Cisco 1700 Site-Site VPN

Hello,

I'm trying to set up a site-to-site VPN with two Cisco 1700 routers, but I didn't get it to fly. When the tunnel is set up, the routing doesn't work, or other things.

Here is what I want to do:

192.168.4.0/24 -- RouterA --- INTERNET --- RouterB -- 192.168.6.0/24

Router A and Router B have a static IP. Let's say IPA and IPB. Here is my config of RouterB. RouterA looks mostly the same except it does dial-up, so the interface on the outside is Dialer0. I didn't find the failure. Can someone please help me out?

Router config from Router B
============================
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterB
!
boot system flash c1700-k9o3sy7-mz.122-11.t11.bin
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
enable secret 5 SECPASSWORD
!
username USER password 0 PASSWORD
memory-size iomem 25
ip subnet-zero
!
!
ip dhcp excluded-address 192.168.6.1 192.168.6.20
!
ip dhcp pool dhcpKoeln
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
!
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 4
!
!
crypto isakmp policy 110
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY123 address IPA
!
!
crypto ipsec transform-set mine esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer IPA
 set transform-set mine
 match address 102
!
interface Ethernet0
 description ContactLAN-Koeln
 ip address 192.168.6.1 255.255.255.0
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address IPB 255.255.252.0
 speed auto
 no cdp enable
 crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0 IPB-Gateway
ip route 192.168.4.0 255.255.255.0 IPA
no ip http server
ip pim bidir-enable
!
!
access-list 102 permit ip 192.168.6.0 0.0.0.255 192.168.4.0 0.0.0.255
no cdp run
!
!
end

Reply to
Alexander Grümmer

Alexander Grümmer wrote:

Most probably you have private LAN IP addresses on both sides and NAT/PAT to the public interface's IP address. Then you'll need to exclude the traffic for the tunnel to the remote side from NAT.

Reply to
Uli Link

Uli Link wrote:

I have NAT only on one side. I have the following NAT configuration:

interface Dialer0
 ip nat outside

interface FastEthernet0
 description CONTACT-AC
 ip address 192.168.4.1 255.255.255.0
 ip nat inside

ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.4.0 0.0.0.255

Is that so far right?

I have now changed my config to match the "Site-to-Site VPN Business Scenarios" from the Cisco IOS Enterprise VPN Configuration Guide.

I can now ping from 192.168.4.111 to 192.168.6.1

traceroute

When I want to ping from 192.168.6.1 to 192.168.4.111

RouterK#ping 192.168.6.111

The trace looks like this:

In router A I only have this NAT translation:

That appears when I do the ping from 192.168.4.111 to 192.168.6.1.

A ping in the other direction stops. ;(

SETUP
======

192.168.4.0 -|RouterAC|- IPB --INTERNET-- IPA -|RouterK|-192.168.6.0

I post again the complete config of my routers:

RouterAC
========

RouterAC#show run
Building configuration...

Current configuration : 2330 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterAC
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
enable secret 5
!
username password 0
memory-size iomem 20
ip subnet-zero
!
!
ip domain-name
ip name-server 194.8.194.60
ip name-server 213.168.112.60
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 4
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address IPA
!
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
!
crypto map s1first local-address Dialer0
crypto map s1first 1 ipsec-isakmp
 set peer IPA
 set transform-set proposal1
 match address 101
!
!
!
!
interface Tunnel0
 bandwidth 180
 ip address 172.17.3.3 255.255.255.0
 tunnel source IPB
 tunnel destination IPA
 crypto map s1first
!
interface Ethernet0
 description DSL-AC
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0
 description CONTACT-AC
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 no keepalive
 speed auto
 full-duplex
 no cdp enable
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username @netcologne.de password 7
!
ip nat inside source list 1 interface Dialer0 overload
no ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.6.0 255.255.255.0 Tunnel0
no ip http server
no ip pim bidir-enable
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 101 permit gre host IPB host IPA
no cdp run
!
banner login ^C
Dies ist der Router der Firma Contact Personal Service in AACHEN
^C
!
line con 0
line aux 0
line vty 0 4
 login authentication local_auth
 transport input ssh
!
end

RouterK
========

RouterK#show run
Building configuration...

Current configuration : 1695 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterK
!
boot system flash c1700-k9o3sy7-mz.122-11.t11.bin
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login SSH local
aaa session-id common
enable secret 5 $1$jdEd$JQFMcFNXV/8IhxCZ9O/3s1
!
username ice password 0 alex123
memory-size iomem 25
ip subnet-zero
!
!
ip domain name contactpersonal.de
ip dhcp excluded-address 192.168.6.1 192.168.6.20
!
ip dhcp pool dhcpKoeln
 network 192.168.6.0 255.255.255.0
 default-router 192.168.6.1
!
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 4
!
!
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address IPB
!
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
crypto map s1first local-address FastEthernet0
crypto map s1first 1 ipsec-isakmp
 set peer 87.78.66.88
 set transform-set proposal1
 match address 101
!
!
!
!
interface Tunnel1
 bandwidth 180
 ip address 172.17.3.6 255.255.255.0
 tunnel source IPA
 tunnel destination IPB
 crypto map s1first
!
interface Ethernet0
 ip address 192.168.6.1 255.255.255.0
 no keepalive
 full-duplex
 no cdp enable
!
interface FastEthernet0
 ip address IPA 255.255.252.0
 no ip mroute-cache
 no keepalive
 speed auto
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 137.226.28.1
ip route 192.168.4.0 255.255.255.0 Tunnel1
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit gre host IPA host IPB
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
!
end

Reply to
Alexander Grümmer
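Uli's point about excluding the tunnel traffic from NAT, and the NAT and crypto lines Alexander posted, as an added example that is not part of the thread: a small Python checker that parses numbered ACLs out of an IOS config and reports any crypto-ACL flow whose first matching entry in the NAT ACL is a permit, meaning the traffic would be translated before it is ever matched for encryption. The config samples are constructed from the RouterA lines above; the fixed variant shows the usual remedy of an extended NAT ACL with the site-to-site flow denied ahead of the permit.

```python
import ipaddress
import re

def _addr(tok, i):
    """Parse one ACL address at tok[i]: 'any', 'host X', or 'X wildcard-mask'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def acl_entries(cfg, number):
    """[(action, src, dst)] for numbered ACL `number`, in config order."""
    out = []
    for m in re.finditer(rf"^access-list {number} (permit|deny) (.+)$", cfg, re.M):
        tok = m.group(2).split()
        if tok[0] in ("ip", "gre", "tcp", "udp", "icmp"):  # extended: src and dst
            src, i = _addr(tok, 1)
            dst, _ = _addr(tok, i)
        else:                                             # standard: source only
            src, _ = _addr(tok, 0)
            dst = ipaddress.ip_network("0.0.0.0/0")
        out.append((m.group(1), src, dst))
    return out

def nat_findings(cfg):
    """Crypto-ACL flows whose first matching NAT-ACL entry is a permit (i.e. get NATed)."""
    nat = re.search(r"^ip nat inside source list (\S+)", cfg, re.M)
    crypto = re.search(r"^\s*match address (\S+)", cfg, re.M)
    if not nat or not crypto:
        return []
    nat_acl, findings = acl_entries(cfg, nat.group(1)), []
    for _, src, dst in [e for e in acl_entries(cfg, crypto.group(1)) if e[0] == "permit"]:
        hit = next((a for a, s, d in nat_acl if src.subnet_of(s) and dst.subnet_of(d)), None)
        if hit == "permit":  # no match means the implicit deny: traffic stays untranslated
            findings.append(f"{src} -> {dst} is NATed; deny it in ACL {nat.group(1)} first")
    return findings
# Constructed sample modelled on RouterA's NAT and crypto lines in this thread
ROUTER_A = """\
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.4.0 0.0.0.255
crypto map mymap 10 ipsec-isakmp
 match address 102
access-list 102 permit ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255
"""
# Same router with the tunnel traffic exempted from NAT: extended ACL, deny before permit
ROUTER_A_FIXED = ROUTER_A.replace("source list 1 ", "source list 110 ").replace(
    "access-list 1 permit 192.168.4.0 0.0.0.255",
    "access-list 110 deny ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255\n"
    "access-list 110 permit ip 192.168.4.0 0.0.0.255 any")
```

Run against the later GRE-over-IPsec configs (crypto ACL `permit gre host ... host ...`), the checker reports nothing, since the router-sourced GRE packets do not fall inside the standard NAT ACL's 192.168.4.0/24 source.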
