RE: Working VPN config

From: Naushad Prasla (naushad.prasla@xxxxxxxxx)
Date: Sat Jan 08 2000 - 17:58:38 GMT-3


Brad,

Do you have to have "crypto isakmp policy 1"? I have been able to make it work
without this policy. Refer to the URL below for an example. I have tried it
and it works.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/secur_c/scprt4/scipsec.htm#xtocid2141731

This stuff is extremely confusing. Especially the various encryption methodologies
and their application.

Naushad

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Brad Hedlund
Sent: Thursday, January 06, 2000 3:32 PM
To: 'ccielab@groupstudy.com'
Subject: Working VPN config

I was able to put together a working VPN configuration as follows:

              ------e0 R4 s0 --------- Internet --------- e0/0 R9 e1/0 ----

                             <---------Encrypted Tunnel---> (IPsec)

I am running EIGRP over the tunnel making the "internet" look like a leased
line.
Given that I may be able to do dial-backup over the VPN with floating
statics.
The URL I mailed out in the previous email doesn't use a tunnel interface, I
just threw that in.
I will just show the configs. If I add all the show commands that prove it
works this email might be too long for the list to send.

R4#wr t
Building configuration...

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R4
!
!
no ip domain-lookup
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key MyFirstVPN address 200.100.100.9
!
!
crypto ipsec transform-set VPNtoR9 ah-md5-hmac esp-des
!
!
crypto map winter 10 ipsec-isakmp
 set peer 200.100.100.9
 set security-association lifetime seconds 600
 set transform-set VPNtoR9
 set pfs group2
 match address 101
!
!
!
interface Loopback99
 ip address 4.4.4.4 255.255.255.255
!
interface Tunnel0
 ip address 10.10.49.4 255.255.255.0
 tunnel source 200.200.200.4
 tunnel destination 200.100.100.9
 crypto map winter
!
interface BRI0/0
 no ip address
 shutdown
!
interface Ethernet0/0
 ip address 10.10.4.1 255.255.255.0
 no keepalive
!
interface Serial0/0
 ip address 200.200.200.4 255.255.255.0
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 no ip mroute-cache
 no fair-queue
!
router eigrp 100
 network 10.0.0.0
!
router ospf 1
 network 200.200.200.0 0.0.0.255 area 0.0.1.244
!
ip classless
!
logging buffered 4096 debugging
no logging console
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
end

R4#

R9#sh ru
Building configuration...

Current configuration:
!
version 11.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R9
!
!
ip subnet-zero
no ip domain-lookup
!
!
voice-port 2/0/0
!
voice-port 2/0/1
!
voice-port 2/1/0
!
voice-port 2/1/1
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key MyFirstVPN address 200.200.200.4
!
!
crypto ipsec transform-set VPNtoR4 ah-md5-hmac esp-des
!
!
crypto map summer 10 ipsec-isakmp
 set peer 200.200.200.4
 set security-association lifetime seconds 600
 set transform-set VPNtoR4
 set pfs group2
 match address 101
!
!
!
interface Loopback99
 ip address 9.9.9.9 255.255.255.255
 no ip directed-broadcast
!
interface Tunnel0
 ip address 10.10.49.9 255.255.255.0
 tunnel source 200.100.100.9
 tunnel destination 200.200.200.4
 crypto map summer
!
interface Ethernet0/0
 ip address 200.100.100.9 255.255.255.0
 no ip directed-broadcast
 no keepalive
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
 no fair-queue
!
interface BRI1/0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface Ethernet1/0
 ip address 10.10.9.1 255.255.255.0
 no ip directed-broadcast
 no keepalive
!
interface BRI1/1
 no ip address
 no ip directed-broadcast
 shutdown
!
router eigrp 100
 network 10.0.0.0
!
router ospf 1
 network 200.100.100.0 0.0.0.255 area 0
!
ip classless
!
no logging console
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
!
line con 0
 exec-timeout 0 0
 transport input none
line aux 0
line vty 0 4
 no login
!
end

R9#

-Brad
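Added example, not part of the thread and not Cisco's or either poster's code: a small Python checker that reads two IOS configs in the shape Brad posted and reports (a) where the two ends of the tunnel disagree (set peer vs. the other side's tunnel source, pre-shared key per peer address, transform set, PFS, crypto ACL) and (b) settings a reviewer would flag today (single DES, MD5, DH group 2, a pre-shared key readable in the running config). The R4/R9 snippets are reconstructed from the thread through the `peer_config` template; `peer_config`, `parse_ios`, `find`, `sub`, `map_entry`, `mirror`, `check_pair`, `check_hygiene` and the finding strings are this example's own names, not IOS commands. The ACL check goes a little beyond the page: it tests that the two crypto ACLs are mirror images of each other, which in Brad's case they trivially are because both sides use the same 10.10.0.0/16-to-10.10.0.0/16 entry.

```python
# Cross-check two IOS IPsec peers, like R4 and R9 above, for mismatches and weak settings.
def peer_config(host, local_ip, remote_ip, ts, cmap, transforms="ah-md5-hmac esp-des"):
    """Constructed IOS snippet in the shape of the R4/R9 configs posted in the thread."""
    return f"""\
hostname {host}
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key MyFirstVPN address {remote_ip}
crypto ipsec transform-set {ts} {transforms}
crypto map {cmap} 10 ipsec-isakmp
 set peer {remote_ip}
 set transform-set {ts}
 set pfs group2
 match address 101
interface Tunnel0
 tunnel source {local_ip}
 crypto map {cmap}
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
"""

R4_CONFIG = peer_config("R4", "200.200.200.4", "200.100.100.9", "VPNtoR9", "winter")
R9_CONFIG = peer_config("R9", "200.100.100.9", "200.200.200.4", "VPNtoR4", "summer")
WEAK = {"esp-des": "single DES", "ah-md5-hmac": "MD5", "esp-md5-hmac": "MD5"}  # flagged today

def parse_ios(text):
    """Map each top-level IOS command to the list of indented sub-commands under it."""
    blocks, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            block = blocks.setdefault(line, [])
        elif block is not None:
            block.append(line)
    return blocks

def find(cfg, prefix):
    """Top-level commands starting with prefix: (words after the prefix, sub-commands)."""
    return [(k[len(prefix):].split(), v) for k, v in cfg.items() if k.startswith(prefix)]

def sub(block, prefix):
    """Argument of the first sub-command in block starting with prefix, or None."""
    return next((c[len(prefix):].strip() for c in block if c.startswith(prefix + " ")), None)

def hostname(cfg):
    return find(cfg, "hostname ")[0][0][0]

def map_entry(cfg):
    """Lowest-sequence entry of the crypto map applied to Tunnel0."""
    name = sub(cfg["interface Tunnel0"], "crypto map")
    return min(find(cfg, f"crypto map {name} "), key=lambda e: int(e[0][0]))[1]

def transforms(cfg, entry):
    return set(find(cfg, f"crypto ipsec transform-set {sub(entry, 'set transform-set')} ")[0][0])

def crypto_acl(cfg, entry):
    return {" ".join(w) for w, _ in find(cfg, f"access-list {sub(entry, 'match address')} ")}

def mirror(ace):
    """Swap source and destination of a 'permit ip S SW D DW' entry: the peer's view of it."""
    p = ace.split()
    return " ".join([p[0], p[1], p[4], p[5], p[2], p[3]]) if len(p) == 6 else ace

def check_pair(a, b):
    """Findings where the two ends of the tunnel do not agree."""
    out = []
    for local, remote in ((a, b), (b, a)):
        ln, remote_src = hostname(local), sub(remote["interface Tunnel0"], "tunnel source")
        if sub(map_entry(local), "set peer") != remote_src:
            out.append(f"{ln}: set peer does not match the peer's tunnel source {remote_src}")
        if remote_src not in {w[2] for w, _ in find(local, "crypto isakmp key ")}:
            out.append(f"{ln}: no ISAKMP pre-shared key configured for {remote_src}")
    ea, eb = map_entry(a), map_entry(b)
    if transforms(a, ea) != transforms(b, eb):
        out.append("transform sets differ")
    if sub(ea, "set pfs") != sub(eb, "set pfs"):
        out.append("PFS settings differ")
    if {mirror(x) for x in crypto_acl(a, ea)} != crypto_acl(b, eb):
        out.append("crypto ACLs are not mirror images of each other")
    if {w[0] for w, _ in find(a, "crypto isakmp key ")} != {w[0] for w, _ in find(b, "crypto isakmp key ")}:
        out.append("pre-shared keys differ")
    return out

def check_hygiene(cfg):
    """Weak or risky settings on one peer, regardless of whether the tunnel comes up."""
    out, name = [], hostname(cfg)
    for _, pol in find(cfg, "crypto isakmp policy "):
        if sub(pol, "hash") == "md5":
            out.append(f"{name}: ISAKMP policy uses MD5 hashing")
        if sub(pol, "group") in ("1", "2"):
            out.append(f"{name}: ISAKMP policy uses weak DH group {sub(pol, 'group')}")
    for w, _ in find(cfg, "crypto ipsec transform-set "):
        out += [f"{name}: transform-set {w[0]} uses {alg} ({WEAK[alg]})" for alg in sorted(set(w[1:]) & set(WEAK))]
    if find(cfg, "crypto isakmp key "):
        out.append(f"{name}: pre-shared key is readable in the running config")
    return out
```

Calling `check_pair(parse_ios(R4_CONFIG), parse_ios(R9_CONFIG))` on the reconstructed pair returns no findings, which matches Brad's report that the tunnel works; `check_hygiene` on either router returns five findings, all of which are settings the thread's configs actually use. Changing one side's transform set or peer address in the template makes `check_pair` report exactly that mismatch, which is the kind of asymmetry that silently stops the tunnel from forming.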



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:22:43 GMT-3