Site to Site VPN over ADSL with Static IP on both ends

etienneuae
Level 1

Hi everyone!

I have been asked to configure the above between our office and a client's.  I have been provided with the following info from the client side:

Pre-share key: nnnnnnnnnnnnnnnnnnnnnnnnnnnnnn

NAT ip for Perth is xxx.xxx.xxx.xxx
Remote peer IP address is yyy.yyy.yyy.yyy

encryption algorithm for (phase I/II) IKE and IPSEC => 3DES
hash algorithm for (phase I/II) IKE and IPSEC => MD5
Key exchange => pre-shared keys and the key is => nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
Diffie-Hellman Group ID => 1024 bit (2)
IKE lifetime => 86400 (1 day)
SA lifetime => 3600 (1 hour)
our peer address => 134.146.89.149
NATing IP at Remotenetwork => zzz.zzz.zzz.zzz

They tell me this is from a Cisco router - no idea which model and IOS.  From our side I will be using a "borrowed" 2821 router and I've been handed a "template" set of commands:

! Phase 2 proposal: ESP with 3DES encryption and MD5-HMAC integrity
crypto ipsec transform-set 3Des-MD5 esp-3des esp-md5-hmac

! IKE pre-shared key, bound to the remote peer's WAN address
crypto isakmp key some_big_random_key address xxx.xxx.125.251

! Crypto map entry: remote peer, proposal, PFS group and the interesting-traffic ACL
crypto map TPA-VPN 2262 ipsec-isakmp
description ; unmanaged IPSEC to TP CONTESO
set peer xxx.xxx.125.251
set transform-set 3Des-MD5
set pfs group2
match address 2262

! Host routes so the peer and the NATed address are reached via the WAN next hop
ip route yyy.yyy.55.148 255.255.255.255 zzz.zzz.89.158
ip route xxx.xxx.125.251 255.255.255.255 zzz.zzz.89.158

! Static NAT translation between 192.168.0.199 and yyy.yyy.55.148
ip nat outside source static 192.168.0.199 yyy.yyy.55.148

! Crypto ACL selecting the traffic that is sent through the tunnel
access-list 2262 remark Crypto map connection TP CONTESO
access-list 2262 permit ip host yyy.yyy.42.20 host 192.168.0.199
access-list 2262 permit ip host yyy.yyy.42.21 host 192.168.0.199
access-list 2262 permit ip host yyy.yyy.42.23 host 192.168.0.199

Keeping in mind I'm a total noob here, do these 2 sets of config commands have anything to do with each other?  Please advise me on the commands necessary on the 2821 to match the client's router.

Many thanks!


Marcin Latosiewicz
Cisco Employee

Etienne,

It looks about right ... some remarks below.

Diffie-Hellman Group ID => 1024 bit (2)

This can refer to the group 2 setting on the isakmp policies, which you have not provided. It doesn't have to mean "PFS", which in fact is another DH exchange, to make sure new keys cannot be derived from old ones.

When creating any entries in the crypto ACL on your side you need to know what the other side has configured.

Generally speaking, if NAT is done on traffic going via the tunnel you have to match IP addresses post-NAT (this scenario is rare).

(under the crypto map entry) set peer has to refer to the IP address of the peer as visible on the WAN.

Marcin
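Putting the two threads together, here is what a complete 2821-side configuration built from the client's listed parameters looks like, including the ISAKMP policy the template omits. This is an added example, not the template from the question or Cisco's own documentation; the policy number, the Dialer0 interface name and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are placeholders standing in for the masked values in the post.

```cisco
! Phase 1 (IKE/ISAKMP) policy matching the client's stated parameters.
! 3DES, MD5 and DH group 2 are legacy choices used here only because the
! remote side specified them; prefer AES, SHA-2 and group 14 or higher
! whenever both ends allow it.
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key bound to the client's WAN (post-NAT) peer address.
! 203.0.113.1 = placeholder for "Remote peer IP address" in the question.
crypto isakmp key PLACEHOLDER_PRESHARED_KEY address 203.0.113.1
!
! Phase 2 (IPsec) proposal: ESP with 3DES and MD5-HMAC.
crypto ipsec transform-set 3Des-MD5 esp-3des esp-md5-hmac
!
! Crypto map entry. "set pfs group2" is only correct if the client really
! runs PFS; if they do not, Phase 2 fails and the line must be removed.
! The 3600 s SA lifetime matches the client's "SA lifetime" value.
crypto map TPA-VPN 10 ipsec-isakmp
 description unmanaged IPsec to client site
 set peer 203.0.113.1
 set transform-set 3Des-MD5
 set pfs group2
 set security-association lifetime seconds 3600
 match address 110
!
! Crypto ACL. Because NAT is applied before encryption on the outbound
! path, both addresses are the post-NAT ones:
! 192.0.2.10 = placeholder for the NAT IP of the local (Perth) side
! 198.51.100.10 = placeholder for the NATing IP at the remote network
access-list 110 remark Crypto map connection to client site
access-list 110 permit ip host 192.0.2.10 host 198.51.100.10
!
! The crypto map does nothing until it is applied to the WAN interface
! that holds the static public IP (Dialer0 is a placeholder name).
interface Dialer0
 crypto map TPA-VPN
```

After applying it, "show crypto isakmp sa" should show the peer in QM_IDLE and "show crypto ipsec sa" should show encaps/decaps counters rising once matching traffic is sent; a mismatch in any Phase 1 value shows up as the ISAKMP SA never leaving MM_NO_STATE.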