Beginner

Encryption between two Cisco 1841 Routers

Hi @all, I have the following topology. I wish to encrypt the traffic between both routers in such a way that all data that goes from one side to the other through the link stays encrypted. @royalblues

[attachment: Topo.PNG, network topology diagram]

10 REPLIES
Hall of Fame Expert

Thank you very much! But how can I configure the access lists for every VLAN?


On the router, you are not configuring the vlan access list. You just configure each IP segment that is associated with each vlan. 

HTH


VIP Mentor

Hello,

as an alternative, you could also configure VTIs. Does the local traffic just have to go to the other side, or do you also need Internet access for your local VLANs?


Hi! The local traffic goes to the other side, and the local VLANs already have Internet access through NAT and the ISP.


Hello,

what did you configure to resolve the problem of overlapping networks at each side? Did you use policy NAT or twice NAT? Post the running configurations of both your 1841 routers...


Hi @Georg Pauwen! I used twice NAT on both routers. For the VLANs I used "Router on a Stick": the router interface directly connected to the switch just has sub-interfaces. Based on https://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html, how should I write the ACLs in order to encrypt the traffic between both routers?


Just for reference, can you post your final, working configs ?


@Georg Pauwen wrote:
Just for reference, can you post your final, working configs ?

[attachment: Topol.PNG, topology diagram]

Router1

hostname test
!
ip dhcp pool vlan30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
 dns-server 192.168.134.8
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
! Note: "authentication pre-share" was missing from Router1's policy 10 as posted; without it
! IOS defaults the policy to rsa-sig, which cannot match Router2's pre-share policy. Also note
! that the two posted isakmp keys (01.020r here, 06.010r on Router2) differ; the pre-shared key
! must be identical on both peers.
crypto isakmp key 01.020r address 192.168.133.44
!
crypto ipsec transform-set 01.020r esp-des esp-md5-hmac
!
crypto map 01.020r 10 ipsec-isakmp
 set peer 192.168.133.44
 set transform-set 01.020r
 match address 100
!
ip ssh time-out 60
ip domain-name test.com
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.133.17 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map 01.020r
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool 01.020r 192.168.133.17 192.168.133.17 netmask 255.255.255.0
ip nat inside source list 10 pool 01.020r overload
ip classless
!
ip flow-export version 9
!
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
!
banner motd ^C
ex
^C
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Router2

Current configuration : 1338 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip dhcp pool vlan30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
 dns-server 192.168.134.8
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key 06.010r address 192.168.133.17
!
crypto ipsec transform-set 06.010r esp-des esp-md5-hmac
!
crypto map 06.010r 10 ipsec-isakmp
 set peer 192.168.133.17
 set transform-set 06.010r
 match address 100
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.133.44 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map 06.010r
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool 06.010r 192.168.133.44 192.168.133.44 netmask 255.255.255.0
ip nat inside source list 10 pool 06.010r overload
ip classless
!
ip flow-export version 9
!
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end
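The two posted configs, and the accepted answer's point that the crypto ACL is written per IP segment rather than per VLAN, can be checked mechanically. The script below is an added example, not code from this thread or from Cisco: it parses the crypto-relevant lines of both routers, verifies that the two sides mirror each other (peer address, pre-shared key, transform set, crypto ACL entries), checks that every ISAKMP policy declares `authentication pre-share` when a pre-shared key is configured, and flags DES and MD5 as weak. The sample inputs are constructed from the configs posted above (Router1's policy reproduced as posted, with only `hash md5`); `parse`, `outside`, `check_pair` and `audit` are my own names, not IOS or Cisco API.

```python
WEAK = {"des", "esp-des", "3des", "esp-3des", "md5", "esp-md5-hmac"}
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}  # IOS defaults

# Constructed sample input: the crypto-relevant lines of the two configs posted above.
ROUTER1 = """\
crypto isakmp policy 10
 hash md5
crypto isakmp key 01.020r address 192.168.133.44
crypto ipsec transform-set 01.020r esp-des esp-md5-hmac
crypto map 01.020r 10 ipsec-isakmp
 set peer 192.168.133.44
 set transform-set 01.020r
 match address 100
interface FastEthernet0/1
 ip address 192.168.133.17 255.255.255.0
 crypto map 01.020r
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
"""
ROUTER2 = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key 06.010r address 192.168.133.17
crypto ipsec transform-set 06.010r esp-des esp-md5-hmac
crypto map 06.010r 10 ipsec-isakmp
 set peer 192.168.133.17
 set transform-set 06.010r
 match address 100
interface FastEthernet0/1
 ip address 192.168.133.44 255.255.255.0
 crypto map 06.010r
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
"""

def parse(config):
    """Extract the crypto-relevant pieces of one config; indented lines belong to the block above."""
    c = {"policies": {}, "psk": {}, "transform_sets": {}, "maps": {}, "ifaces": {}, "acls": {}}
    cur = None  # dict of the sub-mode currently open, if any
    for line in config.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if line.startswith(" ") and cur is not None:  # sub-command of the open block
            if t[:2] in (["ip", "address"], ["crypto", "map"]) or t[0] in ("set", "match"):
                cur[{"ip": "ip", "crypto": "map", "match": "acl"}.get(t[0], t[1])] = t[2]
            elif len(t) == 2:  # hash / encryption / authentication / group
                cur[t[0]] = t[1]
            continue
        cur = None
        if t[:3] == ["crypto", "isakmp", "policy"]:
            cur = c["policies"][t[3]] = dict(POLICY_DEFAULTS)
        elif t[:3] == ["crypto", "isakmp", "key"]:  # crypto isakmp key KEY address PEER
            c["psk"][t[5]] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["transform_sets"][t[3]] = set(t[4:])
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
            cur = c["maps"][t[2]] = {}
        elif t[0] == "interface":
            cur = c["ifaces"][t[1]] = {}
        elif t[0] == "access-list" and t[2] == "permit" and len(t) >= 8:  # extended ACL entry
            c["acls"].setdefault(t[1], []).append(((t[4], t[5]), (t[6], t[7])))
    return c

def outside(c):
    """(address, crypto map) of the interface the crypto map is applied to."""
    for iface in c["ifaces"].values():
        if "map" in iface:
            return iface["ip"], c["maps"][iface["map"]]
    raise ValueError("no interface has a crypto map applied")

def check_pair(local, remote, label):
    """Findings for one side, checked against its peer's parsed config."""
    f = []
    my_ip, my_map = outside(local)
    peer_ip, peer_map = outside(remote)
    if my_map.get("peer") != peer_ip:
        f.append(f"{label}: set peer {my_map.get('peer')} is not the peer's outside address {peer_ip}")
    if peer_ip not in local["psk"] or local["psk"][peer_ip] != remote["psk"].get(my_ip):
        f.append(f"{label}: pre-shared key for {peer_ip} is missing or differs from the peer's key for {my_ip}")
    for num, p in local["policies"].items():
        if local["psk"] and p["authentication"] != "pre-share":
            f.append(f"{label}: isakmp policy {num} uses {p['authentication']} (IOS default) but a pre-shared key is configured; add 'authentication pre-share'")
        f += [f"{label}: isakmp policy {num} uses weak {a}" for a in (p["encryption"], p["hash"]) if a in WEAK]
    ts, peer_ts = local["transform_sets"][my_map["transform-set"]], remote["transform_sets"][peer_map["transform-set"]]
    if ts != peer_ts:
        f.append(f"{label}: transform set {sorted(ts)} does not match the peer's {sorted(peer_ts)}")
    f += [f"{label}: transform set uses weak {a}" for a in sorted(ts & WEAK)]
    acl, peer_acl = local["acls"].get(my_map["acl"], []), remote["acls"].get(peer_map["acl"], [])
    if sorted(acl) != sorted((d, s) for s, d in peer_acl):
        f.append(f"{label}: crypto ACL is not the mirror image of the peer's crypto ACL")
    if any(s == d for s, d in acl):  # the overlapping-LAN case discussed in the thread
        f.append(f"{label}: crypto ACL uses one subnet as source and destination; IOS applies inside-to-outside NAT before the crypto map, so match post-NAT addresses")
    return f

def audit(cfg1, cfg2):
    """Check both directions; returns {router name: [findings]}."""
    a, b = parse(cfg1), parse(cfg2)
    return {"Router1": check_pair(a, b, "Router1"), "Router2": check_pair(b, a, "Router2")}
```

Run `audit(ROUTER1, ROUTER2)` on the sample: Router1 yields seven findings (key mismatch, missing `authentication pre-share`, DES and MD5 in the policy, DES and MD5 in the transform set, and the same-subnet crypto ACL), Router2 six. Feeding the script a full `show running-config` works as long as the sub-commands keep their one-space indentation, which is how IOS prints them.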

 

VIP Expert

BTW, if you encrypt the link, your logical MTU may shrink. If it does, don't overlook the issue of possible packet fragmentation.
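The shrinkage can be quantified for the transform the posted configs use. The script below is an added example, not from this thread or from Cisco: it computes the tunnel-mode ESP packet size for `esp-des esp-md5-hmac` from the fixed ESP field sizes (8-byte SPI plus sequence number, the DES-CBC 8-byte IV and block, the 2-byte pad-length/next-header trailer, the 12-byte HMAC-MD5-96 ICV and a 20-byte outer IPv4 header), finds the largest inner packet that still fits a 1500-byte link without fragmentation, and derives the TCP MSS to clamp with `ip tcp adjust-mss`. The function names and the small cipher table are my own; the generalisation to AES/SHA transforms goes beyond the posted configs.

```python
# Fixed per-packet costs of IPsec ESP in tunnel mode (RFC 4303 layout, IPv4 without options).
OUTER_IP_HDR = 20   # new outer IPv4 header wrapped around the whole inner packet
ESP_HDR = 8         # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte), encrypted with the payload
TCP_IP_HDRS = 40    # inner IPv4 (20) + TCP (20) headers, no options

# CBC ciphers and HMACs as named in IOS transform sets (sizes in bytes); my own table.
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8), "esp-aes": (16, 16)}   # (block size, IV length)
AUTHS = {"esp-md5-hmac": 12, "esp-sha-hmac": 12}                        # truncated ICV length


def esp_packet_size(inner_len, cipher="esp-des", auth="esp-md5-hmac"):
    """Bytes on the wire for a tunnel-mode ESP packet carrying an inner IP packet of inner_len bytes."""
    block, iv = CIPHERS[cipher]
    encrypted = inner_len + ESP_TRAILER            # inner packet and trailer are encrypted together
    padding = (-encrypted) % block                 # CBC needs a whole number of cipher blocks
    return OUTER_IP_HDR + ESP_HDR + iv + encrypted + padding + AUTHS[auth]


def max_inner_packet(link_mtu=1500, cipher="esp-des", auth="esp-md5-hmac"):
    """Largest inner IP packet whose encapsulation still fits link_mtu, i.e. the tunnel's logical MTU."""
    block, iv = CIPHERS[cipher]
    room = link_mtu - OUTER_IP_HDR - ESP_HDR - iv - AUTHS[auth]   # bytes available for the encrypted part
    room -= room % block                                           # round down to whole cipher blocks
    return room - ESP_TRAILER


def recommended_tcp_mss(link_mtu=1500, cipher="esp-des", auth="esp-md5-hmac"):
    """MSS to set with 'ip tcp adjust-mss' so full-size TCP segments are never fragmented after encryption."""
    return max_inner_packet(link_mtu, cipher, auth) - TCP_IP_HDRS


def overhead_report(link_mtu=1500, cipher="esp-des", auth="esp-md5-hmac"):
    """Summary for one transform: does a full-MTU inner packet fragment, and which limits avoid it."""
    full = esp_packet_size(link_mtu, cipher, auth)
    return {
        "full_packet_after_esp": full,
        "fragments_at_link_mtu": full > link_mtu,
        "logical_mtu": max_inner_packet(link_mtu, cipher, auth),
        "tcp_mss": recommended_tcp_mss(link_mtu, cipher, auth),
    }


if __name__ == "__main__":
    for cipher, auth in (("esp-des", "esp-md5-hmac"), ("esp-aes", "esp-sha-hmac")):
        print(cipher, auth, overhead_report(cipher=cipher, auth=auth))
```

For the posted transform a full 1500-byte inner packet becomes 1552 bytes after ESP, so it is fragmented on a 1500-byte link; the largest inner packet that fits is 1446 bytes, which puts the TCP MSS clamp at 1406. Non-TCP traffic is not helped by an MSS clamp, so hosts that set DF still need working path MTU discovery across the tunnel.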