VPN Between Two Cisco 1720 Routers

Hello @all,

Hope you can help me out. I have tried to set up a Router-to-Router VPN in a GRE tunnel (described in the Cisco IOS Cookbook). I got the GRE tunnel to work, but not the crypto.

I have the following setup:

Router A (Dialer0 / A.B.C.D) ----- INTERNET --- (Fa0 / E.F.G.H) Router B
   |                                                               |
   --(Tunnel1/172.16.1.1) --- GRE TUNNEL --- (Tunnel1/172.16.1.2)--

A.B.C.D and E.F.G.H are static IPs. Router A does a DSL dial-up with PPPoE and PAP.

GRE Setup:
==========

Router A:

interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 tunnel source A.B.C.D
 tunnel destination E.F.G.H
exit

Router B:

interface Tunnel1
 ip address 172.16.1.2 255.255.255.252
 tunnel source E.F.G.H
 tunnel destination A.B.C.D
exit

This does work!

IPSETUP
=======

Router A:
---------
!
crypto isakmp policy 101
 encr 3des
 authentication pre-share
crypto isakmp key bor1s address E.F.G.H no-xauth
!
crypto ipsec transform-set TUNNEL esp-3des
 mode transport
!
crypto map mymap 10 ipsec-isakmp
 set peer E.F.G.H
 set transform-set TUNNEL
 match address 102
!
access-list 102 permit gre host A.B.C.D host E.F.G.H

Router B:
---------
!
crypto isakmp policy 101
 encr 3des
 authentication pre-share
crypto isakmp key bor1s address A.B.C.D no-xauth
!
crypto ipsec transform-set TUNNEL esp-3des
 mode transport
!
crypto map mymap 10 ipsec-isakmp
 set peer A.B.C.D
 set transform-set TUNNEL
 match address 102

When I add crypto map mymap to the interfaces Dialer0 and fa0 the Tunnel stops working. Hope someone can help me out with that.

So long,
Alexander

Complete Config ROUTER A:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterA
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
enable secret 5
!
username LOGINNAME password 0 SECRETPASSWORD
memory-size iomem 20
ip subnet-zero
!
!
ip name-server 194.8.194.60
ip name-server 213.168.112.60
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 4
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
crypto isakmp policy 101
 encr 3des
 authentication pre-share
crypto isakmp key bor1s address E.F.G.H no-xauth
!
!
crypto ipsec transform-set TUNNEL esp-3des
 mode transport
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map mymap 10 ipsec-isakmp
 set peer E.F.G.H
 set transform-set TUNNEL
 match address 102
!
!
!
!
interface Tunnel1
 ip address 172.16.1.1 255.255.255.252
 tunnel source A.B.C.D
 tunnel destination E.F.G.H
!
interface Ethernet0
 description DSL-AC
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface FastEthernet0
 description LOCALLAN
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
interface Dialer0
 ip address negotiated
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username snipped-for-privacy@netcologne.de password 7 DSLLOGIN
 crypto map mymap
!
ip nat inside source list 1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip pim bidir-enable
!
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 102 permit gre host A.B.C.D host E.F.G.H
!
!
line con 0
line aux 0
line vty 0 4
 login authentication local_auth
!
no scheduler allocate
end

Complete Config RouterB:
========================

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RouterK
!
boot system flash c1700-k9o3sy7-mz.122-11.t11.bin
logging buffered 4096 debugging
aaa new-model
!
!
aaa authentication login local_auth local
aaa session-id common
enable secret 5 SECRETPW
!
username USERNAME password 0 LOGINPW
memory-size iomem 25
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 4
!
!
crypto isakmp policy 101
 encr 3des
 authentication pre-share
crypto isakmp key bor1s address A.B.C.D
!
!
crypto ipsec transform-set TUNNEL esp-3des
 mode transport
!
crypto map mymap 10 ipsec-isakmp
 set peer A.B.C.D
 set transform-set TUNNEL
 match address 102
!
!
!
!
interface Loopback0
 descr LOCAL TEST LAN
 ip address 192.168.6.1 255.255.255.0
!
interface Tunnel1
 ip address 172.16.1.2 255.255.255.252
 tunnel source E.F.G.H
 tunnel destination A.B.C.D
!
interface Ethernet0
 no ip address
 shutdown
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address E.F.G.H 255.255.252.0
 speed auto
 no cdp enable
 crypto map mymap
!
ip classless
ip route 0.0.0.0 0.0.0.0
ip route 192.168.4.0 255.255.255.0 172.16.1.1
no ip http server
ip pim bidir-enable
!
!
access-list 102 permit gre host E.F.G.H host A.B.C.D
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
 login authentication local_auth
!
end

Reply to
Alexander Grümmer

"Alexander Grümmer" wrote in message news: snipped-for-privacy@mid.dfncis.de...

Alexander, it appears you are trying to mix different kinds of vpns here. You can't use a crypto map and gre tunnel together. What you want to do is dump the crypto map and then do something like:

crypto ipsec profile myProfile
 set transform-set TUNNEL

int tunnel 1
 tunnel protection ipsec profile myProfile

Hope that helps,

Jim

Reply to
Scooby

In some versions of IOS, the crypto map needs to be applied on the outbound WAN interface (Dialer0) and the tunnel interface (but not the LAN interface). The requirement for the crypto map on the GRE tunnel interface was removed in later IOS versions.

What are you seeing in the crypto debugs?

Cheers,

Matt

Reply to
Matthew Melbourne
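An added example, not part of any post in this thread and not Cisco tooling: a Python check of the settings that have to line up between the two routers for the crypto map approach (same pre-shared key and transform set, mirrored crypto ACLs, peer equal to the far side's tunnel source). The config strings are constructed excerpts of the posted configs, and `map_on_tunnel_required` is a hypothetical switch modelling the IOS behaviour described in the reply above.

```python
import re
# Constructed excerpt of Router A's posted config; ROUTER_B is derived from it by
# swapping the two placeholder addresses and the WAN interface name.
ROUTER_A = """\
crypto isakmp key bor1s address E.F.G.H no-xauth
crypto ipsec transform-set TUNNEL esp-3des
crypto map mymap 10 ipsec-isakmp
 set peer E.F.G.H
interface Tunnel1
 tunnel source A.B.C.D
 tunnel destination E.F.G.H
interface Dialer0
 crypto map mymap
access-list 102 permit gre host A.B.C.D host E.F.G.H
"""
ROUTER_B = (ROUTER_A.replace("A.B.C.D", "TMP").replace("E.F.G.H", "A.B.C.D")
            .replace("TMP", "E.F.G.H").replace("Dialer0", "FastEthernet0"))
PATTERNS = {  # single-valued settings compared between the two peers
    "key": r"^crypto isakmp key (\S+) address",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "peer": r"^ set peer (\S+)",
    "src": r"^ tunnel source (\S+)",
    "dst": r"^ tunnel destination (\S+)",
}

def parse(cfg):
    """Extract peer-relevant settings from an IOS config excerpt."""
    f = {k: (m.group(1) if (m := re.search(p, cfg, re.M)) else None)
         for k, p in PATTERNS.items()}
    f["acl"] = re.findall(r"^access-list 102 permit gre host (\S+) host (\S+)", cfg, re.M)
    f["map_ifaces"] = re.findall(r"^interface (\S+)\n(?: .*\n)*? crypto map \S+$", cfg, re.M)
    return f

def check_pair(a, b, map_on_tunnel_required=False):
    """Return findings; an empty list means both sides agree."""
    out = []
    if a["key"] != b["key"]:
        out.append("pre-shared keys differ")
    if a["transform"] != b["transform"]:
        out.append("transform sets differ")
    if a["acl"] != [(d, s) for s, d in b["acl"]]:
        out.append("crypto ACLs are not mirror images")
    for name, me, other in (("A", a, b), ("B", b, a)):
        if me["peer"] != other["src"]:
            out.append(f"{name}: peer is not the other side's tunnel source")
        if (me["src"], me["dst"]) not in me["acl"]:
            out.append(f"{name}: crypto ACL does not cover its own GRE endpoints")
        if map_on_tunnel_required and "Tunnel1" not in me["map_ifaces"]:
            out.append(f"{name}: crypto map not applied to Tunnel1")
    return out
```

On these excerpts `check_pair(parse(ROUTER_A), parse(ROUTER_B))` returns no findings, and with `map_on_tunnel_required=True` it reports the missing crypto map on Tunnel1 for both routers.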
