02-06-2011 04:57 AM - edited 02-21-2020 05:09 PM
Hello,
I am still learning IPsec VPN. I was able to create a tunnel between my PC and my router, but now I would like to connect both routers:
F0/1=192.168.0.1 ROUTER A ->INTERNET->ROUTER B F0/1=192.168.10.1
Both routers receive an IP address from my ISP. I am able to ping from one site to the other; I mean by this that I am able to ping ROUTER A from ROUTER B with the ISP addresses and the opposite.
Both routers have the same configuration, except for the IP addresses and ACL, which are opposite.
I think I know what I am doing wrong, but I do not know how to solve it: the tunnel also needs an IP address from a pool. Where do I have to set this up, on ROUTER A or ROUTER B?
ROUTER A
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 81.83.201.BB
!
!
crypto ipsec transform-set MYSET esp-3des
!
crypto map router_A_to_router_B 1000 ipsec-isakmp
set peer 81.83.201.BB
set transform-set MYSET
match address 101
!
interface FastEthernet0/0
ip address dhcp
speed auto
full-duplex
crypto map router_A_to_router_B
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
speed auto
full-duplex
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
control-plane
!
line con 0
speed 115200
line aux 0
line vty 0 4
!
!
end
ROUTER B
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco address 81.83.201.AA
!
!
crypto ipsec transform-set MYSET esp-3des
!
crypto map router_B_to_router_A 1000 ipsec-isakmp
set peer 81.83.201.AA
set transform-set MYSET
match address 101
!
interface FastEthernet0/0
ip address dhcp
speed auto
full-duplex
crypto map router_B_to_router_A
!
interface FastEthernet0/1
ip address 192.168.10.1 255.255.255.0
speed auto
full-duplex
!
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
control-plane
!
line con 0
speed 115200
line aux 0
line vty 0 4
!
!
end
Best Regards,
Didier
02-06-2011 08:06 AM
Didier, there are a number of things missing in your config to make it work. From what I can tell fa0/1 is inside and fa0/0 is outside. There is no NAT translation to give the PCs on the inside of the network Internet access. You will also have to exclude the EIGRP routes from NAT in order to reach the remote network. Each router will have to have a default gateway to the Internet; this should be done with the following command:
ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp
This will use the default gateway from the DHCP server that assigns the IP to fa0/0. Once each router has a path to the other and the tunnel connects, EIGRP will take care of the rest given the information in router 90. Here is the show route from one of my spoke routers:
RNT-2620XM#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
65.0.0.0/32 is subnetted, 1 subnets
C 65.14.24.190 is directly connected, Dialer0
172.16.0.0/32 is subnetted, 1 subnets
D EX 172.16.50.31 [170/3074560] via 172.19.8.1, 20:04:58, Tunnel0
172.19.0.0/24 is subnetted, 1 subnets
C 172.19.8.0 is directly connected, Tunnel0
10.0.0.0/8 is variably subnetted, 14 subnets, 6 masks
D EX 10.13.13.8/29 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D EX 10.11.7.0/28 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D 10.13.13.0/29 [90/2818560] via 172.19.8.1, 20:04:58, Tunnel0
C 10.19.9.0/27 is directly connected, Vlan200
C 10.19.8.0/24 is directly connected, Vlan100
C 10.19.10.0/28 is directly connected, Vlan900
D EX 10.20.7.0/24 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D 10.22.7.0/24 [90/3097600] via 172.19.8.1, 17:34:52, Tunnel0
D 10.37.4.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
D 10.15.50.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
D EX 10.24.40.0/24 [170/2818560] via 172.19.8.1, 20:04:59, Tunnel0
D 10.12.85.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
C 10.19.9.192/26 is directly connected, Vlan500
D EX 10.244.0.0/22 [170/2818560] via 172.19.8.1, 20:04:59, Tunnel0
74.0.0.0/32 is subnetted, 1 subnets
C 74.23.201.24 is directly connected, Dialer0
S* 0.0.0.0/0 is directly connected, Dialer0
All of the routes designated D are dynamic routes pulled from other routers on the DMVPN by EIGRP. It will propagate the route table and point them to the appropriate hub/spoke. If you follow the example that I gave you, you'll have a functional DMVPN.
Cheers,
Sam
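Sam's point about excluding the VPN traffic from NAT is easier to see if you model the order in which IOS processes a packet leaving the inside interface for the outside one: the inside-source NAT rule is applied before the crypto map's match ACL is consulted, so once the source has been translated to the public address the packet no longer matches access-list 101 and leaves in the clear. The Python below is an added example written for this page, not code from the thread or from Cisco. It reuses Router A's crypto ACL 101 from the first post and constructs two candidate NAT access lists, one with the exemption and one without; 203.0.113.1 is a documentation-range placeholder for the DHCP-assigned address of fa0/0.

```python
"""Model of how IOS handles a packet going from the inside (fa0/1) to the
outside (fa0/0) interface: inside-source NAT is applied before the crypto
map's match ACL is checked. Added example; not code from the thread."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus IOS-style 'net wildcard' or 'any'."""
    action: str
    src: str
    dst: str


def _match(addr, spec):
    """IOS wildcard-mask match: bits set in the wildcard are don't-care."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (n & care)


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for ace in acl:
        if _match(src, ace.src) and _match(dst, ace.dst):
            return ace.action == "permit"
    return False


# Router A's crypto ACL 101 as posted in the thread.
CRYPTO_ACL_101 = [Ace("permit", "192.168.0.0 0.0.0.255", "192.168.10.0 0.0.0.255")]

# Two constructed NAT lists: the naive one translates everything from the LAN;
# the exempting one denies (skips translation for) the VPN traffic first.
NAT_NAIVE = [Ace("permit", "192.168.0.0 0.0.0.255", "any")]
NAT_EXEMPT = [Ace("deny", "192.168.0.0 0.0.0.255", "192.168.10.0 0.0.0.255"),
              Ace("permit", "192.168.0.0 0.0.0.255", "any")]

OUTSIDE_IP = "203.0.113.1"   # placeholder for fa0/0's DHCP-assigned address


def forward(nat_acl, src, dst):
    """Return (source address on the wire, encrypted?) for an inside-to-outside packet."""
    if acl_permits(nat_acl, src, dst):
        src = OUTSIDE_IP             # PAT to the outside interface address
    return src, acl_permits(CRYPTO_ACL_101, src, dst)


if __name__ == "__main__":
    for name, acl in (("naive NAT", NAT_NAIVE), ("NAT with exemption", NAT_EXEMPT)):
        print(name, forward(acl, "192.168.0.10", "192.168.10.20"))
```

In IOS terms the exempting list is the usual pattern of `access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255` followed by `access-list 110 permit ip 192.168.0.0 0.0.0.255 any`, referenced from `ip nat inside source list 110 interface FastEthernet0/0 overload` (the list number is an assumption). Router B needs the mirror image with the two LAN ranges swapped.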
02-06-2011 05:26 AM
There are a number of things missing from your config; the best example config that I've found is here:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
This example works and explains each addition to the config. Hope this helps.
Cheers,
Sam
02-06-2011 07:40 AM
Hello Sam,
IT WORKS, THANK YOU!!!
But:
I just have to remove the IP ROUTE 0.0.0.0 0.0.0.0 81.83.202.XX (IP of the first router).
If I keep this, I have a LAN on both sides but no Internet.
router eigrp 90
network 172.16.0.0
network 192.168.10.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 81.83.202.xx
no ip http server
ip http authentication local
ip http secure-server
02-07-2011 04:37 AM
Hi Sam,
Thank you for all your information; the below configuration works well on one of my spokes.
In this example we use a fixed IP. I do not have a fixed IP; can I use something like DynDNS?
Router#sh run
Building configuration...
Current configuration : 1454 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
!
!
!
!
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication cisco123
ip nhrp map 172.16.0.1 81.83.201.xx
ip nhrp map multicast 81.83.201.xx
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
router eigrp 90
network 172.16.0.0
network 192.168.0.0
no auto-summary
!
ip route 0.0.0.0 0.0.0.0 81.83.201.xx
!
no ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
!
line con 0
speed 115200
line aux 0
line vty 0 4
privilege level 15
login
line vty 5 15
privilege level 15
login
!
!
end
Best Regards,
Didier