Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
626
Views
0
Helpful
5
Replies

VPN(Site-to-site)

dibyam-baral
Level 1
Level 1

‎12-19-2013 07:36 AM

Someone please help me to built site to site vpn between 3 routers.I have tried alot but i failed.Its over me, you guys please help....

This is my topology.

Labels:
Preview file
35 KB
0 Helpful
5 Replies 5

Karsten Iwen
VIP
VIP

‎12-19-2013 07:44 AM

You probably struggeld with the crypto-maps?

Best to use VTIs where you build tunnel-interfaces between each pair of routers:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnips/configuration/15-mt/sec-ipsec-virt-tunnl.html

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

dibyam-baral
Level 1
Level 1

‎12-19-2013 07:45 AM

This configuration is from router1

hostname R1

!

!

!

!

!

!

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp key dibyam address 10.10.10.2

crypto isakmp key dibyam address 10.10.10.3

!

!

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

!

crypto map vpnmap 10 ipsec-isakmp

set peer 10.10.10.2

set peer 10.10.10.3

set transform-set vpnset

match address 100

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface Loopback0

ip address 1.1.1.1 255.255.255.255

!

interface FastEthernet0/0

description connected to/form s1

ip address 10.10.10.1 255.255.255.0

duplex auto

speed auto

crypto map vpnmap

!

interface FastEthernet0/1

description connected to/from lan

ip address 192.168.1.100 255.255.255.0

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

router rip

version 2

network 1.0.0.0

network 10.0.0.0

network 192.168.1.0

no auto-summary

!

ip classless

!

!

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

This configuration is from router2

hostname R2

!

!

!

!

!

!

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp key dibyam address 10.10.10.1

crypto isakmp key dibyam address 10.10.10.3

!

!

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

!

crypto map vpnmap 10 ipsec-isakmp

set peer 10.10.10.1

set peer 10.10.10.3

set transform-set vpnset

match address 100

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface Loopback0

ip address 2.2.2.2 255.255.255.255

!

interface FastEthernet0/0

description connected to/from s1

ip address 10.10.10.2 255.255.255.0

duplex auto

speed auto

crypto map vpnmap

!

interface FastEthernet0/1

description connected to/from lan

ip address 192.168.2.100 255.255.255.0

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

router rip

version 2

network 2.0.0.0

network 10.0.0.0

network 192.168.2.0

no auto-summary

!

ip classless

!

!

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255


This configuration is from router3

hostname R3

!

!

!

!

!

!

!

!

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp key dibyam address 10.10.10.1

crypto isakmp key dibyam address 10.10.10.2

!

!

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

!

crypto map vpnmap 10 ipsec-isakmp

set peer 10.10.10.1

set peer 10.10.10.2

set transform-set vpnset

match address 100

!

!

!

!

!

spanning-tree mode pvst

!

!

!

!

interface Loopback0

ip address 3.3.3.3 255.255.255.255

!

interface FastEthernet0/0

description connected to/from s1

ip address 10.10.10.3 255.255.255.0

duplex auto

speed auto

crypto map vpnmap

!

interface FastEthernet0/1

description connected to/from lan

ip address 192.168.3.100 255.255.255.0

duplex auto

speed auto

!

interface Vlan1

no ip address

shutdown

!

router rip

version 2

network 3.0.0.0

network 10.0.0.0

network 192.168.3.0

no auto-summary

!

ip classless

!

!

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255


This configuration is from switch

VLAN Name                             Status    Ports

---- -------------------------------- --------- -------------------------------

1    default                          active    Fa0/4, Fa0/5, Fa0/6, Fa0/7

                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11

                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15

                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19

                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23

                                                Fa0/24

100  VPN                              active    Fa0/1, Fa0/2, Fa0/3

1002 fddi-default                     active   

1003 token-ring-default               active   

1004 fddinet-default                  active   

1005 trnet-default                    active   


0 Helpful

Karsten Iwen
VIP
VIP
In response to dibyam-baral

‎12-19-2013 07:56 AM

Your crypto-maps are wrong. You need two sequences, one for each peer. Each sequence has hits own ACL and peer-setting. If it's for learning, continue with crypto-maps. If it's for production, go for virtual tunnel interfaces.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

dibyam-baral
Level 1
Level 1
In response to Karsten Iwen

‎12-19-2013 08:03 AM

like what,this!!!

crypto map vpnmap 10 ipsec-isakmp

set peer 10.10.10.2

set transform-set vpnset

match address 100

!

crypto map vpnmap 11 ipsec-isakmp

set peer 10.10.10.3

set transform-set vpnset

match address 100

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Trust me, i have done but still no result.

Let me explain one thing,,,R1 can ping to R2 and R3 but R2 cant ping R3 and similarly R2 and R3 can ping R1.

There is no icmp connection between R2 and R3.

0 Helpful

Karsten Iwen
VIP
VIP
In response to dibyam-baral

‎12-19-2013 09:10 AM 

Let me explain one thing,,,R1 can ping to R2 and R3 but R2 cant ping R3 and similarly R2 and R3 can ping R1.

so you don't even have reachability between yopur routers? How should the VPNs work then. Troubleshoot that first.

For the crypto-maps: You also need dedicated ACLs per peer:

crypto map vpnmap 12 ipsec-isakmp

  set peer 10.10.10.2

  set transform-set vpnset

  match address 102

!

crypto map vpnmap 13 ipsec-isakmp

  set peer 10.10.10.3

  set transform-set vpnset

  match address 103

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Customers Also Viewed These Support Documents