
WIP: Configure YAMAHA Router Site to Site IPsec VPN with RTX1210

  1. RTX1210 14.01.36
  2. Main mode IPsec VPN
  3. Aggressive mode IPsec VPN
  4. This configuration is a PoC config, not a production-ready config. This lab lacks the IP filter security implementation!!

Topology

Base Configuration

  • R1
console character en.ascii
console prompt R1
console info on
login timer 21474836
syslog debug on
ip lan1 address 10.1.1.1/24
ip lan2 address 198.51.100.1/24
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 10.1.1.11-10.1.1.191/24
ip route 192.0.2.0/24 gateway 198.51.100.3
  • R2
console character en.ascii
console prompt R2
console info on
login timer 21474836
syslog debug on
ip lan1 address 10.2.2.2/24
ip lan2 address 192.0.2.2/24
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 10.2.2.11-10.2.2.191/24
ip route 198.51.100.0/24 gateway 192.0.2.3
  • SW3 Switch Cisco Catalyst 3750 IOS 15.0

This device can be replaced with another routing device. Be aware that this device uses the port mirroring (SPAN: Switch Port Analyzer) feature.

configure terminal
!
ip routing
!
no cdp run
!
monitor session 1 source interface FastEthernet 1/0/24
monitor session 1 destination interface FastEthernet 1/0/1 encapsulation replicate
!
interface FastEthernet 1/0/23
 no switchport
 ip address 192.0.2.3 255.255.255.0
interface FastEthernet 1/0/24
 no switchport
 ip address 198.51.100.3 255.255.255.0
!
end
  1. Ethernet 5 is connected to R1
  2. Ethernet 6 is connected to R2
  3. Ethernet 7 is the Wireshark probing port
  4. Fa1/0/1 is the Wireshark probing port
  5. Fa1/0/24 is connected to R1 LAN 2
  6. Fa1/0/23 is connected to R2 LAN 2

Configure IPsec VPN Public IP (Main Mode)

  • R1
tunnel select 1
 ipsec tunnel 1
 ipsec sa policy 1 1 esp aes-cbc sha-hmac
 ipsec ike keepalive log 1 off
 ipsec ike keepalive use 1 on
 ipsec ike nat-traversal 1 on
 ipsec ike pre-shared-key 1 text secret12345
 ipsec ike remote address 1 192.0.2.2
 ip tunnel address 10.1.2.1/30
 ip tunnel tcp mss limit auto
 tunnel enable 1
ipsec auto refresh on
#
ip route 10.2.2.0/24 gateway 10.1.2.2
#ip route 10.2.2.0/24 gateway tunnel 1
  • R2
tunnel select 1
 ipsec tunnel 1
 ipsec sa policy 1 1 esp aes-cbc sha-hmac
 ipsec ike keepalive log 1 off
 ipsec ike keepalive use 1 on
 ipsec ike nat-traversal 1 on
 ipsec ike pre-shared-key 1 text secret12345
 ipsec ike remote address 1 198.51.100.1
 ip tunnel address 10.1.2.2/30
 ip tunnel tcp mss limit auto
 tunnel enable 1
ipsec auto refresh on
#
ip route 10.1.1.0/24 gateway 10.1.2.1
#ip route 10.1.1.0/24 gateway tunnel 1
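An added peer-consistency check (example code, not part of this page's router configuration). It reads the handful of RTX commands that must agree between the two sides of the main-mode tunnel above (lan2 address vs. the peer's remote address, matching pre-shared key, tunnel addresses in one /30, a route via the peer's tunnel address) and also reports the missing ip filter rules that the caveat at the top of the page warns about. The sample configs are trimmed copies of the R1/R2 lines from this page.

```python
import ipaddress
import re

# Constructed samples: only the R1/R2 lines from this page that the checker reads.
R1 = """ip lan2 address 198.51.100.1/24
ipsec ike pre-shared-key 1 text secret12345
ipsec ike remote address 1 192.0.2.2
ip tunnel address 10.1.2.1/30
ip route 10.2.2.0/24 gateway 10.1.2.2"""
R2 = """ip lan2 address 192.0.2.2/24
ipsec ike pre-shared-key 1 text secret12345
ipsec ike remote address 1 198.51.100.1
ip tunnel address 10.1.2.2/30
ip route 10.1.1.0/24 gateway 10.1.2.1"""

def parse(cfg):
    """Pull the RTX commands the peer check needs into a dict (others ignored)."""
    d = {"routes": [], "filters": 0}
    for line in cfg.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # '#' lines are comments in RTX config
            continue
        if m := re.match(r"ip lan2 address (\S+)", line):
            d["wan"] = ipaddress.ip_interface(m[1])
        elif m := re.match(r"ipsec ike pre-shared-key \d+ text (\S+)", line):
            d["psk"] = m[1]
        elif m := re.match(r"ipsec ike remote address \d+ (\S+)", line):
            d["peer"] = m[1]
        elif m := re.match(r"ip tunnel address (\S+)", line):
            d["tun"] = ipaddress.ip_interface(m[1])
        elif m := re.match(r"ip route (\S+) gateway (\S+)", line):
            d["routes"].append((m[1], m[2]))
        elif line.startswith(("ip filter", "ip lan2 secure filter")):
            d["filters"] += 1
    return d

def check_pair(a, b):
    """Return the list of mismatches found between two parsed peer configs."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["peer"] != str(b["wan"].ip) or b["peer"] != str(a["wan"].ip):
        problems.append("remote address does not match the peer's lan2 address")
    if a["tun"].network != b["tun"].network or a["tun"].ip == b["tun"].ip:
        problems.append("tunnel addresses are not distinct hosts in one subnet")
    for name, cfg, other in (("A", a, b), ("B", b, a)):
        if not any(gw == str(other["tun"].ip) for _, gw in cfg["routes"]):
            problems.append(f"{name}: no route via the peer tunnel address")
        if cfg["filters"] == 0:
            problems.append(f"{name}: no ip filter rules (lab config, not production)")
    return problems
```

Run against the page's own R1/R2, the only findings are the two missing-filter reports; change the PSK on one side and the key mismatch is reported as well.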

NOT Verified: Configure IPsec VPN Public IP (Aggressive Mode)

  • R1 (Fixed IP)
tunnel select 1
 ipsec tunnel 1
 ipsec sa policy 1 1 esp aes-cbc sha-hmac
 ipsec ike keepalive log 1 off
 ipsec ike keepalive use 1 on
 ipsec ike nat-traversal 1 on
 ipsec ike pre-shared-key 1 text secret12345
 ipsec ike remote address 1 any
 ipsec ike remote name 1 site2
 ip tunnel address 10.1.2.1/30
 ip tunnel tcp mss limit auto
 tunnel enable 1
ipsec auto refresh on
#
ip route 10.2.2.0/24 gateway 10.1.2.2
#ip route 10.2.2.0/24 gateway tunnel 1
  • R2 (Non-Fixed IP)
tunnel select 1
 ipsec tunnel 1
 ipsec sa policy 1 1 esp aes-cbc sha-hmac
 ipsec ike keepalive log 1 off
 ipsec ike keepalive use 1 on
 ipsec ike nat-traversal 1 on
 ipsec ike pre-shared-key 1 text secret12345
 ipsec ike remote address 1 198.51.100.1
 # aggressive mode: the initiator sends this name as its IKE ID; R1 matches it with "ipsec ike remote name 1 site2"
 ipsec ike local name 1 site2
 ip tunnel address 10.1.2.2/30
 ip tunnel tcp mss limit auto
 tunnel enable 1
ipsec auto refresh on
#
ip route 10.1.1.0/24 gateway 10.1.2.1
#ip route 10.1.1.0/24 gateway tunnel 1

tech/network/yamaha/vpn/ipsec-vpn-rtx1210-site-to-site/ipsec-vpn-rtx1210-site-to-site.txt · Last modified: 2020/05/30 13:21 by wnoguchi