Vpn site to site in Packet Tracer

nexusrouter
Level 1

Hello Experts,

I have been pulling my hair out "literally" trying to solve this VPN site-to-site issue; no matter what changes I make to the crypto map, access list and static routes used, I am unable to route interesting traffic between the sites in Packet Tracer.

Can anyone please take a look at this simulation and point me in the right direction ?

I have attached the packet tracer file to this discussion for you experts to have a look at

Thank you

5 Replies

Jouni Forss
VIP Alumni

Hi,

My Wireshark identified the file extension as belonging to it but can't open it. What exactly is supposed to be in the file?

Generally I think "packet-tracer" refers to the command on the CLI and the ASDM side to test what the ASA would do to certain traffic entering one of its interfaces. Or are we even talking about an ASA/PIX?

If you have such a output you could simply copy/paste it to this discussion.

- Jouni

Hi

This file is to be used with Packet Tracer...

I have copied and pasted the configurations for all routers...

The set-up is a simple point-to-point with another router acting as the internet router to bridge both sites...

Site A configuration:

crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp key soggynappie address 210.10.10.4
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 210.10.10.4
 set transform-set myset
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 209.10.10.4 255.255.255.0
 duplex auto
 speed auto
 ipv6 ospf cost 1
 crypto map mymap
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Serial0/1/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 192.168.20.0 255.255.255.0 209.10.10.10
ip route 0.0.0.0 0.0.0.0 210.20.20.4
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
line con 0
line vty 0 4
 login
!
end

--------

INTERMEDIARY ROUTER ACTING AS THE INTERNET BRIDGE

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Ethernet0/0/0
 ip address 209.10.10.10 255.255.255.0
 duplex auto
 speed auto
!
interface Ethernet0/1/0
 ip address 210.20.20.10 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1

--------------

SITE B ROUTER "Peer site"

crypto isakmp policy 1
 authentication pre-share
!
crypto isakmp key soggynappie address 209.10.10.4
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 209.10.10.4
 set transform-set myset
 match address 101
!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 210.20.20.4 255.255.255.0
 duplex auto
 speed auto
 ipv6 ospf cost 1
 no cdp enable
 crypto map mymap
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Serial0/1/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 192.168.10.0 255.255.255.0 210.20.20.10
ip route 0.0.0.0 0.0.0.0 209.10.10.4
!
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
!
line con 0
line vty 0 4
 login
!
end

----------------------------------

There you go....

I can get this working using static routes pointing directly towards the next-hop interface, however this defeats the object of building a VPN tunnel...

Any help would be great !!!!

Thank you

1. I can't see an ACL for traffic over the internet.

Site A:

access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/1 overload

Site B:

access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/1 overload

2. Make a route-map "vpn", match ACL 100 and set the outbound interface.

Both sites:

route-map vpn permit 10
 match ip address 102
 set interface FastEthernet0/1

3. Delete the static routes, it's not jadi's way :)
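An added consistency check (example code written for this page, not something any participant posted) that parses a trimmed copy of the Site A and Site B configs above, plus the NAT exemption suggested in the reply, and reports what a practitioner verifies before touching the routing: that each side's `set peer` and `crypto isakmp key ... address` name the other side's crypto-map interface address and that the keys agree, that every static next hop is on a connected subnet, that the crypto ACLs mirror each other, that the transform sets are equal, and that an `ip nat inside source list` does not translate the protected flow before the crypto map sees it (IOS applies inside-to-outside NAT before encryption, which is why the reply's `deny` entry has to come first). Run on the posted text it reports three things: Site A peers with, and keys for, 210.10.10.4 while Site B's Fa0/1 is 210.20.20.4; Site A's default route points at 210.20.20.4, which is not on any of its connected subnets; and Site B's default route points at 209.10.10.4, likewise. The function names and the `SITE_A`/`SITE_B`/`NAT_A` strings are the example's own; the parser handles only the commands that appear here and knows nothing about what Packet Tracer does or does not support.

```python
"""Added cross-check for two Cisco IOS site-to-site IPsec configs: peer/isakmp-key addresses vs the
other side's WAN address, static next hops vs connected subnets, mirrored crypto ACLs, equal transform
sets, NAT exemption of the protected flow. The config strings are trimmed from the thread (constructed)."""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
SITE_A = """
crypto isakmp key soggynappie address 210.10.10.4
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 210.10.10.4
 match address 101
interface FastEthernet0/1
 ip address 209.10.10.4 255.255.255.0
 crypto map mymap
ip route 192.168.20.0 255.255.255.0 209.10.10.10
ip route 0.0.0.0 0.0.0.0 210.20.20.4
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
SITE_B = """
crypto isakmp key soggynappie address 209.10.10.4
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto map mymap 1 ipsec-isakmp
 set peer 209.10.10.4
 match address 101
interface FastEthernet0/1
 ip address 210.20.20.4 255.255.255.0
 crypto map mymap
ip route 192.168.10.0 255.255.255.0 210.20.20.10
ip route 0.0.0.0 0.0.0.0 209.10.10.4
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
"""
# NAT exemption as the reply suggests for Site A: deny the VPN flow, then permit the rest.
NAT_A = ("access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255\n"
         "access-list 100 permit ip 192.168.10.0 0.0.0.255 any\n"
         "ip nat inside source list 100 interface FastEthernet0/1 overload\n")

def acl_addr(t, i):
    """Consume one ACL address spec ('any' or 'A.B.C.D WILDCARD') at t[i]; return (network, next i)."""
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(t[i + 1])))   # wildcard -> netmask
    return IPv4Network((t[i], str(mask)), strict=False), i + 2

def parse(text):
    """Pull the tunnel-relevant facts out of an IOS running-config (only the commands used here)."""
    c = {"ifaces": {}, "crypto_if": None, "psk": {}, "peers": [], "tset": None,
         "crypto_acl": None, "acls": {}, "routes": [], "nat_acl": None}
    iface = None
    for line in filter(str.strip, text.splitlines()):
        t = line.split()
        if not line.startswith(" "):                    # a top-level command ends any interface block
            iface = t[1] if t[0] == "interface" else None
        if t[:2] == ["ip", "address"] and iface:
            c["ifaces"][iface] = IPv4Interface(f"{t[2]}/{t[3]}")
        elif t[:2] == ["crypto", "map"] and iface:      # 'crypto map NAME' applied to an interface
            c["crypto_if"] = iface
        elif t[:3] == ["crypto", "isakmp", "key"]:      # crypto isakmp key KEY address A.B.C.D
            c["psk"][IPv4Address(t[5])] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tset"] = tuple(t[4:])
        elif t[:2] == ["set", "peer"]:
            c["peers"].append(IPv4Address(t[2]))
        elif t[:2] == ["match", "address"]:
            c["crypto_acl"] = t[2]
        elif t[:2] == ["ip", "route"]:                  # ip route PREFIX MASK NEXTHOP
            c["routes"].append((IPv4Network((t[2], t[3]), strict=False), IPv4Address(t[4])))
        elif t[0] == "access-list" and t[3] == "ip":    # access-list N permit|deny ip SRC DST
            src, i = acl_addr(t, 4)
            c["acls"].setdefault(t[1], []).append((t[2], src, acl_addr(t, i)[0]))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            c["nat_acl"] = t[5]
    return c

def check_pair(a, b):
    """Return the findings for the tunnel between configs a and b; an empty list means consistent."""
    out = []
    for name, me, other in (("Site A", a, b), ("Site B", b, a)):
        wan = other["ifaces"][other["crypto_if"]].ip   # the address this side has to peer with
        for p in {*me["peers"], *me["psk"]}:
            if p != wan:
                out.append(f"{name}: peer/isakmp key address {p} is not the other side's crypto-map address {wan}")
        if set(me["psk"].values()) != set(other["psk"].values()):
            out.append(f"{name}: pre-shared key differs from the other side")
        for net, nh in me["routes"]:
            if not any(nh in i.network for i in me["ifaces"].values()):
                out.append(f"{name}: ip route {net} via {nh}: next hop is not on a connected subnet")
        mirror = {(d, s) for act, s, d in other["acls"].get(other["crypto_acl"], []) if act == "permit"}
        nat = me["acls"].get(me["nat_acl"], [])          # inside->outside NAT runs before the crypto map
        for s, d in [(s, d) for act, s, d in me["acls"].get(me["crypto_acl"], []) if act == "permit"]:
            if (s, d) not in mirror:
                out.append(f"{name}: crypto ACL entry {s} -> {d} has no mirror on the other side")
            hit = next((act for act, es, ed in nat if s.subnet_of(es) and d.subnet_of(ed)), "deny")
            if hit == "permit":                          # first match wins, implicit deny at the end
                out.append(f"{name}: NAT list {me['nat_acl']} translates {s} -> {d} before encryption")
    if a["tset"] != b["tset"]:
        out.append(f"transform sets differ: {a['tset']} vs {b['tset']}")
    return out

if __name__ == "__main__":
    print("\n".join(check_pair(parse(SITE_A), parse(SITE_B))))
```

`check_pair(parse(SITE_A), parse(SITE_B))` returns the findings as a list of strings; an empty list means the pair is consistent on these points. Appending `NAT_A` to `SITE_A` before parsing adds no finding, because the VPN flow hits the `deny` entry first, whereas a NAT list consisting only of the `permit ... any` entry is reported as translating the protected flow.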

Sorry for the delay...

I have sorted this out myself... I did not add the static routes in for the next-hop address...

I corrected the issue by utilizing an IGP on all routers to advertise their networks... and hey presto, it worked.

Thank you for your help

NR

You are welcome.