Cisco IOS VPN routing Question

Rearview (MIS, US)
May 28, 2002
I have a VPN (Actually, three of them) going from a Cisco 2600 series router at my main location to three remote offices with Cisco 1700 series routers. All routers have built in VPN AIM modules.

Let's say the subnet at a remote office is 172.16.100.0

I have traffic from my main network (let's call it 172.16.1.0) routed through a Frame Relay connection to a 3rd party IP address, let's call it 42.42.42.42. So, from my main site and any T1 connected sites, the route on my "default gateway" router is "ip route 42.42.42.0 255.255.255.0 172.16.1.5" (router connected to the Frame Relay) and this works great.

Well, I need to be able to route data to this location from my VPN connected sites. I've tried several things, but nothing works. I don't think an ip route statement will work. I tried putting that IP address as part of the crypto map, but I don't know if I did it right.

Can someone tell me what I need to do to make this work? I started playing around with "ip vrf" stuff last night, but I don't think that is right. Thanks...
 
If you have configured the destination network as part of the crypto map, you can send routing tables to the peer with:

in crypto map put:
reverse-route remote-peer

With this, when a VPN client connects to the Cisco router, it will get the routes needed via the VPN tunnel.
 
This may look a bit confusing, but here is an example of what you could do. It would involve creating a loopback address on each router (3 on the main one), and a GRE tunnel on each (again, 3 on the main router).

This would be an example of your host router.

====================================================

!This is your encryption policy
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
!
!for the following 3 statements, make the isakmp key be something alpha-numeric, difficult to crack. Also the addresses will be the public IP's of the other sites.
crypto isakmp key site1 address x.x.x.x
crypto isakmp key site2 address x.x.x.x
crypto isakmp key site3 address x.x.x.x
!
!
!The next 3 lines can have the transform-set names be anything that you want
crypto ipsec transform-set Remote1 esp-3des esp-md5-hmac
crypto ipsec transform-set Remote2 esp-3des esp-md5-hmac
crypto ipsec transform-set Remote3 esp-3des esp-md5-hmac
!
!
!The following 3 crypto maps need to have the IP's set to the public IP's of the far side
crypto map vpn-backup 1 ipsec-isakmp
set peer x.x.x.x
set transform-set Remote1
match address 101
crypto map vpn-backup 2 ipsec-isakmp
set peer x.x.x.x
set transform-set Remote2
match address 102
crypto map vpn-backup 3 ipsec-isakmp
set peer x.x.x.x
set transform-set Remote3
match address 103
!
!
!
!
!These can be any IP's that you want...I recommend 192.168.x.x. You MUST use 255.255.255.255 subnet mask.
interface Loopback0
ip address 192.168.1.1 255.255.255.255
!
interface Loopback1
ip address 192.168.1.2 255.255.255.255
!
interface Loopback3
ip address 192.168.1.3 255.255.255.255
!
!The following are the GRE tunnels that you would build to the far sites. Other than the last 3 statements for each tunnel, it will be configured just like any other point to point link. IP can be anything that you want.
!
interface Tunnel1
description Tunnel to Remote1
bandwidth 1536
ip address 172.22.1.1 255.255.255.252
no ip proxy-arp
ip mtu 1400
no ip route-cache
ip tcp adjust-mss 1340
ip ospf authentication
ip ospf authentication-key treepump
ip ospf cost 21
no ip mroute-cache
tunnel source Loopback0
tunnel destination 192.168.1.4
crypto map vpn-backup
!
interface Tunnel2
description Tunnel to Remote2
bandwidth 1536
ip address 172.22.1.5 255.255.255.252
no ip proxy-arp
ip mtu 1400
no ip route-cache
ip tcp adjust-mss 1340
ip ospf authentication
ip ospf authentication-key treepump
ip ospf cost 31
no ip mroute-cache
tunnel source Loopback1
tunnel destination 192.168.1.5
crypto map vpn-backup
!
interface Tunnel3
description Tunnel to Remote3
bandwidth 1536
ip address 172.22.1.9 255.255.255.252
no ip proxy-arp
ip mtu 1400
ip tcp adjust-mss 1340
ip ospf authentication
ip ospf authentication-key treepump
ip ospf cost 41
no ip mroute-cache
qos pre-classify
tunnel source Loopback3
tunnel destination 192.168.1.6
crypto map vpn-backup
!
interface FastEthernet0/0
description LAN at main site
ip address 172.16.1.254 255.255.255.0
no ip proxy-arp
ip ospf authentication-key treepump
ip ospf network broadcast
ip ospf cost 10
speed 100
full-duplex
no cdp enable
!
!You mention having T1's...so this will be the serial virtual interface created off that. No ip is on the physical at all
interface Serial0/0:1
description Link to Internet
!put in the public IP address and subnet mask of your main site here
ip address x.x.x.x x.x.x.x
ip access-group 104 in
ip access-group 105 out
crypto map vpn-backup
!
router ospf 14882
router-id 172.16.1.1
log-adjacency-changes
network 172.16.1.0 0.0.0.255 area 0.0.0.0
!the tunnel /30s must be in OSPF too, or no routes will ever be exchanged across the tunnels
network 172.22.1.0 0.0.0.255 area 0.0.0.0
!
no ip http server
no ip http secure-server
!
!You will need to put in a static route to the public addresses of the remote sites (all 3) pointing to your public default gateway at your host, as given to you by your carrier
ip route x.x.x.x 255.255.255.255 x.x.x.x
!You will need to put in a static route to the loopback addresses of the remote sites (all 3) pointing to your public default gateway at your host, as given to you by your carrier
ip route 192.168.1.4 255.255.255.255 x.x.x.x
ip route 192.168.1.5 255.255.255.255 x.x.x.x
ip route 192.168.1.6 255.255.255.255 x.x.x.x
!
!
!
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 1 permit 172.22.1.0 0.0.0.255
access-list 2 permit 172.16.1.0 0.0.0.255
access-list 2 permit 172.22.1.0 0.0.0.255
access-list 101 remark Interesting Traffic Definition To Remote1
access-list 101 permit gre host 192.168.1.1 host 192.168.1.4
access-list 102 remark Interesting Traffic Definition to Remote2
access-list 102 permit gre host 192.168.1.2 host 192.168.1.5
access-list 103 remark Interesting Traffic Definition to Remote3
access-list 103 permit gre host 192.168.1.3 host 192.168.1.6
access-list 104 remark Allow IPSec Inbound from Internet
access-list 104 permit gre any any
!in the following 3, put the public IP of remote site 1
access-list 104 permit ahp host x.x.x.x any
access-list 104 permit esp host x.x.x.x any
access-list 104 permit udp host x.x.x.x any eq isakmp
!repeat here for remote 2, using the public IP
access-list 104 permit ahp host x.x.x.x any
access-list 104 permit esp host x.x.x.x any
access-list 104 permit udp host x.x.x.x any eq isakmp
!ditto here for #3
access-list 104 permit ahp host x.x.x.x any
access-list 104 permit esp host x.x.x.x any
access-list 104 permit udp host x.x.x.x any eq isakmp
!the following 2 allow IP info for routing as well as ping
access-list 104 permit ip 172.16.1.0 0.0.0.255 any
access-list 104 permit icmp 172.16.1.0 0.0.0.255 any
access-list 105 remark Allow IPSec Outbound from Network/Router
access-list 105 permit gre any any
!put in the public ip of remote1, then 2, then 3, just like above
access-list 105 permit ahp any host x.x.x.x
access-list 105 permit esp any host x.x.x.x
access-list 105 permit udp any host x.x.x.x eq isakmp
access-list 105 permit ahp any host x.x.x.x
access-list 105 permit esp any host x.x.x.x
access-list 105 permit udp any host x.x.x.x eq isakmp
access-list 105 permit ahp any host x.x.x.x
access-list 105 permit esp any host x.x.x.x
access-list 105 permit udp any host x.x.x.x eq isakmp
access-list 105 permit ip any 172.16.1.0 0.0.0.255
access-list 105 permit icmp any 172.16.1.0 0.0.0.255
!
!the following is for telnet access
line vty 0 4
access-class 1 in

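Added example, not from the thread: a Python check that parses a constructed excerpt shaped like the posted host-router config and confirms that every crypto map "match address" ACL exists and permits the GRE flow its tunnel actually sources. It is the cross-reference that catches a slip like the ACL 103/104 mismatch in the config above (the excerpt reproduces that slip deliberately).

```python
import re

# Constructed excerpt in the shape of the posted config; map entry 3 asks for ACL 103,
# but its GRE permit was typed as ACL 104 (the same slip as in the thread).
SAMPLE_CONFIG = """
crypto map vpn-backup 1 ipsec-isakmp
 match address 101
crypto map vpn-backup 3 ipsec-isakmp
 match address 103
interface Loopback0
 ip address 192.168.1.1 255.255.255.255
interface Loopback3
 ip address 192.168.1.3 255.255.255.255
interface Tunnel1
 tunnel source Loopback0
 tunnel destination 192.168.1.4
interface Tunnel3
 tunnel source Loopback3
 tunnel destination 192.168.1.6
access-list 101 permit gre host 192.168.1.1 host 192.168.1.4
access-list 104 permit gre host 192.168.1.3 host 192.168.1.6
"""

def parse(cfg):
    """Pull out map ACL numbers, loopback /32 addresses, tunnel endpoints and GRE ACL lines."""
    maps, loops, tunnels, gre, iface = [], {}, {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip address (\S+) 255\.255\.255\.255", line):
            loops[iface] = m.group(1)                     # /32 loopback used as tunnel source
        elif m := re.match(r"tunnel (source|destination) (\S+)", line):
            tunnels.setdefault(iface, {})[m.group(1)] = m.group(2)
        elif m := re.match(r"match address (\d+)", line):
            maps.append(m.group(1))
        elif m := re.match(r"access-list (\d+) permit gre host (\S+) host (\S+)", line):
            gre.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return maps, loops, tunnels, gre

def check(cfg):
    """Return a list of findings; an empty list means every tunnel's GRE flow is covered."""
    maps, loops, tunnels, gre = parse(cfg)
    missing = [f"crypto map matches ACL {acl} but no GRE permit uses that number"
               for acl in maps if acl not in gre]
    # A tunnel flow (source loopback -> destination) no map ACL matches leaves the
    # router unencrypted or is dropped by the public interface's inbound ACL.
    carried = {(loops[t["source"]], t["destination"]) for t in tunnels.values()}
    covered = {flow for acl in maps for flow in gre.get(acl, [])}
    unencrypted = [f"GRE {s} -> {d} is not matched by any crypto map ACL"
                   for s, d in sorted(carried - covered)]
    return missing + unencrypted
```

Running check(SAMPLE_CONFIG) reports two findings (ACL 103 has no GRE line, and the Tunnel3 flow is uncovered); renumbering the last access-list line to 103 clears both.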
 
if your VPNs terminate on the same interface as your frame-relay this would be considered a redirect ( as the traffic would come into the interface through the VPN and try and go out the same interface) which I know you can NOT do on a PIX and I think the router acts the same way and will not work.
 
If the router can do it though just make sure the 42.42.42.42 device has a route back to the VPN connected network
 
The VPNs terminate at my central administration building coming in on the public Internet interface. The connected frame relay router is on the LAN, so that would be a different interface.
 
My VPNs are 172.16.64.0, 172.16.65.0, etc...

I had this route put on the frame relay router (I don't control that router):

ip route 172.16.64.0 255.255.192.0 172.16.1.8

That should do it, right?
 
Oh, and 172.16.1.8 is the VPN router connected to the public Internet.
 