Lea Massiot

join:2012-09-03
reply to Lea Massiot

Re: VPN between two Cisco 887VA devices

Hello. Below are the two routers' running configurations.

-- "Router 1" running configuration:

===============================================================
Current configuration : 1924 bytes
!
! Last configuration change at 10:04:33 UTC Thu Oct 4 2012
! NVRAM config last updated at 09:36:06 UTC Thu Oct 4 2012
! NVRAM config last updated at 09:36:06 UTC Thu Oct 4 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key azertyuiop address 192.168.15.2 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 192.168.15.2
set transform-set STRONGEST
match address 101
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
ip address 192.168.15.1 255.255.255.0
crypto map VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 192.168.0.0 255.255.255.0 Vlan2
!
access-list 100 permit udp host 192.168.15.2 host 192.168.15.1 eq isakmp
access-list 100 permit ahp host 192.168.15.2 host 192.168.15.1
access-list 100 permit esp host 192.168.15.2 host 192.168.15.1
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
end
===============================================================


-- "Router 2" running configuration:

===============================================================
Current configuration : 2353 bytes
!
! Last configuration change at 12:12:05 UTC Thu Oct 4 2012
! NVRAM config last updated at 11:39:54 UTC Thu Oct 4 2012
! NVRAM config last updated at 11:39:54 UTC Thu Oct 4 2012
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn serial_number
!
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set STRONGEST esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 192.168.15.1
set transform-set STRONGEST
match address 101
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan2
ip address 192.168.15.2 255.255.255.0
crypto map VPN
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname hostname
ppp chap password 0 password
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Vlan2
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit udp host 192.168.15.1 host 192.168.15.2 eq isakmp
access-list 100 permit ahp host 192.168.15.1 host 192.168.15.2
access-list 100 permit esp host 192.168.15.1 host 192.168.15.2
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
end
===============================================================


Thank you for your help.
Best regards.

aryoba
Premium,MVM
join:2002-08-22
kudos:4
Several things I noticed in the router configurations:

* You shouldn't need to put a subnet mask on the crypto isakmp key command
* On Router 2's NAT ACL, you need to replace ACL 1 with an extended ACL (i.e. ACL 100) to deny NAT from taking place for traffic between 192.168.1.0/24 and 192.168.0.0/24, and to allow NAT to take place only for the Internet traffic (split-tunnel issue). Otherwise both encrypted and clear-text traffic (VPN and Internet traffic) will be NAT-ed
* I never like the idea of having an interface as the default gateway since it potentially creates unnecessary ARP broadcasts, which may slow down your connection. Why can't you just use an IP address as the default gateway?

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to Lea Massiot
As a side note, I would not call 3DES the "strongest" encryption level since there are stronger ones such as AES 256. In fact, in today's world 3DES is considered the minimum encryption level accepted in most organizations for establishing an IPSec VPN tunnel between business partners.
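The fragment below is an added example showing Router 2 rewritten along the lines of aryoba's two replies above; it is not configuration posted in this thread. It keeps the posted addresses and the pre-shared key, and assumes a new extended ACL number (110) and a new transform-set name (AES256-SHA), both chosen here for illustration. Only the lines that change are shown; the interface, dialer and PPP configuration stays as Router 2 posted it.

```cisco
! Router 2 - corrected fragment (example only, not from the thread)
!
! Phase 1: AES-256 with SHA-1 HMAC in place of 3DES/MD5.
! DH group 2 is kept as posted; use a higher group where the IOS release offers one.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared key keyed on the peer address alone, no subnet mask.
no crypto isakmp key azertyuiop address 192.168.15.1 255.255.255.0
crypto isakmp key azertyuiop address 192.168.15.1
!
crypto ipsec security-association lifetime seconds 86400
!
! Phase 2 transform set; the name is an assumption for this example.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
! Interesting traffic for the tunnel is unchanged from the posted config.
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.15.1
 set transform-set AES256-SHA
 match address 101
!
! NAT exemption (split tunnel): the deny for LAN-to-LAN traffic must come
! before the permit, so VPN traffic is never translated; everything else
! from 192.168.0.0/24 is still overloaded on Dialer0. ACL 110 is an assumed number.
no ip nat inside source list 1 interface Dialer0 overload
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 110 interface Dialer0 overload
!
! Static route to the far LAN via the peer's IP address instead of the interface.
no ip route 192.168.1.0 255.255.255.0 Vlan2
ip route 192.168.1.0 255.255.255.0 192.168.15.1
```

Router 1 gets the mirror-image changes (same policy and transform set, key for 192.168.15.2 without a mask, route to 192.168.0.0/24 via 192.168.15.2); it has no NAT, so it needs no exemption ACL. Both peers must agree on the policy and transform set or Phase 1 or Phase 2 will fail. Note also that ACL 100 in both posted configurations (isakmp, ahp, esp between the peers) is defined but never applied to an interface, so it currently has no effect either way. After applying, `show crypto isakmp sa` and `show crypto ipsec sa` on either router show whether the SAs come up and whether the encaps/decaps counters move when you send traffic between the two LANs.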