02-01-2010 07:31 AM - edited 02-21-2020 04:28 PM
Hi,
I am trying to configure two Cisco routers (1801 & 837) for a GRE IPSec VPN. One of them has a static IP and the other one is a DSL connection, so a dynamic IP. We have some additional static IPs assigned to us through the DSL connection, so I am trying to use a static NAT to obtain the VPN connection. Unfortunately, the VPN connection is not coming up. Can anyone help? The config of both routers is attached here.
R1
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key XXXX address 11.22.33.44
!
crypto ipsec transform-set 10 ah-sha-hmac esp-3des esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set 10
!
interface Tunnel10
 ip address 192.168.100.1 255.255.255.0
 tunnel source 22.33.44.55
 tunnel destination 11.22.33.44
 tunnel protection ipsec profile myprof
ip nat inside source static 192.168.3.1 22.33.44.55
R2
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 5
 lifetime 3600
!
crypto isakmp key XXXX address 22.33.44.55
!
crypto ipsec transform-set 10 ah-sha-hmac esp-3des esp-sha-hmac
!
crypto ipsec profile myprof
 set transform-set 10
!
interface Tunnel10
 ip address 192.168.100.2 255.255.255.0
 tunnel source 11.22.33.44
 tunnel destination 22.33.44.55
 tunnel protection ipsec profile myprof
FYI: I tried the same config with a loopback also, with no luck. But if I just change R1's source IP address to be the dynamic IP, it works fine. Since this is a dynamic IP, though, I can't implement this.
Thanks in advance to you all.
Nimal
02-23-2010 07:59 AM
Hi Nimal,
If the public IP 22.33.44.55 is routable from R2, then you can use p2p GRE+IPsec VPN. You can test it by creating a loopback address on R1
int lo10
 ip add 22.33.44.55 255.255.255.255
and ping 22.33.44.55 source 11.22.33.44 from R2.
If that public IP is routable, you can use your configuration.
HTH,
Lei Tian
02-22-2010 03:48 AM
Hi,
You must use DMVPN in your configuration.
You can't assign an IP address to the crypto on the R2 router because you don't know what the address is.
So you must specify 0/0 as the IP address of the end of the IPSec tunnel.
Also, you must configure the R1 router as the side that will negotiate the IPSec policy with R2.
02-22-2010 04:38 AM
Hi Nimal,
You cannot use your static IP on R1, because the SP doesn't know how to route traffic to this IP. Cisco has 2 VPN solutions that support a dynamic IP on one site, DMVPN and EZVPN. For your case, a point-to-point link, you can use EZVPN. Here is a configuration example.
HTH,
Lei Tian
02-23-2010 12:25 AM
Hi,
As I mentioned, I have a few more public IP addresses assigned to us by our ISP with the DSL connection. Can I use one of those IPs, map it to the LAN interface of R1 or a loopback interface of R1, and establish the secure VPN connection?
Before putting my hands into DMVPN, I would like to verify whether the static NAT in R1 will work.
Could you please advise.
Cheers
02-23-2010 02:06 AM
Hi,
If you have a free address on the DSL connection then you can use a standard site-to-site IPSec VPN tunnel instead of DMVPN.
Loopback interfaces are used if you want to forward multicasts (for example: OSPF, EIGRP). The IPSec protocol operates on Layer 3 and forwards only IP traffic. If you want to forward dynamic routing protocol packets then you must configure GRE over IPSec to traverse multicasts.
Configure a tunnel interface on R1 and assign to it the loopback interface as source and the outside IP address of your R2 as destination. Do the same on R2. Remember that you must create an ACL to permit GRE on R1 and R2.
I don't understand the static NAT on R1. Do you have hosts mapped from inside to outside on R1?
In this situation you must create an ACL for the traffic that is not to be NAT translated.
Regards, Kamil
02-23-2010 03:36 AM
Hi Kamil,
I am trying to use a GRE/IPSec VPN so that I can use dynamic routing protocols. If you go through my config, you can see it.
I have mapped a public IP to the internal interface too. I have tried mapping the IP to a loopback also. But no luck.
I haven't put any access list on the site-to-site VPN connection. Where do I have to apply this ACL if I configure one?
Cheers
02-23-2010 03:43 AM
Hi,
Please read these documents, I think they may be helpful.
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/1_p2pGRE_Phase2.html
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/5_p2pGRE.html
02-23-2010 08:34 AM
Hello Lei,
That did the trick for me. I just added the public IP address to the loopback interface directly and configured the source and destination IP addresses accordingly. Then I enabled dynamic routing also. Working perfectly alright.
Thanks a lot guys for the help. I am gonna try DMVPN and see how I can improve the connectivity from different locations.
Cheers
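The mismatch this thread turned on, as an added example that is not from the thread or from Cisco: a small Python check that reads the tunnel-relevant lines of two IOS configs and flags a tunnel source the router does not own (here only a static-NAT outside address), mismatched endpoints, or a missing ISAKMP key for the peer. The sample configs are constructed from the thread's placeholder addresses; R2's WAN interface (FastEthernet0) is an assumption, and R1_LOOPBACK applies the accepted answer's loopback fix.

```python
import re

# Constructed samples cut to the lines the check reads; thread placeholder addresses, R2 WAN interface assumed.
R1_NAT_ONLY = """interface Tunnel10
 tunnel source 22.33.44.55
 tunnel destination 11.22.33.44
crypto isakmp key XXXX address 11.22.33.44
ip nat inside source static 192.168.3.1 22.33.44.55
"""
# The accepted answer's fix: put the spare public IP on a loopback the router owns.
R1_LOOPBACK = R1_NAT_ONLY + "interface Loopback10\n ip address 22.33.44.55 255.255.255.255\n"
R2 = """interface FastEthernet0
 ip address 11.22.33.44 255.255.255.252
interface Tunnel10
 tunnel source 11.22.33.44
 tunnel destination 22.33.44.55
crypto isakmp key XXXX address 22.33.44.55
"""

def parse_ios(config):
    """Collect owned interface addresses, static-NAT outside addresses, ISAKMP peers and tunnel endpoints."""
    f = {"owned": set(), "nat_outside": set(), "ike_peers": set(), "src": None, "dst": None}
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line):
            f["owned"].add(m.group(1))
        elif m := re.match(r"ip nat inside source static \S+ (\S+)", line):
            f["nat_outside"].add(m.group(1))
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            f["ike_peers"].add(m.group(1))
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            f["src" if m.group(1) == "source" else "dst"] = m.group(2)
    return f

def check_pair(cfg_a, cfg_b, names=("R1", "R2")):
    """Return the findings that would keep a point-to-point GRE/IPsec tunnel from coming up."""
    a, b = parse_ios(cfg_a), parse_ios(cfg_b)
    findings = []
    for name, me, peer in ((names[0], a, b), (names[1], b, a)):
        # IKE and ESP are sourced by the router itself, so the tunnel source must be an address it owns;
        # a static NAT entry pointing a public IP at an inside host is not enough.
        if me["src"] not in me["owned"]:
            why = " (only a static-NAT outside address)" if me["src"] in me["nat_outside"] else ""
            findings.append(f"{name}: tunnel source {me['src']} is not on any interface{why}")
        if me["dst"] != peer["src"]:
            findings.append(f"{name}: tunnel destination {me['dst']} is not the peer's tunnel source")
        if peer["src"] not in me["ike_peers"]:
            findings.append(f"{name}: no isakmp key configured for peer {peer['src']}")
    return findings

if __name__ == "__main__":
    print(check_pair(R1_NAT_ONLY, R2))  # one finding: R1's tunnel source is only a NAT address
    print(check_pair(R1_LOOPBACK, R2))  # []
```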