How do I set up a VPN?
#1
Hi, I would like to set up VPN connectivity between 2 offices. We already have a 1841 and 2 or 3 877 routers with us. We are planning to use the 1841 in the main office with a Diginet connection having static IPs and the 877 routers at remote offices having ADSL links.
Kindly suggest what configuration I need to do at both ends.
#2
Plenty of info out there regarding VPNs if you just take the time and look.
#3
The title has been changed. Next time please choose a better title as per the rules, thanks.
__________________
** Remember to give credit where credit is due and leave reputation points where appropriate **
Last edited by Wired; 11th April 2012 at 09:27.
#4
You can do L2L tunnels if you want for each remote site. Another option would be DMVPN. This is more of a hub and spoke topology. With DMVPN most of the time you will run a dynamic routing protocol between hub and spokes. Use a multipoint GRE interface on the hub. If you want spoke to spoke dynamic tunnels then it's multipoint GRE all the way around. Lots of options.

Configuration depends on what type you want to go with. For L2L static tunnels this will do:

```
! ISAKMP policy
crypto isakmp policy 10
 authentication pre-share
 hash sha
 encryption aes
 group 5
! Pre-shared key; X.X.X.X is the remote site IP
crypto isakmp key cisco address X.X.X.X
! Transform set
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
! Crypto map; the peer is the remote site IP address
crypto map MYMAP 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TSET
 match address 100
! Crypto ACL for interesting traffic
access-list 100 permit ip X.X.X.X Y.Y.Y.Y X.X.X.X Y.Y.Y.Y
int fa0/0
 crypto map MYMAP
```

Could also do VTI based VPNs which will give you a routable tunnel interface for QoS, policy etc. Don't forget to add a no-NAT rule so VPN traffic doesn't get NATted.

```
! Traffic not to be NATted
access-list 101 deny ip X.X.X.X Y.Y.Y.Y X.X.X.X Y.Y.Y.Y
! Traffic to be NATted (can get more specific here if need be)
access-list 101 permit ip any any
route-map NO_NAT permit 10
 match ip address 101
! Assuming you're using PAT on the outside interface
ip nat inside source route-map NO_NAT interface fa0/0 overload
```

Last edited by auglan; 11th April 2012 at 18:55.
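An added example, not part of auglan's post: a Python check that reads a router config and reports any flow permitted by the crypto ACL that the NAT ACL would translate before exempting it, which is the no-NAT mistake the post warns about. It assumes running-config layout (indented sub-commands), numbered extended ACLs and contiguous wildcard masks; the function names and the sample subnets are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in running-config layout; the subnets are placeholders.
SAMPLE = """\
crypto map MYMAP 10 ipsec-isakmp
 match address 100
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 deny ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 101 permit ip any any
route-map NO_NAT permit 10
 match ip address 101
ip nat inside source route-map NO_NAT interface fa0/0 overload
"""

def spec(tokens):
    """Pop one address spec (any | host A | A WILDCARD); contiguous wildcards only."""
    first = tokens.pop(0)
    if first in ("any", "host"):
        return ipaddress.IPv4Network("0.0.0.0/0" if first == "any" else tokens.pop(0))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return ipaddress.IPv4Network((first, 32 - wildcard.bit_length()), strict=False)

def acl(config, number):
    """Entries of a numbered extended IP ACL, in order: (action, src, dst)."""
    entries = []
    for m in re.finditer(rf"^access-list {number} (permit|deny) ip (.+)$", config, re.M):
        tokens = m.group(2).split()
        entries.append((m.group(1), spec(tokens), spec(tokens)))
    return entries

def nat_acl_numbers(config):
    """ACL numbers matched by the route-map that 'ip nat inside source' names."""
    numbers = []
    for name in re.findall(r"^ip nat inside source route-map (\S+)", config, re.M):
        pattern = rf"^route-map {re.escape(name)} permit \d+\n((?:[ \t]+.*\n)*)"
        numbers += re.findall(r"match ip address (\d+)", "".join(re.findall(pattern, config, re.M)))
    return numbers

def natted_vpn_flows(config):
    """Crypto-ACL permits whose first fully covering NAT-ACL entry is a permit."""
    crypto_nums = re.findall(r"^[ \t]+match address (\d+)", config, re.M)
    nat = [e for n in nat_acl_numbers(config) for e in acl(config, n)]
    findings = []
    for action, src, dst in (e for n in crypto_nums for e in acl(config, n)):
        hit = next((a for a, s, d in nat if src.subnet_of(s) and dst.subnet_of(d)), None)
        if action == "permit" and hit == "permit":
            findings.append(f"{src} -> {dst}")
    return findings
```

An empty list from `natted_vpn_flows` means every interesting-traffic flow reaches a deny (or no entry at all) in the NAT ACL before any permit; a deny placed after `permit ip any any` is reported because ACLs are evaluated top-down.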