05-10-2004 03:38 PM - edited 02-21-2020 01:08 PM
Hi,
I'm new to VPNs and am trying to decipher this config. It seems there is a GRE tunnel and an IPsec VPN configured. Does this config look valid? Why would there be a crypto map configured but not applied to an interface? Is all the IPsec config for the GRE tunnel? Plus there is no access-list 110 configured. Is it possible that they haven't implemented the VPN and are only using the tunnel? I'm going to be installing a PIX behind this router. We have a public .252 network for this. Will I be needing to move the VPN to the PIX?
Thanks
crypto isakmp policy 5
 hash md5
 authentication pre-share
crypto isakmp key alpskey5 address 122.223.42.22
!
!
crypto ipsec transform-set to_east esp-des esp-md5-hmac
!
crypto map alpsvpn 5 ipsec-isakmp
 ! Incomplete
 set peer 122.223.42.22
 set transform-set to_east
 match address 110
!
interface Tunnel1
 ip address 10.255.255.193 255.255.255.252
 ip helper-address 192.168.10.255
 ip directed-broadcast
 tunnel source Serial0/0
 tunnel destination 222.252.241.43
 tunnel key 55555
!
interface FastEthernet0/0
 ip address 204.x.x.x.255.255.0 secondary
 ip address 10.255.255.190 255.255.255.252 secondary
 ip address 10.0.1.1 255.255.255.0
 ip access-group inside_out in
 ip helper-address 10.0.1.255
 ip helper-address 204.243.19.255
 ip helper-address 192.168.0.255
 ip directed-broadcast
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0/0
 description T1 to Internet (AT&T)
 ip address 12.x.x.x.x.255.252
 ip access-group 105 in
 ip nat outside
 ip inspect outside in
 ip inspect firewall out
 encapsulation ppp
 no fair-queue
!
interface Serial0/1
 description T1 to Richmond (Sprint)
 ip address 10.255.255.202 255.255.255.252
 ip directed-broadcast
 ip nat inside
!
ip route 10.255.255.200 255.255.255.252 Tunnel1
ip route 122.x.x.x.x.255.252 Serial0/1
ip route 192.168.10.0 255.255.255.0 Tunnel1
05-12-2004 08:48 AM
This config has a GRE tunnel and PART OF IPSec - but it is certainly not complete. As it stands IPSec would not work. Is this from a live config which is actually passing traffic, or perhaps from a lab environment or a plan for a config which was not actually implemented? If it is a live config then it is passing traffic over the GRE and IPSec plays no role.
05-12-2004 09:40 AM
It is a live config (IPs have been changed). That is what I kind of thought after reading up on configuring IPsec. I have a couple more questions:
1 - Why is there a static route for network 10.255.255.200/30 pointing to Tunnel1 when that network is directly connected to s0/1?
ROUTER#sho ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
C 204.x.x.0/24 is directly connected, FastEthernet0/0
65.0.0.0/28 is subnetted, 1 subnets
S 65.173.1.0 is directly connected, Serial0/1
S 192.168.10.0/24 is directly connected, Tunnel1
122.223.0.0/30 is subnetted, 1 subnets
S 144.223.42.20 is directly connected, Serial0/1
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.0.1.0/24 is directly connected, FastEthernet0/0
C 10.255.255.188/30 is directly connected, FastEthernet0/0
C 10.255.255.200/30 is directly connected, Serial0/1
C 10.255.255.192/30 is directly connected, Tunnel1
S 192.168.0.0/24 is directly connected, Serial0/1
12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 12.x.x.5/32 is directly connected, Serial0/0
C 12.x.x.4/30 is directly connected, Serial0/0
S 192.168.16.0/24 [1/0] via 10.0.1.47
S 192.168.1.0/24 [1/0] via 10.0.1.253
S* 0.0.0.0/0 is directly connected, Serial0/0
2 - The Tunnel currently terminates on the router and is assigned a private address. When I add in the PIX behind the router, the router will no longer be doing NAT and the network directly behind the router is public/routable. I'm not clear on how I terminate the Tunnel to the inside network behind the firewall. It seems I would need another router to terminate the Tunnel on the private network.