Router to Router VPN

Had someone come in and set up a VPN for me and they made a mess of things, so I would like to do it myself. I'd like to set up a router-to-router VPN using the following:

hub router - C2621 IOS 12.2 protocol is eigrp

remote router (spoke) C1721 IOS 12.3 protocol is eigrp

What I would like to do is be able to create a tunnel between the 2 routers (one is home and the other is the office). I'll want to allow certain ports through (3307, 4899, 25, 110, 53, 22)

I've noticed that there is an ACL for allowing GRE through:

    access-list 125 permit gre host 111.222.333.444 host 111.222.333.445

but when I do a "sh crypto isakmp sa" nothing is visible; the same goes for sh crypto peer, profile, etc. The only bit of info I get is when I do:

    sh crypto map
    Crypto Map "clientmap" 20 ipsec-isakmp
        Peer = 111.222.333.444
        Extended IP access list 125
            access-list 125 permit gre host 111.222.333.445 host 111.222.333.444
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ rtpset, }
        Interfaces using crypto map clientmap:

Also need to know how to determine if tunnel is up.

So if someone can direct me to a good document on explaining the setup and the commands I would appreciate it.

Thanks

Jon L. Miller

Hi Jon,

Have a look at the following link concerning GRE/IPSEC.

formatting link
You will not need to pipe holes for the above mentioned ports as they bypass any INBOUND/EXTERNAL access-lists on the peer router/s or vice versa because of the order of operation of IPSEC traffic processing.

Try running debugs on ISAKMP - "debug crypto isakmp" and see what the router spits out.

Post your config if you have any problems,

Rob

RobO

In article , RobO wrote:
:You will not need to pipe holes for the above mentioned ports as they
:bypass any INBOUND/EXTERNAL access-lists on the peer router/s or vice
:versa because of the order of operation of IPSEC traffic processing.

My reading here suggests that that is true only for some IOS releases within about the last year: before, the encapsulating packets for IPSec had to be permitted by the interface ACL, and the decapsulated packets had to be permitted as well.

Walter Roberson
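
Added example, not taken from any post in this thread and not the poster's configuration: a hub-side GRE-over-IPsec layout that reuses the thread's names (clientmap, rtpset, access-list 125) and shows where each ACL applies. Assumptions: 192.0.2.1 (hub) and 198.51.100.2 (spoke) are documentation addresses, FastEthernet0/0 is the WAN port and carries only the VPN, ACL numbers 120 and 130 and the tunnel subnet are made up, and the key is a placeholder.

```cisco
! Added example, hub side. Constructed placeholders: 192.0.2.1 = hub WAN,
! 198.51.100.2 = spoke WAN, FastEthernet0/0 = WAN port, 10.255.0.0/30 = tunnel.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.2
!
! rtpset contents are an assumption; the thread shows only the name
crypto ipsec transform-set rtpset esp-3des esp-sha-hmac
 mode transport
!
! Crypto ACL: local WAN address first, peer second
access-list 125 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map clientmap 20 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set rtpset
 match address 125
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.2
 ip access-group 130 in
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 120 in
 ! Without this line "Interfaces using crypto map clientmap:" stays empty
 ! and no SA is negotiated. Before 12.2(13)T, apply it to Tunnel0 as well.
 crypto map clientmap
!
! WAN ACL: IKE and ESP from the peer; the GRE entry covers releases that run
! the decapsulated packet through the interface ACL a second time
access-list 120 permit udp host 198.51.100.2 host 192.0.2.1 eq isakmp
access-list 120 permit esp host 198.51.100.2 host 192.0.2.1
access-list 120 permit gre host 198.51.100.2 host 192.0.2.1
!
! Tunnel ACL: inner traffic from the spoke is filtered here, not on the WAN port
access-list 130 permit eigrp any any
access-list 130 permit tcp any any established
access-list 130 permit tcp any any eq 22
access-list 130 permit tcp any any eq 25
access-list 130 permit tcp any any eq 110
access-list 130 permit tcp any any eq 3307
access-list 130 permit tcp any any eq 4899
access-list 130 permit udp any any eq 53
```

To check the tunnel, "show crypto isakmp sa" should list the peer in state QM_IDLE, and "show crypto ipsec sa" should show the encaps/decaps counters rising while traffic crosses Tunnel0.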

Walter,

Thanks for pointing that out to me.

RobO

Hi,

Would anyone be able to recommend Cisco products which I could use to replace my current router to router VPN? I need more reliability. Currently I'm using a combination of Zoom ADSL modem and Linksys BEFVP41 routers at each of two sites. The line keeps dropping, maybe 2-3 times a week. Would an 871 do what I need? Whatever model, it needs to be easy to set up and maintain, ideally through a CRWS interface. Though I could do basic command-line work, I am not Cisco certified.

Thanks in advance, SW

S W

I can recommend the 877-W, we use these at a lot of sites and the tunnels are usually rock solid - they do not usually require reboots etc.

Although from what you've said you could be look

> Hi,

peter.wonderboy

Hi

Apologies for the delay. Can you confirm that the 877-w has a user interface for setup, and is designed for linking two of them together?

SW

S W

tippenring

Thanks for the info.

Regards, SW

S W
