11-24-2013 02:42 AM - edited 02-21-2020 07:20 PM
Hello,
I'm trying to configure an IPSec VPN tunnel between 2 Cisco routers connected to the internet via ATM interfaces. My router is a 1841 with network address 10.200.36.0; the remote router is a Cisco 877 with network address 192.168.9.0.
I tried to follow some tutorials, without success, because I still can't ping any IP address on the remote network and the VPN tunnel is also not up!
Could you please help me by giving a configuration template, or maybe let me know how to configure it step by step on my router and the remote router?
Thank you very much!
Regards
Riccardo
11-24-2013 03:37 AM
Here is an example. x.x.x.x and y.y.y.y are the public IPs of the routers:
! Router1: LAN 10.200.36.0/24, public IP x.x.x.x
hostname Router1
!
! IKE phase 1: AES-256, pre-shared key, DH group 5
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key cisco1234 address y.y.y.y
!
! IPsec phase 2 transform set, referenced by the tunnel profile
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
 set transform-set ESP-AES256-SHA1
!
! Virtual tunnel interface protected by the IPsec profile
interface Tunnel0
 ip address 10.255.255.0 255.255.255.254
 tunnel source Dialer0
 tunnel destination y.y.y.y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
!
interface Dialer0
 ip address x.x.x.x
!
! Send traffic for the remote LAN into the tunnel
ip route 192.168.9.0 255.255.255.0 Tunnel0

! Router2: LAN 192.168.9.0/24, public IP y.y.y.y
hostname Router2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp key cisco1234 address x.x.x.x
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile TunnelProfile
 set transform-set ESP-AES256-SHA1
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.254
 tunnel source Dialer0
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
!
interface Dialer0
 ip address y.y.y.y
!
ip route 10.200.36.0 255.255.255.0 Tunnel0
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-25-2013 01:48 PM
Hello,
Thank you very much for your quick reply. I configured the site-to-site VPN but I'm not able to ping the private IP of the remote host.
I also tried to configure the IPSec VPN on a DrayTek firewall, but I have the same problem.
Do you have any suggestion?
Thank you,
Regards
Riccardo
11-25-2013 02:21 PM
The given config is only compatible with IOS-routers (well, it could be compatible, but typically it is not).
How do you test exactly? Do your pings and post the output of "show crypto session detail" of both routers.
11-25-2013 02:30 PM
Right now I can post the session detail of the Cisco 877 and, if you need it, also a screenshot of the DrayTek...
RA1-ADVPROD-1#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: Dialer1 Virtual-Access1
Uptime: 00:07:17
Session status: UP-ACTIVE
Peer:
Phase1_id: 10.0.0.10 (IP of ADSL router: it NAT all traffic to firewall where there is the VPN configuration)
Desc: (none)
IKE SA: local
Capabilities:N connid:2017 lifetime:07:52:41
IPSEC FLOW: permit ip 192.168.9.0/255.255.255.0 192.168.16.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 32 drop 1255 life (KB/Sec) 4601636/3162
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4601646/3162
11-25-2013 10:44 PM
So you are receiving traffic through the tunnel, but you don't send anything (last two lines). A typical problem is misconfigured NAT. Make sure that the traffic from your network to the other network is not NATted.
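
One way to exempt the tunnel traffic from NAT on the 877, as an added example that is not part of the thread or any poster's configuration. The two subnets and Dialer1 are taken from the `show crypto session detail` output above; the ACL name NAT-EXEMPT, the inside interface Vlan1 and the use of PAT overload on Dialer1 are assumptions.

```cisco
! Added example, not the poster's configuration.
! Assumed: LAN on Vlan1, PAT on Dialer1, ACL name NAT-EXEMPT.
!
! Before (typical cause): every LAN packet is translated. IOS applies
! inside-to-outside NAT before the crypto check, so replies to
! 192.168.16.0/24 leave with the public source address, no longer match
! the IPsec flow 192.168.9.0/24 -> 192.168.16.0/24 and are never encrypted.
!   access-list 1 permit 192.168.9.0 0.0.0.255
!   ip nat inside source list 1 interface Dialer1 overload
!
! After: deny the VPN flow first so it bypasses NAT, then translate the rest.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.9.0 0.0.0.255 192.168.16.0 0.0.0.255
 permit ip 192.168.9.0 0.0.0.255 any
!
interface Vlan1
 ip nat inside
!
interface Dialer1
 ip nat outside
!
ip nat inside source list NAT-EXEMPT interface Dialer1 overload
!
! Check from exec mode:
!   clear ip nat translation *
!   show ip nat translations     (no entries towards 192.168.16.0/24 expected)
!   show crypto session detail   ("pkts enc'ed" should start increasing)
```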
11-30-2013 12:52 PM
Hello,
I tried to modify the NAT configuration without success...
May I post my 877 configuration and also the 2 DrayTek configs and the connection diagram, in order to find where the issue is?
Thanks,
Regards
Riccardo