Site to Site VPN questions ( by VPN newbie )

Discussion in 'Cisco' started by JJ DD, Aug 18, 2004.

  1. JJ DD

    Hello,

    I need to setup a VPN between two 7300 routers for the first time and
    have a few questions :
    - should I use AES or 3DES ? Are there any guidelines ?
    - What I don't get is on which interface you should assign the crypto
    map ? What should be the tunnel endpoint the Ethernet or the serial
    interface of the routers ? Some people suggest to configure a loopback
    address but I don't see the use of that.
    Any tips or hints would be very helpful . . .
    JJ DD, Aug 18, 2004
    #1

  2. (JJ DD) wrote in message news:<>...
    > Hello,
    >
    > I need to setup a VPN between two 7300 routers for the first time and
    > have a few questions :
    > - should I use AES or 3DES ? Are there any guidelines ?
    > - What I don't get is on which interface you should assign the crypto
    > map ? What should be the tunnel endpoint the Ethernet or the serial
    > interface of the routers ? Some people suggest to configure a loopback
    > address but I don't see the use of that.
    > Any tips or hints would be very helpfull . . .


    Here are my notes I use to build VPN tunnels between Cisco routers.

    Cisco Router - Static VPN tunnel to another Router or other VPN device
    using a Pre-Shared Key. I still have faith in 3DES.


    The following commands will build a VPN in LAN to LAN Extension mode
    between network 192.168.252.0/28 and 172.16.1.0/24. This example shows
    you how to configure router to router LAN extension tunnels. Items in
    bold are network or PIX model specific. Routers should be used in VPN
    solutions when QoS is required.

    These are the access lists you will need to apply to your router in order
    for the VPN to work and your router to be secure.

    ip access-list extended acl-in
    remark Traffic from the internet
    permit icmp any host 172.30.2.1 packet-too-big
    permit esp any host 172.30.2.1
    permit udp any host 172.30.2.1 eq isakmp
    remark INCOMING VPN TRAFFIC FROM REMOTE SITE (VPN)
    permit ip 192.168.252.0 0.0.0.255 172.16.1.0 0.0.0.255

    ip access-list extended acl-out
    remark Traffic to the internet (source is this router's outside address)
    permit icmp host 172.30.2.1 any packet-too-big
    permit esp host 172.30.2.1 any
    permit udp host 172.30.2.1 eq isakmp any
    remark OUTGOING VPN TRAFFIC TO REMOTE SITE (VPN)
    permit ip 172.16.1.0 0.0.0.255 192.168.252.0 0.0.0.255

    Central Router Configuration
    hostname centralrouter
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key mypresharekey address 172.30.2.1
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map VPNCONNECTIONS 10 ipsec-isakmp
    set peer 172.30.2.1
    set transform-set 3DES-SHA
    match address 115
    !
    !
    !
    !
    interface Ethernet0
    description Outside Interface
    ip address 172.30.1.1 255.255.255.0
    ip nat outside
    crypto map VPNCONNECTIONS
    !
    interface FastEthernet0
    description Inside Interface
    ip address 192.168.252.254 255.255.255.0
    ip nat inside
    !
    ip nat inside source route-map NONAT interface Ethernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.30.1.2
    !
    !
    access-list 110 remark except the private network from that nat rule
    access-list 110 deny ip 192.168.252.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 110 permit ip 192.168.252.0 0.0.0.255 any
    access-list 115 remark INCLUDE PRIVATE NETWORK TO PRIVATE NETWORK IN
    VPN TUNNEL
    access-list 115 permit ip 192.168.252.0 0.0.0.255 172.16.1.0 0.0.0.255
    !
    route-map NONAT permit 10
    match ip address 110
    !
    end

    Remote Router Configuration
    The remote end is an exact mirror.

    hostname remotevpnrouter
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key mypresharekey address 172.30.1.1
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map VPNCONNECTIONS 10 ipsec-isakmp
    set peer 172.30.1.1
    set transform-set 3DES-SHA
    match address 115
    !
    !
    !
    !
    interface Ethernet0
    description Outside Interface
    ip address 172.30.2.1 255.255.255.0
    ip nat outside
    ip access-group acl-in in
    ip access-group acl-out out
    crypto map VPNCONNECTIONS
    !
    interface FastEthernet0
    description Inside Interface
    ip address 172.16.1.254 255.255.255.0
    ip nat inside
    !
    ip nat inside source route-map NONAT interface Ethernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.30.2.2
    !
    !
    access-list 110 remark except the private network from that nat rule
    access-list 110 deny ip 172.16.1.0 0.0.0.255 192.168.252.0 0.0.0.255
    access-list 110 permit ip 172.16.1.0 0.0.0.255 any
    access-list 115 remark INCLUDE PRIVATE NETWORK TO PRIVATE NETWORK IN
    VPN TUNNEL
    access-list 115 permit ip 172.16.1.0 0.0.0.255 192.168.252.0 0.0.0.255
    !
    route-map NONAT permit 10
    match ip address 110
    !
    end
    Anthony Mahoney, Aug 19, 2004
    #2
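    As an added example (not from the thread): a small Python checker, run against constructed configs in the shape of Anthony's two routers, that verifies what has to agree between the two ends of a static pre-shared-key tunnel: the `set peer` address equals the address the ISAKMP key is bound to and the far end's crypto-map interface address, the NAT-exempt deny lines match the crypto ACL, and the two crypto ACLs are exact mirrors of each other. ACL numbers 110/115, the map name and the interface name are taken from the post; the `cfg` helper, `parse` and `check_pair` are assumptions of this example, not any Cisco tool.

```python
import re
GLOBAL = {"key_addr": r"crypto isakmp key \S+ address (\S+)", "peer": r"set peer (\S+)",
          "crypto_acl": r"match address (\S+)"}  # one-value statements pulled from each config

def cfg(me, peer, local, far):  # constructed config in the shape of the post's routers
    return f"""
crypto isakmp key mypresharekey address {peer}
crypto map VPNCONNECTIONS 10 ipsec-isakmp
 set peer {peer}
 match address 115
interface Ethernet0
 ip address {me} 255.255.255.0
 crypto map VPNCONNECTIONS
access-list 110 deny ip {local} 0.0.0.255 {far} 0.0.0.255
access-list 115 permit ip {local} 0.0.0.255 {far} 0.0.0.255
"""
CENTRAL = cfg("172.30.1.1", "172.30.2.1", "192.168.252.0", "172.16.1.0")
REMOTE = cfg("172.30.2.1", "172.30.1.1", "172.16.1.0", "192.168.252.0")

def parse(config):
    """Peer/key addresses, interface IPs, the interface carrying the crypto map, ACL entries."""
    d, cur_if = {"acl": {}, "if_ip": {}, "crypto_if": None}, None
    for s in (line.strip() for line in config.splitlines()):
        for key, pat in GLOBAL.items():
            if m := re.match(pat, s):
                d[key] = m[1]
        if m := re.match(r"interface (\S+)", s):
            cur_if = m[1]  # following indented lines belong to this interface
        elif cur_if and (m := re.match(r"ip address (\S+)", s)):
            d["if_ip"][cur_if] = m[1]
        elif cur_if and re.match(r"crypto map \S+$", s):
            d["crypto_if"] = cur_if  # the crypto map is bound to this interface
        elif m := re.match(r"access-list (\S+) (permit|deny) ip (\S+ \S+) (\S+ \S+)", s):
            d["acl"].setdefault(m[1], []).append((m[2], m[3], m[4]))
    return d

def check_pair(central, remote):
    """List the mismatches; an empty list means the two ends mirror each other."""
    c, r, out = parse(central), parse(remote), []
    acl = lambda d, n, a: [e[1:] for e in d["acl"].get(n, []) if e[0] == a]  # (src, dst) pairs
    for name, me, far in (("central", c, r), ("remote", r, c)):
        if me.get("peer") != me.get("key_addr"):
            out.append(f"{name}: set peer {me.get('peer')} != isakmp key address {me.get('key_addr')}")
        if me.get("peer") != far["if_ip"].get(far["crypto_if"]):
            out.append(f"{name}: peer is not the address of the far end's crypto-map interface")
        if acl(me, me.get("crypto_acl"), "permit") != acl(me, "110", "deny"):
            out.append(f"{name}: NAT-exempt deny lines in ACL 110 do not match the crypto ACL")
    if [(d, s) for s, d in acl(c, c.get("crypto_acl"), "permit")] != acl(r, r.get("crypto_acl"), "permit"):
        out.append("crypto ACLs are not mirror images (src/dst swapped) of each other")
    return out
```

    Running `check_pair` on a copy of the central config whose peer points at the remote's default gateway instead of its outside address flags both the key/peer and the peer/interface mismatch.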

  3. JJ DD

    (Anthony Mahoney) wrote in message news:<>...

    Thanks a lot for the information Anthony, I'll let you know if I got
    the thing working or not.
    JJ DD, Aug 22, 2004
    #3
  4. (JJ DD) wrote in message news:<>...


    I actually used my notes the other night to build a Checkpoint to PIX
    VPN tunnel, and discovered I had had a missing important set of
    commands.


    On the remote end I mentioned you need these commands.

    crypto map dyn-map 1 ipsec-isakmp
    crypto map dyn-map 1 match address PROTECT
    crypto map dyn-map 1 set peer 203.X.X.X
    crypto map dyn-map 1 set transform-set strong
    crypto map dyn-map interface outside

    You don't. You need these commands to actually tell the PIX where the
    VPN server is:

    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address PROTECT
    crypto map newmap 10 set peer 203.X.X.X
    crypto map newmap 10 set transform-set strong
    crypto map newmap interface outside
    Anthony Mahoney, Aug 23, 2004
    #4
