
Configuring IPSec tunnel between two LANs using the same subnet

May 15th, 2010

How to set up an IPSec tunnel between two LANs using the same subnet.

Conflicting LAN IP subnets cause difficulties when routing through a tunnel: if both sites use 172.16.0.0, a host has no way to tell a local address from one on the far side. This configuration uses NAT to overcome the problem of duplicate addresses. Router A presents its LAN to the tunnel as 172.18.0.0/16 and Router B presents its LAN as 172.19.0.0/16, and the crypto access lists match on those translated ranges rather than on the real ones:

Figure: Configuring IPSec Tunnel Between Same Subnets

CONFIGURATIONS:

Router A

Current configuration : 1404 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SV3-2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
!
!
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!

!--- These are the Internet Key Exchange (IKE) parameters.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.5.76.57
!

!--- These are the IPSec parameters.

crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
!
!
crypto map mymap 10 ipsec-isakmp
set peer 10.5.76.57
set transform-set myset1

!--- Encrypt traffic to the other side.

match address 100
!
!
!
interface Serial0/0
description Interface to Internet
ip address 10.5.76.58 255.255.0.0
ip nat outside
clockrate 128000
crypto map mymap
!
interface Ethernet0/0
ip address 172.16.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
half-duplex
!
!

!--- This is the NAT translation: the local 172.16.0.0/16 is presented to the tunnel as 172.18.0.0/16.

ip nat inside source static network 172.16.0.0 172.18.0.0 /16 no-alias
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!

!--- Encrypt traffic to the other side.

access-list 100 permit ip 172.18.0.0 0.0.255.255 172.19.0.0 0.0.255.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

Router B

Current configuration : 1255 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SV3-15
!
boot-start-marker
boot-end-marker
!
!
memory-size iomem 15
no aaa new-model
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!

!--- These are the IKE parameters.

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.5.76.58
!

!--- These are the IPSec parameters.

crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
set peer 10.5.76.58
set transform-set myset1

!--- Encrypt traffic to the other side.

match address 100
!
!
interface FastEthernet0/0
ip address 172.16.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
description Interface to Internet
ip address 10.5.76.57 255.255.0.0
ip nat outside
crypto map mymap
!

!--- This is the NAT translation: the local 172.16.0.0/16 is presented to the tunnel as 172.19.0.0/16.

ip nat inside source static network 172.16.0.0 172.19.0.0 /16 no-alias
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!

!--- Encrypt traffic to the other side.

access-list 100 permit ip 172.19.0.0 0.0.255.255 172.18.0.0 0.0.255.255
!
!
line con 0
line aux 0
line vty 0 4
!
!
!
end
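The design works only if a handful of facts agree across the two routers: each side maps the shared 172.16.0.0/16 onto a distinct translated range, the crypto access list matches the translated (post-NAT) addresses, since IOS translates inside-to-outside traffic before it evaluates the crypto map, and the peer addresses and pre-shared keys line up. The following Python checker is an added example, not part of the original post or of Cisco's documentation; it parses the relevant lines of both configurations (excerpted from above) and reports any rule that is violated.

```python
import ipaddress
import re

# Crypto and NAT lines of Router A and Router B, excerpted from the configs above.
ROUTER_A = """
crypto isakmp key cisco123 address 10.5.76.57
set peer 10.5.76.57
ip nat inside source static network 172.16.0.0 172.18.0.0 /16 no-alias
access-list 100 permit ip 172.18.0.0 0.0.255.255 172.19.0.0 0.0.255.255
"""
ROUTER_B = """
crypto isakmp key cisco123 address 10.5.76.58
set peer 10.5.76.58
ip nat inside source static network 172.16.0.0 172.19.0.0 /16 no-alias
access-list 100 permit ip 172.19.0.0 0.0.255.255 172.18.0.0 0.0.255.255
"""

def parse(cfg):
    """Extract the facts the design depends on from one IOS config."""
    nat = re.search(r"ip nat inside source static network (\S+) (\S+) /(\d+)", cfg)
    acl = re.search(r"access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    key = re.search(r"crypto isakmp key (\S+) address (\S+)", cfg)
    peer = re.search(r"set peer (\S+)", cfg)
    return {
        "real": ipaddress.ip_network(f"{nat[1]}/{nat[3]}"),
        "mapped": ipaddress.ip_network(f"{nat[2]}/{nat[3]}"),
        # ipaddress accepts the ACL's inverted (wildcard) mask as a hostmask
        "acl_src": ipaddress.ip_network(f"{acl[1]}/{acl[2]}"),
        "acl_dst": ipaddress.ip_network(f"{acl[3]}/{acl[4]}"),
        "psk": key[1],
        "key_peer": key[2],
        "peer": peer[1],
    }

def check_side(local, remote):
    """Return the design rules this side violates; an empty list means OK."""
    rules = [
        (local["mapped"].overlaps(local["real"]), "translated range overlaps the real LAN"),
        (local["mapped"].overlaps(remote["mapped"]), "translated ranges of the two sites overlap"),
        (local["acl_src"] != local["mapped"], "crypto ACL source is not the local translated range"),
        (local["acl_dst"] != remote["mapped"], "crypto ACL destination is not the peer's translated range"),
        (local["peer"] != local["key_peer"], "set peer and isakmp key address disagree"),
        (local["psk"] != remote["psk"], "pre-shared keys differ"),
    ]
    return [msg for bad, msg in rules if bad]

def check_design(cfg_a, cfg_b):
    a, b = parse(cfg_a), parse(cfg_b)
    return {"A": check_side(a, b), "B": check_side(b, a)}
```

Running `check_design(ROUTER_A, ROUTER_B)` on the two configurations above returns empty lists for both sides; changing Router B's translated range to 172.18.0.0 makes the overlap and the ACL mismatch show up immediately.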
