Encryption between two Cisco 1841 Routers

Tenek85466
Level 1

Hi @all, I have the following topology. I wish to encrypt the traffic between both routers in such a way that all data that goes from one side to the other through the link stays encrypted. @royalblues

[Topology image: Topo.PNG]

Accepted Solution

Reza Sharifi
Hall of Fame

On the router, you are not configuring the VLAN access list. You just configure each IP segment that is associated with each VLAN.

HTH

10 Replies

Reza Sharifi
Hall of Fame

Hi,

You can use IPsec if your IOS supports security features. See this link:

https://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html

HTH

Thank you very much! But how can I configure the access lists for every VLAN?

Reza Sharifi

On the router, you are not configuring the VLAN access list. You just configure each IP segment that is associated with each VLAN.

HTH

Hello,

as an alternative, you could also configure VTIs. Does the local traffic just have to go to the other side, or do you also need Internet access for your local VLANs?

Hi! The local traffic goes to the other side, and the local VLANs already have Internet access through NAT and the ISP.

Georg Pauwen

Hello,

what did you configure to resolve the problem of overlapping networks at each side? Did you use policy NAT or twice NAT? Post the running configurations of both your 1841 routers...

Hi @Georg Pauwen! I used twice NAT on both routers. For the VLANs I used "router on a stick": the router interface directly connected to the switch just has sub-interfaces. Based on https://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html, how should I write the ACLs in order to encrypt the traffic between both routers?

Georg Pauwen

Just for reference, can you post your final, working configs?

[Topology image: Topol.PNG]

Router1

hostname test
!
ip dhcp pool vlan30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
 dns-server 192.168.134.8
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 hash md5
!
crypto isakmp key 01.020r address 192.168.133.44
!
crypto ipsec transform-set 01.020r esp-des esp-md5-hmac
!
crypto map 01.020r 10 ipsec-isakmp
 set peer 192.168.133.44
 set transform-set 01.020r
 match address 100
!
ip ssh time-out 60
ip domain-name test.com
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.133.17 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map 01.020r
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool 01.020r 192.168.133.17 192.168.133.17 netmask 255.255.255.0
ip nat inside source list 10 pool 01.020r overload
ip classless
!
ip flow-export version 9
!
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
!
banner motd ^C

ex
^C
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Router2

Current configuration : 1338 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Router
!
ip dhcp pool vlan30
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.254
 dns-server 192.168.134.8
!
ip cef
no ipv6 cef
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key 06.010r address 192.168.133.17
!
crypto ipsec transform-set 06.010r esp-des esp-md5-hmac
!
crypto map 06.010r 10 ipsec-isakmp
 set peer 192.168.133.17
 set transform-set 06.010r
 match address 100
!
spanning-tree mode pvst
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.133.44 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
 crypto map 06.010r
!
interface Vlan1
 no ip address
 shutdown
!
ip nat pool 06.010r 192.168.133.44 192.168.133.44 netmask 255.255.255.0
ip nat inside source list 10 pool 06.010r overload
ip classless
!
ip flow-export version 9
!
access-list 10 permit 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 192.168.30.0 0.0.0.255
!
line con 0
!
line aux 0
!
line vty 0 4
 login
!
end

Joseph W. Doherty
Hall of Fame
BTW, if you encrypt the link, your logical MTU may shrink. If it does, don't overlook the issue of possible packet fragmentation.
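As an added example (not the configs posted in this thread and not Cisco's own text), here is a Router1 configuration in the style of the linked Cisco document that carries the advice in this thread through: one crypto ACL line per pair of IP segments, which is what the accepted answer means by configuring "each IP segment associated with each VLAN"; the site-to-site traffic excluded from the Internet PAT, because IOS translates inside-to-outside before it encrypts, so a packet that has been PATed to 192.168.133.17 never matches the crypto ACL; and the TCP MSS clamped on the VLAN sub-interfaces for Joseph's MTU point. Everything beyond the two outside addresses 192.168.133.17 and 192.168.133.44 and VLAN 30 is assumed: a second VLAN 40, non-overlapping ranges at site B (192.168.130.0/24 and 192.168.140.0/24, standing in for whatever the thread's twice NAT presents to the other side), an ISP gateway of 192.168.133.1, and a placeholder pre-shared key. Two things in the posted configs are worth checking against it: Router1's isakmp policy has no "authentication pre-share" line, and the key strings on the two routers are not identical; IKE phase 1 does not complete in either case.

```ios
! Router1, site A, outside address 192.168.133.17. Added example, not the
! thread's config. Names (TS-AES, CM-SITEB, VPN-TRAFFIC, NAT-INTERNET) and
! all addresses except the two outside ones and VLAN 30 are assumptions.
hostname Router1
service password-encryption
!
! Phase 1. The proposal must match on both peers. A pre-shared key only
! works with "authentication pre-share" present, and the key string must
! be identical on both routers. Use "group 5" if the image rejects 14.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE-WITH-SHARED-SECRET address 192.168.133.44
!
! Phase 2: AES and SHA instead of single DES and MD5.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
crypto map CM-SITEB 10 ipsec-isakmp
 set peer 192.168.133.44
 set transform-set TS-AES
 set pfs group14
 match address VPN-TRAFFIC
!
! Router-on-a-stick sub-interfaces. ESP and the new IP header add bytes to
! every packet, so clamp the TCP MSS here rather than let the encrypted
! packets be fragmented on the 192.168.133.0/24 link.
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1360
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.40.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1360
!
interface FastEthernet0/1
 ip address 192.168.133.17 255.255.255.0
 ip nat outside
 crypto map CM-SITEB
!
! Remote segments are reached through the peer; Internet via the assumed
! ISP gateway.
ip route 192.168.130.0 255.255.255.0 192.168.133.44
ip route 192.168.140.0 255.255.255.0 192.168.133.44
ip route 0.0.0.0 0.0.0.0 192.168.133.1
!
! Crypto ACL: one line per local/remote IP segment pair. Nothing here
! refers to a VLAN; only the IP segment behind each VLAN matters.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.30.0 0.0.0.255 192.168.130.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 192.168.140.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.130.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 192.168.140.0 0.0.0.255
!
! NAT exemption. IOS translates before it encrypts, so the same segment
! pairs are denied in the PAT ACL; otherwise the traffic leaves sourced
! from 192.168.133.17, never matches VPN-TRAFFIC and crosses in clear.
ip access-list extended NAT-INTERNET
 deny   ip 192.168.30.0 0.0.0.255 192.168.130.0 0.0.0.255
 deny   ip 192.168.30.0 0.0.0.255 192.168.140.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.130.0 0.0.0.255
 deny   ip 192.168.40.0 0.0.0.255 192.168.140.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 any
 permit ip 192.168.40.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface FastEthernet0/1 overload
!
! Router2 (site B, outside 192.168.133.44) mirrors this with the sides
! swapped: the same isakmp policy and key string, peer 192.168.133.17,
! sub-interfaces 192.168.130.254 and 192.168.140.254, VPN-TRAFFIC and
! NAT-INTERNET with source and destination reversed, and routes to
! 192.168.30.0/24 and 192.168.40.0/24 via 192.168.133.17.
end
```

After applying both sides, send traffic from a VLAN 30 host to a remote host and check "show crypto isakmp sa" (the peer should show QM_IDLE) and "show crypto ipsec sa" (the encaps and decaps counters should climb for the matching segment pair). With the overlapping subnets and twice NAT of the thread, the addresses that belong in VPN-TRAFFIC and NAT-INTERNET are the translated ones, not 192.168.30.0/24 itself, for the same reason the exemption is needed: the crypto map sees the packet after NAT. The posted ACL 100, which permits 192.168.30.0/24 to 192.168.30.0/24, can never match a packet that is routed off the local segment.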