T1 Site-to-Site VPN

Soon I will have to set up a T1 with two 1841 routers, each with a CSU/DSU module. I have a back-to-back test setup here, and I have that part working. The next step was to establish a VPN tunnel between the two routers. That step is also working.

Here is the network diagram:

Host (10.10.20.20)
  |
(LAN IP: 10.10.20.1) Cisco 1841 (WAN IP: 192.168.60.1)
  |
(WAN IP: 192.168.40.1) Cisco 1841 (LAN IP: 10.10.10.1)
  |
Host (10.10.10.10)

Host 10.10.10.10 can ping anybody on the 10.10.20.0/24 network. Great. My problem is that 192.168.40.1 can also ping anybody on the 10.10.20.0/24 network.

I know that I need to set up an ACL, but I want to make sure that I do this right. I only want VPN traffic to be able to pass through, and I want to deny any other traffic coming into each router. I currently have an extended ACL matched to each crypto map, and I'm about 99.99999% sure that it's correct. However, if I add a deny any any ACL to my serial interface, then nobody can ping anybody anymore. This makes sense to me, but I want the extended ACL matched to my crypto maps to take precedence over that ACL and let VPN traffic through.

What's the correct way to do this? Thanks.

-- John

RouterA:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
ip domain name yourdomain.com
!
password encryption aes
!
username cisco privilege 15 secret 5 $1$uF6w$fMy7xMIp2BRaJMSi214EM/
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 LQVHTdLaGEbPEb^]bPAiKbISUPXEP^QVZAAB address 192.168.60.1
crypto isakmp keepalive 60 3 periodic
!
crypto ipsec transform-set L2LTransform esp-aes 256
!
crypto map L2LMap 1 ipsec-isakmp
 set peer 192.168.60.1
 set security-association level per-host
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set L2LTransform
 set pfs group5
 match address L2LAccess
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.40.1 255.255.255.0
 encapsulation ppp
 service-module t1 timeslots 1-24
 crypto map L2LMap
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended L2LAccess
 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
control-plane
!
banner login
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to
formatting link
-----------------------------------------------------------------------
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

RouterB:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
ip domain name yourdomain.com
!
password encryption aes
!
username cisco privilege 15 secret 5 $1$nAL8$hheCXtA4rN6.RosXTheFz0
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key 6 FMi^gCO^`\\EGMaeIVfUECJLD_dMWJZCNVAAB address 192.168.40.1
crypto isakmp keepalive 60 3 periodic
!
crypto ipsec transform-set L2LTransform esp-aes 256
!
crypto map L2LMap 1 ipsec-isakmp
 set peer 192.168.40.1
 set security-association level per-host
 set security-association lifetime seconds 86400
 set security-association idle-time 86400
 set transform-set L2LTransform
 set pfs group5
 match address L2LAccess
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$
 ip address 10.10.20.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.60.1 255.255.255.0
 encapsulation ppp
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
 crypto map L2LMap
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended L2LAccess
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
control-plane
!
banner login
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to
formatting link
-----------------------------------------------------------------------
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end


Example for RouterA:

access-list 101 permit udp host 192.168.60.1 eq 500 host 192.168.40.1 eq 500
access-list 101 permit esp host 192.168.60.1 host 192.168.40.1
access-list 101 deny ip any any log

access-list 102 permit udp host 192.168.40.1 eq 500 host 192.168.60.1 eq 500
access-list 102 permit esp host 192.168.40.1 host 192.168.60.1
access-list 102 deny ip any any log

int ser0/0/0
 ip access-group 101 in
 ip access-group 102 out

Hope that helps

--John
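An added example, not from either poster: a small Python model of Cisco IOS wildcard-mask ACL evaluation (first match wins, implicit deny at the end) used to check what the reply's inbound filter 101 and the original post's crypto ACL L2LAccess actually match. It models only the ACL entries themselves, not the interface order of operations around encryption and decryption, so it answers "does this entry match this packet", not "does the router forward it".

```python
import ipaddress

def _addr(t):
    # One IOS address spec: "any", "host A" or "A WILDCARD" -> (base, wildcard, rest)
    if t[0] == "any":
        return "0.0.0.0", "255.255.255.255", t[1:]
    if t[0] == "host":
        return t[1], "0.0.0.0", t[2:]
    return t[0], t[1], t[2:]

def _port(t):
    # Optional "eq N" qualifier; trailing keywords such as "log" are ignored
    return (int(t[1]), t[2:]) if t[:1] == ["eq"] else (None, t)

def parse_ace(line):
    # Accepts "access-list 101 permit udp ..." or the named-ACL form "permit ip ..."
    t = line.split()
    t = t[2:] if t[0] == "access-list" else t
    action, proto, t = t[0], t[1], t[2:]
    src, swc, t = _addr(t)
    sport, t = _port(t)
    dst, dwc, t = _addr(t)
    dport, _ = _port(t)
    return action, proto, src, swc, sport, dst, dwc, dport

def _wc_match(addr, base, wildcard):
    # IOS wildcard mask: 0 bits must match, 1 bits are "don't care"
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl_lines, proto, src, dst, sport=None, dport=None):
    # First matching entry wins; every IOS ACL ends with an implicit "deny ip any any"
    for action, p, s, swc, sp, d, dwc, dp in map(parse_ace, acl_lines):
        if p not in ("ip", proto):
            continue
        if not (_wc_match(src, s, swc) and _wc_match(dst, d, dwc)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action == "permit"
    return False

# RouterA's inbound serial filter as posted in the reply, and its crypto ACL from the OP's config
SERIAL_IN_101 = [
    "access-list 101 permit udp host 192.168.60.1 eq 500 host 192.168.40.1 eq 500",
    "access-list 101 permit esp host 192.168.60.1 host 192.168.40.1",
    "access-list 101 deny ip any any log",
]
CRYPTO_L2LACCESS = ["permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255"]
```

Evaluating CRYPTO_L2LACCESS against a ping sourced from the router's own WAN address (192.168.40.1) shows why it reached the far LAN in the clear: that source never matches the crypto ACL, so the packet is routed unencrypted and is exactly what the peer's inbound filter now drops.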


I'll give it a try. Thanks.

