IPSec - Lan to Lan - Nat routers - 1 Static and 1 Dynamic ip
Posted by Sharqy_5 on July 20th, 2003


I've got the following situation:
2 sites:
one site with an 826 ADSL router which gets a dynamic IP (site 1),
one site with a 1721 router (incl. ADSL and Ethernet WIC) which has a static IP (site 2).
Both routers use NAT for address translation.
I'd like to connect the sites to each other by IPsec, but can't get it
working.
In the meantime I've got a working configuration which doesn't use IPsec.
Could someone help me solve this problem?

Here is the configuration of site 2; site 1 will follow:

version 12.2
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
no service password-encryption
!
hostname Site 2
!
logging console critical
aaa new-model
!
!
aaa authentication ppp default if-needed group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
aaa session-id common
enable secret 5 xxxx.
enable password xxxx
!
username xxxx password xxxx
memory-size iomem 25
clock timezone GMT 2
ip subnet-zero
no ip source-route
!
!
no ip domain lookup
!
no ip bootp server
ip dhcp-server 192.168.5.1
vpdn enable
!
vpdn-group PPTP_WIN2KCLIENT
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
interface Loopback0
 ip address 192.168.20.1 255.255.255.0
!
interface Tunnel1
 bandwidth 512
 ip address 192.168.200.1 255.255.255.252
 ip mtu 1434
 ip tcp adjust-mss 1380
 tunnel source Ethernet0
 tunnel destination 1.1.1.1
 tunnel mode ipip
!
interface ATM0
 description Connected to ADSL
 no ip address
 no atm ilmi-keepalive
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 no fair-queue
 hold-queue 224 in
!
interface Ethernet0
 description Connected to SDSL
 ip address 3.3.3.3 255.255.255.240
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 no cdp enable
!
interface FastEthernet0
 description Connected to the internal net
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
 ip policy route-map email
 speed auto
 no cdp enable
!
interface Virtual-Template1
 description Connected to VPN users
 ip unnumbered Loopback0
 ip nat inside
 peer default ip address dhcp
 compress mppc
 ppp encrypt mppe 128
 ppp authentication ms-chap
!
interface Dialer0
 description For connection to dial ISP
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxx password xxxx
!
ip nat inside source list 101 interface Dialer0 overload
ip nat inside source list 104 interface Ethernet0 overload
ip nat inside source static tcp 192.168.5.3 25 interface Ethernet0 25
ip nat inside source static tcp 192.168.5.3 110 interface Ethernet0 110
ip nat inside source static tcp 192.168.5.3 143 interface Ethernet0 143
ip nat inside source static tcp 192.168.5.3 443 interface Ethernet0 443
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 217.166.56.97 250
ip route 1.1.1.1 255.255.255.255 3.3.3.3
ip route 192.168.6.0 255.255.255.0 192.168.200.2
no ip http server
!
!
logging facility local1
logging 192.168.5.1
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 192.168.20.0 0.0.0.255 any
access-list 198 permit tcp host 192.168.5.3 eq 143 192.168.0.0 0.0.255.255
access-list 198 permit tcp host 192.168.5.3 eq 443 192.168.0.0 0.0.255.255
access-list 198 permit tcp host 192.168.5.3 eq smtp 192.168.0.0 0.0.255.255
access-list 198 permit tcp host 192.168.5.3 eq pop3 192.168.0.0 0.0.255.255
access-list 199 permit tcp host 192.168.5.3 eq 443 any
access-list 199 permit tcp host 192.168.5.3 eq pop3 any
access-list 199 permit tcp host 192.168.5.3 eq smtp any
access-list 199 permit tcp host 192.168.5.3 eq 143 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map email permit 5
 match ip address 198
!
route-map email permit 10
 match ip address 199
 set ip next-hop 3.3.3.3
!
route-map email permit 20
 set default interface Dialer0
!
snmp-server community public RO
snmp-server enable traps tty
radius-server host 192.168.5.1 auth-port 1812 acct-port 1813
radius-server retransmit 3
radius-server key xxxx
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
 access-class 102 in
 password xxxx
!
ntp clock-period 17180048
ntp server 207.46.248.43
end

Thanks in advance,

Rene Poelman
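Editor's note and added example, not part of the original post. Two things in the posted Site 2 config bear directly on why a LAN-to-LAN IPsec attempt fails on this box. First, the working fallback, interface Tunnel1 with "tunnel mode ipip", carries the inter-site traffic across the Internet unencrypted; it solves routing, not confidentiality. Second, the NAT statements ("ip nat inside source list 101/104 ... overload") use ACLs that "permit ip 192.168.5.0 0.0.0.255 any", so the site-to-site packets get translated too: on IOS the inside-to-outside path performs NAT before the crypto map check, so those packets reach the crypto ACL with the outside interface address as their source and never match it. The usual fix is a "deny" for the LAN-to-LAN traffic at the top of the NAT ACL, ahead of the "permit ... any". With site 1 on a dynamic address, site 2 additionally needs a dynamic crypto map (with a wildcard pre-shared key or certificates), and site 1 has to be the side that initiates. The Python script below is my own illustration of the NAT-before-crypto ordering: it parses a constructed, abridged config modelled on Site 2 (ACL 110, crypto map VPN and the site 1 LAN 192.168.6.0/24 are assumptions; the post contains no crypto configuration at all) and replays one packet through NAT and then the crypto ACL, once with and once without the NAT exemption.

```python
"""Replay IOS inside-to-outside order for one packet: NAT runs first, then the
crypto map check.  A NAT ACL that permits the site-to-site flow rewrites the
source address, so the crypto ACL never matches and the packet leaves in clear."""
import ipaddress

# Constructed, abridged config modelled on the Site 2 router in the post.
# ACL 110 and crypto map VPN are hypothetical (not in the post); 192.168.6.0/24
# is assumed to be site 1's LAN, as ip route 192.168.6.0 in the post suggests.
BROKEN_CONFIG = """\
interface Ethernet0
 ip address 3.3.3.3 255.255.255.240
 ip nat outside
 crypto map VPN
!
interface FastEthernet0
 ip address 192.168.5.254 255.255.255.0
 ip nat inside
!
ip nat inside source list 104 interface Ethernet0 overload
access-list 104 permit ip 192.168.5.0 0.0.0.255 any
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 match address 110
!
"""

# Same config with the LAN-to-LAN flow exempted from NAT.  The deny has to sit
# above the permit because ACL evaluation stops at the first matching entry.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "access-list 104 permit ip 192.168.5.0 0.0.0.255 any",
    "access-list 104 deny ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255\n"
    "access-list 104 permit ip 192.168.5.0 0.0.0.255 any",
)

ANY = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))


def _addr_spec(tokens, i):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (ipaddress.IPv4Address(tokens[i + 1]), ipaddress.IPv4Address("0.0.0.0")), i + 2
    return (ipaddress.IPv4Address(tokens[i]), ipaddress.IPv4Address(tokens[i + 1])), i + 2


def _in_spec(ip, spec):
    """Wildcard-mask match: bits set in the wildcard are don't-care bits."""
    net, wild = spec
    return (int(ip) | int(wild)) == (int(net) | int(wild))


def parse_config(text):
    """Pull out the pieces that matter here: numbered IP ACLs, NAT overload
    statements, interface addresses/crypto maps and each map's crypto ACL."""
    cfg = {"acls": {}, "nat": {}, "interfaces": {}, "crypto_acls": {}}
    block = None  # ("interface", name) or ("cmap", name) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):
            if block:
                kind, name = block
                sub = line.split()
                if kind == "interface" and sub[:2] == ["ip", "address"]:
                    cfg["interfaces"][name]["ip"] = ipaddress.IPv4Address(sub[2])
                elif kind == "interface" and sub[:2] == ["crypto", "map"]:
                    cfg["interfaces"][name]["crypto_map"] = sub[2]
                elif kind == "cmap" and sub[:2] == ["match", "address"]:
                    cfg["crypto_acls"][name] = int(sub[2])
            continue
        block = None  # any non-indented line (including "!") ends the block
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "interface":
            block = ("interface", tok[1])
            cfg["interfaces"].setdefault(tok[1], {})
        elif tok[:2] == ["crypto", "map"] and tok[-1] == "ipsec-isakmp":
            block = ("cmap", tok[2])
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny") and tok[3] == "ip":
            src, i = _addr_spec(tok, 4)
            dst, _ = _addr_spec(tok, i)
            cfg["acls"].setdefault(int(tok[1]), []).append((tok[2], src, dst))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            # ip nat inside source list <acl> interface <if> overload
            cfg["nat"][tok[7]] = int(tok[5])
    return cfg


def acl_action(entries, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, sspec, dspec in entries:
        if _in_spec(src, sspec) and _in_spec(dst, dspec):
            return action
    return "deny"


def egress(config_text, src, dst, out_if):
    """Model the inside-to-outside order on IOS for one packet:
    1. NAT overload: if the NAT ACL permits the flow, the source becomes the
       outside interface address;
    2. crypto map: the *translated* packet is tested against the crypto ACL.
    Returns the source seen on the wire and whether the packet was encrypted."""
    cfg = parse_config(config_text)
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    intf = cfg["interfaces"][out_if]
    on_wire = src
    nat_acl = cfg["nat"].get(out_if)
    if nat_acl is not None and acl_action(cfg["acls"].get(nat_acl, []), src, dst) == "permit":
        on_wire = intf["ip"]
    encrypted = False
    cmap = intf.get("crypto_map")
    if cmap is not None:
        entries = cfg["acls"].get(cfg["crypto_acls"].get(cmap), [])
        encrypted = acl_action(entries, on_wire, dst) == "permit"
    return {"src_on_wire": str(on_wire), "encrypted": encrypted}


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, egress(text, "192.168.5.10", "192.168.6.10", "Ethernet0"))
```

One practical caveat when applying the fix on IOS 12.2: numbered ACLs append new entries at the end, so the deny cannot just be typed in; remove the ACL with "no access-list 104", then re-enter it with the deny first, for whichever NAT ACL belongs to the interface the crypto map is applied to. Independently of the tunnel, the posted config also leaves the default SNMP community ("snmp-server community public RO") and "no service password-encryption" in place; both are worth changing.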


