site2site VPN on 887

I have 2 887 routers with DSL interface and fixed public ip addresses.

I can access the internet from behind these routers and can remote configure them via telnet

Router 1 local ip is 10.10.10.1 and Router 2 is 192.168.50.252

I'm having difficulties in setting up a site2site VPN - I've followed the instructions - but it doesn't seem to do anything - so I'm obviously missing something stupid ... Please Help

Tia

Here are the instructions I've been following - these seem to be repeated in various places ... http://www.facebook.com/topic.php?uid=150551369144&topic=14627

Here's the config of router 1 - router 2 is the same but opposite (and with the appropriate ppp settings!)

Building configuration...

Current configuration : 2125 bytes
!
! Last configuration change at 12:57:27 UTC Fri Apr 8 2011
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
enable password xxxx
!
no aaa new-model
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool dhcppool
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 62.6.40.178
!
!
ip cef
ip name-server 62.6.40.178
no ipv6 cef
!
!
license udi pid CISCO887M-K9 sn FCZ1447C1UT
!
!
username admin privilege 15 password 0 xxxx

!
!
!
!
crypto isakmp policy 9
hash md5
authentication pre-share
crypto isakmp key xxxx address <public ip address of other router>
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SIPTRAN esp-3des esp-md5-hmac
!
crypto map SIPMAP 10 ipsec-isakmp
set peer <public ip address of other router>
set transform-set SIPTRAN
match address 100
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname <hostname>
ppp chap password 0 <password>
ppp pap sent-username <hostname> password 0 <password>
crypto map SIPMAP
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxx
login
!
scheduler max-task-time 5000
end

Accepted Solution

Hi,

You are missing the access-list 1 which is set in "ip nat inside source list 1 interface Dialer1 overload"

This should be like that:

Router1:

access-list 1 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 1 permit ip 10.10.10.0 0.0.0.255 any

Router 2:

access-list 1 deny   ip 192.168.50.0  0.0.0.255 10.10.10.0 0.0.0.255
access-list 1 permit ip 192.168.50.0  0.0.0.255 any

In this way you are telling your routers to avoid NAT for traffic that crosses the VPN tunnel.

Regards

Aaaggghhh !!

access-list 1 deny ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
                   ^
% Invalid input detected at '^' marker.

"They" don't like to make life easy do they?!!!

I am sorry for my instructions. I did not pay much attention to the details. Access-list 1 belongs to the standard lists, while the one you need is an extended list. Therefore try the same as before, but instead of number 1 use a number between 100 and 199. Note: number 100 is already in use, so don't use that number... Obviously you will have to change number 1 in "ip nat inside..." as well...
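The two points made in the accepted answer and in the correction above (the NAT ACL must deny the tunnel's interesting traffic before permitting everything else, and an ACL numbered 1-99 is a standard, source-only list that rejects "permit ip src wc dst wc" syntax) can be checked mechanically against a running-config. The script below is an added example, not code from the thread or from Cisco; it models only IP-level source/destination matching with first-match semantics and the implicit deny, classifies numbered ACLs by the standard ranges 1-99 and 1300-1999, and the config fragments it runs on are constructed here from the lines posted in the thread.

```python
"""Audit an IOS config for the NAT-exemption mistake discussed in the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
STANDARD_RANGES = ((1, 99), (1300, 1999))      # numbered standard ACL ranges
PROTOCOL_KEYWORDS = ("ip", "tcp", "udp", "icmp", "esp", "ahp", "gre")


@dataclass
class AclEntry:
    action: str               # "permit" or "deny"
    src: IPv4Net
    dst: Optional[IPv4Net]    # None for a standard (source-only) entry


def wildcard_to_net(addr: str, wildcard: str) -> IPv4Net:
    """Turn IOS 'address wildcard' into a network; wildcard 0.0.0.0 is one host."""
    netmask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return IPv4Net((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def _take_addr(tokens: List[str]) -> IPv4Net:
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD' (wildcard optional)."""
    tok = tokens.pop(0)
    if tok == "any":
        return IPv4Net("0.0.0.0/0")
    if tok == "host":
        return IPv4Net(tokens.pop(0) + "/32")
    return wildcard_to_net(tok, tokens.pop(0) if tokens else "0.0.0.0")


def parse_acl_line(line: str) -> Tuple[str, AclEntry]:
    """Classify an 'access-list N ...' line by its number like IOS does; raise
    ValueError when extended syntax is given to a standard-range number."""
    tokens = line.split()
    number, action, rest = tokens[1], tokens[2], tokens[3:]
    if action not in ("permit", "deny"):
        raise ValueError(f"{line!r}: unknown action {action!r}")
    is_standard = number.isdigit() and any(lo <= int(number) <= hi for lo, hi in STANDARD_RANGES)
    if is_standard:
        if rest and rest[0] in PROTOCOL_KEYWORDS:
            raise ValueError(f"access-list {number} is a standard (source-only) ACL; "
                             f"'{rest[0]} src wc dst wc' needs an extended number (100-199 or 2000-2699)")
        return number, AclEntry(action, _take_addr(rest), None)
    rest.pop(0)   # protocol keyword; only IP source/destination is modelled here
    return number, AclEntry(action, _take_addr(rest), _take_addr(rest))


def parse_acls(config: str) -> Tuple[Dict[str, List[AclEntry]], List[str]]:
    acls: Dict[str, List[AclEntry]] = {}
    errors: List[str] = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            try:
                number, entry = parse_acl_line(line)
                acls.setdefault(number, []).append(entry)
            except ValueError as exc:
                errors.append(str(exc))
    return acls, errors


def acl_action(entries: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation with the implicit 'deny' at the end."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if s in e.src and (e.dst is None or d in e.dst):
            return e.action
    return "deny"


def audit_nat_exemption(config: str) -> List[str]:
    """Rule: every flow the crypto map ACL permits must be denied by the NAT ACL,
    otherwise it is translated to the Dialer address before the crypto map sees it."""
    acls, findings = parse_acls(config)
    nat = re.search(r"^ip nat inside source list (\S+) interface", config, re.M)
    vpn = re.search(r"^\s*match address (\S+)", config, re.M)
    if not nat or not vpn:
        return findings + ["NAT source list or crypto map 'match address' not found"]
    nat_list, vpn_list = nat.group(1), vpn.group(1)
    if nat_list not in acls:
        return findings + [f"access-list {nat_list} referenced by NAT is not defined"]
    for e in acls.get(vpn_list, []):
        if e.action != "permit" or e.dst is None:
            continue
        src, dst = str(e.src.network_address), str(e.dst.network_address)
        if acl_action(acls[nat_list], src, dst) == "permit":
            findings.append(f"NAT list {nat_list} still translates {e.src} -> {e.dst}; "
                            f"put 'access-list {nat_list} deny ip ...' before the permit")
    return findings


# Constructed fragments (not full configs) mirroring the three states in the thread.
VPN_LINES = ("crypto map SIPMAP 10 ipsec-isakmp\n match address 100\n"
             "access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255\n")
ORIGINAL = VPN_LINES + "ip nat inside source list 1 interface Dialer1 overload\n"
FIRST_FIX = ORIGINAL + ("access-list 1 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255\n"
                        "access-list 1 permit ip 10.10.10.0 0.0.0.255 any\n")
WORKING = VPN_LINES + ("ip nat inside source list 101 interface Dialer1 overload\n"
                       "access-list 101 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255\n"
                       "access-list 101 permit ip 10.10.10.0 0.0.0.255 any\n")

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("first fix", FIRST_FIX), ("working", WORKING)):
        print(name, "->", audit_nat_exemption(cfg) or ["OK"])
```

Run it and the three states line up with the thread: the original config reports that list 1 is undefined, the first fix reproduces the "standard ACL" rejection, and the final config with list 101 (deny the tunnel subnet, then permit any) audits clean. Swapping the deny and permit lines in list 101 is the classic remaining error, and the audit reports it as still translating the tunnel traffic.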

Hmm - no joy ...

Router A:

DEXSIP

Building configuration...

Current configuration : 3822 bytes
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
enable password
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-<10 digit code A>
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-<10 digit code A>
revocation-check none
rsakeypair TP-self-signed-<10 digit code A>
!
!
crypto pki certificate chain TP-self-signed-<10 digit code A>
certificate self-signed 01

        quit
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool dhcppool
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 62.6.40.178
!
!
ip cef
ip name-server 62.6.40.178
no ipv6 cef
!
!
license udi pid CISCO887M-K9 sn FCZ1447C1UT
!
!
username admin privilege 15 password 0
!
!
!
!
crypto isakmp policy 9
hash md5
authentication pre-share
crypto isakmp key address
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SIPTRAN esp-3des esp-md5-hmac
!
crypto map SIPMAP 10 ipsec-isakmp
set peer
set transform-set SIPTRAN
match address 100
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname
ppp chap password 0
ppp pap sent-username password 0
crypto map SIPMAP
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 deny   ip 10.10.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password
login
!
scheduler max-task-time 5000
end

Router#

Router B

Building configuration...

Current configuration : 3964 bytes
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
enable password
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-<10 digit code>
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-<10 digit code>
revocation-check none
rsakeypair TP-self-signed-<10 digit code>
!
!
crypto pki certificate chain TP-self-signed-<10 digit code>
certificate self-signed 01
 
        quit
ip source-route
!
!
ip dhcp excluded-address 192.168.50.252
!
ip dhcp pool dhcppool
   network 192.168.50.0 255.255.255.0
   default-router 192.168.50.252
   dns-server 62.6.40.178
!
!
ip cef
ip name-server 62.6.40.178
no ipv6 cef
!
!
license udi pid CISCO887M-K9 sn FCZ150290QY
!
!
username admin privilege 15 password 0
!

!
crypto isakmp policy 9
hash md5
authentication pre-share
crypto isakmp key address
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SIPTRAN esp-3des esp-md5-hmac
!
crypto map SIPMAP 10 ipsec-isakmp
set peer
set transform-set SIPTRAN
match address 100
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.50.252 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp chap hostname
ppp chap password 0
ppp pap sent-username password 0
crypto map SIPMAP
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip dns server
ip nat inside source list 101 interface Dialer1 overload
!
access-list 100 permit ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 deny   ip 192.168.50.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.50.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password
login
transport input all
!
scheduler max-task-time 5000
end

Router#

Btw - I've decided I'm no good at this Cisco router configuration game ...

Ah - I think it's working - I can ping from a machine behind router A to router B ... just playing around with some settings on a machine behind router B now ...

Thanks!