Hello all,
I've got some questions that I hope someone can answer for me...
I need to set up a site-to-site VPN between two PLCs. I found
some configuration examples on Cisco's website, but I'm not sure
that they are appropriate.
There are a couple of differences between my network diagram and
the one used on Cisco's website. Basically, I have DSL modems to
configure. This shouldn't be an issue from the SPOKE router's
perspective as it (I believe) initiates the tunnel. On the HUB
router side, I suppose I'll have to configure the DSL modem
(which does support IPSec passthrough) to put the HUB router in
its DMZ.
I've got to set this all up and make it work Monday, so I'm hoping
that someone might spot some errors for me or perhaps offer a
suggestion for a simpler solution.
Obviously my Ethernet1 interface on HUB will have to change to
match the DSL modem. Ethernet0 on SPOKE should get an
assigned address just fine.
I'm getting more comfortable with Cisco products and am near finished
studying for my CCNA, but on this one I bit off a bit more than I
can chew.
Thanks!
Steven Wilson
VPN Site-to-Site 831 Routers named HUB and SPOKE
Static IP address on HUB side.
Based on Cisco Document ID: 46242
IOS Versions: 12.3(2)XC2
10.1.1.0/24---|HUB|---|DSL|--- INTERNET ---|DSL|---|SPOKE|---10.2.2.0/24
                    static IP              dynamic IP
HUB Configuration:
Current configuration : 2191 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hub
!
no logging on
!
username steven password 7 104F05090D16435B
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key 0 cisco123
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group testgroup
key 0 alpha10
dns 1.1.1.1 2.2.2.2
wins 3.3.3.3 4.4.4.4
domain cisco.com
pool ippool
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring spokes
match identity address 0.0.0.0
crypto isakmp profile VPNclient
description VPN Clients profile
match identity group testgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile L2L
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
description Inside interface.
ip address 10.1.1.1 255.255.255.0
no ip mroute-cache
shutdown
no keepalive
!
interface Ethernet1
description Outside interface.
ip address 10.48.67.181 255.255.255.224
no ip mroute-cache
shutdown
duplex auto
no keepalive
crypto map mymap
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip local pool ippool 10.5.5.1 10.5.5.254
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.181
no ip http server
no ip http secure-server
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
!
end
SPOKE Configuration:
Spoke#show startup-config
Using 1296 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Spoke
!
no logging on
!
no aaa new-model
ip subnet-zero
no ip domain lookup
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key 0 cisco123 address 10.48.67.181
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 10.48.67.181
set transform-set myset
match address 100
!
!
!
!
interface Ethernet0
description Inside interface.
ip address 10.2.2.2 255.255.255.0
no keepalive
!
interface Ethernet1
description Outside interface.
ip address dhcp
duplex auto
crypto map mymap
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip classless
no ip http server
no ip http secure-server
!
access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
line con 0
no modem enable
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
!
end
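Added example (not from the original post): a small linter that runs over the IOS text pasted above and reports what a reviewer would check first: a crypto map bound to an interface that is still "shutdown", a default route whose next hop is not on the outside interface's subnet (10.48.66.181 versus the 10.48.67.160/27 on Ethernet1), and a wildcard pre-shared key (0.0.0.0 0.0.0.0), which lets any peer holding the key authenticate. The HUB_EXCERPT string is a constructed excerpt of the HUB config; the functions are assumed names.

```python
import ipaddress
import re

# Constructed excerpt of the HUB config above; the paste lost indentation,
# which does not matter here because IOS stanzas end at "!" lines.
HUB_EXCERPT = """\
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key 0 cisco123
!
interface Ethernet1
ip address 10.48.67.181 255.255.255.224
shutdown
crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 10.48.66.181
"""

def parse_interfaces(cfg):
    # Return {name: [stripped lines]} for each "interface X" stanza.
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif line.startswith("!"):
            cur = None
        elif cur is not None:
            ifaces[cur].append(line)
    return ifaces

def lint(cfg):
    findings, outside_net = [], None
    for name, lines in parse_interfaces(cfg).items():
        has_map = any(l.startswith("crypto map ") for l in lines)
        if has_map and "shutdown" in lines:
            findings.append(f"{name}: crypto map applied but interface is shutdown")
        for l in lines:
            m = re.match(r"ip address (\S+) (\S+)$", l)
            if m and has_map:  # subnet of the interface carrying the crypto map
                outside_net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", line)
        if m and outside_net and ipaddress.ip_address(m[1]) not in outside_net:
            findings.append(f"default route next hop {m[1]} is not in {outside_net}")
        if line.startswith("pre-shared-key address 0.0.0.0 0.0.0.0 "):
            findings.append("wildcard pre-shared key: any peer holding the key can authenticate")
    return findings

def hub_findings():
    return lint(HUB_EXCERPT)
```

Run lint() on the SPOKE text as well; its "ip address dhcp" line is skipped by the subnet check, so only the checks that apply to it will fire.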