ProTech's home page

ProTech-Online.com

This is an example of a running configuration for a 1811 IPSEC VPN spoke with IP SLA to keep routing working for remote networks.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PARouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
no logging console
enable secret 5 ***************************
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone EST -5
!
crypto pki trustpoint TP-self-signed-145767206
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-145767206
 revocation-check none
 rsakeypair TP-self-signed-145767206
!
!
crypto pki certificate chain TP-self-signed-145767206
 certificate self-signed 01
 **********************************
     quit
no dot11 syslog
!
dot11 ssid my_network_PA
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 my_wifi_password
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.250.1 192.168.250.10
!
ip dhcp pool vpa_dhcp
   import all
   network 192.168.250.0 255.255.255.0
   dns-server 192.168.100.7 192.168.100.9
   default-router 192.168.250.1
   netbios-name-server 192.168.100.7
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name my_network.biz
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username ********** privilege 15 secret 5 *****************
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 300
crypto isakmp key my-vpn-password address hub_public_ip_address_isp1 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map rtp 1 ipsec-isakmp
 set peer hub_public_ip_address_isp1
 set transform-set ESP-3DES-SHA
 match address 110
!
archive
 log config
  hidekeys
!
!
bridge irb
!
!
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid my_network_PA
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 encryption mode ciphers aes-ccm
 !
 ssid my_network_PA
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface FastEthernet0
 ip address spoke_public_ipaddress 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map rtp
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
interface BVI1
 ip address 192.168.250.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 isp_gateway_ip_address
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map NAT interface FastEthernet0 overload
!
ip sla 10
 icmp-echo 192.168.160.1 source-ip 192.168.250.1
 frequency 1800
ip sla schedule 10 life forever start-time now
no logging trap
access-list 110 permit ip 192.168.250.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.250.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 115 deny   ip 192.168.250.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 deny   ip 192.168.250.0 0.0.0.255 192.168.160.0 0.0.0.255
access-list 115 permit ip 192.168.250.0 0.0.0.255 any
no cdp run
!
!
!
!
route-map NAT permit 10
 match ip address 115
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 0 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 transport input telnet ssh
!
end


Copyright © 2013 ProTechs-Online.com; All rights reserved.