09-29-2013 11:09 PM - edited 03-07-2019 03:44 PM
Hello Network Admins,
I need your help here configuring an additional site-to-site VPN on a Cisco router.
Note: Site-A = Head office
Site-B= Branch office -----------> Public IP : 87.101.54.74
Site-C= Branch office -----------> Public IP : 87.101.80.94
Site-to-site VPN is configured between Site A and B and between Site A and C. However, I am trying to configure a site-to-site VPN from branch office to branch office (Site-B to Site-C). Here is my existing site-to-site VPN running configuration, which connects to the head office. Please let me know what can be done to configure branch office to branch office? Thank you.
Site B#show run
Building configuration...
Current configuration : 2672 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SIT
!
boot-start-marker
boot system flash flash:c2800nm-advsecurityk9-mz.124-15.T9.bin
boot system flash flash:c2800nm-ipbase-mz.124-15.T10.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$UC784zH75YQO..fhY6S.ar0
enable password asdf
!
no aaa new-model
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool DSL
network 10.11.4.0 255.255.255.0
default-router 10.11.4.1
dns-server 208.67.222.222
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
!
!
!
username admin privilege 15 secret 5 $ghjikhggfffd
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ijklmnopq address 87.101.158.218 no-xauth
!
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
crypto map VPN_ITC 10 ipsec-isakmp
set peer 87.101.158.218
set transform-set VPN_ITC_TS
match address 135
!
!
!
!
class-map match-any Servers-List
match access-group 190
!
!
policy-map Servers
class Servers-List
bandwidth percent 50
!
!
!
!
interface FastEthernet0/0
description WAN ITC
bandwidth 2048
ip address 87.101.54.74 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN_ITC
service-policy output Servers
!
interface FastEthernet0/1
description LAN ITC
ip address 10.11.4.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.101.54.73
ip route 87.101.158.216 255.255.255.252 87.101.54.73
ip route 192.168.0.0 255.255.0.0 87.101.54.73
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 138 interface FastEthernet0/0 overload
!
access-list 135 permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 permit ip 10.11.4.0 0.0.0.255 any
access-list 190 remark List of Servers to be assigned QOS
access-list 190 permit ip any host 192.168.50.1
access-list 190 permit ip any host 192.168.50.13
access-list 190 permit ip any host 192.168.50.15
access-list 190 permit ip any host 192.168.50.21
access-list 190 permit ip any host 192.168.50.22
access-list 190 permit ip any host 192.168.50.24
!
!
!
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
Site-C configuration:
Current configuration : 2859 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SIT
!
boot-start-marker
boot system flash flash:c2800nm-advsecurityk9-mz.124-15.T9.bin
boot system flash flash:c2800nm-ipbase-mz.124-15.T10.bin
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 0101565446764F1E2837253221
!
no aaa new-model
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool DSL
network 10.11.10.0 255.255.255.0
default-router 10.11.10.1
dns-server 208.67.222.222
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
!
!
!
username awalnet privilege 15 secret 5 $1$O9C6$hGhgghd4.L7ULalS7Wt/
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 5O15B67n address 87.101.158.218 no-xauth
!
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
crypto map VPN_ITC 10 ipsec-isakmp
set peer 87.101.158.218
set transform-set VPN_ITC_TS
match address 135
!
!
!
!
class-map match-any Servers-List
match access-group 190
!
!
policy-map Servers
class Servers-List
bandwidth percent 50
!
!
!
!
interface FastEthernet0/0
description WAN Link to ITC
bandwidth 2048
ip address 87.101.80.94 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN_ITC
service-policy output Servers
!
interface FastEthernet0/1
description LAN
ip address 10.11.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.101.80.93
ip route 87.101.158.216 255.255.255.252 87.101.80.93
ip route 192.168.0.0 255.255.0.0 87.101.80.93
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 138 interface FastEthernet0/0 overload
!
access-list 135 permit ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 deny ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 permit ip 10.11.10.0 0.0.0.255 any
access-list 190 remark List of Servers to be assigned QOS
access-list 190 permit ip any host 192.168.50.1
access-list 190 permit ip any host 192.168.50.13
access-list 190 permit ip any host 192.168.50.15
access-list 190 permit ip any host 192.168.50.21
access-list 190 permit ip any host 192.168.50.22
access-list 190 permit ip any host 192.168.50.24
!
!
!
!
control-plane
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
!
end
Note: IPs and passwords are edited just for understanding. Thank you.
10-01-2013 11:42 PM
Good news Lili, I am really sorry I couldn't send you the solution in time. Currently you should have a (QM_IDLE / Active) tunnel from both ends.
Many thanks and kindest regards,
Hardi
10-01-2013 01:54 PM
Here is the working configuration for two site-to-site VPNs on a single router.
Site B configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ijklmnopq address 87.101.158.218 no-xauth
crypto isakmp key l24554bY55L address 87.101.80.94 no-xauth
!
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
!
! NAT exemption: traffic for the head office LAN and for Site C's LAN must not be translated,
! because inside-to-outside NAT runs before the crypto map is evaluated
ip access-list extended NATWH
deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
permit ip 10.11.4.0 0.0.0.255 any
! interesting traffic for the tunnel to head office
ip access-list extended SITEA
permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
! interesting traffic for the tunnel to Site C (10.11.10.0/24)
ip access-list extended SITEC
permit ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
!
!
!
ip nat inside source list NATWH interface FastEthernet0/0 overload
!
crypto map VPN_ITC 10 ipsec-isakmp
set peer 87.101.158.218
set transform-set VPN_ITC_TS
match address SITEA
crypto map VPN_ITC 20 ipsec-isakmp
set peer 87.101.80.94
set transform-set VPN_ITC_TS
match address SITEC
Site C configuration:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 5O15B67n address 87.101.158.218 no-xauth
crypto isakmp key l24554bY55L address 87.101.54.74 no-xauth
!
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
!
! NAT exemption: traffic for the head office LAN and for Site B's LAN must not be translated
ip access-list extended NATWH
deny ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255
permit ip 10.11.10.0 0.0.0.255 any
! interesting traffic for the tunnel to head office
ip access-list extended SITEA
permit ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
! interesting traffic for the tunnel to Site B (10.11.4.0/24); the ACL name is as posted
ip access-list extended SITEC
permit ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255
!
!
! "inside" was missing from this line in the original post; without it the command is incomplete
ip nat inside source list NATWH interface FastEthernet0/0 overload
!
crypto map VPN_ITC 10 ipsec-isakmp
set peer 87.101.158.218
set transform-set VPN_ITC_TS
match address SITEA
crypto map VPN_ITC 20 ipsec-isakmp
set peer 87.101.54.74
set transform-set VPN_ITC_TS
match address SITEC
Note: Please mark it as Correct answer. It will be helpful to others in future. Thank you.
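As an added example (not from this thread and not Cisco's code), the following Python script audits the branch-to-branch configuration posted above for the things that usually stop a second site-to-site tunnel from coming up: a crypto map entry whose peer has no ISAKMP pre-shared key, a `match address` ACL that does not exist, a crypto ACL flow that the NAT ACL does not deny before its overload `permit` (so PAT rewrites the source before encryption), and crypto ACLs or keys that are not mirror images on the two routers. The embedded `SITE_B` and `SITE_C` strings are constructed excerpts of the posted Site B and Site C configs; the WAN addresses are the ones given in the thread; all function names are my own. The mirror check generalises to any pair of peers, not just Site B and Site C.

```python
import ipaddress

# Constructed excerpts of the Site B and Site C configs from the solution post above
# (only the lines the checks need; keys and addresses are the ones given in the thread).
SITE_B = """
crypto isakmp key l24554bY55L address 87.101.80.94 no-xauth
ip access-list extended NATWH
 deny ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
 permit ip 10.11.4.0 0.0.0.255 any
ip access-list extended SITEC
 permit ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
ip nat inside source list NATWH interface FastEthernet0/0 overload
crypto map VPN_ITC 20 ipsec-isakmp
 set peer 87.101.80.94
 match address SITEC
"""
SITE_C = """
crypto isakmp key l24554bY55L address 87.101.54.74 no-xauth
ip access-list extended NATWH
 deny ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255
 permit ip 10.11.10.0 0.0.0.255 any
ip access-list extended SITEC
 permit ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255
ip nat inside source list NATWH interface FastEthernet0/0 overload
crypto map VPN_ITC 20 ipsec-isakmp
 set peer 87.101.54.74
 match address SITEC
"""
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def net(tokens):
    """Consume one IOS address spec ('any' or 'addr wildcard'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    if (wildcard + 1) & wildcard:  # only a contiguous wildcard maps to a prefix length
        raise ValueError(f"non-contiguous wildcard {tokens[1]}")
    return ipaddress.IPv4Network(f"{tokens[0]}/{32 - wildcard.bit_length()}", strict=False), tokens[2:]

def parse(config):
    """Collect pre-shared keys, named extended ACLs, the NAT ACL and crypto map entries."""
    site = {"keys": {}, "acls": {}, "nat_acl": None, "maps": []}
    acl = cmap = None
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["crypto", "isakmp", "key"]:
            site["keys"][t[5]] = t[3]  # peer address -> pre-shared key
        elif t[:3] == ["ip", "access-list", "extended"]:
            acl, cmap = site["acls"].setdefault(t[3], []), None
        elif t[0] in ("permit", "deny") and t[1] == "ip" and acl is not None:
            src, rest = net(t[2:])
            acl.append((t[0], src, net(rest)[0]))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            site["nat_acl"] = t[5]
        elif t[:2] == ["crypto", "map"] and t[-1] == "ipsec-isakmp":
            cmap, acl = {"seq": int(t[3]), "peer": None, "acl": None}, None
            site["maps"].append(cmap)
        elif t[:2] == ["set", "peer"] and cmap:
            cmap["peer"] = t[2]
        elif t[:2] == ["match", "address"] and cmap:
            cmap["acl"] = t[2]
    return site

def check_site(site):
    """Per-router checks: key for every peer, crypto ACL present, every crypto flow exempt from NAT."""
    findings, nat = [], site["acls"].get(site["nat_acl"], [])
    for m in site["maps"]:
        tag = f"seq {m['seq']}"
        if m["peer"] not in site["keys"]:
            findings.append(f"{tag}: no ISAKMP key for peer {m['peer']}")
        if m["acl"] not in site["acls"]:
            findings.append(f"{tag}: crypto ACL {m['acl']} is not defined")
        for action, src, dst in site["acls"].get(m["acl"], []):
            # the first NAT ACL entry that matches the flow decides; it must be a deny
            first = next((a for a, s, d in nat if src.subnet_of(s) and dst.subnet_of(d)), None)
            if action == "permit" and first != "deny":
                findings.append(f"{tag}: {src} -> {dst} is not exempted from NAT")
    return findings

def check_pair(local, local_wan, remote, remote_wan):
    """Cross-site checks for one tunnel: both ends configured, same key, mirrored crypto ACLs."""
    lm = next((m for m in local["maps"] if m["peer"] == remote_wan), None)
    rm = next((m for m in remote["maps"] if m["peer"] == local_wan), None)
    if not lm or not rm:
        return ["one side has no crypto map entry for the other"]
    findings = []
    if local["keys"].get(remote_wan) != remote["keys"].get(local_wan):
        findings.append("pre-shared keys differ between the two sites")
    mine = {(s, d) for a, s, d in local["acls"].get(lm["acl"], []) if a == "permit"}
    theirs = {(d, s) for a, s, d in remote["acls"].get(rm["acl"], []) if a == "permit"}
    if mine != theirs:
        findings.append("crypto ACLs are not mirror images; phase 2 proxy IDs will not match")
    return findings

def audit(cfg_b, cfg_c, wan_b="87.101.54.74", wan_c="87.101.80.94"):
    """Run every check over the Site B / Site C pair; an empty list means no findings."""
    b, c = parse(cfg_b), parse(cfg_c)
    return check_site(b) + check_site(c) + check_pair(b, wan_b, c, wan_c)
```

`audit(SITE_B, SITE_C)` returns an empty list for the posted configuration. Deleting Site C's `deny ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255` line from the excerpt makes it report `seq 20: 10.11.10.0/24 -> 10.11.4.0/24 is not exempted from NAT`, which is the symptom behind most "phase 1 is up but no traffic passes" cases with overload NAT on the same interface. The wildcard-to-prefix conversion rejects non-contiguous wildcards rather than guessing, and `subnet_of` requires Python 3.7 or later.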
12-20-2020 01:55 PM
Hello guys, I'm sorry if I am in the wrong place to post. Since this thread is regarding IPsec configuration, I really hope I could also seek some advice.
Here is the topology that I've been working on, whereby I need to create a GRE over IPsec tunnel between:
HQ --> Branch routers
where each branch has 2 WAN links, primary and secondary.
I managed to establish the GRE over IPsec tunnels between HQ and the branches' primary link... but unfortunately, I failed for the second link.
I think I have already spent a lot of time searching and troubleshooting... What did I miss? Is my method wrong, or maybe there are some special standards for it?
I am lost already and I hope this site will be able to advise me.
The branch secondary WAN link failed when activating the GRE over IPsec tunnel.
Thank you, and very much appreciated in advance.
I pray for your happiness and God bless.
12-20-2020 03:16 PM
Hello,
What kind of IPsec GRE tunnels are we talking about? Post the full running config of the HQ and the branch sites...