T1 Site-to-Site VPN
- From: "John" <john.thompson40@xxxxxxxxx>
- Date: Thu, 30 Aug 2007 00:16:03 -0400
Soon I will have to set up a T1 with 2 1841 routers each with a CSU/DSU
module. I have a back-to-back test setup here, and I have that part
working. The next step was to establish a VPN tunnel between the 2 routers.
That step is also working.
Here is the network diagram:
Host (10.10.20.20)
|
(LAN IP: 10.10.20.1)
Cisco 1841
(WAN IP: 192.168.60.1)
|
(WAN IP: 192.168.40.1)
Cisco 1841
(LAN IP: 10.10.10.1)
|
Host (10.10.10.10)
Host 10.10.10.10 can ping anybody on the 10.10.20.0/24 network. Great. My
problem is that 192.168.40.1 can also ping anybody on the 10.10.20.0/24
network.
I know that I need to set up an ACL, but I want to make sure that I do this
right. I only want VPN traffic to be able to pass through, and I want to
deny any other traffic coming into each router. I currently have an
extended ACL matched to each crypto map, and I'm about 99.99999% sure that
it's correct. However, if I add a deny any any ACL to my serial interface,
then nobody can ping anybody anymore. This makes sense to me, but I want
the extended ACL matched to my crypto maps to take precedence over that ACL and
let VPN traffic through.
What's the correct way to do this? Thanks.
-- John
RouterA:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
!
password encryption aes
!
!
username cisco privilege 15 secret 5 $1$uF6w$fMy7xMIp2BRaJMSi214EM/
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key 6 LQVHTdLaGEbPEb^]bPAiKbISUPXEP^QVZAAB address 192.168.60.1
crypto isakmp keepalive 60 3 periodic
!
!
crypto ipsec transform-set L2LTransform esp-aes 256
!
crypto map L2LMap 1 ipsec-isakmp
set peer 192.168.60.1
set security-association level per-host
set security-association lifetime seconds 86400
set security-association idle-time 86400
set transform-set L2LTransform
set pfs group5
match address L2LAccess
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 192.168.40.1 255.255.255.0
encapsulation ppp
service-module t1 timeslots 1-24
crypto map L2LMap
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended L2LAccess
permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
!
!
control-plane
!
banner login
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a
privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS
CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use.
For more information about SDM please follow the instructions in the QUICK
START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
!
line con 0
exec-timeout 0 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end
RouterB:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RouterB
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
ip cef
!
!
!
!
ip domain name yourdomain.com
!
password encryption aes
!
!
username cisco privilege 15 secret 5 $1$nAL8$hheCXtA4rN6.RosXTheFz0
!
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 5
crypto isakmp key 6 FMi^gCO^`\EGMaeIVfUECJLD_dMWJZCNVAAB address 192.168.40.1
crypto isakmp keepalive 60 3 periodic
!
!
crypto ipsec transform-set L2LTransform esp-aes 256
!
crypto map L2LMap 1 ipsec-isakmp
set peer 192.168.40.1
set security-association level per-host
set security-association lifetime seconds 86400
set security-association idle-time 86400
set transform-set L2LTransform
set pfs group5
match address L2LAccess
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$
ip address 10.10.20.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0
ip address 192.168.60.1 255.255.255.0
encapsulation ppp
service-module t1 clock source internal
service-module t1 timeslots 1-24
crypto map L2LMap
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip access-list extended L2LAccess
permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!
control-plane
!
banner login
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a
privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS
CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to
use.
For more information about SDM please follow the instructions in the QUICK
START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
!
line con 0
exec-timeout 0 0
login local
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000
end
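Added example (not part of John's post or the configs above): an inbound ACL for RouterA's Serial0/0/0 that admits only the peer's IKE and ESP plus the decrypted tunnel traffic. The crypto map's match address ACL is a traffic selector, not a filter, so it cannot take precedence over an interface ACL; IOS evaluates the inbound ACL on the encrypted packet and again on the decrypted inner packet, so both must be permitted. The ACL name OUTSIDE-IN is my own choice, and the NAT-T line assumes nothing; it is harmless if no NAT sits between the peers.

```cisco
! RouterA: restrict what may enter Serial0/0/0 to the VPN itself.
! Peer is RouterB at 192.168.60.1; the local serial address is 192.168.40.1.
ip access-list extended OUTSIDE-IN
 remark --- IKE negotiation (UDP 500) from the configured peer only
 permit udp host 192.168.60.1 host 192.168.40.1 eq isakmp
 remark --- NAT-T (UDP 4500); only needed if a NAT device sits in the path
 permit udp host 192.168.60.1 host 192.168.40.1 eq non500-isakmp
 remark --- the encrypted tunnel payload itself (IP protocol 50)
 permit esp host 192.168.60.1 host 192.168.40.1
 remark --- IOS re-checks the decrypted inner packet against this ACL,
 remark --- so the cleartext LAN-to-LAN traffic must be permitted as well
 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 remark --- everything else arriving over the T1 is dropped and logged
 deny   ip any any log
!
interface Serial0/0/0
 ip access-group OUTSIDE-IN in
!
! RouterB mirrors this with the peer and local addresses swapped:
!   permit udp host 192.168.40.1 host 192.168.60.1 eq isakmp
!   permit udp host 192.168.40.1 host 192.168.60.1 eq non500-isakmp
!   permit esp host 192.168.40.1 host 192.168.60.1
!   permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
```

With the mirrored ACL applied on RouterB, a cleartext ping sourced from 192.168.40.1 (which does not match the crypto ACL and so travels unencrypted) hits the final deny and shows up in the log, while 10.10.10.10 still reaches 10.10.20.0/24 through the tunnel.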