Tunneling/VPN Issue between Cisco routers 1

Status
Not open for further replies.
Feb 25, 2003
Hi,

I have two routers located at two branch offices. One is a 3660 and one is a 2600, both connected to different ISPs. I want to take some of my IP allocation from one office and add it to the other. I would assume I have to set up a VPN between the two and route the IP block over the VPN from one office to the other.

My questions: Does anyone have a link to a good how-to on this, or does anyone know of an easier way?

Any help is appreciated.

Thanks,

Aaron
 
It is very easy to do. What IOS version are you running? How familiar are you with IOS commands?

Geoff
 
trailman, could you post a basic configuration to achieve this, as I have the same kind of issue as CyberAaron?

thank you.
 
By the way, if you could explain a bit regarding basic IPSec commands I'd appreciate it.

thank you.
 
Okay, the best way to do this is with ipsec tunnels with a pre-shared key. This way you will basically set up a "key" with an ip address for security. Example:

crypto isakmp key anything address 1.2.3.4 255.0.0.0
This will give host 1.2.3.4 access to the remote router (and vice versa)

Here is a basic setup:

crypto isakmp policy 10
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key anything address 1.2.3.4 255.0.0.0

! if you are using 3des substitute it
! the transform sets must match on both routers
crypto ipsec transform-set anything esp-des esp-sha-hmac

crypto map anything 10 ipsec-isakmp
 ! this is the remote router address
 set peer 1.2.3.4
 ! this is the access-list below
 match address 101
 set transform-set anything

interface fastethernet 0/0
 ! assign the map to the public interface
 crypto map anything

! the first address is the local LAN: use .0, and you have to do the subnet backwards (.255 broadcast)
! the second address is the remote LAN
access-list 101 permit ip 1.2.3.0 0.0.0.255 1.2.0.0 0.0.255.255

Let me know if you have problems,

Geoff

Remember: you will need to do this on both ends changing the ip addresses to reflect the other end of the tunnel
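
The two requirements in the post above (key and transform sets must match on both routers, and each end must point at the other with the addresses swapped) can be checked mechanically before the configs are applied. This is an added example, not part of the original post: the sample configs, the addresses (192.0.2.1 and 198.51.100.2 as the public ends, 10.1.0.0/24 and 10.2.0.0/24 as the LANs) and the function names are constructed for illustration, and it only understands crypto ACL entries written as network plus wildcard.

```python
import re

# Constructed sample configs using documentation addresses; not from the thread.
SITE_A = """\
crypto isakmp key s3cret address 198.51.100.2
crypto ipsec transform-set ts esp-3des esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 198.51.100.2
 match address 101
 set transform-set ts
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
"""
# Site B mirrors A: peer is A's address, ACL source and destination swapped.
SITE_B = (SITE_A.replace("198.51.100.2", "192.0.2.1")
          .replace("10.1.0.0 0.0.0.255 10.2.0.0", "10.2.0.0 0.0.0.255 10.1.0.0"))

def _find(pattern, cfg):
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse(cfg):
    """Extract the settings that have to agree between the two tunnel ends."""
    acl_id = _find(r"^\s*match address (\d+)", cfg)
    return {
        "key": _find(r"^crypto isakmp key (\S+) address", cfg),
        "key_peer": _find(r"^crypto isakmp key \S+ address (\S+)", cfg),
        "peer": _find(r"^\s*set peer (\S+)", cfg),
        "transforms": set((_find(r"^crypto ipsec transform-set \S+ (.+)$", cfg) or "").split()),
        # (source, destination) pairs of the crypto ACL named by "match address"
        "acl": re.findall(rf"^access-list {acl_id} permit ip (\S+ \S+) (\S+ \S+)", cfg, re.M),
    }

def check_pair(cfg_a, addr_a, cfg_b, addr_b):
    """Return a list of mismatches; an empty list means the ends mirror each other."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if a["key"] is None or a["key"] != b["key"]:
        problems.append("pre-shared keys missing or different")
    if not a["transforms"] or a["transforms"] != b["transforms"]:
        problems.append("transform sets missing or different")
    for name, side, remote in (("A", a, addr_b), ("B", b, addr_a)):
        if side["peer"] != remote or side["key_peer"] != remote:
            problems.append(f"site {name}: peer/key address is not the other end")
    if not a["acl"] or sorted(a["acl"]) != sorted((dst, src) for src, dst in b["acl"]):
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Calling `check_pair(SITE_A, "192.0.2.1", SITE_B, "198.51.100.2")` returns an empty list for the mirrored pair; any string in the returned list names a setting to fix before the tunnel will come up.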
 
I am running 12.0(7) on each router. I would say I am very familiar with IOS commands. I just read your above instructions. Thank you, these will be very helpful.

Aaron
 
We have a back to back config posted for two PIXs running preshared keys and IPsec on our boards.

and go to the forum.

The concepts and commands will be mostly the same. Cisco's own site has some nice samples fully explained.

MikeS
Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
 
Can these tunnels be set up on an on-demand basis? Or is this configuration only for permanent VPN connections?

My questions on this are because I am looking for a way of using a broadband connection (which is ADSL) as a backup link. My network already has a way out through a T1 link.

Any pointers will greatly be appreciated.
 