Configuring site-to-site VPN between Cisco router 1941 and 4300 model
04-26-2018 03:51 AM - edited 03-08-2019 02:48 PM
Hi Mates,
I need to configure a site-to-site VPN between a 1941 router and a 4300 router.
Please help: can both of those models support VPN, or do we need to purchase a new router model?
Regards
Rafi
04-26-2018 04:35 AM
Hello,
with the right license (SEC) this shouldn't be a problem. Do you already have the routers? If so, post the configs so we can fill in the necessary bits and pieces...
04-26-2018 04:43 AM
Hi georg,
Thanks for the reply. Please find the attached config file.
Regards
Rafi
04-27-2018 01:50 AM
Any help?
Regards
Rafi
04-27-2018 01:52 AM
Sorry for the delay, I'll have a look...
04-27-2018 03:27 AM
Thank you for your time.
04-27-2018 05:08 AM
Hello,
there are different ways to do this. Below is a sample configuration for a static VTI (which is easier to configure than crypto maps). See if you can get this to work:
1941
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool LAN1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
lease 3
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TRANSFORM_SET
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.10.10.1
tunnel mode ipsec ipv4
tunnel destination 10.10.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to 4331
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router eigrp 1
network 0.0.0.0
4331
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool LAN2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
lease 3
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TRANSFORM_SET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TRANSFORM_SET
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.10.10.2
tunnel mode ipsec ipv4
tunnel destination 10.10.10.1
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN2
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description to 1941
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
router eigrp 1
network 0.0.0.0
04-27-2018 05:25 AM
Thanks for the above.
Sorry, I forgot to mention there is a live point-to-point connection between the two routers.
On the 1941 router we need to add a 3rd interface for the VPN connection.
Is this router compatible with adding the interface, and is an interface card currently available on the market?
04-27-2018 05:40 AM
Hello,
you don't need a different physical interface, you can use the existing point to point connection and configure the tunnel as an overlay...
04-27-2018 06:25 AM
I have one more question.
If the point-to-point link goes down, then the VPN also goes down, right?
Because there is no internet connection on the VPN.
Regards
Rafi
04-27-2018 09:50 AM
Hello,
exactly, if the point to point goes down, the VPN goes down as well.
Can you post the output of 'show ver'?
04-30-2018 01:52 AM
Hi Georg,
Our requirement is that when the point-to-point link is down, the VPN will play the backup line role.
Please advise based on this.
Kindly find the show ver output.
Regards
Rafi
04-30-2018 02:39 AM
Hello,
an IP SLA would probably work best. I'll have a look and send a config over...
04-30-2018 03:47 AM
Thanks for your valuable time. I'm waiting.
04-30-2018 06:31 AM
Hello,
here are the configs. This is assuming that you are using different physical interfaces for the point to point link and the VPN backup link.
You need to use static routes instead of EIGRP. Also, I have added an IP SLA on both routers to automate the backup.
1941
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1941
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool LAN1
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
lease 3
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.1 255.255.255.0
tunnel source 10.10.10.1
tunnel mode ipsec ipv4
tunnel destination 10.10.10.2
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Primary Point-to-Point to 4331
ip address 100.100.100.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Backup VPN to 4331
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.100.100.2 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
!
ip sla auto discovery
ip sla 1
icmp-echo 100.100.100.2 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now
4331
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 4331
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ethernet lmi ce
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
no ip icmp rate-limit unreachable
!
ip dhcp excluded-address 192.168.20.1
!
ip dhcp pool LAN2
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
lease 3
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
no cdp log mismatch duplex
!
track 1 ip sla 1 reachability
!
ip tcp synwait-time 5
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set TS
!
interface Tunnel0
ip address 172.16.1.2 255.255.255.0
tunnel source 10.10.10.2
tunnel mode ipsec ipv4
tunnel destination 10.10.10.1
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0
description LAN Interface
ip address 192.168.20.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
description Primary Point-to-Point Link to 1941
ip address 100.100.100.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
description Backup VPN to 1941
ip address 10.10.10.2 255.255.255.252
duplex auto
speed auto
media-type rj45
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.100.100.1 track 1
ip route 0.0.0.0 0.0.0.0 Tunnel0 200
!
ip sla auto discovery
ip sla 1
icmp-echo 100.100.100.1 source-interface GigabitEthernet0/1
ip sla schedule 1 life forever start-time now
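
An added example, not part of the thread or of any poster's configuration: a small Python check run over the IKEv1/IPsec lines that both sample configurations above share, listing the settings to revisit before the tunnel carries production traffic (DH group 2, the implicit SHA-1 IKE hash, the pre-shared key bound to address 0.0.0.0, and the 3DES/SHA-1 transform set). The finding names and the choice of what counts as legacy are assumptions of this example.

```python
import re

# Crypto lines copied from the 1941 config posted in this thread.
THREAD_CONFIG = """\
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key ciscovpn address 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
"""

# What counts as "legacy" here is this example's own policy (an assumption).
LEGACY_DH = {"1", "2", "5"}  # MODP groups of 1536 bits or fewer
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac",
                     "ah-md5-hmac", "ah-sha-hmac"}
POLICY_SUB = re.compile(r"(encr|encryption|hash|authentication|group|lifetime)\s+(\S+)")


def audit(config):
    """Return (finding_id, detail) pairs for legacy IKEv1/IPsec settings."""
    findings, policy, hash_seen = [], None, False
    for line in [ln.strip() for ln in config.splitlines()] + ["!"]:  # "!" flushes
        sub = POLICY_SUB.match(line) if policy else None
        if policy and not sub:  # the ISAKMP policy stanza has ended
            if not hash_seen:  # no "hash" line: IOS defaults to SHA-1
                findings.append(("IKE_HASH_DEFAULT_SHA1", policy))
            policy = None
        if sub:
            key, value = sub.groups()
            hash_seen = hash_seen or key == "hash"
            if key.startswith("encr") and value in ("des", "3des"):
                findings.append(("IKE_LEGACY_CIPHER", line))
            elif key == "hash" and value in ("md5", "sha"):
                findings.append(("IKE_LEGACY_HASH", line))
            elif key == "group" and value in LEGACY_DH:
                findings.append(("IKE_LEGACY_DH_GROUP", line))
        elif line.startswith("crypto isakmp policy "):
            policy, hash_seen = line, False
        elif re.match(r"crypto isakmp key .+ address 0\.0\.0\.0\b", line):
            # Wildcard peer: any address may authenticate with this key.
            redacted = re.sub(r"(key )\S+", r"\1<redacted>", line, count=1)
            findings.append(("PSK_WILDCARD_PEER", redacted))
        elif line.startswith("crypto ipsec transform-set "):
            name, *transforms = line.split()[3:]
            findings += [("IPSEC_LEGACY_TRANSFORM", f"{name}: {t}")
                         for t in transforms if t in LEGACY_TRANSFORMS]
    return findings
```

On the 1941, `group 14` and `hash sha256` in the ISAKMP policy, the key bound to the peer address 10.10.10.2, and `esp-aes 256 esp-sha256-hmac` in the transform set clear every finding; the 4331 mirrors this with peer address 10.10.10.1.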
