
Site-to-Site VPN between ISR4331(Data Center) and 25 branch offices with RV042 and dynamic public IP

GM Singh
Level 1

Hi, we have just got an ISR4331 router. We will use this router at our Data Center as the hub router. Needless to say, it will have a static IP. Our purpose is to connect 30 small offices to the data center through site-to-site VPN. All of our offices have RV042 routers and DSL connections, so dynamic public IPs. How could we accomplish this task so that the VPN connection is stable and we do not need to configure tunnels frequently?

Thanks

GM

Accepted Solutions

Terence Payet
Level 1

Hi,

Please check the config below:

HUB:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
! This tells the HUB router that the remote routers have a dynamic public IP address
crypto isakmp key secretkey address 0.0.0.0 0.0.0.0

Define your interesting traffic. Note that I've specified two tunnels, but basically it will be the same for the rest apart from the destination. I've used 192.168.1.0/24 and 192.168.2.0/24 as an example. You will need to replace it with your existing setup.

ip access-list extended TUN1
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended TUN2
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Create your Phase 2 policy

crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map S2STUN 1 ipsec-isakmp dynamic HUB_TUN
crypto dynamic-map HUB_TUN 10
 set security-association lifetime seconds 86400
 set transform-set TS
 match address TUN1
!
crypto dynamic-map HUB_TUN 11
 set security-association lifetime seconds 86400
 set transform-set TS
 match address TUN2

Now apply the crypto map to your WAN interface

interface gi0/1
 crypto map S2STUN

Now configure your remote routers

Remote Router 1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
! Replace x.x.x.x with your HUB public IP address
crypto isakmp key secretkey address x.x.x.x
!
ip access-list extended TUNNEL-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map TUN_TO_HUB 10 ipsec-isakmp
 ! Replace x.x.x.x with your hub public IP address
 set peer x.x.x.x
 set transform-set TS
 match address TUNNEL-TRAFFIC
!
interface gi0/1
 crypto map TUN_TO_HUB

Remote Router 2

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
! Replace x.x.x.x with your HUB public IP address
crypto isakmp key secretkey address x.x.x.x
!
ip access-list extended TUNNEL-TRAFFIC
 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map TUN_TO_HUB 10 ipsec-isakmp
 ! Replace x.x.x.x with your hub public IP address
 set peer x.x.x.x
 set transform-set TS
 match address TUNNEL-TRAFFIC
!
interface gi0/1
 crypto map TUN_TO_HUB

HTH.
Please rate helpful post.
Regards,
Terence
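
An added check, not part of the post above or of any Cisco tool: a short Python audit that flags the legacy IKEv1/IPsec parameters appearing in the configuration above (3DES, MD5, DH group 2, and a pre-shared key that matches any peer address) before it goes onto an Internet-facing hub. The sample input is constructed from the hub lines of the answer; the function name `audit` and the rule names are hypothetical.

```python
import re

# Constructed sample: the hub lines from the answer above, without the prose.
SAMPLE_HUB_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key secretkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
"""

# Values treated as legacy by this example (an assumption of the example, adjust to policy).
WEAK_IKE = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
WILDCARD_KEY = re.compile(r"crypto isakmp key \S+ address 0\.0\.0\.0( 0\.0\.0\.0)?$")


def audit(config):
    """Return (line_no, rule, detail) findings for legacy IKEv1/IPsec settings."""
    findings = []
    in_policy = False
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        words = line.split()
        if not raw.startswith(" "):
            # Any top-level command closes the previous ISAKMP policy block.
            in_policy = line.startswith("crypto isakmp policy ")
        if in_policy and raw.startswith(" ") and len(words) >= 2:
            # "encr" and "encryption" are both accepted spellings of the keyword.
            key = "encr" if words[0].startswith("encr") else words[0]
            if words[1] in WEAK_IKE.get(key, ()):
                findings.append((no, f"weak-ike-{key}", line))
        elif line.startswith("crypto ipsec transform-set "):
            for transform in words[4:]:
                if transform in WEAK_ESP:
                    findings.append((no, "weak-esp-transform", transform))
        elif WILDCARD_KEY.match(line):
            # One shared key is accepted from every source address.
            findings.append((no, "wildcard-psk", "key accepted from any peer address"))
    return findings


if __name__ == "__main__":
    for no, rule, detail in audit(SAMPLE_HUB_CONFIG):
        print(f"line {no}: {rule}: {detail}")
```
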

Hello Mr Terence,

Thank you so much for prompt solution. It was really informative and helpful. I appreciate your help.

GM