How do I set up a VPN?

  • How do I set up a VPN?

    Hi, I would like to set up VPN connectivity between 2 offices. We already have an 1841 and 2 or 3 877 routers with us. We are planning to use the 1841 in the main office with a Diginet connection having static IPs, and the 877 routers at remote offices having ADSL links.
    Kindly suggest what configuration I need to do at both ends.

  • #2
    Re: cinu

    Plenty of info out there regarding VPNs if you just take the time and look.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: cinu

      The title has been changed. Next time please choose a better title as per the rules, thanks.
      Last edited by Wired; 11th April 2012, 07:27.
      ** Remember to give credit where credit is due and leave reputation points where appropriate **


      • #4
        Re: How do I set up a VPN?

        You can do L2L tunnels if you want for each remote site. Another option would be DMVPN. This is more of a hub-and-spoke topology. With DMVPN, most of the time you will run a dynamic routing protocol between hub and spokes. Use a multipoint GRE interface on the hub. If you want spoke-to-spoke dynamic tunnels, then it's multipoint GRE all the way around. Lots of options.

        Configuration depends on what type you want to go with. For L2L static tunnels this will do:

        ! ISAKMP policy
        crypto isakmp policy 10
         authentication pre-share
         hash sha
         encryption aes
         group 5

        ! Pre-shared key for the peer (X.X.X.X = remote site IP; "cisco" is a sample key)
        crypto isakmp key cisco address X.X.X.X

        ! Transform set
        crypto ipsec transform-set TSET esp-aes esp-sha-hmac

        ! Crypto map (X.X.X.X = remote site IP address)
        crypto map MYMAP 10 ipsec-isakmp
         set peer X.X.X.X
         set transform-set TSET
         match address 100

        ! Crypto ACL for interesting traffic
        access-list 100 permit ip X.X.X.X Y.Y.Y.Y X.X.X.X Y.Y.Y.Y

        ! Apply the crypto map to the outside interface
        int fa0/0
         crypto map MYMAP

        Could also do VTI-based VPNs, which will give you a routable tunnel interface for QoS, policy etc.

        Don't forget to add a no-NAT rule so VPN traffic doesn't get NATted.

        ! Traffic not to be NATted
        access-list 101 deny ip X.X.X.X Y.Y.Y.Y X.X.X.X Y.Y.Y.Y
        ! Traffic to be NATted (can get more specific here if need be)
        access-list 101 permit ip any any

        route-map NO_NAT permit 10
         match ip address 101

        ! Assuming you're using PAT on the outside interface
        ip nat inside source route-map NO_NAT interface fa0/0 overload
        Last edited by auglan; 11th April 2012, 16:55.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
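
Added example, not part of auglan's post or the original thread: a small Python check for the no-NAT point in post #4. It parses an IOS snippet and reports any crypto-ACL flow that the NAT ACL would translate instead of exempting. The sample config and its 192.168.x.x LAN ranges are constructed, and the script assumes one crypto map, one NAT route-map and contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed sample; the LAN addresses are placeholders, not from the thread.
SAMPLE = """\
crypto map MYMAP 10 ipsec-isakmp
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
route-map NO_NAT permit 10
 match ip address 101
"""
ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")

def _take(tok):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # Invert the wildcard into a netmask (contiguous wildcards only).
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tok[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_acls(config):
    """Return {acl_id: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            src, rest = _take(m.group(3).split())
            dst, _ = _take(rest)
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
    return acls

def nat_leaks(config):
    """Crypto-ACL flows that the NAT ACL would translate (first match wins)."""
    acls = parse_acls(config)
    crypto_id = re.search(r"^\s*match address (\d+)", config, re.M).group(1)
    nat_id = re.search(r"^\s*match ip address (\d+)", config, re.M).group(1)
    leaks = []
    for src, dst in [(s, d) for a, s, d in acls.get(crypto_id, []) if a == "permit"]:
        for n_action, n_src, n_dst in acls.get(nat_id, []):
            if n_action == "deny" and src.subnet_of(n_src) and dst.subnet_of(n_dst):
                break  # exempted from NAT before any permit could match
            if n_action == "permit" and src.overlaps(n_src) and dst.overlaps(n_dst):
                leaks.append((str(src), str(dst)))
                break
    return leaks
```

An empty list from `nat_leaks()` means every crypto-ACL flow hits a deny in the NAT ACL first; a missing deny, or one placed after `permit ip any any`, is reported as a (source, destination) pair.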