10-04-2011 09:20 AM
Is it possible to set up a Backup GRE Tunnel using a Secondary IP Address on the WAN interface. The router is a
Cisco 871. Any help would be greatly appreciated.
Thanks.
10-14-2011 12:01 PM
Nick
Thanks for the additional information. It looks to me like the IP addresses are visible to anyone who reads this thread. So if you are really concerned about confidentiality you might want to edit that post and alter or hide the IP addresses.
The addresses that you show do confirm my guess at what the problem is. You are right that you have not given the same addresses on both interfaces but the interface addresses are indeed in the same subnet. And IOS will not let you put 2 Ethernet interfaces into the same subnet.
You are using those interfaces for WAN connections and perhaps my terminology was not as precise as it might have been. My reference to LAN interfaces was intended to be generic to include broadcast capable multi-access interfaces (of which Ethernet is the most important example).
You do not specify the sequence numbers when you specify the crypto map on the outbound interface. I must have mis-read your post earlier. I thought that you had different crypto map names for the primary and the backup. When I re-read the thread it is the same crypto map name with different sequence numbers. So you would just put the crypto map name on the interface and IOS will figure out which sequence to use on which interface.
HTH
Rick
10-14-2011 01:38 PM
So is there anything I can do to get this working?
10-14-2011 04:35 PM
Good call on the IPs being in public view. I would like to get this VPN working. Any ideas?
10-16-2011 05:41 PM
Nick
Perhaps it will help if we clarify some basic aspects of this router, starting with what it connects to. Can you clarify what things are connected to this router, starting with what it connects to for outside connectivity? (I am particularly interested in whether it has one or two connections outbound to the Internet or other public networks)
HTH
Rick
10-17-2011 08:18 AM
Good idea. I will try to explain the topology for the situation as clearly as I can in a nutshell. Do you have an email I can send a PDF to?
10-17-2011 08:26 AM
You can look here. I uploaded a kind of basic topology of the situation in a nutshell. Let me know if this helps.
10-17-2011 09:28 AM
Nick
Thanks for posting the drawing. I do have some questions about it.
- the drawing shows wan-1 and wan-2 both connecting to outside and also connecting to a switch inside. Can you explain what is going on here?
- the drawing still shows outbound connections on FastEthernet8 and on GigEthernet0. What are these interfaces connected to?
One of the things that I have been trying to figure out is what the outbound connectivity really is. This drawing does not clarify that. I believe that one of the essential questions is whether you have a single outbound connection from the router or whether there are actually two outbound connections. Can you clarify this?
HTH
Rick
10-17-2011 10:06 AM
The Cisco 891 series router has the FastEthernet8 and GigabitEthernet ports each connected to a port on the basic 5-port switch. That 5-port basic switch is also connected to our Internet router on Ethernet0/0. The 5-port basic switch is basically acting as a dummy switch, you know what I mean. I have updated the document to show IP addressing so it is easier to understand.
10-17-2011 10:40 AM
Nick
The updated drawing with addressing shown does help clarify some things and raises questions about others. From the drawing am I correct in understanding that your Internet router connects to the Internet using 69.74.113.66 and that the Internet router interface to inside has subnet 216.255.122.56/29?
You still show FastEthernet8 with 65.51.250.140 and GigEthernet0 with 65.51.250.138. These are both part of subnet 65.51.250.136/29. So what is this subnet and where does it come from?
HTH
Rick
10-17-2011 11:21 AM
Sorry about the confusion. I noticed this myself. I just needed to check the config on that Internet router. That Internet router also has a subinterface off of Ethernet0/0. I have updated the diagram so you can see it there:
10-17-2011 02:18 PM
Nick
Am I correct in understanding from the updated drawing that you have one subnet on the Internet router assigned by the provider for outside connectivity (69.74.113.66) and that there are 2 additional subnets of public addresses assigned to you by the ISP (216.255.122.56/29 and 65.51.250.136/29)?
In that case would it work to put FastEthernet8 into one of those subnets and to put GigEthernet0 into the other subnet? That would allow each of the tunnels to have a unique source address.
Also in re-reading this thread I notice that you say that you will be using the Verizon Wireless Private Network. Where does the Verizon Wireless Private Network fit into the drawing?
HTH
Rick
10-17-2011 07:21 PM
I am connecting to Verizon Wireless through the Internet via the tunnels. You are correct in your understanding of the updated drawing. Those 2 additional subnets of public addresses were assigned to us by the ISP: 216.255.122.56/29 and 65.51.250.136/29. The thing is that the 216.255.122.56/29 subnet is all utilized and we need to use the two addresses from the 65.51.250.136/29 subnet. Any ideas on how I can accomplish this?
10-17-2011 08:06 PM
Nick
I would suggest configuring 2 /32 loopback interfaces from that subnet on the router which eliminates the problem with overlapping addresses in a subnet. You could source a tunnel from each loopback interface to get the two separate source addresses.
You would need to make sure that the Internet router sees those 2 addresses from the block allocated by the ISP as reachable through this router.
HTH
Rick
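The following is an added example of the loopback approach Rick describes above; it is not Nick's config or Rick's post. It assumes both tunnels now leave through GigabitEthernet0, that 203.0.113.136/29 stands in for the second ISP block, that 198.51.100.1 and 198.51.100.2 stand in for the two Verizon peer addresses, and that INTERNET-ROUTER-INSIDE-IP and OUTSIDE-IP-OF-871 are placeholders for the addresses the two routers share on the outside segment. The outside interface's own address is assumed not to be in the same /29 as the loopbacks. The ISAKMP policy, keyring, profiles and crypto map entries from Nick's post are unchanged and omitted; the crypto ACLs are reduced to the GRE entry, which must now match the loopback as the source.

```ios
! --- 871/891 (this router) ---
!
! One /32 per tunnel, both taken from the second ISP block. As /32s on separate
! loopbacks they do not put two Ethernet interfaces into one subnet.
interface Loopback1
 description Source address for primary GRE tunnel
 ip address 203.0.113.138 255.255.255.255
!
interface Loopback2
 description Source address for backup GRE tunnel
 ip address 203.0.113.140 255.255.255.255
!
! Each tunnel is sourced from its own loopback, so each has a unique outer
! source address even though both exit the same physical port.
interface Tunnel1
 description Primary GRE Tunnel to VZW
 ip address 192.168.70.2 255.255.255.252
 tunnel source Loopback1
 tunnel destination 198.51.100.1
 tunnel path-mtu-discovery
!
interface Tunnel2
 description Backup GRE Tunnel to VZW
 ip address 192.168.40.1 255.255.255.252
 tunnel source Loopback2
 tunnel destination 198.51.100.2
 tunnel path-mtu-discovery
!
! FastEthernet8 is no longer a second outside port.
interface FastEthernet8
 no ip address
 shutdown
!
interface GigabitEthernet0
 description outside link, shared by both tunnels
 ip address *.*.*.* 255.255.255.248
 crypto ipsec df-bit clear
 crypto map VZW_VPNTUNNEL
!
! The crypto ACLs match the GRE packets as they are now built: loopback -> peer.
ip access-list extended VZW_VPN_PRIMARY
 permit gre host 203.0.113.138 host 198.51.100.1
ip access-list extended VZW_VPN_BACKUP
 permit gre host 203.0.113.140 host 198.51.100.2
!
ip route 0.0.0.0 0.0.0.0 INTERNET-ROUTER-INSIDE-IP
!
! --- Internet router (Ethernet0/0 side) ---
! Rick's second point: the two /32s must be reachable through this router,
! otherwise return traffic is ARPed for on the 203.0.113.136/29 subinterface.
ip route 203.0.113.138 255.255.255.255 OUTSIDE-IP-OF-871
ip route 203.0.113.140 255.255.255.255 OUTSIDE-IP-OF-871
!
! --- Checks, run on the 871 ---
! ping 198.51.100.1 source Loopback1
! ping 198.51.100.2 source Loopback2
! show crypto isakmp sa
! show crypto ipsec sa
! show ip bgp summary
```

The two sourced pings confirm that the Internet router really forwards the /32s before IPsec is involved. The crypto map on GigabitEthernet0 decides which local address IKE is negotiated from, so check in `show crypto isakmp sa` that the local address shown for each peer is the one the Verizon side expects; if it is not, the phase 1 identities will not match and the GRE tunnels will stay down even though the loopbacks are reachable.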
10-18-2011 06:21 AM
Ok. Now if the primary tunnel is working now, then wouldn't that mean that the Internet router does see the 2 address block? And if I try the config that you mentioned, how would it look compared to the following current config?
crypto keyring vzwvpn
 pre-shared-key address *(destination ip of primary tunnel)* key thisisasecret#
 pre-shared-key address *(destination ip of backup tunnel)* key thisisasecret#
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile VZW-Crypto-Profile <----------------Crypto Profile for Primary
 keyring vzwvpn
 self-identity address
 match identity address *(destination ip of primary tunnel)* 255.255.255.255
crypto isakmp profile VZW-Crypto-Profile-Backup <----------------Crypto Profile for Backup
 keyring vzwvpn
 self-identity address
 match identity address *(destination ip of backup tunnel)* 255.255.255.255
!
!
crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac
 mode transport
!
crypto map VZW_VPNTUNNEL 1 ipsec-isakmp
 description Verizon Wireless Primary Tunnel
 set peer *(destination ip of primary tunnel)*
 set transform-set VZW_TSET
 set isakmp-profile VZW-Crypto-Profile
 match address VZW_VPN_PRIMARY
crypto map VZW_VPNTUNNEL 2 ipsec-isakmp
 description Verizon Wireless Tunnel Backup
 set peer *(destination ip of backup tunnel)*
 set transform-set VZW_TSET
 set isakmp-profile VZW-Crypto-Profile-Backup
 match address VZW_VPN_BACKUP
!
!
interface Tunnel1
 description Primary GRE Tunnel to VZW
 ip address 192.168.70.2 255.255.255.252
 tunnel source GigabitEthernet0
 tunnel destination *(destination ip of primary tunnel)*
 tunnel path-mtu-discovery
 crypto ipsec df-bit clear
 crypto map VZW_VPNTUNNEL
!
!
interface Tunnel2
 description Backup GRE Tunnel to VZW
 ip address 192.168.40.1 255.255.255.252
 tunnel source FastEthernet8
 tunnel destination *(destination ip of backup tunnel)*
 tunnel path-mtu-discovery
 crypto ipsec df-bit clear
 crypto map VZW_VPNTUNNEL
!
!
interface FastEthernet0
!
!
interface FastEthernet8 <--------------will not let me bring it up with no shutdown
 description outside backup link to VZW
 ip address *.*.*.* 255.255.255.248
 shutdown
 duplex auto
 speed auto
 crypto ipsec df-bit clear
 crypto map VZW_VPNTUNNEL
!
!
interface GigabitEthernet0 <---------------------this is up
 description outside primary link to VZW
 ip address *.*.*.* 255.255.255.248
 duplex auto
 speed auto
 crypto ipsec df-bit clear
 crypto map VZW_VPNTUNNEL
!
!
interface Vlan1
 description LAN
 ip address 192.168.12.199 255.255.255.0
 ip access-group 100 in
 ip tcp adjust-mss 1452
!
!
router bgp 65505
 bgp log-neighbor-changes
 neighbor 192.168.40.2 remote-as 6167
 neighbor 192.168.70.1 remote-as 6167
 !
 address-family ipv4
  no synchronization
  network 192.168.12.0
  neighbor 192.168.40.2 activate
  neighbor 192.168.40.2 default-originate
  neighbor 192.168.70.1 activate
  neighbor 192.168.70.1 default-originate
  no auto-summary
 exit-address-family
!
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip route 0.0.0.0 0.0.0.0 *.*.*.* <-------------------------Default Route
!
ip access-list extended VZW_VPN_PRIMARY <--------------------------------Access-list for PRIMARY
 permit gre host *.*.*.* host *.*.*.*
 permit icmp host *.*.*.* host *.*.*.*
 permit udp host *.*.*.* host *.*.*.* eq isakmp
 permit esp host *.*.*.* host *.*.*.*
 permit gre host *.*.*.* host *.*.*.*
 permit icmp host *.*.*.* host *.*.*.*
 permit udp host *.*.*.* host *.*.*.* eq isakmp
 permit esp host *.*.*.* host *.*.*.*
ip access-list extended VZW_VPN_BACKUP <------------------------------Access-list for BACKUP
 permit gre host *.*.*.* host *.*.*.*
 permit icmp host *.*.*.* host *.*.*.*
 permit udp host *.*.*.* host *.*.*.* eq isakmp
 permit esp host *.*.*.* host *.*.*.*
 permit gre host *.*.*.* host *.*.*.*
 permit icmp host *.*.*.* host *.*.*.*
 permit udp host *.*.*.* host *.*.*.* eq isakmp
 permit esp host *.*.*.* host *.*.*.*
10-18-2011 06:22 AM
Would using loopbacks hinder performance at all?