02-18-2011 11:27 AM
I'm attempting to connect our main office with our remote datacenter, and I'm not exactly sure where to look for information.
Our setup looks something like:
[Office LAN: 192.168.0.0/22 (GE0/1)]->[Cisco 2821 (GE0/0)] -> Internet <- [Cisco 2911 (GE0/0)]->[DC LAN: 10.10.10.0/26 (GE0/1)]
Can anyone point me in the right direction to set up a VPN connection which routes office traffic destined for the 10.10.10.0/26 network to the datacenter?
Thanks!
Ben
02-19-2011 04:30 PM
You need to have a single NAT ACL, so you need a config like this:
Site 1:
LAN 192.168.0.0/22
Site 2:
LAN 10.10.10.0/26
Site 1:
ip access-list extended NAT
deny ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.63
permit ip 192.168.0.0 0.0.3.255 any
ip nat inside source list NAT interface gig 0/0 overload
int gig 0/1
ip nat inside
int gig 0/0
ip nat outside
ip access-list extended 150
permit ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.63
Site 2:
ip access-list extended NAT
deny ip 10.10.10.0 0.0.0.63 192.168.0.0 0.0.3.255
permit ip 10.10.10.0 0.0.0.63 any
ip nat inside source list NAT interface gig 0/0 overload
int gig 0/1
ip nat inside
int gig 0/0
ip nat outside
ip access-list extended 150
remark mirror image of the site 1 crypto ACL: source is the DC LAN, destination the office LAN
permit ip 10.10.10.0 0.0.0.63 192.168.0.0 0.0.3.255
Also, when typing the pre-shared key you need to check if they match:
crypto isakmp key 6 asdf address datacenter.external.ip.address
crypto isakmp key asdf address office.external.ip.address
The 6 in the first line shows an encrypted key will follow I believe.
Make these changes, and then let's check the debug outputs:
debug cry isa
debug cry ipsec
term mon
Federico.
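An added consistency check, not code from the thread or from Cisco: it parses the NAT and crypto ACLs of both sites from the answer above and verifies that every flow the crypto ACL selects is denied by the NAT ACL (otherwise PAT rewrites the source before IPsec sees the packet and the tunnel never triggers), and that the two crypto ACLs are mirror images of each other. The function names and the flat `permit|deny ip <src> <dst>` syntax it accepts are my assumptions.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask (0 bits must match) -> IPv4Network, e.g. 0.0.3.255 -> /22."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; each side is 'any', 'host A' or 'A WILDCARD'."""
    tok = line.split()
    action, tok = tok[0], tok[2:]              # tok[1] is the protocol keyword 'ip'
    ends = []
    for _ in range(2):
        if tok[0] == "any":
            ends.append(ipaddress.IPv4Network("0.0.0.0/0")); tok = tok[1:]
        elif tok[0] == "host":
            ends.append(ipaddress.IPv4Network(tok[1] + "/32")); tok = tok[2:]
        else:
            ends.append(wildcard_to_network(tok[0], tok[1])); tok = tok[2:]
    return action, ends[0], ends[1]

def nat_action(nat_acl, src, dst):
    """First-match NAT ACL lookup for a whole src->dst block; implicit deny at the end."""
    for action, asrc, adst in nat_acl:
        if src.subnet_of(asrc) and dst.subnet_of(adst):
            return action
    return "deny"

def nat_leaks(nat_lines, crypto_lines):
    """Flows the crypto ACL selects but the NAT ACL would still translate (PAT before IPsec)."""
    nat = [parse_ace(l) for l in nat_lines]
    return [f"{s} -> {d}" for a, s, d in map(parse_ace, crypto_lines)
            if a == "permit" and nat_action(nat, s, d) == "permit"]

def is_mirror(crypto_a, crypto_b):
    """Both crypto ACLs must describe the same flows with src/dst swapped or the SAs never match."""
    a = {(s, d) for act, s, d in map(parse_ace, crypto_a) if act == "permit"}
    b = {(d, s) for act, s, d in map(parse_ace, crypto_b) if act == "permit"}
    return a == b

# Constructed from the two site configs in the accepted answer (site 2 crypto ACL mirrored).
SITE1_NAT = ["deny ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.63",
             "permit ip 192.168.0.0 0.0.3.255 any"]
SITE1_CRYPTO = ["permit ip 192.168.0.0 0.0.3.255 10.10.10.0 0.0.0.63"]
SITE2_NAT = ["deny ip 10.10.10.0 0.0.0.63 192.168.0.0 0.0.3.255",
             "permit ip 10.10.10.0 0.0.0.63 any"]
SITE2_CRYPTO = ["permit ip 10.10.10.0 0.0.0.63 192.168.0.0 0.0.3.255"]
if __name__ == "__main__":
    print("NAT leaks:", nat_leaks(SITE1_NAT, SITE1_CRYPTO) + nat_leaks(SITE2_NAT, SITE2_CRYPTO) or "none")
    print("crypto ACLs mirror each other:", is_mirror(SITE1_CRYPTO, SITE2_CRYPTO))
```

Swapping the order of the deny and permit lines in a NAT ACL, or pasting the same crypto ACL on both routers, is reported by `nat_leaks` and `is_mirror` respectively.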
02-18-2011 11:33 AM
Hi Ben,
This link shows how to configure a simple IPsec tunnel between two IOS routers:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
If all you need to pass is unicast IP traffic, then IPsec will do it for you.
If you need other traffic, you can consider IPsec/GRE.
Federico.
02-18-2011 01:04 PM
Thanks!
I'm having some issues: I've followed the guide, and I still can't seem to get a connection to the remote end (from either side). Is there a way to troubleshoot a site-to-site VPN?
# DC ROUTER:
sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: remote_ip port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.192 192.168.0.0/255.255.252.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
# OFFICE ROUTER:
sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: y.y.y.y port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.0.0/255.255.252.0 10.10.10.0/255.255.255.192
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
02-18-2011 01:17 PM
Yes.
Make sure that you can PING between outside interfaces from the router.
So, from one router try to PING the outside IP of the other router (make sure you receive a response).
If it works (IP connectivity), try to PING from the inside interface to the inside interface.
ping x.x.x.x source y.y.y.y
Change x.x.x.x for the inside interface of the router (where you're doing the PING) and change y.y.y.y for the inside interface of the peer router.
This last test should negotiate and bring up the tunnel.
If it does not work, enable the following on both sides:
debug cry isa
debug cry ipsec
And try the ping x.x.x.x source y.y.y.y again and post the output of the debugs to troubleshoot.
Federico.
02-18-2011 01:47 PM
Thanks again for your reply, Federico.
I'm able to ping each OUTSIDE interface without issue.
Turning logging on:
# sh debugging
Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto IPSEC debugging is on
#ping 192.168.0.1 source 10.10.10.1
02-18-2011 01:49 PM
Ben,
Issuing the extended PING command should trigger the tunnel.
If there's no output from the debugs, make sure you have term mon configured.
If there's nothing still, you can post the configs from both sides.
Federico.
02-18-2011 01:57 PM