Cisco VTI based VPN configuration on 887 router

The latest network consultancy job we are doing here at Gconnect involves a network designed to provide redundant VPN tunnels between 2 sites using a combination of 5 DSL (Cisco 887) routers. The requirement for the job was that, in the event of an ADSL line failure, the VPN traffic should continue to flow with minimal disruption to the clients. While everything is in normal operation, traffic destined for the internet should be routed over a different path than the VPN traffic, keeping an 'un-contended path' for the critical site-to-site traffic.

It was decided that we'd use a dynamic routing protocol to make the failover happen cleanly, which dictated that we would need to use a GRE/IPSec type tunnel to make it work. To show how these site-to-site tunnels are made, I've made a quick diagram (shown below):

[Diagram: ipsec-gre]

Config for Router 1, shown on the left-hand side:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set GCONNECT esp-aes esp-sha-hmac
!
crypto ipsec profile GC-PROFILE
 set transform-set GCONNECT
!
interface Tunnel0
 ip address 10.10.10.1 255.255.255.0
 ip ospf 1 area 0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile GC-PROFILE
!

Config for Router 2, shown on the right-hand side:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set GCONNECT esp-aes esp-sha-hmac
!
crypto ipsec profile GC-PROFILE
 set transform-set GCONNECT
!
interface Tunnel0
 ip address 10.10.10.2 255.255.255.0
 ip ospf 1 area 0
 tunnel source Dialer0
 tunnel mode ipsec ipv4
 tunnel destination 2.2.2.2
 tunnel protection ipsec profile GC-PROFILE
!

When you now execute a show ip route, the routes should be visible in the table.
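Added example, not part of the original post: a short Python check that parses the crypto section of the Router 1 config above and reports the settings a reviewer would normally tighten before production, namely the pre-shared key bound to any peer (0.0.0.0 0.0.0.0), Diffie-Hellman group 2, SHA-1 for ESP integrity, and no PFS on the IPsec profile. The finding names and the WEAK_DH set are this example's own choices, not Cisco terminology.

```python
import re

# Constructed sample: crypto section of Router 1 as shown in the post (key masked).
ROUTER1 = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key ******** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec transform-set GCONNECT esp-aes esp-sha-hmac
crypto ipsec profile GC-PROFILE
 set transform-set GCONNECT
"""

WEAK_DH = {"1", "2", "5"}  # assumption of this example: MODP groups up to 1536 bits

def sections(config):
    """Yield (header, [indented sub-commands]) for each top-level command."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and IOS "!" separators
        if line[0] != " ":
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header is not None:
        yield header, body

def audit(config):
    """Return a sorted list of finding codes for the crypto settings found."""
    findings = set()
    for header, body in sections(config):
        if header.startswith("crypto isakmp policy"):
            group = next((b.split()[1] for b in body if b.startswith("group ")), None)
            if group in WEAK_DH:
                findings.add("weak-dh-group-" + group)
        elif re.search(r"^crypto isakmp key .+ address 0\.0\.0\.0( |$)", header):
            findings.add("wildcard-psk-peer")  # key accepted from any peer address
        elif header.startswith("crypto ipsec transform-set") and "esp-sha-hmac" in header.split():
            findings.add("sha1-esp-integrity")
        elif header.startswith("crypto ipsec profile") and not any(b.startswith("set pfs") for b in body):
            findings.add("no-pfs")
    return sorted(findings)

if __name__ == "__main__":
    print(audit(ROUTER1))
```

Running it against a saved show running-config from either router gives the same list, since both routers use identical crypto settings in the post.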
