Solved: Re: Cisco router IOS IPSec VPN configuration

Difan Zhao · ‎01-31-2013

Hi experts,

I haven't configured the VPN for a long time on the routers so I want your recommendation for best practice.

I need to run OSPF on top of it so it has to be GRE over IPSec

I googled and I see old type of config that I used to do with use of crypto map. Then I see config with Ipsec profile which is applied to the tunnel interface (tunnel protection). I also see on the manual about isakmp profile...

Is there a configuration example that you can provide? This is site to site VPN with most basic PAT on the interface for the remote office to surf Internet. My routers are fairly recent. One is 2821 with newest 12.4 T code and another is 2921 router.

Thanks,

Henrik Grankvist · ‎02-01-2013

Hi!

I didn't have one that exactly matched your needs, but I made one. I configured it by hand so there might be some config-errors.

View solution in original post

Andrew Phirsov · ‎01-31-2013

I think this is what you need:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/12-4t/sec-ipsec-virt-tunnl.html

Difan Zhao · ‎02-02-2013

Thanks Andrew! I am reading the document and it is very helpful

Henrik Grankvist · ‎02-01-2013

Hi!

I didn't have one that exactly matched your needs, but I made one. I configured it by hand so there might be some config-errors.

Difan Zhao · ‎02-02-2013

Hey Henrik, you just did my work for me... Thanks a lot

One more question, MTU, TCP adjust on the tunnel interface, do you have the value handy? My Internet facing interface has MTU size of 1500 bytes

Thanks,

Henrik Grankvist · ‎02-02-2013

No problems

I'm not an expert at mtu-sizes, so I'm not the right person to ask, sorry.

Julio Carvajal · ‎02-02-2013

Hello Difan,

the GRE overhead are 24 bits, so regular MTU ( 1500 less GRE overhead)

It will give us the rigth MTU size for your tunnel interface running GRE 1476

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC