configuring site-site vpn configuration between cisco router 1941 and 4300 model

raffi.shaik · ‎04-26-2018

Hi Mates,

I need to configured site to site VPN between 1941 router and 4300 router.

Please help on is VPN can support those both models or need to purchase new model router.

Regards

Rafi

Georg Pauwen · ‎04-26-2018

Hello,

with the right license (SEC) this shouldn't be a problem. Do you already have the routers ? If so, post the configs so we can fill in the necessary bits and pieces...

raffi.shaik · ‎04-26-2018

Hi georg,

Thanks for reply. please find attached config file.

Regards

Rafi

raffi.shaik · ‎04-27-2018

Hi ,

Any help.

Regards
Rafi

Georg Pauwen · ‎04-27-2018

Sorry for the delay, I'll have a look...

raffi.shaik · ‎04-27-2018

Hi,

Thank you for your time.

Georg Pauwen · ‎04-27-2018

Hello,

there are different ways to do this. Below is a sample configuration for a static VTI (which is easier to configure than crypto maps). See if you can get this to work:

1941

ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool LAN1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
lease 3
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TRANSFORM_SET
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.10.10.1
tunnel mode ipsec ipv4
tunnel destination 10.10.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to 4331
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router eigrp 1
network 0.0.0.0

4331

ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool LAN2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
lease 3
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TRANSFORM_SET
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.10.10.2
tunnel mode ipsec ipv4
tunnel destination 10.10.10.1
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN2
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to 1941
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router eigrp 1
network 0.0.0.0

raffi.shaik · ‎04-27-2018

Hi ,

Thanks for above.

Sorry, I forgot to mentioned there is point to point connection between two routers live.
On 1941 router we need to add 3rd interface VPN connection.
Is this router compatible to add the interface and is interface card available on market present.

Georg Pauwen · ‎04-27-2018

Hello,

you don't need a different physical interface, you can use the existing point to point connection and configure the tunnel as an overlay...

raffi.shaik · ‎04-27-2018

Hi Georg,

I have one more question.

If point to point link down , then VPN also get down right.

Because there is no internet connection on VPN.

Regards
Rafi

Georg Pauwen · ‎04-27-2018

Hello,

exactly, of the point to point goes down, the VPN goes down as well.

Can you post the output of 'show ver' ?

raffi.shaik · ‎04-30-2018

Hi Georg,

Our requirement is when point to point link down then VPN will play backup line role.

Please advise based on this .

Kindly find the show ver output

Regards

Rafi

Georg Pauwen · ‎04-30-2018

Hello,

an IP SLA would probably work best. I'll have a look and send a config over...

raffi.shaik · ‎04-30-2018

Hi,

Thanks for your valuable time. i m waiting.

Georg Pauwen · ‎04-30-2018

Hello,

here are the configs. This is assuming that you are using different physical interfaces for the point to point link and the VPN backup link.

You need to use static routes instead of EIGRP. Also, I have added an IP SLA on both routers to automate the backup.

1941

version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1941
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool LAN1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
lease 3
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.10.10.1
tunnel mode ipsec ipv4
tunnel destination 10.10.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Primary Point-toPoint to 4331
ip address 100.100.100.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Backup VPN to 4331
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
!
ip sla auto discovery
ip sla 1
icmp-echo 100.100.100.2 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now

4331

version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 4331
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool LAN2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
lease 3
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.10.10.2
tunnel mode ipsec ipv4
tunnel destination 10.10.10.1
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Primary Point-to-Point Link to 1941
ip address 100.100.100.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Backup VPN to 1941
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.100.100.1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
!
ip sla auto discovery
ip sla 1
icmp-echo 100.100.100.1 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now