Routing Traffic between Two Site to Site VPN Tunnels

sohail.qadir
Level 1

Hi there experts,
Let me tell you that my knowledge of Cisco is very limited. Here is a scenario. I have two sites, Site A and Site B. In both sites I have DSL modems that connect to Cisco 881 routers. The VPN was working between the sites for a long time and all of a sudden it stopped working. Upon investigation we found that the router on Site B had lost all of its configuration. The routers and VPN were configured by an old employee who is not with the firm anymore. I have searched on the net for weeks to come up with a solution; however, all the VPN scenarios we found are site-to-site VPN and I am not sure how that will work with the ADSL, as it assigns its own IP addresses and the configuration on my Router 1 shows a dialer interface. I have pasted the configuration for Site A (which I believe one of our employees may have changed a little). Could one of you gurus please tell me what I need to put on the router at Site B, or if you could guide me in the right direction I would appreciate it.
Router1>en
Password:
Router1#show run
Building configuration...

Current configuration : 6517 bytes
!
! No configuration change since last restart
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
logging userinfo
logging buffered 10000
logging console critical
enable secret 4 Hm0qZrSiGxHG1nu0XvpdKMV6iWo9kl0.V.0dgFOg/R.
!
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication login VPN local-case
aaa authorization exec default local
aaa authorization network VPN local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone EST -5 0
clock summer-time EST recurring
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2971515855
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2971515855
revocation-check none
rsakeypair TP-self-signed-2971515855
!
!
crypto pki certificate chain TP-self-signed-2971515855
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666994 6174652D 32393731 35313538 3535301E 170D3133 31313139 30333436
30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39373135
31353835 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A4FE 5173E779 D22DF201 407E31BF A186C1FF C983B436 CF5E57A8 F98F61F7
866E6891 EE8B11C9 293B86E4 29F62CC4 A18C5B2C 265F91C5 1CDB99D9 AA259D5B
E8607C41 49A71148 4C602C2E 7C3D249B 067AF71B 9FF8DE1C AE26B134 522A72AB
04D4157F C44287A8 226348F5 55383EC5 7C0AC3F3 DBACBDB7 00BE3133 2C903F90
58C10203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14972607 139A12BC 95DFCFD6 58BD9874 00943F8F 9E301D06
03551D0E 04160414 97260713 9A12BC95 DFCFD658 BD987400 943F8F9E 300D0609
2A864886 F70D0101 05050003 81810059 C1C4172B B3CBC4EF 02E9FAAC 50C3B34D
D2B4FBE7 1E351AE7 AF6574BA FEFABD8C 6A402560 301FE4FC 39CCFA57 13961DE8
73E485FF 90CA53C5 CDE93ADF 4B30D439 36B78527 6AA2D9E9 D305D550 C96690EA
DEF01FC4 653A7CB5 55E33F15 BFB3FEA3 4E7BD2D6 BDA87222 F000B81C 5F8F43C7
04A6AE3F 767555F3 80785A33 FD4AEB
quit
no ip source-route
no ip gratuitous-arps
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.155 192.168.1.254
!
ip dhcp pool ccp-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 0 2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name greenwin.com
login block-for 30 attempts 3 within 10
login delay 2
login on-failure log
login on-success log
no ipv6 cef
!
!
password encryption aes
license udi pid CISCO881-K9 sn FGL174720VC
!
!
username admin privilege 15 secret 4 Hm0qZrSiGxHG1nu0XvpdKMV6iWo9kl0.V.0dgFOg/R.
username iadmin privilege 15 secret 4 6rPE0gbQ92GPn/8MQh/KTH4wRtDAHPM2K6aKYwh0mTo
username GW.30Dun privilege 0 secret 4 8eMMaGyQlky/k1SrENEG7KeUMEnPXqnzyLGx8.oDKxk
username GW.19Dun privilege 0 secret 4 YrIjnmcKGixNb9gJyZm9pJgCqB517kdByLNj5FnNZtE
!
!
!
!
ip tcp synwait-time 10
ip ftp source-interface Vlan1
ip tftp source-interface Vlan1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 3022 rotary 1
ip ssh logging events
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 30 10 periodic
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group Gwtest.group
key 6 Payroll
save-password
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 1
set ip access-group VPN_ACC_IN in
set transform-set 3DES-SHA
reverse-route
!
!
crypto map CMAP client authentication list VPN
crypto map CMAP isakmp authorization list VPN
crypto map CMAP client configuration address respond
crypto map CMAP 65534 ipsec-isakmp dynamic DYNMAP
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $ES_WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
duplex auto
speed auto
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1380
!
interface Dialer0
ip address negotiated
ip access-group OUTSIDE in
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname gree@ctl.ca
ppp chap password 7 test
ppp pap sent-username gree@ctl.ca password 7 test
no cdp enable
crypto map CMAP
!
ip forward-protocol nd
no ip forward-protocol udp bootps
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 64.233.12.14
!
ip access-list extended OUTSIDE
permit udp any any eq isakmp
permit esp any any
permit udp any any eq non500-isakmp
permit icmp any any echo
permit icmp any any time-exceeded
permit icmp any any packet-too-big
permit udp any eq bootps any eq bootpc
permit tcp any gt 1023 any eq 3022
ip access-list extended VPN_ACC_IN
permit ip any 192.168.1.0 0.0.0.255
deny ip any 192.168.2.0 0.0.0.255
deny ip any 192.168.3.0 0.0.0.255
permit ip any any
!
logging trap warnings
logging facility local1
logging source-interface Vlan1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 10.80.34.0 0.0.0.255
access-list 1 permit 10.53.0.0 0.0.0.255
access-list 1 permit 10.56.10.8 0.0.0.7
access-list 1 permit 204.244.28.75 0.0.0.31
access-list 1 permit 204.244.224.0 0.0.0.31
access-list 10 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
line con 0
exec-timeout 20 0
logging synchronous
no modem enable
escape-character 27
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 20 0
privilege level 15
rotary 1
transport input ssh
escape-character 27
!
ntp source Vlan1
end


1 Reply

Hi,

If I were you, I'd take the config from site A and run it on Site B. Of course, edit the file beforehand to reflect Site B addressing.
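Before copying the Site A config to Site B as the reply suggests, it is worth auditing what that config actually contains: the crypto map is a dynamic map (`ipsec-isakmp dynamic DYNMAP`) paired with an ISAKMP client configuration group and a group key, which is the shape of a remote-access server rather than a static site-to-site peer; the IKE policy is 3DES with DH group 2; the PPP credentials are stored as type 7 (reversible) strings; the user and enable secrets are type 4 hashes; and the VPN_ACC_IN ACL ends in `permit ip any any`. The following script is an added example written for this page, not Cisco's tooling and not code from the original post. It runs over a constructed excerpt that mirrors the relevant lines of the pasted config (with a made-up type-4 hash and a type-7 PPP password generated by the script itself, since the value pasted above is not a valid type-7 string). The type-7 key constant is the publicly known fixed XOR key; the block parser assumes IOS's usual one-space indentation of sub-commands, which the forum paste lost, so re-indent a real `show run` before feeding it in.

```python
"""Audit an IOS running-config excerpt for the weak settings visible in the
Site A config above. Added example; the sample config below is constructed."""
from __future__ import annotations

import re
from typing import Iterator

# Cisco type-7 "encryption" is an XOR against this fixed, publicly known key.
# The first two characters of a stored type-7 string are the decimal start offset.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(blob: str) -> str:
    """Reverse a type-7 string (e.g. '070C285F4D06' -> 'cisco')."""
    if not re.fullmatch(r"\d{2}(?:[0-9A-Fa-f]{2})+", blob):
        raise ValueError(f"not a type-7 string: {blob!r}")
    seed, data = int(blob[:2]), bytes.fromhex(blob[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii", errors="replace")


def type7_encode(plain: str, seed: int = 7) -> str:
    """Produce a type-7 string; used here only to build the constructed sample."""
    data = plain.encode("ascii")
    return f"{seed:02d}" + bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                                 for i, b in enumerate(data)).hex().upper()


def blocks(config: str) -> Iterator[tuple[str, list[str]]]:
    """Yield (top-level command, [indented sub-commands]) pairs, skipping '!' lines."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            body.append(line.strip())
        else:
            if header is not None:
                yield header, body
            header, body = line.rstrip(), []
    if header is not None:
        yield header, body


def audit(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings = []
    for head, body in blocks(config):
        for line in [head, *body]:
            if m := re.search(r"\b(?:password|key) 7 (\S+)", line):
                try:
                    shown = repr(type7_decode(m.group(1)))
                except ValueError:
                    shown = "(not a valid type-7 string; redacted?)"
                findings.append(f"type-7 credential is reversible: {line!r} -> {shown}")
            if re.search(r"\bsecret 4 \S+", line):
                findings.append(f"type-4 hash (unsalted SHA-256, deprecated by Cisco; use type 8/9): {line!r}")
        if head.startswith("crypto isakmp policy"):
            # IOS defaults to DES when no 'encr' line is present.
            if "encr 3des" in body or not any(b.startswith("encr ") for b in body):
                findings.append(f"{head}: 3DES/DES IKE encryption")
            if any(b in ("group 1", "group 2") for b in body):
                findings.append(f"{head}: DH group 1/2 (1024-bit or less)")
        if head.startswith("crypto isakmp client configuration group") and any(b.startswith("key ") for b in body):
            findings.append(f"{head}: group pre-shared key; every client shares one secret")
        if re.match(r"crypto map \S+ \d+ ipsec-isakmp dynamic", head):
            findings.append(f"{head}: dynamic map accepts IKE from any source address holding the PSK")
        if head.startswith("ip access-list extended") and body and body[-1] == "permit ip any any":
            findings.append(f"{head}: ends in 'permit ip any any'; the deny lines above are the only restriction")
        if head == "ip http server":
            findings.append("ip http server: cleartext HTTP management enabled alongside HTTPS")
    return findings


# Constructed excerpt mirroring the pasted Site A config; hash value is made up.
SAMPLE_CONFIG = """\
hostname Router1
enable secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group Gwtest.group
 key 6 Payroll
 save-password
crypto dynamic-map DYNMAP 1
 set ip access-group VPN_ACC_IN in
 set transform-set 3DES-SHA
 reverse-route
crypto map CMAP 65534 ipsec-isakmp dynamic DYNMAP
interface Dialer0
 ip address negotiated
 ppp chap hostname gree@ctl.ca
 ppp chap password 7 """ + type7_encode("test") + """
 crypto map CMAP
ip http server
ip http secure-server
ip access-list extended VPN_ACC_IN
 permit ip any 192.168.1.0 0.0.0.255
 deny ip any 192.168.2.0 0.0.0.255
 permit ip any any
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run on the sample it reports eight findings; the same `audit()` call on a policy using `encr aes 256` and `group 14` returns none, which is the bar to aim for when rebuilding both routers rather than cloning the old config verbatim.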