05-13-2013 05:32 PM
Hello. I am still pretty new to Cisco IOS, but I think I'm getting there. Right now I am trying to configure a sort of mesh VPN setup between five routers in such a way that every router can connect to every other router through VPN over an emulated Internet connection I set up (NAT). Here is the configuration of one router. I am using Packet Tracer with 2811 routers.
Current configuration : 3021 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Central
!
!
!
!
!
!
!
!
crypto isakmp policy 1
encr aes 128
authentication pre-share
group 2
!
crypto isakmp key VPNtun address 222.222.222.6
crypto isakmp key VPNtun address 222.222.222.10
crypto isakmp key VPNtun address 222.222.222.14
crypto isakmp key VPNtun address 222.222.222.18
!
!
crypto ipsec transform-set TRANS-SET-GRE-TUNNEL esp-aes 128 esp-sha-hmac
!
crypto map Central_Out 5 ipsec-isakmp
set peer 222.222.222.14
set transform-set TRANS-SET-GRE-TUNNEL
match address IPSEC-TRAFFIC
!
crypto map Central_Out 6 ipsec-isakmp
set peer 222.222.222.10
set transform-set TRANS-SET-GRE-TUNNEL
match address IPSEC-TRAFFIC
!
crypto map Central_Out 7 ipsec-isakmp
set peer 222.222.222.6
set transform-set TRANS-SET-GRE-TUNNEL
match address IPSEC-TRAFFIC
!
crypto map Central_Out 8 ipsec-isakmp
set peer 222.222.222.18
set transform-set TRANS-SET-GRE-TUNNEL
match address IPSEC-TRAFFIC
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
interface Tunnel5
ip address 10.10.20.1 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 222.222.222.18
!
!
interface Tunnel6
ip address 10.10.40.1 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 222.222.222.14
!
!
interface Tunnel7
ip address 10.10.60.1 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 222.222.222.6
!
!
interface Tunnel8
ip address 10.10.80.1 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 222.222.222.10
!
!
interface FastEthernet0/0
ip address 10.1.50.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 10.1.2.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.5
encapsulation dot1Q 5
ip address 10.1.5.1 255.255.255.0
ip nat inside
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 10.1.10.1 255.255.255.0
ip nat inside
!
interface FastEthernet1/0
ip address 222.222.222.2 255.255.255.252
ip nat outside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
router eigrp 7
network 10.0.0.0
auto-summary
!
ip nat inside source list 199 interface FastEthernet1/0 overload
ip nat inside source static tcp 10.1.50.2 80 222.222.222.2 80
ip classless
ip route 0.0.0.0 0.0.0.0 222.222.222.1
!
!
ip access-list extended IPSEC-TRAFFIC
permit gre host 222.222.222.2 host 222.222.222.6
permit gre host 222.222.222.2 host 222.222.222.10
permit gre host 222.222.222.2 host 222.222.222.14
permit gre host 222.222.222.2 host 222.222.222.18
access-list 110 deny tcp any any eq telnet
access-list 111 deny tcp any any eq ftp
access-list 113 deny tcp any 10.1.50.0 0.0.0.255 eq 22
access-list 114 deny tcp any any eq 81
access-list 115 deny udp any any eq 82
access-list 199 permit ip 10.1.0.0 0.0.255.255 any
!
!
!
!
!
line con 0
line vty 0 4
login
!
!
!
end
Every time I try to add the crypto map to interface f1/0, Packet Tracer crashes on me. So, can anyone help me figure out what I'm doing wrong?
05-20-2013 08:45 AM
Okay, I believe I got it. I needed to separate the different ACL listings for the VPNs into different extended bits. Gonna see if I can create the mesh VPN network I wanted now.
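The layout the follow-up describes, as an added example that is not part of the original thread: one extended ACL per peer, each referenced only by the crypto map entry for that peer. Crypto map entries are evaluated in sequence order, so with the single shared IPSEC-TRAFFIC list, entry 5 (peer 222.222.222.14) matches GRE traffic bound for all four peers. The ACL names GRE-TO-* are assumed; peers, sequence numbers and the transform set are taken from the posted configuration.

```cisco
! Added example: target state of the crypto ACL and crypto map sections.
! ACL names GRE-TO-* are hypothetical; all addresses come from the post.
!
! One crypto ACL per peer: local tunnel source -> that peer only.
ip access-list extended GRE-TO-6
 permit gre host 222.222.222.2 host 222.222.222.6
ip access-list extended GRE-TO-10
 permit gre host 222.222.222.2 host 222.222.222.10
ip access-list extended GRE-TO-14
 permit gre host 222.222.222.2 host 222.222.222.14
ip access-list extended GRE-TO-18
 permit gre host 222.222.222.2 host 222.222.222.18
!
! Each entry protects only the GRE flow whose destination is its own peer.
crypto map Central_Out 5 ipsec-isakmp
 set peer 222.222.222.14
 set transform-set TRANS-SET-GRE-TUNNEL
 match address GRE-TO-14
!
crypto map Central_Out 6 ipsec-isakmp
 set peer 222.222.222.10
 set transform-set TRANS-SET-GRE-TUNNEL
 match address GRE-TO-10
!
crypto map Central_Out 7 ipsec-isakmp
 set peer 222.222.222.6
 set transform-set TRANS-SET-GRE-TUNNEL
 match address GRE-TO-6
!
crypto map Central_Out 8 ipsec-isakmp
 set peer 222.222.222.18
 set transform-set TRANS-SET-GRE-TUNNEL
 match address GRE-TO-18
!
! The map is applied once, on the tunnel source (outside) interface.
interface FastEthernet1/0
 crypto map Central_Out
```

Each remote router needs the mirror-image ACL (its own outside address as source, 222.222.222.2 as destination) for the two ends to agree on the protected traffic.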