Router(IPsec)->INTERNET->Router(IPsec) Where to put the TUNNEL IP POOL ?

Didier1966, Level 1

Hello,

I am still learning VPN (IPsec). I was able to create a tunnel between my PC and my router, but now I would like to connect both routers:

F0/1=192.168.0.1 ROUTER A ->INTERNET->ROUTER B F0/1=192.168.10.1

Both routers receive an IP address from my ISP, and I am able to ping from one site to the other; by this I mean I am able to ping ROUTER A from ROUTER B with the ISP addresses, and vice versa.

Both routers have the same configuration, except for the IP addresses and the ACL, which are mirrored.

I think I know what I am doing wrong, but I do not know how to solve it: the tunnel also needs an IP address from a pool. Where do I have to set this up, on ROUTER A or ROUTER B?

ROUTER A

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 81.83.201.BB
!
crypto ipsec transform-set MYSET esp-3des
!
crypto map router_A_to_router_B 1000 ipsec-isakmp
 set peer 81.83.201.BB
 set transform-set MYSET
 match address 101
!
interface FastEthernet0/0
 ip address dhcp
 speed auto
 full-duplex
 crypto map router_A_to_router_B
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 speed auto
 full-duplex
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
!
control-plane
!
line con 0
 speed 115200
line aux 0
line vty 0 4
!
end

ROUTER B

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip cef
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco address 81.83.201.AA
!
crypto ipsec transform-set MYSET esp-3des
!
crypto map router_B_to_router_A 1000 ipsec-isakmp
 set peer 81.83.201.AA
 set transform-set MYSET
 match address 101
!
interface FastEthernet0/0
 ip address dhcp
 speed auto
 full-duplex
 crypto map router_B_to_router_A
!
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 speed auto
 full-duplex
!
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
!
control-plane
!
line con 0
 speed 115200
line aux 0
line vty 0 4
!
end


Best Regards,

Didier

Accepted Solution: Sam Smiley's second reply below (the post beginning "Didier, there are a number of things missing in your config").

4 Replies

Sam Smiley, Level 3

There are a number of things missing from your config; the best example config that I've found is here:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml

This example works and explains each addition to the config. Hope this helps.

Cheers,

Sam

Hello Sam,

IT WORKS, THANK YOU!!!

But:

I just had to remove the ip route 0.0.0.0 0.0.0.0 81.83.202.XX (IP of the first router).

If I keep this, I have a LAN on both sides but no Internet.

router eigrp 90
 network 172.16.0.0
 network 192.168.10.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 81.83.202.xx
no ip http server
ip http authentication local
ip http secure-server

Best Regards,
Didier

Didier, there are a number of things missing in your config to make it work. From what I can tell, fa0/1 is inside and fa0/0 is outside. There is no NAT translation to give the PCs on the inside of the network Internet access. You will also have to exclude the EIGRP routes from NAT in order to reach the remote network. Each router will have to have a default gateway to the Internet; this should be done with the following command:

ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp

This will use the default gateway from the DHCP server that assigns the IP to fa0/0. Once each router has a path to the other and the tunnel connects, EIGRP will take care of the rest given the information in router eigrp 90. Here is the show ip route from one of my spoke routers:

RNT-2620XM#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     65.0.0.0/32 is subnetted, 1 subnets
C       65.14.24.190 is directly connected, Dialer0
     172.16.0.0/32 is subnetted, 1 subnets
D EX    172.16.50.31 [170/3074560] via 172.19.8.1, 20:04:58, Tunnel0
     172.19.0.0/24 is subnetted, 1 subnets
C       172.19.8.0 is directly connected, Tunnel0
     10.0.0.0/8 is variably subnetted, 14 subnets, 6 masks
D EX    10.13.13.8/29 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D EX    10.11.7.0/28 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D       10.13.13.0/29 [90/2818560] via 172.19.8.1, 20:04:58, Tunnel0
C       10.19.9.0/27 is directly connected, Vlan200
C       10.19.8.0/24 is directly connected, Vlan100
C       10.19.10.0/28 is directly connected, Vlan900
D EX    10.20.7.0/24 [170/2818560] via 172.19.8.1, 20:04:58, Tunnel0
D       10.22.7.0/24 [90/3097600] via 172.19.8.1, 17:34:52, Tunnel0
D       10.37.4.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
D       10.15.50.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
D EX    10.24.40.0/24 [170/2818560] via 172.19.8.1, 20:04:59, Tunnel0
D       10.12.85.0/24 [90/3074560] via 172.19.8.1, 20:04:59, Tunnel0
C       10.19.9.192/26 is directly connected, Vlan500
D EX    10.244.0.0/22 [170/2818560] via 172.19.8.1, 20:04:59, Tunnel0
     74.0.0.0/32 is subnetted, 1 subnets
C       74.23.201.24 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0

All of the routes designated D are dynamic routes pulled from other routers on the DMVPN by EIGRP. It will propagate the route table and point them to the appropriate hub/spoke. If you follow the example that I gave you, you'll have a functional DMVPN.

Cheers,

Sam
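The three items Sam lists (NAT for the LAN, exemption of the site-to-site traffic from NAT, default route taken from the DHCP lease), written out for ROUTER A as an added example. This is not Sam's or Cisco's own text; ACL number 110, ACL-based NAT with overload on the DHCP-addressed interface, and the second deny line for the 172.16.0.0/24 tunnel subnet of the DMVPN variant are assumptions. ROUTER B mirrors it with the two LAN subnets swapped.

```cisco
! Added example for ROUTER A: LAN 192.168.0.0/24, remote LAN 192.168.10.0/24.
! ACL 110 and the route-to-interface default are assumptions, not from the thread.
!
! 1. Default route from the ISP's DHCP lease on fa0/0 (Sam's command, full
!    interface name), instead of a static next hop that breaks when the lease changes.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
!
! 2. Mark the NAT inside and outside interfaces.
interface FastEthernet0/1
 ip nat inside
interface FastEthernet0/0
 ip nat outside
!
! 3. NAT policy. IOS translates inside->outside BEFORE the crypto map on fa0/0
!    evaluates ACL 101, so without the deny lines LAN traffic to 192.168.10.0/24
!    would leave PAT'ed to the public address, never match ACL 101, and go to the
!    Internet in the clear toward an RFC 1918 address the ISP drops.
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload
```

Check it from a LAN host by pinging 192.168.10.1: `show ip nat translations` must not list the 192.168.0.x to 192.168.10.x flow, while the encaps/decaps counters in `show crypto ipsec sa` must climb. In the mGRE design Sam links to, traffic routed into Tunnel0 is not translated as long as Tunnel0 is not marked `ip nat outside`, so there the deny lines are insurance rather than a requirement. Two caveats on the crypto-map configs posted above: the transform set `esp-3des` carries no `esp-*-hmac`, so ESP provides no integrity check, and IKE authenticates with the pre-shared key `cisco`; add an HMAC transform and a long random key before this leaves the lab.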

Hi Sam,

Thank you for all your information; the configuration below works well on one of my spokes.

In this example we use a fixed IP. I do not have a fixed IP; can I use something like DynDNS?

Router#sh run
Building configuration...

Current configuration : 1454 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
ip cef
!
no ip domain lookup
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto ipsec profile cisco
 set security-association lifetime seconds 120
 set transform-set strong
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1440
 ip nhrp authentication cisco123
 ip nhrp map 172.16.0.1 81.83.201.xx
 ip nhrp map multicast 81.83.201.xx
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
router eigrp 90
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 81.83.201.xx
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 speed 115200
line aux 0
line vty 0 4
 privilege level 15
 login
line vty 5 15
 privilege level 15
 login
!
end

Best Regards,

Didier
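A tightened version of the spoke configuration above, added here as an example; it is not Didier's text and not Cisco's sample. It keeps the posted tunnel design (mGRE Tunnel0 at 172.16.0.2, NHRP to the hub at 172.16.0.1, EIGRP 90, the same two interfaces) and replaces the settings a practitioner would change before a spoke faces the Internet. The hub's NBMA address stays elided as 81.83.201.xx; `spoke-A`, `example.invalid`, the `admin` user, the `MGMT` ACL and every REPLACE-WITH value are placeholders, and AES, SHA and DH group 14 assume an IOS 12.4T or later image that offers them.

```cisco
! Added example: hardened DMVPN spoke. Placeholder names and keys, see lead-in.
hostname spoke-A
ip domain-name example.invalid
!
! enable secret stores a hash; enable password (used in the post) stores a
! reversible string. Local user for SSH login; run
!   crypto key generate rsa modulus 2048
! once in exec mode before enabling SSH.
no enable password
enable secret REPLACE-WITH-STRONG-SECRET
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
ip ssh version 2
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! Wildcard PSK is what dynamic spoke addresses force on the hub; anyone who
! learns this string can attempt to join, so it must be long and random.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 0.0.0.0 0.0.0.0
! Dead peer detection so a spoke whose ISP address changed is torn down and re-registers.
crypto isakmp keepalive 10 3
!
! AES with an HMAC; transport mode keeps the GRE header as the only outer overhead.
crypto ipsec transform-set strong esp-aes 256 esp-sha-hmac
 mode transport
! No 120-second lifetime: the posted value forces a rekey every two minutes.
crypto ipsec profile cisco
 set transform-set strong
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! NHRP authentication is a plain string, not a cryptographic control;
 ! it only keeps mis-configured peers apart.
 ip nhrp authentication cisco123
 ip nhrp map 172.16.0.1 81.83.201.xx
 ip nhrp map multicast 81.83.201.xx
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile cisco
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
router eigrp 90
 network 172.16.0.0
 network 192.168.0.0
 no auto-summary
!
! Management only from the LAN and only over SSH; the posted vty lines had
! "login" with no password and no transport restriction.
ip access-list standard MGMT
 permit 192.168.0.0 0.0.0.255
line vty 0 15
 access-class MGMT in
 transport input ssh
 login local
```

Two points this block encodes for the questions in the thread: the tunnel address is set statically on each router (172.16.0.1 on the hub, .2 here), not drawn from a pool; and only the hub needs a fixed public address, because the spoke initiates both the NHRP registration and the IKE exchange, so a spoke behind a dynamic ISP address needs no DNS entry for itself. The wildcard pre-shared key is the price of dynamic spoke addresses; move to `authentication rsa-sig` with certificates once the lab works. Verify with `show crypto isakmp sa`, `show crypto ipsec sa`, `show ip nhrp` and `show ip eigrp neighbors`.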