Site to Site VPN questions ( by VPN newbie )

Discussion in 'Cisco' started by JJ DD, Aug 18, 2004.

  1. JJ DD

    Hello,

    I need to setup a VPN between two 7300 routers for the first time and
    have a few questions :
    - should I use AES or 3DES? Are there any guidelines?
    - What I don't get is on which interface you should assign the crypto
    map. What should be the tunnel endpoint, the Ethernet or the serial
    interface of the routers? Some people suggest configuring a loopback
    address but I don't see the use of that.
    Any tips or hints would be very helpful . . .
     
    JJ DD, Aug 18, 2004
    #1

  2. Here are my notes I use to build VPN tunnels between Cisco routers.

    Cisco Router - Static VPN tunnel to another Router or other VPN device
    using Pre-Shared Key. I still have faith in 3DES.


    The following commands will build a VPN in LAN to LAN Extension mode
    between network 192.168.252.0/28 and 172.16.1.0/24. This example shows
    you how to configure router to router LAN extension tunnels. Items in
    bold are network or PIX model specific. Routers should be used in VPN
    solutions when QoS is required.

    These are the access lists you will need to apply to your router in order
    for the VPN to work and your router to be secure.

    ! Addresses below are the remote router's (outside 172.30.2.1, inside
    ! 172.16.1.0/24); swap them around for the central router.
    ip access-list extended acl-in
    remark Traffic from the internet
    permit icmp any host 172.30.2.1 packet-too-big
    permit esp any host 172.30.2.1
    permit udp any host 172.30.2.1 eq isakmp
    remark INCOMING VPN TRAFFIC FROM REMOTE SITE (VPN)
    permit ip 192.168.252.0 0.0.0.255 172.16.1.0 0.0.0.255

    ip access-list extended acl-out
    remark Traffic to the internet
    permit icmp host 172.30.2.1 any packet-too-big
    permit esp host 172.30.2.1 any
    permit udp host 172.30.2.1 eq isakmp any
    remark OUTGOING VPN TRAFFIC TO REMOTE SITE (VPN)
    permit ip 172.16.1.0 0.0.0.255 192.168.252.0 0.0.0.255

    Central Router Configuration
    hostname centralrouter
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key mypresharekey address 172.30.2.1
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map VPNCONNECTIONS 10 ipsec-isakmp
    set peer 172.30.2.1
    set transform-set 3DES-SHA
    match address 115
    !
    interface Ethernet0
    description Outside Interface
    ip address 172.30.1.1 255.255.255.0
    ip nat outside
    crypto map VPNCONNECTIONS
    !
    interface FastEthernet0
    description Inside Interface
    ip address 192.168.252.254 255.255.255.0
    ip nat inside
    !
    ip nat inside source route-map NONAT interface Ethernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.30.1.2
    !
    !
    access-list 110 remark except the private network from that nat rule
    access-list 110 deny ip 192.168.252.0 0.0.0.255 172.16.1.0 0.0.0.255
    access-list 110 permit ip 192.168.252.0 0.0.0.255 any
    access-list 115 remark INCLUDE PRIVATE NETWORK TO PRIVATE NETWORK IN VPN TUNNEL
    access-list 115 permit ip 192.168.252.0 0.0.0.255 172.16.1.0 0.0.0.255
    !
    route-map NONAT permit 10
    match ip address 110
    !
    end

    Remote Router Configuration
    The remote end is an exact mirror.

    hostname remotevpnrouter
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key mypresharekey address 172.30.1.1
    !
    crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
    !
    crypto map VPNCONNECTIONS 10 ipsec-isakmp
    set peer 172.30.1.1
    set transform-set 3DES-SHA
    match address 115
    !
    interface Ethernet0
    description Outside Interface
    ip address 172.30.2.1 255.255.255.0
    ip nat outside
    ip access-group acl-in in
    ip access-group acl-out out
    crypto map VPNCONNECTIONS
    !
    interface FastEthernet0
    description Inside Interface
    ip address 172.16.1.254 255.255.255.0
    ip nat inside
    !
    ip nat inside source route-map NONAT interface Ethernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.30.2.2
    !
    !
    access-list 110 remark except the private network from that nat rule
    access-list 110 deny ip 172.16.1.0 0.0.0.255 192.168.252.0 0.0.0.255
    access-list 110 permit ip 172.16.1.0 0.0.0.255 any
    access-list 115 remark INCLUDE PRIVATE NETWORK TO PRIVATE NETWORK IN VPN TUNNEL
    access-list 115 permit ip 172.16.1.0 0.0.0.255 192.168.252.0 0.0.0.255
    !
    route-map NONAT permit 10
    match ip address 110
    !
    end
     
    Anthony Mahoney, Aug 19, 2004
    #2
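The two router configs in the notes above only work if they agree with each other in several places at once: each side's "set peer" and "crypto isakmp key ... address" must name the other side's outside interface address, the crypto ACLs (access-list 115 on each end) must be exact mirrors, the NAT exemption (access-list 110) must deny precisely what the crypto ACL permits, and NAT itself needs "ip nat outside" on the tunnel interface. Getting any of these wrong produces no error message: the tunnel either never negotiates, or the LAN traffic is translated before it reaches the crypto map and leaves towards the default route unencrypted. The script below is an added example, not code from this thread or from Cisco. It parses a pair of IOS configs with regular expressions and reports those mismatches. The embedded sample is a constructed, trimmed copy of the config pair above (same interface names, ACL numbers and addresses), seeded with three easy mistakes, next to the same pair with them corrected; all function and variable names are the example's own.

```python
# Added example, not code from this thread: consistency checks for a pair of IOS site-to-site
# IPsec configs, parsed with plain regular expressions (no Cisco tooling required).
import ipaddress
import re

def _wild_to_net(addr, wildcard):  # '192.168.252.0 0.0.0.255' -> 192.168.252.0/24 (contiguous wildcards only)
    bits = int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def _take_net(tokens):  # consume one ACL address spec: 'any' | 'host A' | 'A WILDCARD'
    tok = tokens.pop(0)
    return (ipaddress.ip_network("0.0.0.0/0") if tok == "any" else
            ipaddress.ip_network(tokens.pop(0) + "/32") if tok == "host" else _wild_to_net(tok, tokens.pop(0)))

def parse_config(text):  # pull out only the pieces a crypto-map tunnel depends on
    cfg = {"ifaces": {}, "maps": {}, "acls": {}, "rmaps": {}, "nat_rmap": None}
    kind = ctx = None  # sub-mode being configured ("iface" | "map" | "rmap") and its record
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"interface (\S+)$", line):
            kind, ctx = "iface", cfg["ifaces"].setdefault(m[1], {"ip": None, "nat": None, "cmap": None})
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            kind, ctx = "map", cfg["maps"].setdefault(m[1], {"peer": None, "acl": None})
        elif m := re.match(r"route-map (\S+) permit \d+$", line):
            kind, ctx = "rmap", m[1]
        elif m := re.match(r"access-list (\d+) (permit|deny) ip (.+)$", line):
            kind, rest = None, m[3].split()
            cfg["acls"].setdefault(m[1], []).append((m[2], _take_net(rest), _take_net(rest)))
        elif m := re.match(r"ip nat inside source route-map (\S+) interface", line):
            kind, cfg["nat_rmap"] = None, m[1]
        elif kind == "iface" and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            ctx["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif kind == "iface" and (m := re.match(r"ip nat (inside|outside)$", line)):
            ctx["nat"] = m[1]
        elif kind == "iface" and (m := re.match(r"crypto map (\S+)$", line)):
            ctx["cmap"] = m[1]
        elif kind == "map" and (m := re.match(r"set peer (\S+)$", line)):
            ctx["peer"] = m[1]
        elif kind == "map" and (m := re.match(r"match address (\S+)$", line)):
            ctx["acl"] = m[1]
        elif kind == "rmap" and (m := re.match(r"match ip address (\S+)$", line)):
            cfg["rmaps"][ctx] = m[1]
    return cfg

def _endpoint(cfg):  # the interface carrying the crypto map is the tunnel endpoint
    name, out = next(((n, i) for n, i in cfg["ifaces"].items() if i["cmap"]), (None, None))
    cmap = cfg["maps"].get(out["cmap"]) if out else None
    acl = cfg["acls"].get(cmap["acl"], []) if cmap else []
    return name, out, cmap, [(s, d) for act, s, d in acl if act == "permit"]  # protected (src, dst)

def check_side(local, remote, tag):  # findings for one router, given the far side's parsed config
    oname, out, cmap, protected = _endpoint(local)
    if not cmap:
        return [f"{tag}: no defined crypto map is applied to any interface"]
    f, rout = [], _endpoint(remote)[1]
    if rout and cmap["peer"] != str(rout["ip"].ip):
        f.append(f"{tag}: set peer {cmap['peer']}, but the far side's outside address is {rout['ip'].ip}")
    if any(i["nat"] == "inside" for i in local["ifaces"].values()) and out["nat"] != "outside":
        f.append(f"{tag}: 'ip nat inside' is used but {oname} lacks 'ip nat outside'")
    # NAT exemption must deny what the crypto ACL permits, or the packet is translated
    # first, no longer matches the crypto ACL, and leaves unencrypted.
    exempt = [(s, d) for a, s, d in local["acls"].get(local["rmaps"].get(local["nat_rmap"]), []) if a == "deny"]
    for s, d in protected:
        if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt):
            f.append(f"{tag}: {s} -> {d} is not exempted from NAT")
    for name, i in local["ifaces"].items():
        if i["nat"] == "inside" and i["ip"] and not any(i["ip"].ip in s for s, _ in protected):
            f.append(f"{tag}: inside interface {name} ({i['ip'].ip}) is in none of the networks the crypto ACL protects")
    return f

def check_pair(a_text, b_text):  # all findings for a pair; an empty list means the two ends agree
    a, b = parse_config(a_text), parse_config(b_text)
    f = check_side(a, b, "A") + check_side(b, a, "B")
    if set(_endpoint(a)[3]) != {(d, s) for s, d in _endpoint(b)[3]}:  # crypto ACLs must mirror exactly
        f.append("A/B: crypto ACLs are not mirror images of each other")
    return f

# Constructed sample: a trimmed copy of the config pair above, rendered from one template.
TEMPLATE = """\
crypto map {cmap} 10 ipsec-isakmp
set peer {peer}
match address 115
interface Ethernet0
ip address {outside} 255.255.255.0
crypto map {cmap}
interface FastEthernet0
ip address {inside} 255.255.255.0
ip nat inside
ip nat inside source route-map NONAT interface Ethernet0 overload
access-list 110 deny ip {local} 0.0.0.255 {remote} 0.0.0.255
access-list 115 permit ip {local} 0.0.0.255 {remote} 0.0.0.255
route-map NONAT permit 10
match ip address 110
"""
# BROKEN seeds three easy mistakes: a peer that is not the far side's outside address,
# no 'ip nat outside' on the tunnel interface, and a mistyped remote inside address.
BROKEN = (TEMPLATE.format(cmap="VPNCONNECTIONS", peer="172.30.2.2", outside="172.30.1.1",
                          inside="192.168.252.254", local="192.168.252.0", remote="172.16.1.0"),
          TEMPLATE.format(cmap="VPNCONNECTIONS", peer="172.30.1.1", outside="172.30.2.1",
                          inside="172.168.1.254", local="172.16.1.0", remote="192.168.252.0"))
FIXED = tuple(c.replace("set peer 172.30.2.2", "set peer 172.30.2.1").replace("172.168.1.254", "172.16.1.254")
              .replace("\ninterface FastEthernet0", "\nip nat outside\ninterface FastEthernet0") for c in BROKEN)
```

Feed check_pair() the running-config text of both routers; an empty list means the two ends agree, otherwise each finding names the side (A or B) and the line to fix. The parser covers the style used in the notes: numbered ACLs, a route-map NAT exemption and one crypto map entry per router; named ACLs (ip access-list extended) and multiple crypto map entries are not handled. The interface that carries the crypto map is treated as the tunnel endpoint, which is also the address the far side's set peer and pre-shared key entry must name.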

  3. JJ DD

    Thanks a lot for the information Anthony, I'll let you know if I got
    the thing working or not.
     
    JJ DD, Aug 22, 2004
    #3

  4. I actually used my notes the other night to build a Checkpoint to PIX
    VPN tunnel, and discovered I had been missing an important set of
    commands.


    On the remote end I mentioned you need these commands.

    crypto map dyn-map 1 ipsec-isakmp
    crypto map dyn-map 1 match address PROTECT
    crypto map dyn-map 1 set peer 203.X.X.X
    crypto map dyn-map 1 set transform-set strong
    crypto map dyn-map interface outside

    You don't. You need these commands to actually tell the PIX where the
    VPN server is:

    crypto map newmap 10 ipsec-isakmp
    crypto map newmap 10 match address PROTECT
    crypto map newmap 10 set peer 203.X.X.X
    crypto map newmap 10 set transform-set strong
    crypto map newmap interface outside
     
    Anthony Mahoney, Aug 23, 2004
    #4
