05-18-2016 11:43 AM
Hi guys,
First, I am not a security guy, I am a voice guy, but I have a case with a security issue.
I have 2 sites and I want to make a VPN through the internet between them.
Each site has a router connected to an ADSL modem, and there are 2 real IPs for the 2 sites.
My question is: can I make the VPN on the ADSL modem, or should I do this on the routers?
And what is the configuration to do that on the ADSL modem or on the router?
Sorry again if my question is simple, but as I said, I am a beginner.
Thanks
05-19-2016 08:51 AM
Hi,
First of all, are the public IPs directly on the modem, or is it in bridge mode with the public IPs on the router?
This is important because if the IPs are on the modem, you will need to forward the VPN ports to your local router IP: the ports to forward are UDP/500 and UDP/4500.
The routers on both ends will be able to detect NAT. No configuration is needed for that.
For the VPN configuration itself, it will look like this:
(Let's say that site 1 LAN is 192.168.0.0/24 and site 2 is 192.168.1.0/24)
crypto isakmp policy 1
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key cisco address x.x.x.x --> "cisco" is the pre-shared key (you can choose another one); x.x.x.x is the other end's public IP
!
ip access-list extended VPN
 permit ip Source-IP Wildmask-Src dest-IP wildmask-dst
--> On the site 1 router it will be: permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
--> On the site 2 router it will be: permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
crypto ipsec transform-set VPNTS esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
 set peer x.x.x.x --> this is the other end's public IP
 set transform-set VPNTS
 match address VPN
!
interface g0/X --> the WAN interface facing the modem
 crypto map CMAP
!
Some info:
Security (the hash and encryption) can be tweaked depending on your router model and performance.
Some info concerning the other security parameters:
Group 2 is 1024 bits
Group 5 is 1536 bits
The lifetime is the lifetime of the keys used by the tunnel. 86400 is the default value. For more security, you can decrease this time.
This is when the routers re-negotiate their tunnel keys to encrypt data.
Hope this is clearer?
Thanks
05-19-2016 09:05 AM
Hello supportlan,
As per my knowledge,
You need to exempt traffic from LAN to DMZ and vice versa from being NATed.
05-19-2016 09:54 AM
Yes, you certainly need to do some NAT configuration; that's why I asked about the public IP. Depending on where the public IP is, the NAT is done by the router itself or by the modem.
If this is done by the router, you need to modify the NAT ACL in order to deny such traffic. If NAT is done on the modem, then the VPN is mounted directly from the router WAN, and NATing is not done at this point. However, you'll need to forward the VPN UDP ports.
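The NAT exemption discussed in the two replies above, shown as an added example for the site 1 router (not configuration posted in this thread). It assumes the public IP is on the router, that GigabitEthernet0/0 is the WAN interface and GigabitEthernet0/1 the LAN interface, and it reuses the VPN ACL and CMAP names from the earlier post:

```cisco
! Site 1 router: LAN 192.168.0.0/24, remote LAN 192.168.1.0/24.
! Assumed interface names: GigabitEthernet0/0 = WAN (to the modem),
! GigabitEthernet0/1 = LAN. Replace them with your own.
!
! Crypto ACL: only site-to-site traffic is sent into the tunnel.
ip access-list extended VPN
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT ACL: the deny line must come BEFORE the permit. Traffic to the
! remote LAN keeps its private source address, so it still matches the
! crypto ACL above; everything else from the LAN is PATed as usual.
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 ip nat outside
 crypto map CMAP
!
interface GigabitEthernet0/1
 ip nat inside
!
! Checks after sending traffic between the two LANs:
!   show crypto isakmp sa    -> state QM_IDLE means phase 1 is up
!   show crypto ipsec sa     -> #pkts encaps/decaps counters increase
!   show ip nat translations -> no entries for 192.168.0.x to 192.168.1.x
```

If the modem holds the public IP instead, drop the NAT lines (the modem already does that job), keep the crypto map on the router's WAN interface, and forward UDP/500 and UDP/4500 from the modem to the router as described above.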