Configure Site to Site VPNs in Cisco 2911's

Quick presentation on the steps to build out a mesh site-to-site network using a Cisco 2911.

Presentation Transcript

  • CIS 264, Dan Morrill, Highline Community College
  • A static IP address on the EXTERNAL interface of your router
    Needs to be in the 192.168.203.X range for this class (all examples will use this IP range)
    Cisco 2911
    Access to the router as exec
    Patience
    Remember to check your work before you commit the changes
    Remember Write MEM
    A backup of your router configuration before doing this
    Just in case bad things happen to good people
  • http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/ provides a good step by step in case you need it
    http://samcaldwell.net/index.php/technical-articles/3-how-to-articles/83-cisco-vpn-part-i provides good background support for setting up a site to site VPN in a Cisco router
    http://www.fredshack.com/docs/vpnios.html somewhat convoluted but workable – use as a backup resource in case something goes wrong
  • Step 1: Create an IKE (Internet Key Exchange) policy for your router
    Router(config)#crypto isakmp policy 9
    Router(config-isakmp)#hash md5
    Router(config-isakmp)#authentication pre-share
  • Step 2: Set the shared key for the other end
    Router(config)#crypto isakmp key VPNKEY address 192.168.203.25
    Where VPNKEY is the shared key that you will use for the VPN, and remember to set the same key on the other end
    VPNKEY = keyR7ToR5 to help with the naming convention
    192.168.203.25 is the static public IP address of the other end
  • Step 3: Set the IPsec security association lifetime
    Router(config)#crypto ipsec security-association lifetime seconds YYYYY
    where YYYYY is the association's lifetime in seconds. It is usually set to 86400, which is one day.
  • Step 4: Create the access list that defines the traffic for the VPN
    Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK
    access-list AAA permit ip 192.168.203.25 0.0.0.255 192.168.203.26 0.0.0.255
    Where 203.26 is the Active Directory server or other computer on the network that will pass data back and forth between racks in the VPN
    Where WIL.DCA.RDM.ASK = wildcard mask of the network, the reverse subnet for a flat “C” network
  • Step 5: Define the transformations set that will be used for the VPN connection
    Router(config)#crypto ipsec transform-set SETNAME AAAA BBBB
    Where SETNAME is the name of the transformations set. You can choose any name you like. Naming is important to keep track of the transforms
    AAAA and BBBB are the transformation set. I recommend the use of “esp-3des esp-md5-hmac”.
  • Step 6: Create the crypto map
    Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp
    Router(config-crypto-map)#set peer 192.168.203.25
    Router(config-crypto-map)#set transform-set SETNAME
    Router(config-crypto-map)#match address AAA
    Where MAPNAME is a name of your choice for the crypto-map
    PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto-map give it any number, for example 10.
    192.168.203.25 is the static public IP address of the other end
    SETNAME is the name of the transformations set that we configured in step 5
    AAA is the number of the access-list that we created to define the traffic in step 4
  • Step 7: Apply the crypto map to the interface
    Router(config-if)#crypto map MAPNAME
    where MAPNAME is the name of the crypto-map that we defined in step 6.
    Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.
  • Repeat steps 2, 4, 5, 6, 7 for each VPN you want to set up, for each connection point R3, R4, R5, R6, R7
    In all you will have 5 VPN connections in your router configuration
    Remember to skip step 3
    This is step 3; it is a global configuration that will work on all VPNs connected to the router
    Router(config)#crypto ipsec security-association lifetime seconds YYYYY
  • show crypto isakmp sa
    show crypto ipsec sa
    show crypto engine connections active
    and show crypto map
    All those should show what you entered
    Then write mem
    Then do a show run to see if everything took after write mem
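An added example, not part of the original slides: a Python check for the two things the steps above depend on, namely that each router's crypto map points at a defined transform set, access list and keyed peer and is applied to an interface, and that both ends use the same key, IKE policy and transforms. The ACL number 101, the interface GigabitEthernet0/0 and the names LABSET and LABMAP in `sample()` are assumptions made up for the constructed config.

```python
import re

def parse(cfg):
    """Pull the settings from steps 1-7 out of one router's config text."""
    one = lambda pat: (re.search(pat, cfg, re.M) or [None, None])[1]
    return {
        "policy": (one(r"^ hash (\S+)"), one(r"^ authentication (\S+)")),
        "key": one(r"^crypto isakmp key (\S+) address"),
        "key_peer": one(r"^crypto isakmp key \S+ address (\S+)"),
        "sets": dict(re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)),
        "acls": set(re.findall(r"^access-list (\d+) ", cfg, re.M)),
        "map": one(r"^crypto map (\S+) \d+ ipsec-isakmp"),
        "map_peer": one(r"^ set peer (\S+)"),
        "map_set": one(r"^ set transform-set (\S+)"),
        "map_acl": one(r"^ match address (\S+)"),
        "applied": set(re.findall(r"^ crypto map (\S+)$", cfg, re.M)),
    }

def check_pair(cfg_a, cfg_b):
    """Return the problems found for one tunnel, given both ends' configs."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, c in (("A", a), ("B", b)):
        c["transforms"] = c["sets"].get(c["map_set"])  # transforms the map really uses
        for ok, msg in ((c["transforms"] is not None, "names an undefined transform-set"),
                        (c["map_acl"] in c["acls"], "names an undefined access-list"),
                        (c["map_peer"] == c["key_peer"], "peer has no pre-shared key"),
                        (c["map"] in c["applied"], "is not applied to an interface")):
            if not ok:
                problems.append(f"{name}: crypto map {msg}")
    for field in ("key", "policy", "transforms"):  # both ends must agree on these
        if a[field] != b[field]:
            problems.append(f"{field} differs between the two ends")
    return problems

def sample(peer, key="keyR7ToR5", transforms="esp-3des esp-md5-hmac"):
    """Constructed lab config for one end; names and numbers are assumptions."""
    return f"""crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key {key} address {peer}
crypto ipsec transform-set LABSET {transforms}
access-list 101 permit ip 192.168.203.25 0.0.0.255 192.168.203.26 0.0.0.255
crypto map LABMAP 10 ipsec-isakmp
 set peer {peer}
 set transform-set LABSET
 match address 101
interface GigabitEthernet0/0
 crypto map LABMAP
"""
```

`check_pair(sample("192.168.203.25"), sample("192.168.203.27", key="typo"))` returns `['key differs between the two ends']`; 192.168.203.27 is a made-up address for the second router. The sample keeps the slides' md5 and 3des settings so it lines up with the walkthrough; both are legacy algorithms, and the check works the same with stronger ones.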