Multiple VPNs on Cisco 837

aquillaaquilla South East, UKMember Posts: 148 ■■■□□□□□□□
Hi,

This post isn't related to CCNP but I thought it would be best suited here due to its content. :)

We have two offices that have bog standard ADSL in them with a Cisco 837 router. Each office has a static IP and the router does NAT for the users at each office.

I would like to achieve the following abjectives without purchasing additional equipment (if possible).

i) Create a router-to-router VPN to link the offices;
ii) Allow mobile users to VPN in to access resources on the internal networks.

The first point I have managed to do - the link is up and I can ping devices at the other site. Is the router able to perform these functions together or am I going to have to purchase additional equipment?

Thanks in advance.
Regards,

CCNA R&S; CCNP R&S

Comments

  • networker050184networker050184 Mod Posts: 11,962 Mod
    You should be able to do both as far as I know, but not sure what kind of processor hit you would take with both.
    An expert is a man who has made all the mistakes which can be made.
  • shednikshednik Member Posts: 2,005
    You should be able to do both as far as I know, but not sure what kind of processor hit you would take with both.


    Yes that should work just fine I just wouldn't want to have to many people VPN in on a smaller router such as that...with many tunnels terminating on a smaller router I can see that pegging quickly. If you have multiple IPs I would maybe invest in another router or a VPN concentrator but it depends on the number of remote users and what kind of internet link are you running this on?
  • aquillaaquilla South East, UKMember Posts: 148 ■■■□□□□□□□
    Hi Networker,

    Right after some further searching and reading on Cisco I have tried using VTI (Virtual Tunnel Interfaces). I have a tunnel interface setup on each router and can access devices on LAN at site 2 from site 1 :-

    Site 1 = 10.0.1.0 /24
    Site 2 = 10.0.0.0 /24

    C:\Users\Stuart>tracert 10.0.0.251

    Tracing route to 10.0.0.251 over a maximum of 30 hops

    1 1 ms 1 ms 1 ms 10.0.1.254
    2 55 ms 62 ms 61 ms 10.254.0.2
    3 60 ms 65 ms 66 ms 10.0.0.251

    Trace complete.

    This document on cisco.com helped alot:
    IPSec Virtual Tunnel Interface - Cisco Systems

    My next step is to get VPN access sorted for mobile users.
    Regards,

    CCNA R&S; CCNP R&S
  • aquillaaquilla South East, UKMember Posts: 148 ■■■□□□□□□□
    shednik wrote: »
    Yes that should work just fine I just wouldn't want to have to many people VPN in on a smaller router such as that...with many tunnels terminating on a smaller router I can see that pegging quickly. If you have multiple IPs I would maybe invest in another router or a VPN concentrator but it depends on the number of remote users and what kind of internet link are you running this on?

    Hi,

    The offices are small (less than six at each site) hence the basic connection and routers. There will only be a couple of people VPN'ing in at most.
    Regards,

    CCNA R&S; CCNP R&S
  • networker050184networker050184 Mod Posts: 11,962 Mod
    To allow the VPN clients to connect you can just set up an "easy" VPN server.
    An expert is a man who has made all the mistakes which can be made.
  • aquillaaquilla South East, UKMember Posts: 148 ■■■□□□□□□□
    To allow the VPN clients to connect you can just set up an "easy" VPN server.

    Hi Networker,

    Something I am about to look at now.

    Thanks,
    Regards,

    CCNA R&S; CCNP R&S
  • gojericho0gojericho0 Member Posts: 1,059 ■■■□□□□□□□
    Check this link out as well to create isakmp profiles to distinguish your site-to-site and remote vpn connections

    ISAKMP Profile Overview [Cisco IOS IPsec] - Cisco Systems
  • Panzer919Panzer919 Member Posts: 462
    This is what i use to create EZVPN links


    conf t
    crypto ipsec client ezvpn (Company Name)
    connect auto
    group EzVPN key EzVPN
    local-address loopback0
    mode network-extension (or Client)
    peer (IP Address of EzVPN server)
    ip dhcp pool dhcpPool
    network 192.168.0.0 255.255.255.0
    dns-server 24.29.1.218 24.29.1.219
    default-router 192.168.0.1
    lease 0 16
    exit
    ip dhcp excluded-address 192.168.0.1
    interface loopback 0
    ip address (Public IP Address) 255.255.255.255
    interface Ethernet 0
    ip address 192.168.0.1 255.255.255.0
    crypto ipsec client ezvpn (Name) inside
    interface (outgoing int)
    crypto ipsec client ezvpn (Name)
    exit
    router rip <-- or what ever you are using
    passive-interface loopback0
    passive-interface ethernet0
    distribute-list 50 out (outgoing int) 0
    exit
    access-list 50 permit (Public IP Address) 0.0.0.0
    exit
    Cisco Brat Blog

    I think “very senior” gets stuck in there because the last six yahoos that applied for the position couldn’t tell a packet from a Snickers bar.

    Luck is where opportunity and proper planning meet

    I have not failed. I've just found 10,000 ways that won't work.
    Thomas A. Edison
  • aquillaaquilla South East, UKMember Posts: 148 ■■■□□□□□□□
    Hi Guys,

    Just wanted to thanks for the help guys. Now have everything up and running. :)
    Regards,

    CCNA R&S; CCNP R&S
  • gojericho0gojericho0 Member Posts: 1,059 ■■■□□□□□□□
    what did you final solution look like?
Sign In or Register to comment.