04-26-2018 03:51 AM - edited 03-08-2019 02:48 PM
Hi Mates,
I need to configure a site-to-site VPN between a 1941 router and a 4300 router.
Please help: can both of these models support VPN, or do I need to purchase a new router model?
Regards
Rafi
04-26-2018 04:35 AM
Hello,
with the right license (SEC) this shouldn't be a problem. Do you already have the routers? If so, post the configs so we can fill in the necessary bits and pieces...
04-26-2018 04:43 AM
04-27-2018 01:50 AM
04-27-2018 01:52 AM
Sorry for the delay, I'll have a look...
04-27-2018 03:27 AM
04-27-2018 05:08 AM
Hello,
there are different ways to do this. Below is a sample configuration for a static VTI (which is easier to configure than crypto maps). See if you can get this to work:
1941
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool LAN1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
lease 3
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TRANSFORM_SET
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.10.10.1
tunnel mode ipsec ipv4
tunnel destination 10.10.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to 4331
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router eigrp 1
network 0.0.0.0
4331
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool LAN2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
lease 3
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TRANSFORM_SET
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.10.10.2
tunnel mode ipsec ipv4
tunnel destination 10.10.10.1
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN2
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to 1941
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router eigrp 1
network 0.0.0.0
04-27-2018 05:25 AM
04-27-2018 05:40 AM
Hello,
you don't need a different physical interface, you can use the existing point to point connection and configure the tunnel as an overlay...
04-27-2018 06:25 AM
04-27-2018 09:50 AM
Hello,
exactly, if the point to point goes down, the VPN goes down as well.
Can you post the output of 'show ver'?
04-30-2018 01:52 AM
04-30-2018 02:39 AM
Hello,
an IP SLA would probably work best. I'll have a look and send a config over...
04-30-2018 03:47 AM
04-30-2018 06:31 AM
Hello,
here are the configs. This is assuming that you are using different physical interfaces for the point to point link and the VPN backup link.
You need to use static routes instead of EIGRP. Also, I have added an IP SLA on both routers to automate the backup.
1941
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1941
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool LAN1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
lease 3
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.10.10.1
tunnel mode ipsec ipv4
tunnel destination 10.10.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Primary Point-to-Point to 4331
ip address 100.100.100.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Backup VPN to 4331
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
!
ip sla auto discovery
ip sla 1
icmp-echo 100.100.100.2 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now
4331
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 4331
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool LAN2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
lease 3
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.10.10.2
tunnel mode ipsec ipv4
tunnel destination 10.10.10.1
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Primary Point-to-Point Link to 1941
ip address 100.100.100.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Backup VPN to 1941
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.100.100.1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
!
ip sla auto discovery
ip sla 1
icmp-echo 100.100.100.1 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now
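An added example, not part of the original posts: a small Python check that flags the weaker crypto settings in the sample configs above (DH group 2, 3DES for ESP, and a pre-shared key bound to address 0.0.0.0) so they can be tightened before deployment. The rule names and the `audit` function are hypothetical, and the sample text is constructed from the crypto lines posted in the thread.

```python
import re

# Constructed sample: the crypto lines both routers share in the configs posted
# above, flattened (no indentation) the way they appear in the thread.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
"""

# Hypothetical rule table: (rule id, block the line must sit under, line regex, reason)
RULES = [
    ("weak-dh-group", "crypto isakmp policy", r"group (1|2|5)$",
     "DH group of 1536 bits or less; prefer group 14 or higher"),
    ("weak-ike-cipher", "crypto isakmp policy", r"encr (des|3des)$",
     "IKE phase 1 uses DES/3DES; prefer AES"),
    ("wildcard-psk", "crypto isakmp key", r".* address 0\.0\.0\.0( 0\.0\.0\.0)?$",
     "pre-shared key is valid for any peer; bind it to the peer address"),
    ("weak-esp-cipher", "crypto ipsec transform-set", r".*\besp-(des|3des)\b",
     "ESP uses DES/3DES; prefer esp-aes"),
]


def audit(config: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule id, reason) for each weak crypto setting."""
    findings, section = [], ""
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if line in ("", "!"):
            section = ""      # '!' closes the current block
            continue
        if line.startswith("crypto "):
            section = line    # a top-level crypto command opens a new block
        for rule_id, prefix, pattern, reason in RULES:
            if section.startswith(prefix) and re.match(pattern, line):
                findings.append((number, rule_id, reason))
    return findings


if __name__ == "__main__":
    for number, rule_id, reason in audit(SAMPLE_CONFIG):
        print(f"line {number}: {rule_id}: {reason}")
```

Block tracking relies on `!` separators and `crypto ` prefixes only, so it is meant for the crypto portion of a config like the ones in this thread rather than a full running-config.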