Hi A,
Here is the configuration of Site-B.
Site-B has got other tunnels, and to make it simple I removed the access-lists
for the tunnels which are working.
%%%%%%%%%%%%%%%%%%%%%
Site-B configuration
%%%%%%%%%%%%%%%%%%%%%
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp key cisco address 97.12.118.X
crypto isakmp key cisco address 217.218.185.x
crypto isakmp key cisco address 62.249.x.x
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 300
crypto ipsec transform-set PAC1 esp-des esp-md5-hmac
crypto ipsec transform-set PAC2 esp-3des esp-md5-hmac
crypto ipsec transform-set PAC3 esp-3des esp-md5-hmac
crypto ipsec transform-set PAC4 esp-3des esp-md5-hmac
crypto dynamic-map MAP 10
 set transform-set PAC4
 match address PAC4
crypto map IMAP 5 ipsec-isakmp dynamic MAP
crypto map IMAP 6 ipsec-isakmp
 set peer 97.12.118.X
 set transform-set PAC1
 match address PAC1
crypto map IMAP 7 ipsec-isakmp
 set peer 217.218.185.x
 set transform-set PAC2
 match address PAC2
crypto map IMAP 8 ipsec-isakmp
 set peer 62.249.x.x
 set transform-set PAC3
 match address PAC3
interface GigabitEthernet0/0
 description Network
 ip address 172.20.20.1 255.255.255.0
interface GigabitEthernet0/1
 description ISP
 ip address 217.90.12.x 255.255.255.248
 crypto map IMAP
router eigrp 2
 network 172.20.20.1 0.0.0.0
 no auto-summary
ip route 0.0.0.0 0.0.0.0 217.90.12.x
ip route 172.20.245.1 255.255.255.255 217.90.12.x
ip access-list extended PAC4
 permit ip 172.20.20.0 0.0.0.255 172.20.245.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 172.20.245.0 0.0.0.255
Thanks
A Khan
On Thu, Nov 24, 2011 at 2:15 PM, Alexei Monastyrnyi <alexeim73_at_gmail.com> wrote:
> Hi Arbaaz.
>
> What exactly is the problem? Does the connection progress from phase 1 to
> phase 2?
> Any debug outputs?
> Better post at least the config of site B to have a full picture of both
> ends.
>
> Cheers,
> A.
>
>
>
> On 11/24/2011 9:03 PM, Arbaaz Khan wrote:
>
> Hi Experts,
> I've got a simple VPN setup but have a problem getting the tunnel up with a dynamic IP.
> Any input is appreciated.
> To simplify the setup I labeled the sites as A, B, C. Here go the details
> and my configuration.
>
>
> Site-A connects to Site-C [ Firewall-to-Router Static-to-Dynamic IPSec with
> NAT ]
> Site-B connects to Site-C [ Router-to-Router Static-to-Dynamic IPSec with
> NAT ]
>
> Site-A terminates the VPN on a PIX 525
> Site-B terminates the VPN on an IOS router with a static public IP
> Site-C terminates the VPN on an IOS router with a dynamic public IP
> Site A - 217.18.1.x
> Site B - 217.90.12.x
> Site C - 0.0.0.0 [ Dynamic IP ]
>
>
> %%%%%%%%%%%%
> Site-C configuration %%
> %%%%%%%%%%%%%
>
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
>
> crypto isakmp policy 11
>  encr 3des
>  hash md5
>  authentication pre-share
>
> crypto isakmp key cisco address 217.18.1.X
> crypto isakmp key cisco address 217.90.12.X
> crypto isakmp keepalive 300
> !
> !
> crypto ipsec transform-set trans1 esp-des esp-md5-hmac
> crypto ipsec transform-set trans2 esp-3des esp-md5-hmac
> !
> crypto map CMAP 10 ipsec-isakmp
>  set peer 217.18.1.X
>  set transform-set trans1
>  match address FL1
>
> crypto map CMAP 10 ipsec-isakmp
>  set peer 217.90.12.X
>  set transform-set trans2
>  match address GW1
>
>
> interface Ethernet0
>  ip address 172.20.245.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
>  ip tcp adjust-mss 1300
>  hold-queue 100 out
> !
> interface Ethernet2
>  no ip address
>  pppoe enable
>  pppoe-client dial-pool-number 1
>  hold-queue 100 out
> !
> interface ATM0
>  bandwidth 4160
>  no ip address
>  load-interval 30
>  shutdown
>  no atm ilmi-keepalive
>  dsl operating-mode auto
>  pvc 0/50
>   encapsulation aal5mux ppp dialer
>   dialer pool-member 1
>
> interface Dialer0
>  bandwidth 4160
>  ip address negotiated
>  ip mtu 1492
>  ip nat outside
>  ip virtual-reassembly
>  encapsulation ppp
>  no ip mroute-cache
>  dialer pool 1
>  dialer-group 1
>  no cdp enable
>  ppp authentication pap callin
>  ppp chap refuse
>  ppp pap sent-username cisco password 7 cisco
>  ppp ipcp address accept
>  crypto map CMAP
>
> ip route 0.0.0.0 0.0.0.0 Dialer0
>
> ip nat source list INTERNET interface Dialer0 overload
> !
> !
> ip access-list extended INTERNET
>  deny ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>  deny ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>  deny ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>  deny ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>  permit ip 172.20.245.0 0.0.0.255 any
>
> ip access-list extended FL1
>  permit ip 172.20.245.0 0.0.0.255 172.20.100.0 0.0.1.255
>  permit ip 172.20.245.0 0.0.0.255 192.168.30.0 0.0.0.255
>
> ip access-list extended GW1
>  permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
>  permit ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
>
> I have no problems on the Tunnel between Site-A and Site-C
>
> Thanks
> A Khan
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
Received on Thu Nov 24 2011 - 16:10:53 ART
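
An added example, not part of the thread: a small Python check over the crypto map and access-list lines posted above. It reports crypto map sequence numbers that are declared more than once and tests whether the crypto ACLs on the two ends mirror each other. The function names are hypothetical, and the sample text is constructed from the posted lines, re-indented.

```python
import re
from collections import defaultdict
# Constructed sample: lines copied from the thread (addresses keep its redaction).
SITE_C = """\
crypto map CMAP 10 ipsec-isakmp
 set peer 217.18.1.X
 set transform-set trans1
 match address FL1
crypto map CMAP 10 ipsec-isakmp
 set peer 217.90.12.X
 set transform-set trans2
 match address GW1
ip access-list extended GW1
 permit ip 172.20.245.0 0.0.0.255 172.20.20.0 0.0.0.255
 permit ip 172.20.245.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
SITE_B = """\
ip access-list extended PAC4
 permit ip 172.20.20.0 0.0.0.255 172.20.245.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 172.20.245.0 0.0.0.255
"""

def reused_sequences(config):
    """Return {(map, seq): [peers]} for static entries declared more than once."""
    peers, seen, current = defaultdict(list), defaultdict(int), None
    for line in config.splitlines():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp\s*$", line)
        if m:
            current = (m.group(1), int(m.group(2)))
            seen[current] += 1
        elif current and line.strip().startswith("set peer "):
            peers[current].append(line.split()[-1])
        elif not line.startswith(" "):
            current = None  # left the crypto map stanza
    return {k: peers[k] for k, n in seen.items() if n > 1}

def acl_entries(config, name):
    """Return the (src, src_wc, dst, dst_wc) permit entries of an extended ACL."""
    entries, inside = set(), False
    for line in config.splitlines():
        if not line.startswith(" "):
            inside = line.strip() == f"ip access-list extended {name}"
        elif inside and line.split()[:2] == ["permit", "ip"]:
            entries.add(tuple(line.split()[2:6]))
    return entries

def is_mirror(a, b):
    # True when every entry of a appears in b with source and destination swapped.
    return {(d, dw, s, sw) for s, sw, d, dw in a} == b
```

On the lines as posted, `reused_sequences(SITE_C)` reports CMAP sequence 10 with both peers, and the PAC4 and GW1 access lists come out as mirrors of each other.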