02-15-2024 11:27 AM
I've attached my "show run" for the 3 routers. I'm trying to establish a VPN tunnel between router1 and router3
(the internal network for Router1 is 192.168.1.0/24, and the internal network for Router3 is 192.168.3.0/24, with router2 in the middle).
ROUTER1
ROUTER1#show run
Building configuration...
Current configuration : 1313 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ROUTER1
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key cyber123 address 12.1.1.1
!
!
!
crypto ipsec transform-set 50 esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 12.1.1.30
set pfs group2
set security-association lifetime seconds 900
set transform-set 50
match address 101
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
interface GigabitEthernet0/0/1
ip address 11.1.1.1 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0/0
ip route 11.1.1.0 255.255.255.252 GigabitEthernet0/0/1
ip route 12.1.1.0 255.255.255.252 GigabitEthernet0/0/1
ip route 192.168.3.0 255.255.255.0 GigabitEthernet0/0/1
ip route 11.1.1.0 255.255.255.252 11.1.1.2
!
ip flow-export version 9
!
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
ROUTER2
ROUTER2#show run
Building configuration...
Current configuration : 1033 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ROUTER2
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key cyber123 address 11.1.1.1
!
!
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/0/1
ip address 11.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0/1
ip route 11.1.1.0 255.255.255.252 GigabitEthernet0/0/1
ip route 12.1.1.0 255.255.255.252 GigabitEthernet0/0/0
ip route 192.168.3.0 255.255.255.0 GigabitEthernet0/0/0
ip route 12.1.1.0 255.255.255.252 12.1.1.30
ip route 11.1.1.0 255.255.255.252 11.1.1.1
ROUTER3
ROUTER3#show run
Building configuration...
Current configuration : 1224 bytes
!
version 15.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ROUTER3
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 3600
!
!
!
!
crypto ipsec transform-set 50 esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 11.1.1.1
set pfs group2
set security-association lifetime seconds 900
set transform-set 50
match address 101
!
!
!
!
!
!
spanning-tree mode pvst
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 12.1.1.1 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
ip access-group 101 in
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/0/0
ip route 11.1.1.0 255.255.255.252 GigabitEthernet0/0/0
ip route 12.1.1.0 255.255.255.252 GigabitEthernet0/0/0
ip route 192.168.3.0 255.255.255.0 GigabitEthernet0/0/1
!
ip flow-export version 9
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
02-15-2024 01:51 PM
Hello @cryptoclass ,
This is what your router configs should look like:
ROUTER1
crypto isakmp key cyber123 address 12.1.1.1
crypto ipsec transform-set 50 esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 12.1.1.1
set pfs group2
set security-association lifetime seconds 900
set transform-set 50
match address 101
!
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/0/1
ip address 11.1.1.1 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
ip route 12.1.1.0 255.255.255.252 11.1.1.2
ip route 192.168.3.0 255.255.255.0 11.1.1.2
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
ROUTER2
!
interface GigabitEthernet0/0/0
ip address 12.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface GigabitEthernet0/0/1
ip address 11.1.1.2 255.255.255.252
duplex auto
speed auto
!
ip route 192.168.1.0 255.255.255.0 11.1.1.1
ip route 192.168.3.0 255.255.255.0 12.1.1.1
ROUTER3
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key cyber123 address 11.1.1.1
crypto ipsec transform-set 50 esp-aes esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 11.1.1.1
set pfs group2
set security-association lifetime seconds 900
set transform-set 50
match address 101
!
interface GigabitEthernet0/0/0
ip address 12.1.1.1 255.255.255.252
duplex auto
speed auto
crypto map CMAP
!
interface GigabitEthernet0/0/1
ip address 192.168.3.1 255.255.255.0
duplex auto
speed auto
!
ip route 192.168.1.0 255.255.255.0 12.1.1.2
ip route 11.1.1.0 255.255.255.252 12.1.1.2
!
ip flow-export version 9
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
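An added example, not part of either post: a Python check that compares the two tunnel endpoints for the mismatches visible between the question's configs and the answer's (peer address, pre-shared key entry, crypto ACL direction). The names `parse`, `audit` and `excerpt` are hypothetical, and the sample excerpts are constructed from the question's values, using ROUTER1's interface layout for both routers.

```python
import ipaddress
import re

def parse(cfg):
    """Extract crypto-map facts from an IOS running-config excerpt."""
    f = {"keys": set(re.findall(r"^crypto isakmp key \S+ address (\S+)", cfg, re.M)),
         "peer": (re.findall(r"^\s*set peer (\S+)", cfg, re.M) or [None])[0],
         "src": None, "wan": None, "lans": set()}
    acl = re.search(r"^\s*match address (\d+)", cfg, re.M)
    if acl and (a := re.search(rf"^access-list {acl[1]} permit ip (\S+) (\S+)", cfg, re.M)):
        f["src"] = ipaddress.ip_network(f"{a[1]}/{a[2]}")  # wildcard mask = host mask
    for stanza in re.split(r"^![ \t]*$", cfg, flags=re.M):  # "!" separates stanzas
        ip = re.search(r"^\s*ip address (\S+) (\S+)", stanza, re.M)
        if "interface" in stanza and ip:
            iface = ipaddress.ip_interface(f"{ip[1]}/{ip[2]}")
            if re.search(r"^\s*crypto map \S+[ \t]*$", stanza, re.M):
                f["wan"] = str(iface.ip)        # interface the tunnel terminates on
            else:
                f["lans"].add(iface.network)    # inside network
    return f

def audit(local, remote):
    """Findings for `local`'s half of the tunnel, checked against `remote`."""
    loc, rem, out = parse(local), parse(remote), []
    if loc["peer"] != rem["wan"]:
        out.append(f"set peer {loc['peer']} is not the remote crypto-map interface {rem['wan']}")
    if loc["peer"] not in loc["keys"]:
        out.append(f"no isakmp key for peer {loc['peer']}")
    if loc["src"] and loc["src"] not in loc["lans"]:
        out.append(f"crypto ACL source {loc['src']} is not a local LAN")
    return out

def excerpt(lan, wan, peer, key_addr, src, dst):
    """Constructed sample input (not device output) carrying the thread's values."""
    key = f"crypto isakmp key cyber123 address {key_addr}\n" if key_addr else ""
    return key + f"""crypto map CMAP 10 ipsec-isakmp
 set peer {peer}
 match address 101
!
interface GigabitEthernet0/0/0
 ip address {lan} 255.255.255.0
!
interface GigabitEthernet0/0/1
 ip address {wan} 255.255.255.252
 crypto map CMAP
!
access-list 101 permit ip {src} 0.0.0.255 {dst} 0.0.0.255"""
R1 = excerpt("192.168.1.1", "11.1.1.1", "12.1.1.30", "12.1.1.1", "192.168.3.0", "192.168.1.0")
R3 = excerpt("192.168.3.1", "12.1.1.1", "11.1.1.1", None, "192.168.1.0", "192.168.3.0")
```

`audit(R1, R3)` and `audit(R3, R1)` report the problems in the original configs; the same calls on excerpts built from the answer's values return an empty list.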