
Configuring site-to-site VPN configuration between Cisco router 1941 and 4300 model

raffi.shaik
Level 1

Hi Mates,

I need to configure a site-to-site VPN between a 1941 router and a 4300 router.

Please help: can the VPN be supported on both of those models, or do I need to purchase a new router model?

Regards

Rafi

18 Replies

Hello,

With the right license (SEC) this shouldn't be a problem. Do you already have the routers? If so, post the configs so we can fill in the necessary bits and pieces...

Hi Georg,

Thanks for the reply. Please find the attached config file.

Regards

Rafi

Hi,

Any help?

Regards
Rafi

Sorry for the delay, I'll have a look...

Hi,

Thank you for your time.

Hello,

There are different ways to do this. Below is a sample configuration for a static VTI (which is easier to configure than crypto maps). See if you can get this to work:

1941

 

ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool LAN1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
lease 3
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TRANSFORM_SET
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.10.10.1
tunnel mode ipsec ipv4
tunnel destination 10.10.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to 4331
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router eigrp 1
network 0.0.0.0

 

4331

 

ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool LAN2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
lease 3
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TRANSFORM_SET
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.10.10.2
tunnel mode ipsec ipv4
tunnel destination 10.10.10.1
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN2
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to 1941
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router eigrp 1
network 0.0.0.0
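Before a sample like the one above goes onto production routers, its IKE and IPsec parameters are worth a review. The following is an added example, not part of the original post: a small audit over the posted crypto lines. The function name `audit_ios_crypto`, the weak-value lists, and the contrast configuration with its placeholder key are assumptions made for illustration.

```python
# Added example, not from the thread. POSTED_CRYPTO is constructed from the
# crypto lines of the 1941 configuration posted above.
POSTED_CRYPTO = """\
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
mode tunnel
"""

# Constructed contrast: stronger parameters and a key pinned to the one peer.
STRONGER_CRYPTO = """\
crypto isakmp policy 1
encr aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp key EXAMPLE-PLACEHOLDER-KEY address 10.10.10.2
!
crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac
mode tunnel
"""

WEAK_DH_GROUPS = {"1", "2", "5"}   # assumption: MODP groups under 2048 bits
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
POLICY_SUBCOMMANDS = {"encr", "encryption", "hash", "authentication", "group", "lifetime"}

def audit_ios_crypto(config):
    """Return (line_number, finding) pairs, in line order, for weak IKEv1/IPsec settings."""
    findings, in_policy = [], False
    for num, raw in enumerate(config.splitlines(), start=1):
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            in_policy = True
            continue
        # Stay inside the policy only while lines are policy subcommands.
        in_policy = in_policy and words[0] in POLICY_SUBCOMMANDS
        if in_policy and words[0] == "group" and words[-1] in WEAK_DH_GROUPS:
            findings.append((num, "weak Diffie-Hellman group " + words[-1]))
        elif words[:3] == ["crypto", "isakmp", "key"] and words[4:6] == ["address", "0.0.0.0"]:
            findings.append((num, "pre-shared key valid for any peer address"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [(num, "weak transform " + t) for t in words[4:] if t in WEAK_TRANSFORMS]
    return findings
```

On the posted lines it reports the DH group, the wildcard key address and the 3DES transform; the contrast configuration produces no findings.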

 

 

Hi,

Thanks for the above.

Sorry, I forgot to mention there is a live point-to-point connection between the two routers.
On the 1941 router we need to add a 3rd interface for the VPN connection.
Is this router compatible with adding the interface, and is an interface card presently available on the market?

Hello,

You don't need a different physical interface, you can use the existing point-to-point connection and configure the tunnel as an overlay...

Hi Georg,

I have one more question.

If the point-to-point link goes down, then the VPN also goes down, right?

Because there is no internet connection on the VPN.

Regards
Rafi

Hello,

Exactly, if the point-to-point goes down, the VPN goes down as well.

Can you post the output of 'show ver'?

Hi Georg,

Our requirement is that when the point-to-point link is down, the VPN will play the backup line role.

Please advise based on this.

Kindly find the show ver output.

Regards

Rafi

Hello,

An IP SLA would probably work best. I'll have a look and send a config over...

Hi,

Thanks for your valuable time. I'm waiting.

Hello,

Here are the configs. This is assuming that you are using different physical interfaces for the point-to-point link and the VPN backup link.

You need to use static routes instead of EIGRP. Also, I have added an IP SLA on both routers to automate the backup.

 

1941

 

version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1941
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool LAN1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
lease 3
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.10.10.1
tunnel mode ipsec ipv4
tunnel destination 10.10.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Primary Point-to-Point to 4331
ip address 100.100.100.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Backup VPN to 4331
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
!
ip sla auto discovery
ip sla 1
icmp-echo 100.100.100.2 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now


4331

 

version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 4331
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool LAN2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
lease 3
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.10.10.2
tunnel mode ipsec ipv4
tunnel destination 10.10.10.1
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Primary Point-to-Point Link to 1941
ip address 100.100.100.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Backup VPN to 1941
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.100.100.1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
!
ip sla auto discovery
ip sla 1
icmp-echo 100.100.100.1 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now
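
The failover in the configs above depends on two default routes: one tied to `track 1` and a floating one through `Tunnel0` with distance 200. The following is an added example, not part of the original post, that models which of the two is installed for each state of the IP SLA probe and whether that path is the IPsec tunnel. The function names are hypothetical, and treating any `Tunnel` next hop as IPsec-protected is an assumption that holds for the posted `Tunnel0` only.

```python
import re

# Constructed sample: the two static routes from the 1941 configuration above.
ROUTES_1941 = """\
ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
"""

ROUTE_RE = re.compile(
    r"^ip route (?P<prefix>\S+) (?P<mask>\S+) (?P<via>\S+)"
    r"(?: (?P<distance>\d+))?(?: track (?P<track>\d+))?$"
)

def parse_static_routes(config):
    """Parse 'ip route' lines into dicts with destination, next hop, distance, track."""
    routes = []
    for line in config.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append({
                "dest": (m["prefix"], m["mask"]),
                "via": m["via"],
                "distance": int(m["distance"] or 1),  # static routes default to distance 1
                "track": int(m["track"]) if m["track"] else None,
            })
    return routes

def active_route(routes, dest, track_up):
    """Withdraw routes whose track object is down, then prefer the lowest distance."""
    usable = [r for r in routes if r["dest"] == dest
              and (r["track"] is None or track_up.get(r["track"], False))]
    return min(usable, key=lambda r: r["distance"], default=None)

def default_path(config, sla_reachable):
    """Return the installed default route and whether it uses the tunnel."""
    route = active_route(parse_static_routes(config),
                         ("0.0.0.0", "0.0.0.0"), {1: sla_reachable})
    if route is None:
        return None
    # Assumption: a Tunnel next hop means the IPsec-protected Tunnel0 from the post.
    return {"via": route["via"], "ipsec": route["via"].startswith("Tunnel")}
```

With the probe succeeding, the default route points at 100.100.100.2 on the point-to-point link and the tunnel is not in the path; traffic is only carried inside IPsec after the tracked route is withdrawn.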
