Multiple Site to Site VPN on single cisco Router.

lili Vachon, Level 1

Hello Network Admins,

I need your help configuring an additional site-to-site VPN on a Cisco router.

Note: Site-A = Head office
      Site-B = Branch office -----------> Public IP: 87.101.54.74
      Site-C = Branch office -----------> Public IP: 87.101.80.94

Site-to-site VPN is configured between Site A and B and between Site A and C. However, I am trying to configure a site-to-site VPN from branch office to branch office, Site-B to Site-C. Here is my existing site-to-site VPN running configuration, which connects to the head office. Please let me know what can be done to configure branch office to branch office. Thank you.

Site B#show run
Building configuration...

Current configuration : 2672 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SIT
!
boot-start-marker
boot system flash flash:c2800nm-advsecurityk9-mz.124-15.T9.bin
boot system flash flash:c2800nm-ipbase-mz.124-15.T10.bin
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$UC784zH75YQO..fhY6S.ar0
enable password asdf
!
no aaa new-model
dot11 syslog
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool DSL
   network 10.11.4.0 255.255.255.0
   default-router 10.11.4.1
   dns-server 208.67.222.222
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
username admin privilege 15 secret 5 $ghjikhggfffd
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ijklmnopq address 87.101.158.218 no-xauth
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
crypto map VPN_ITC 10 ipsec-isakmp
 set peer 87.101.158.218
 set transform-set VPN_ITC_TS
 match address 135
!
class-map match-any Servers-List
 match access-group 190
!
policy-map Servers
 class Servers-List
  bandwidth percent 50
!
interface FastEthernet0/0
 description WAN ITC
 bandwidth 2048
 ip address 87.101.54.74 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN_ITC
 service-policy output Servers
!
interface FastEthernet0/1
 description LAN ITC
 ip address 10.11.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.101.54.73
ip route 87.101.158.216 255.255.255.252 87.101.54.73
ip route 192.168.0.0 255.255.0.0 87.101.54.73
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 138 interface FastEthernet0/0 overload
!
access-list 135 permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 deny   ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 permit ip 10.11.4.0 0.0.0.255 any
access-list 190 remark List of Servers to be assigned QOS
access-list 190 permit ip any host 192.168.50.1
access-list 190 permit ip any host 192.168.50.13
access-list 190 permit ip any host 192.168.50.15
access-list 190 permit ip any host 192.168.50.21
access-list 190 permit ip any host 192.168.50.22
access-list 190 permit ip any host 192.168.50.24
!
control-plane
!
line con 0
 login local
line aux 0
line vty 0 4
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end

Site-C configuration:

Current configuration : 2859 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SIT
!
boot-start-marker
boot system flash flash:c2800nm-advsecurityk9-mz.124-15.T9.bin
boot system flash flash:c2800nm-ipbase-mz.124-15.T10.bin
boot-end-marker
!
logging buffered 51200 warnings
enable password 7 0101565446764F1E2837253221
!
no aaa new-model
dot11 syslog
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool DSL
   network 10.11.10.0 255.255.255.0
   default-router 10.11.10.1
   dns-server 208.67.222.222
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
username awalnet privilege 15 secret 5 $1$O9C6$hGhgghd4.L7ULalS7Wt/
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 5O15B67n address 87.101.158.218 no-xauth
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
crypto map VPN_ITC 10 ipsec-isakmp
 set peer 87.101.158.218
 set transform-set VPN_ITC_TS
 match address 135
!
class-map match-any Servers-List
 match access-group 190
!
policy-map Servers
 class Servers-List
  bandwidth percent 50
!
interface FastEthernet0/0
 description WAN Link to ITC
 bandwidth 2048
 ip address 87.101.80.94 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN_ITC
 service-policy output Servers
!
interface FastEthernet0/1
 description LAN
 ip address 10.11.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 87.101.80.93
ip route 87.101.158.216 255.255.255.252 87.101.80.93
ip route 192.168.0.0 255.255.0.0 87.101.80.93
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 138 interface FastEthernet0/0 overload
!
access-list 135 permit ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 deny   ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 138 permit ip 10.11.10.0 0.0.0.255 any
access-list 190 remark List of Servers to be assigned QOS
access-list 190 permit ip any host 192.168.50.1
access-list 190 permit ip any host 192.168.50.13
access-list 190 permit ip any host 192.168.50.15
access-list 190 permit ip any host 192.168.50.21
access-list 190 permit ip any host 192.168.50.22
access-list 190 permit ip any host 192.168.50.24
!
control-plane
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
!
end

Note: IPs and passwords are edited just for understanding. Thank you.

33 Replies

Good news Lili, I am really sorry I couldn't send you the solution in time. Currently you should have a (QM_IDLE / Active) tunnel from both ends.

Many thanks and kindest regards,

Hardi

lili Vachon, Level 1

Here is the working configuration for two site-to-site VPNs on a single router.

Site B configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ijklmnopq address 87.101.158.218 no-xauth
crypto isakmp key l24554bY55L address 87.101.80.94 no-xauth
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
ip access-list extended NATWH
 deny   ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
 permit ip 10.11.4.0 0.0.0.255 any
ip access-list extended SITEA
 permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended SITEC
 permit ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
!
ip nat inside source list NATWH interface FastEthernet0/0 overload
!
crypto map VPN_ITC 10 ipsec-isakmp
 set peer 87.101.158.218
 set transform-set VPN_ITC_TS
 match address SITEA
crypto map VPN_ITC 20 ipsec-isakmp
 set peer 87.101.80.94
 set transform-set VPN_ITC_TS
 match address SITEC

Site C configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 5O15B67n address 87.101.158.218 no-xauth
crypto isakmp key l24554bY55L address 87.101.54.74 no-xauth
!
crypto ipsec transform-set VPN_ITC_TS esp-aes esp-sha-hmac
!
ip access-list extended NATWH
 deny   ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255
 permit ip 10.11.10.0 0.0.0.255 any
ip access-list extended SITEA
 permit ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended SITEC
 permit ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255
!
ip nat inside source list NATWH interface FastEthernet0/0 overload
!
crypto map VPN_ITC 10 ipsec-isakmp
 set peer 87.101.158.218
 set transform-set VPN_ITC_TS
 match address SITEA
crypto map VPN_ITC 20 ipsec-isakmp
 set peer 87.101.54.74
 set transform-set VPN_ITC_TS
 match address SITEC

Note: Please mark it as the correct answer. It will be helpful to others in the future. Thank you.
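The change that makes the second tunnel work is visible in the question and in the solution above: a second `crypto isakmp key` bound to the other branch's public address, a second crypto map sequence (20) under the same map name with its own match ACL, and a matching deny in the NAT exemption ACL so branch-to-branch traffic is not PAT'd before it reaches the crypto map. The Python script below is an added example, not code from the thread or from Cisco. It pulls those elements out of two IOS config fragments (trimmed from the solution above, transform-set lines omitted) with a deliberately minimal, hypothetical parser (`parse_ios`, `audit_pair` are my names) and checks the things that usually break a new tunnel: each side has an ISAKMP key for the other's WAN address and the two keys agree, the crypto ACLs for the pair are mirror images, and every flow a crypto ACL selects is denied in the NAT ACL. A constructed broken variant of Site C (NAT rule without the `inside` keyword although the interfaces use `ip nat inside`/`ip nat outside`, and the exemption line removed) shows what a failure looks like. It checks consistency only and says nothing about the strength of the suite (3DES, DH group 2, pre-shared keys) used in the posted configs.

```python
import re
from collections import defaultdict
# Trimmed copies of the Site B / Site C solution posted above (transform-set lines omitted).
SITE_B = """\
crypto isakmp key ijklmnopq address 87.101.158.218 no-xauth
crypto isakmp key l24554bY55L address 87.101.80.94 no-xauth
ip access-list extended NATWH
 deny   ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
 permit ip 10.11.4.0 0.0.0.255 any
ip access-list extended SITEA
 permit ip 10.11.4.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended SITEC
 permit ip 10.11.4.0 0.0.0.255 10.11.10.0 0.0.0.255
ip nat inside source list NATWH interface FastEthernet0/0 overload
crypto map VPN_ITC 10 ipsec-isakmp
 set peer 87.101.158.218
 match address SITEA
crypto map VPN_ITC 20 ipsec-isakmp
 set peer 87.101.80.94
 match address SITEC
"""
SITE_C = """\
crypto isakmp key 5O15B67n address 87.101.158.218 no-xauth
crypto isakmp key l24554bY55L address 87.101.54.74 no-xauth
ip access-list extended NATWH
 deny   ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny   ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255
 permit ip 10.11.10.0 0.0.0.255 any
ip access-list extended SITEA
 permit ip 10.11.10.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended SITEC
 permit ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255
ip nat inside source list NATWH interface FastEthernet0/0 overload
crypto map VPN_ITC 10 ipsec-isakmp
 set peer 87.101.158.218
 match address SITEA
crypto map VPN_ITC 20 ipsec-isakmp
 set peer 87.101.54.74
 match address SITEC
"""
# Constructed broken variant: "inside" dropped from the NAT rule and the B<->C NAT exemption removed.
SITE_C_BROKEN = SITE_C.replace("ip nat inside source", "ip nat source").replace(" deny   ip 10.11.10.0 0.0.0.255 10.11.4.0 0.0.0.255\n", "")

def _addr(tok):
    """Pop one ACL address spec from a token list: any | host X | NETWORK WILDCARD."""
    t = tok.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (tok.pop(0), "0.0.0.0") if t == "host" else (t, tok.pop(0))

def parse_ios(cfg):
    """Minimal, hypothetical parser: ISAKMP keys, named ACLs, crypto map entries, NAT rule."""
    keys, acls, maps, nat, ctx = {}, defaultdict(list), {}, (None, False), None
    for line in (l.strip() for l in cfg.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            keys[m[2]] = m[1]                       # peer address -> pre-shared key
        elif m := re.match(r"ip access-list extended (\S+)", line):
            ctx = ("acl", m[1])
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            ctx = ("map", (m[1], int(m[2])))
            maps[ctx[1]] = {}
        elif m := re.match(r"ip nat (inside )?source list (\S+) interface", line):
            nat = (m[2], m[1] is not None)          # (ACL name, has the 'inside' keyword)
        elif ctx and ctx[0] == "acl" and line.split()[0] in ("permit", "deny"):
            t = line.split()
            rest = t[2:]                             # src spec then dst spec (ip-only entries)
            acls[ctx[1]].append((t[0], _addr(rest), _addr(rest)))
        elif ctx and ctx[0] == "map" and line.startswith(("set peer ", "match address ")):
            maps[ctx[1]]["peer" if line.startswith("set") else "acl"] = line.split()[-1]
    return {"keys": keys, "acls": acls, "maps": maps, "nat": nat}

def audit_pair(cfg_b, wan_b, cfg_c, wan_c):
    """Findings for the B<->C tunnel across the two configs; an empty list means they are consistent."""
    sides = {"B": (parse_ios(cfg_b), wan_c), "C": (parse_ios(cfg_c), wan_b)}
    findings, flows = [], {}
    for name, (side, peer) in sides.items():
        entry = next((e for e in side["maps"].values() if e.get("peer") == peer), None)
        if entry is None:
            findings.append(f"{name}: no crypto map entry peers with {peer}")
            continue
        if peer not in side["keys"]:
            findings.append(f"{name}: no ISAKMP key for peer {peer}")
        nat_list, inside = side["nat"]
        if not inside:
            findings.append(f"{name}: NAT rule lacks 'inside' (interfaces use ip nat inside/outside)")
        # Traffic the crypto ACL selects must be denied in the NAT ACL, or PAT rewrites it before IPsec sees it.
        denies = {(s, d) for a, s, d in side["acls"][nat_list] if a == "deny"}
        flows[name] = {(s, d) for a, s, d in side["acls"][entry["acl"]] if a == "permit"}
        for s, d in flows[name] - denies:
            findings.append(f"{name}: crypto ACL {entry['acl']} flow {s[0]} -> {d[0]} is not exempt from NAT")
    if sides["B"][0]["keys"].get(wan_c) != sides["C"][0]["keys"].get(wan_b):
        findings.append("pre-shared keys for the B<->C peer pair differ")
    if len(flows) == 2 and flows["B"] != {(d, s) for s, d in flows["C"]}:
        findings.append("crypto ACLs for the B<->C tunnel are not mirror images")
    return findings
```

Call `audit_pair(SITE_B, "87.101.54.74", SITE_C, "87.101.80.94")` with the real configs in place of the embedded fragments; the parser only understands `ip`-protocol ACL entries of the kind in the thread (network/wildcard, `host`, `any`), which is what crypto and NAT-exemption ACLs normally contain.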

naqnaz001, Level 1

Hello guys, I'm sorry if I am in the wrong place to post. Since this thread is about IPsec configuration, I really hope I can also seek some advice.

Here is the topology that I've been working on, where I need to create a GRE over IPsec tunnel between:

HQ --> Branch routers

where each branch has 2 WAN links, primary and secondary.

I managed to establish the GRE over IPsec tunnels between HQ and the branches' primary link, but unfortunately I failed for the second link.

I think I have already spent a lot of time searching and troubleshooting. What did I miss? Is my method wrong, or maybe there are some special standards for it?

I am lost already and I hope this site will be able to advise me.

Branch secondary WAN link failed when activating the GRE over IPsec tunnel.

Thank you, and very much appreciated in advance.

I pray for your happiness and God bless.

Hello,

What kind of IPsec GRE tunnels are we talking about? Post the full running config of the HQ and the branch sites...
