCP server in HQ. HQ has provisioned a DHCP range for the site office and created a new VLAN for this range. Both routers are running the IOS C881-K9 image with basic routing (RIP). Below is the generic setup:
HQ (Servers + VLAN # + DHCP) -> Cisco 881 Router -> Internet Cloud <- Cisco 881 Router <- Cisco 2960
Clients from the site office want to access server information in HQ. What are the configurations to take note of? Should I use SDM?
05-06-2013 05:00 AM
Hello Marcus.
I'm not an expert in VPNs but I know some basics. I've done a little lab and hope that it helps you out.
Some might think I've gone OTT, but I've created a VPN and inside the VPN I have a GRE tunnel to pass through my LAN traffic. I'm not too comfortable with doing LAN-to-LAN VPN, but maybe someone else could explain. Anyway, I've achieved the same thing with this method.
Makes sense - and plus, it works. I also created an OSPF adjacency within the GRE tunnel so I can learn routes etc., but you can enable RIP here if you wanted. This may help when you have a DHCP server in a different address range that is not local when you specify the ip helper-address command.
R1#show run
Building configuration...
Current configuration : 1287 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 100.0.0.2
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 100.0.0.2
set transform-set myset
match address 101
!
interface Loopback1
ip address 10.0.0.1 255.255.255.255
!
interface Tunnel1
ip address 192.168.1.1 255.255.255.252
ip ospf network point-to-point
ip ospf 1 area 0
tunnel source Loopback1
tunnel destination 20.0.0.1
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.252
duplex auto
speed auto
crypto map myvpn
!
router ospf 1
log-adjacency-changes
!
ip forward-protocol nd
ip route 20.0.0.1 255.255.255.255 100.0.0.2
!
access-list 101 permit ip any any
=======================================
R2#show run
Building configuration...
Current configuration : 1287 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 100.0.0.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 100.0.0.1
set transform-set myset
match address 101
!
interface Loopback1
ip address 20.0.0.1 255.255.255.255
!
interface Tunnel1
ip address 192.168.1.2 255.255.255.252
ip ospf network point-to-point
ip ospf 1 area 0
tunnel source Loopback1
tunnel destination 10.0.0.1
!
interface FastEthernet0/0
ip address 100.0.0.2 255.255.255.252
duplex auto
speed auto
crypto map myvpn
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
router ospf 1
log-adjacency-changes
!
ip forward-protocol nd
ip route 10.0.0.1 255.255.255.255 100.0.0.1
!
access-list 101 permit ip any any
=======================================================
Verification of VPN
R1#show crypto sess
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 100.0.0.2 port 500
IKE SA: local 100.0.0.1/500 remote 100.0.0.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
R2#show crypto session
Crypto session current status
Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 100.0.0.1 port 500
IKE SA: local 100.0.0.2/500 remote 100.0.0.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
=======================================================
Verification of Tunnel interfaces and OSPF adjacency
R1#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
20.0.0.1 0 FULL/ - 00:00:34 192.168.1.2 Tunnel1
R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
10.0.0.1 0 FULL/ - 00:00:31 192.168.1.1 Tunnel1
So I have my initial IPsec VPN. And within that I have a GRE tunnel to provide my LAN-to-LAN connectivity. Therefore anything running within the VPN here is encrypted.
All you need to do here is make sure your routes are advertised, be it static routing or dynamic routing protocol via GRE tunnel interface.
i.e. ip route x.x.x.x x.x.x.x tunnel 1
or
router rip
version 2
network
network
Then you can advertise out your internal routes be it redistribution or some other method.
HQ (Servers + VLAN # + DHCP) -> Cisco 881 Router -> Internet Cloud <- Cisco 881 Router <- Cisco 2960
As long as your 881 router (in bold) knows the routes to internal network via tunnel interface it should be good.
Where your 881 router is connected to your 2960, your LAN interface should specify the ip helper address and specify the DHCP server IP. Please ensure you have routes towards this DHCP server.
Or even consider configuring a DHCP server on the 881 router local to your site office?
Hope this helps.
Please rate useful posts and remember to mark any solved questions as answered. Thank you.
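The lab above proves the concept (crypto map, a crypto ACL of permit ip any any, 3DES/MD5, a GRE tunnel between loopbacks, OSPF inside the tunnel). The following is an added example written for this page, not the poster's lab nor a Cisco-published configuration, showing how the same design maps onto the original question's two 881s with RIP: GRE over IPsec using tunnel protection (so only the GRE traffic is encrypted and no crypto ACL is needed), AES-256/SHA instead of 3DES/MD5, RIPv2 carried over the tunnel, ip helper-address on the site-office VLAN pointing at the HQ DHCP server, and the local DHCP pool alternative the answer mentions. Every address, hostname, VLAN number and the pre-shared-key placeholder is assumed: 198.51.100.10/24 and 203.0.113.20/24 as the public WAN addresses with the ISP gateways .1, 10.10.0.0/24 as the HQ server VLAN with the DHCP server at 10.10.0.5, 10.20.0.0/24 as the site-office scope, Fa4 as the 881 WAN port and Fa0 as the switchport facing the 2960. The HQ DHCP server must hold a scope for 10.20.0.0/24, since the relayed request arrives with giaddr 10.20.0.1.

```cisco
! ===== HQ-881 (assumed addressing, not from the original post) =====
hostname HQ-881
service password-encryption
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! Use a long random PSK; the peer is the site office's public address
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.20
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
! No crypto map / crypto ACL: the IPsec profile is bound to the tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
!
interface Tunnel0
 ip address 192.168.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel destination 203.0.113.20
 tunnel protection ipsec profile IPSEC-PROF
!
interface FastEthernet4
 ip address 198.51.100.10 255.255.255.0
!
interface Vlan10
 description HQ servers + DHCP (10.10.0.5)
 ip address 10.10.0.1 255.255.255.0
!
router rip
 version 2
 no auto-summary
 passive-interface Vlan10
 network 10.0.0.0
 network 192.168.1.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ===== SITE-881 (assumed addressing, not from the original post) =====
hostname SITE-881
service password-encryption
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
!
interface Tunnel0
 ip address 192.168.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet4
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile IPSEC-PROF
!
interface FastEthernet4
 ip address 203.0.113.20 255.255.255.0
!
interface FastEthernet0
 description uplink to the 2960
 switchport access vlan 20
!
interface Vlan20
 description site-office clients, scope 10.20.0.0/24
 ip address 10.20.0.1 255.255.255.0
 ! Relay DHCP to HQ; 10.10.0.5 is reached via Tunnel0 through the RIP route
 ip helper-address 10.10.0.5
!
router rip
 version 2
 no auto-summary
 passive-interface Vlan20
 network 10.0.0.0
 network 192.168.1.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Alternative to the helper-address: serve the scope locally on the 881
! (remove ip helper-address from Vlan20 if you use this)
! ip dhcp excluded-address 10.20.0.1 10.20.0.10
! ip dhcp pool SITE-OFFICE
!  network 10.20.0.0 255.255.255.0
!  default-router 10.20.0.1
!  dns-server 10.10.0.5
```

To verify, use the same commands the answer uses: show crypto session should report the tunnel peer as UP-ACTIVE, show ip route rip on each router should show the other side's LAN via Tunnel0, and on the site router show ip dhcp binding (local pool) or debug ip dhcp server packet on the HQ server side (relay) confirms leases. If the IKE SA never comes up, check that the ISP passes UDP/500 and ESP (IP protocol 50) and that the two PSKs and policies match exactly.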