# I need help with site to site VPN configuration



## adamhildy (Jul 16, 2015)

I am trying to configure a site to site VPN between two cisco routers. I feel like I have all the required configs but obviously something is wrong or missing since I can't get the connection to come up. 
Any advice on these configs would be greatly appreciated.

note: the 74.83.192.118 address that is configured as the peer on R2 is the address it has been given by DHCP from the ISP.

Router 1 Configuration:


```
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
boot-start-marker
boot-end-marker
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
aaa session-id common
no ip subnet-zero
ip cef
!
ip dhcp excluded-address 192.168.0.0 192.168.0.19
ip dhcp excluded-address 192.168.0.200 192.168.0.250
!
ip dhcp pool DHCPPOOL
 network 192.168.0.0 255.255.255.0
 dns-server 216.68.1.100 216.68.2.100
 default-router 192.168.0.1
!
no ip domain lookup
ip ips po max-events 100
no ftp-server write-enable
!
username admin privilege 15 secret CISCO
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY address 66.42.201.6
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 66.42.201.6
 set transform-set SET
 match address 130
!
interface FastEthernet0/0
 description Link to ISP
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 crypto map MAP
!
interface FastEthernet0/1
 description Link to Cisco Switch
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 100 interface FastEthernet0/0 overload
!
logging 192.168.0.10
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 130 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
!
control-plane
!
line con 0
 password 7 032D550F0F0E154D400E16
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 password 7 143E1C0F05051E2A2A2F3C
 logging synchronous
 transport input ssh
 transport output ssh
!
end
```



Router 2 Configuration:




```
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable secret CISCO
!
no aaa new-model
dot11 syslog
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.0 192.168.2.199
!
ip dhcp pool DHCPPOOL
 network 192.168.2.0 255.255.255.0
 dns-server 216.68.1.100 216.68.2.100
 default-router 192.168.2.1
!
no ip domain lookup
!
multilink bundle-name authenticated
!
username admin privilege 15 password 0 monster
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key KEY address 74.83.192.118
!
crypto ipsec transform-set SET esp-3des esp-md5-hmac
!
crypto map MAP 10 ipsec-isakmp
 set peer 74.83.192.118
 set transform-set SET
 match address 130
!
interface FastEthernet0/0
 description Link to Cincy Bell 10Mbps Fiber
 ip address 66.42.201.6 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map MAP
!
interface FastEthernet0/1
 description Link to Dell PowerConnect 6248 Switch
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.68.28.233
ip route 0.0.0.0 0.0.0.0 66.42.201.5
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 100 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
!
control-plane
!
line con 0
 password CISCO
 logging synchronous
 login
line aux 0
line vty 0 4
 password CISCO
 login
!
scheduler allocate 20000 1000
end
```


----------



## MitchConner (May 8, 2015)

Hi mate, can you show me the output from the following please:

```
show ver
show crypto session
```


----------



## MitchConner (May 8, 2015)

Edit: Can you check your routing as well please mate, your statics are a bit odd.


----------



## MitchConner (May 8, 2015)

Edit: sh ip route

From both routers please.


----------



## adamhildy (Jul 16, 2015)

Router 1:

show version:

```
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.3(8)T11, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 10-Aug-05 15:43 by dchih

ROM: System Bootstrap, Version 12.3(8r)T8, RELEASE SOFTWARE (fc1)

R1 uptime is 17 hours, 6 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.123-8.T11.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco 1841 (revision 5.0) with 118784K/12288K bytes of memory.
Processor board ID FTX0942W2D2
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
31744K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
```



sh crypto session:

```
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN
Peer: 66.42.201.6/500
  IPSEC FLOW: permit ip 192.168.0.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
```

sh ip route:

```
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 74.83.192.1 to network 0.0.0.0

     10.0.0.0/32 is subnetted, 1 subnets
S       10.2.2.22 [254/0] via 74.83.192.1, FastEthernet0/0
C    192.168.0.0/24 is directly connected, FastEthernet0/1
     74.0.0.0/23 is subnetted, 1 subnets
C       74.83.192.0 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [254/0] via 74.83.192.1
```





Router 2:

Show Version:

```
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 12:44 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

R2 uptime is 7 weeks, 13 hours, 27 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advsecurityk9-mz.124-15.T10.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1841 (revision 7.0) with 235520K/26624K bytes of memory.
Processor board ID FTX1341Z03X
2 FastEthernet interfaces
1 Serial interface
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
```



show crypto session:

```
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN
Peer: 74.83.192.118 port 500
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
```



show ip route:

```
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 66.42.201.5 to network 0.0.0.0

     66.0.0.0/30 is subnetted, 1 subnets
C       66.42.201.4 is directly connected, FastEthernet0/0
C    192.168.2.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 66.42.201.5
```


----------



## MitchConner (May 8, 2015)

Your routing is a bit off mate 

Before we go ahead with a fix, can I ask the purpose of the VPN tunnel?

Just thinking aloud to myself, depending on the purpose, you may want to consider configuring GRE with IPsec.

Also, md5 hashing is not recommended. Not only is it insecure, it can cause hash collisions which can ruin your morning!


----------



## adamhildy (Jul 16, 2015)

We have two warehouses that need to be connected. Warehouse #2 has to reach servers that are located at warehouse #1.

What problems are you seeing in my routing?

I can ping from one warehouse public IP to the other.


----------



## adamhildy (Jul 16, 2015)

For this to meet my requirements I need this connection to have static private IPs on both ends of the tunnel. So if it enters the tunnel as 192.168.0.10 it always comes out the other end as 192.168.2.10. I'm not even sure if this is possible.


----------



## MitchConner (May 8, 2015)

You'd need to NAT-exempt the traffic in order to do that, mate.

I'd go for a GRE tunnel and route to the remote network through that and bypass NAT completely.

If you can give me a couple of hours mate, I'll put your current config in my lab and post the config you need.


----------



## adamhildy (Jul 16, 2015)

That would be great. I really appreciate your time.


----------



## adamhildy (Jul 16, 2015)

One quick question, maybe the configs will answer this. How do we configure the static private IP mapping without NAT?


----------



## MitchConner (May 8, 2015)

I may have misunderstood your question mate, but you don't need to NAT as we'll be routing traffic to the remote network across the gre tunnel.


----------



## adamhildy (Jul 16, 2015)

So it will just keep the same IP address the whole time?


----------



## MitchConner (May 8, 2015)

Yes mate


----------



## adamhildy (Jul 16, 2015)

Sorry, just one more question. Does it matter that one end of this connection is DHCP from the ISP? Or will we need to get a static IP from them?


----------



## MitchConner (May 8, 2015)

Not necessarily, mate. A static would be awesome, but I'm guessing you probably have some sort of dynamic DNS running, which means the peer address can be a domain name.


----------



## MitchConner (May 8, 2015)

Haven't forgotten about this, mate. Tied up the last couple of days, but I'll post the required config in a couple of hours.


----------



## MitchConner (May 8, 2015)

Hi mate, sorry for the delay.

Here you go:

Router 1

```
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SECRET address 60.50.50.6
!
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile GRE
 set transform-set TRANS_SET
!
interface Tunnel0
 ip address 1.1.1.1 255.255.255.252
 ip mtu 1400
 tunnel source GigabitEthernet0/0
 tunnel destination 60.50.50.6
 tunnel protection ipsec profile GRE
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
ip access-list extended GRE_ACL
 permit gre 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
```

Remote Router

```
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SECRET address 60.50.50.2
!
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile GRE
 set transform-set TRANS_SET
!
interface Tunnel0
 ip address 1.1.1.2 255.255.255.252
 ip mtu 1400
 tunnel source GigabitEthernet0/0
 tunnel destination 60.50.50.2
 tunnel protection ipsec profile GRE
!
ip route 192.168.0.0 255.255.255.0 Tunnel0
!
ip access-list extended GRE_ACL
 permit gre 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
```

The GRE_ACL will need to match your current local LANs (both ends), and the 60.50.50.x addresses should match your current public addresses configured on your router. You can use the following command on your DHCP interface:

```
interface tunnel 0
 tunnel destination yourdomainname.com
```

You'll need to add a name-server to your router so it can look up the address. I've attached a screenshot showing the traffic being encrypted as it passes over the gre tunnel.

Any problems just give me a shout.
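Added example (not from the thread, MitchConner's lab or Cisco): a small Python checker that reads the parts of two IOS configs that both the crypto-map design in the first post and the GRE-over-IPsec design above depend on, and reports what does not line up. It compares the ISAKMP policy body, the transform-set algorithms and the pre-shared key across the two ends, flags md5 where it is still in use, checks that each side routes the remote LAN at a Tunnel interface, and checks the NAT exemption MitchConner mentions: each ACL referenced by `ip nat inside source list` must deny LAN-to-LAN traffic before it permits anything, because a deny in one list does not stop another list from translating. The function names (`audit`, `parse_ios`, `ace_nets`, `wild`), the single-ISAKMP-policy assumption and the sample configs are mine; the samples reuse the thread's LANs with RFC 5737 placeholder public addresses and carry two deliberate slips so the output is not empty.

```python
"""Mirror-check a pair of IOS site-to-site VPN configs (added example, not the thread's)."""
import ipaddress
ANY = ipaddress.ip_network("0.0.0.0/0")

def wild(addr, wc):
    # IOS wildcard -> network. Invert the wildcard into a netmask ourselves, because
    # ipaddress would read an all-zero mask string as a /0 netmask, not as one host.
    mask = ".".join(str(255 - int(o)) for o in wc.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_ios(text):
    """Collect only the settings the two ends must agree on, plus NAT lists and routes."""
    cfg = {"isakmp": {}, "transform": (), "psk": None, "routes": [], "acls": {}, "nat_lists": []}
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        line = " ".join(w)
        if w[0] in ("encr", "hash", "authentication", "group", "lifetime"):
            cfg["isakmp"][w[0]] = " ".join(w[1:])  # isakmp policy body (one policy assumed)
        elif line.startswith("crypto isakmp key"):
            cfg["psk"] = w[3]
        elif line.startswith("crypto ipsec transform-set"):
            cfg["transform"] = tuple(w[4:])  # compare the algorithms, not the set name
        elif line.startswith("access-list") and w[2] in ("permit", "deny"):
            cfg["acls"].setdefault(w[1], []).append(w[2:])
        elif line.startswith("ip nat inside source list"):
            cfg["nat_lists"].append(w[5])
        elif line.startswith("ip route"):  # static routes carry a real netmask
            cfg["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False), w[4]))
    return cfg

def ace_nets(ace):
    """(action, [src, dst]) of a standard or extended ACE; 'any' or an absent dst is 0/0."""
    toks, nets = (ace[2:] if ace[1].isalpha() else ace[1:]), []  # skip a protocol keyword
    while toks and len(nets) < 2:
        if toks[0] == "any":
            nets.append(ANY); toks = toks[1:]
        elif "." not in toks[0]:
            break  # host/port keywords are not parsed; the padding below is conservative
        else:  # "addr wildcard" (a lone addr in a standard ACL means that single host)
            nets.append(wild(toks[0], toks[1] if len(toks) > 1 else "0.0.0.0")); toks = toks[2:]
    return ace[0], nets + [ANY] * (2 - len(nets))

def audit(text_a, text_b, lan_a, lan_b, names=("A", "B")):
    """Return the mismatches between the two ends; an empty list means consistent."""
    a, b = parse_ios(text_a), parse_ios(text_b)
    lan_a, lan_b = ipaddress.ip_network(lan_a), ipaddress.ip_network(lan_b)
    out = []
    if a["isakmp"] != b["isakmp"]:
        out.append("isakmp policy differs between the two ends")
    if a["transform"] != b["transform"]:
        out.append("ipsec transform-set differs between the two ends")
    if a["psk"] != b["psk"]:
        out.append("pre-shared keys differ")
    if "md5" in a["isakmp"].get("hash", "") + " ".join(a["transform"]):
        out.append("md5 used for IKE or ESP integrity; move to sha")
    for h, side, local, remote in zip(names, (a, b), (lan_a, lan_b), (lan_b, lan_a)):
        if not any(n == remote and nh.lower().startswith("tunnel") for n, nh in side["routes"]):
            out.append(f"{h}: no route to {remote} via the Tunnel interface")
        for name in side["nat_lists"]:  # the first matching entry of each list decides
            for ace in side["acls"].get(name, []):
                action, (src, dst) = ace_nets(ace)
                if local.subnet_of(src) and remote.subnet_of(dst):
                    if action == "permit":
                        out.append(f"{h}: NAT list {name} translates {local} -> {remote}; no exemption")
                    break
    return out

# Constructed sample configs: the thread's GRE template applied to its LANs (192.168.0.0/24
# and 192.168.2.0/24) with RFC 5737 placeholder public addresses. Two slips are left in on
# purpose: R1 still NATs its whole LAN via list 1; R2's tunnel route still names the lab's 192.168.1.0.
R1 = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SECRET address 203.0.113.6
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
"""
R2 = """crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key SECRET address 203.0.113.118
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
"""

if __name__ == "__main__":
    print(*audit(R1, R2, "192.168.0.0/24", "192.168.2.0/24", names=("R1", "R2")), sep="\n")
```

Run as-is it prints three findings: the md5 advisory, R1's list 1 translating LAN-to-LAN traffic, and R2's missing route for 192.168.0.0/24. Fed the two configs posted at the top of the thread (same two LANs), it reports the same list 1 finding for both routers, since each references list 1, which permits its whole LAN, alongside the deny in list 100, and on IOS inside-to-outside traffic is translated before the crypto map is consulted. The wildcard inversion in `wild` is there because `ipaddress` treats an all-zero mask string as a /0 netmask, which would turn a single-host ACE into a match-everything entry.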


----------



## adamhildy (Jul 16, 2015)

Thanks a lot. I'll give this a shot and let you know if I have any questions. Thanks for your time.


----------



## MitchConner (May 8, 2015)

Vikaram said:


> Prerequisites
> 
> Requirements
> 
> ...


I think you're referencing a very old Cisco document there, mate; the minimum I would recommend is 3DES. DES isn't secure and isn't best practice.

You also don't need CCP among other things...


----------

