Document ID: 4179
Cisco has announced the end of sales for the Cisco VPN 5000 Series Concentrators. For more information, please see the End-of-Sales Announcement.
Contents
Introduction
Prerequisites
Requirements
Components Used
Conventions
Configure
Network Diagram
Configurations
Verify
Troubleshoot
Troubleshooting Commands
Related Information
Introduction
This document gives an overview of the configuration required to establish an IPSec LAN-to-LAN tunnel routing Internetwork Packet Exchange (IPX) between two Cisco VPN 5000 Series Concentrators. For information about how to establish basic connectivity, or for a reference on configuration syntax, refer to the VPN 5000 Concentrator documentation. IPX network connectivity was tested with routers running IPX on the local networks.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco VPN 5000 Concentrator software version 5.2.19US
- VPN 5001 Concentrator
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
For more information on document conventions, refer to Cisco Technical Tips Conventions.
Configure
In this section, you are presented with the information to configure the features described in this document.
Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).
Network Diagram
This document uses the network setup shown in this diagram.
Configurations
This document uses the configurations shown here.
VPN Concentrator 5001A

```
[ IP Ethernet 0 ]
Mode = Routed
SubnetMask = 255.255.255.0
IPAddress = 10.1.1.1

[ IP Ethernet 1 ]
Mode = Routed
SubnetMask = 255.255.255.0
IPAddress = 100.1.1.1

[ IP Static ]
0.0.0.0 0.0.0.0 100.1.1.2 1 redist=none
20.0.0.0 255.0.0.0 vpn 1 1 redist=none

[ Logging ]
Level = 7
Enabled = On

[ General ]
VPNGateway = 100.1.1.2
EnablePassword =
Password =
DeviceName = "VPN5001A"
EthernetAddress = 00:00:a5:f0:c9:00
DeviceType = VPN 5001 Concentrator
ConfiguredOn = Timeserver not configured
ConfiguredFrom = Command Line, from Console

[ Tunnel Partner VPN 1 ]
Transform = esp(md5,des)
Peer = "20.0.0.0/8"
BindTo = "ethernet1"
LocalAccess = "10.0.0.0/8"
Partner = 200.1.1.1
Mode = Aggressive
KeyManage = Auto

[ IP VPN 1 ]
Numbered = Off
Mode = Routed

[ IPX Ethernet 0 ]
FrameTypeIINet = aa
SapTimer = 60
RipTimer = 60
FrameSNAP = Off
Frame8022 = Off
FrameRaw = Off
FrameTypeII = Seed
Mode = Routed

[ IPX VPN 1 ]
Net = aa
Mode = Routed

[ IKE Policy ]
Protection = MD5_DES_G1

Configuration size is 1544 out of 65500 bytes.
VPN5001A#
```
VPN Concentrator 5001B

```
[ General ]
EthernetAddress = 00:02:4b:9c:ba:80
VPNGateway = 200.1.1.2
DeviceType = VPN 5001 Concentrator
ConfiguredOn = Timeserver not configured
ConfiguredFrom = Command Line, from Console
Password =
DeviceName = "VPN5001B"

[ IP Ethernet 1 ]
Mode = Routed
SubnetMask = 255.255.255.0
IPAddress = 200.1.1.1

[ IP Ethernet 0 ]
Mode = Routed
SubnetMask = 255.255.255.0
IPAddress = 20.1.1.1

[ IP Static ]
0.0.0.0 0.0.0.0 200.1.1.2 1 redist=none
10.0.0.0 255.0.0.0 vpn 1 1 redist=none

[ Tunnel Partner VPN 1 ]
Transform = esp(md5,des)
Peer = "10.0.0.0/8"
BindTo = "ethernet1"
LocalAccess = "20.0.0.0/8"
Partner = 100.1.1.1
Mode = Aggressive
KeyManage = Auto

[ IP VPN 1 ]
Numbered = Off
Mode = Routed

[ IPX Ethernet 0 ]
FrameTypeIINet = bb
SapTimer = 60
RipTimer = 60
FrameSNAP = Off
Frame8022 = Off
FrameRaw = Off
FrameTypeII = Seed
Mode = Routed

[ IPX VPN 1 ]
Net = bb
Mode = Routed

[ IKE Policy ]
Protection = MD5_DES_G1

Configuration size is 1446 out of 65500 bytes.
```
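A consistency check for the two configurations above, as an added example (not Cisco's code and not part of the original document): it parses the section and key/value text, verifies that each side's Partner and Peer mirror the other side's bound interface address and LocalAccess, and lists the weak settings both samples use (DES, MD5, Diffie-Hellman group 1, IKE aggressive mode). The function names, the mirror rules (inferred from the two samples) and the assumption that BindTo names an Ethernet interface belong to this example.

```python
import re

def parse_config(text):
    """Parse '[ Section ]' / 'Key = Value' lines into {section: {key: value}}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        head = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if head:
            current = sections.setdefault(head.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections

WEAK = {"des": "56-bit DES", "md5": "MD5", "g1": "768-bit DH group 1",
        "aggressive": "IKE aggressive mode"}

def audit_pair(a, b, tunnel="Tunnel Partner VPN 1"):
    """Findings for two parsed peers: mirror mismatches, then weak settings read from side A."""
    out = []
    for me, peer, tag in ((a, b, "A"), (b, a, "B")):
        unit = re.search(r"\d+$", peer[tunnel]["BindTo"]).group()  # "ethernet1" -> "1"
        if me[tunnel]["Partner"] != peer[f"IP Ethernet {unit}"]["IPAddress"]:
            out.append(f"{tag}: Partner is not the peer's BindTo address")
        if me[tunnel]["Peer"] != peer[tunnel]["LocalAccess"]:
            out.append(f"{tag}: Peer does not match the peer's LocalAccess")
    for sec, key in ((tunnel, "Transform"), ("IKE Policy", "Protection")):
        if a[sec][key] != b[sec][key]:
            out.append(f"{key} differs between peers")
    text = " ".join((a[tunnel]["Transform"], a["IKE Policy"]["Protection"], a[tunnel]["Mode"]))
    tokens = dict.fromkeys(re.findall(r"[a-z0-9]+", text.lower()))
    return out + [f"weak setting: {WEAK[t]}" for t in tokens if t in WEAK]

# Excerpt of the page's two configurations, reduced to the keys the checks read.
TEMPLATE = """[ IP Ethernet 1 ]
IPAddress = {ip}
[ Tunnel Partner VPN 1 ]
Transform = esp(md5,des)
Peer = "{peer}"
BindTo = "ethernet1"
LocalAccess = "{local}"
Partner = {partner}
Mode = Aggressive
[ IKE Policy ]
Protection = MD5_DES_G1
"""
CFG_A = TEMPLATE.format(ip="100.1.1.1", peer="20.0.0.0/8", local="10.0.0.0/8", partner="200.1.1.1")
CFG_B = TEMPLATE.format(ip="200.1.1.1", peer="10.0.0.0/8", local="20.0.0.0/8", partner="100.1.1.9"[:-1] + "1")
print("\n".join(audit_pair(parse_config(CFG_A), parse_config(CFG_B))))
```

For the page's configurations the two sides mirror each other, so the only findings are the four weak settings.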
Verify
This section provides information you can use to confirm your configuration is working properly.
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
- show vpn partners—Shows this information:
  - VPN port number to which the peer is connected.
  - The tunnel peer's IP address.
  - The UDP port for the connection.
  - Whether the tunnel peer is connected to this VPN Concentrator's Tunnel Partner Default section instead of a specific Tunnel Partner section.
  - The IP address used as the local endpoint of the tunnel.
  - The duration of time that the partners have been connected.
- show vpn statistics verbose—Shows this information for users and Partners and the total for both:
  - Current active connections.
  - Currently negotiating connections.
  - The highest number of concurrent active connections since the last reboot.
  - The total number of successful connections since the last reboot.
  - The number of tunnel starts.
  - The number of tunnels for which there were no errors.
  - The number of tunnels with errors.
- show ipx routing—Shows the routing table in two sections. The first section is the network information for the directly-connected routes. The second section shows the dynamic routes obtained through IPX Routing Information Protocol (RIP) packets on the directly-connected networks.
- show ipx servers—Shows the information in the Service Advertising Protocol (SAP) table, which is explained in this table:

| Field | Description |
|---|---|
| Type | The server type. |
| Name | The server name. |
| Net Address | The IPX address (net - node) of the server. |
| Port | The port or socket number where the server is listening. |
| Hops | The number of hops away that the server is from this device. Values are between 1 and 16. If the hop count is 16, the server has timed out and is purged from the table. |
| TTL | The Time to Live (TTL) for the service in seconds. A value of 999 means that the timeout is infinite and the service never times out. |
| Iface | The interface through which information about the service is received. The interface where the service is located is also identified. |

- show ipx runtime—Displays command runtime IPX parameters.
- show system information—Displays information such as software version, hardware (memory, and so forth), last configuration date, MAC addressing, uptime, and so on. Refer to the Cisco VPN 5000 Series Concentrator Software show Command Reference for further information.
This is sample command output of the show vpn statistics verbose command.
```
VPN5001B#show vpn statistics verbose

           Current  In      High    Running  Tunnel  Tunnel  Tunnel
           Active   Negot   Water   Total    Starts  OK      Error
--------------------------------------------------------------
Users      0        0       0       0        0       0       0
Partners   1        0       1       1        0       0       0
Total      1        0       1       1        0       0       0

Stats           VPN1
Wrapped         13241
Unwrapped       13241
BadEncap        0
BadAuth         0
BadEncrypt      0
rx IP           6789
rx IPX          6452
rx Apple        0
rx Other        0
tx IP           7931
tx IPX          5309
tx Apple        0
tx Other        0
IKE rekey       0

Input VPN pkts dropped due to no SA: 0

Input VPN pkts dropped due to no free queue entries: 0

ISAKMP Negotiation stats
Admin packets in          0
Fastswitch packets in     0
No cookie found           0
Can't insert cookie       0
Inserted cookie(L)        0
Inserted cookie(R)        0
Cookie not inserted(L)    0
Cookie not inserted(R)    0
Cookie conn changed       0
Cookie already inserted   0
Deleted cookie(L)         0
Deleted cookie(R)         0
Cookie not deleted(L)     0
Cookie not deleted(R)     0
Forwarded to RP           0
Forwarded to IOP          0
Bad UDP checksum          0
Not fastswitched          0
Bad Initiator cookie      0
Bad Responder cookie      0
Has Responder cookie      0
No Responder cookie       0
No SA                     0
Bad find conn             0
Admin queue full          0
Priority queue full       0
Bad IKE packet            0
No memory                 0
Bad Admin Put             0
IKE pkt dropped           0
No UDP PBuf               0
No Manager                0
Mgr w/ no cookie          0
Cookie Scavenge Add       0
Cookie Scavenge Rem       0
Cookie Scavenged          0
Cookie has mgr err        0
New conn limited          0
VPN5001B#
```
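A monitoring check over the per-tunnel counters in this output, as an added example (not Cisco's code and not part of the original document): it parses the Stats block and flags non-zero BadEncap, BadAuth and BadEncrypt counters, plus any tunnel that is not passing IPX in both directions. It assumes, from the counter names alone, that the Bad* counters count packets rejected by the tunnel, and that the block carries one column per VPN port when several are configured; the function names and the line layout of the sample belong to this example.

```python
ERROR_COUNTERS = ("BadEncap", "BadAuth", "BadEncrypt")

def parse_vpn_stats(output):
    """Return {vpn: {counter: int}} from the 'Stats VPNn ...' block of the output."""
    stats, ports = {}, []
    for line in output.splitlines():
        fields = line.split()
        if fields[:1] == ["Stats"]:
            ports = fields[1:]                      # assumed: one column per VPN port
            stats = {port: {} for port in ports}
        elif ports:
            values = fields[-len(ports):]
            if len(fields) <= len(ports) or not all(v.isdigit() for v in values):
                break                               # blank or non-counter line ends the block
            label = " ".join(fields[:-len(ports)])  # labels may contain spaces ("rx IPX")
            for port, value in zip(ports, values):
                stats[port][label] = int(value)
    return stats

def tunnel_findings(stats):
    """Flag non-zero error counters and tunnels without IPX in both directions."""
    findings = []
    for vpn, counters in stats.items():
        for name in ERROR_COUNTERS:
            if counters.get(name, 0) > 0:
                findings.append(f"{vpn}: {name} = {counters[name]}")
        if not (counters.get("rx IPX", 0) and counters.get("tx IPX", 0)):
            findings.append(f"{vpn}: IPX is not flowing in both directions")
    return findings

# Values from the sample output above; the line layout is reconstructed.
SAMPLE = """VPN5001B#show vpn statistics verbose
Partners   1   0   1   1   0   0   0
Stats           VPN1
Wrapped         13241
Unwrapped       13241
BadEncap        0
BadAuth         0
BadEncrypt      0
rx IP           6789
rx IPX          6452
tx IP           7931
tx IPX          5309
IKE rekey       0

ISAKMP Negotiation stats
"""
print(tunnel_findings(parse_vpn_stats(SAMPLE)) or "VPN1: no errors, IPX in both directions")
```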
This is sample command output of the show ipx routing command.
```
VPN5001B#show ipx routing

Directly Connected Routes:
Net Nmbr   Refs  Uses  Flags  Iface
bb         1     30    0      Ether0

Dynamic Routes:
Net Nmbr   Gateway          Refs  Uses  Hops  TTL  Flags  Iface
aa         bb - 100.1.1.1   1     12    1     168  0      VPN1

VPN5001B#
```
This is sample command output of the show ipx servers command.
```
VPN5001B#show ipx servers

Type  Name      Net Address            Skt  Hops  TTL  Iface
5ba   VPN5001A  aa-00:00:a5:f0:c9:00::80fc  1     120  VPN1
5ba   VPN5001B  bb-00:02:4b:9c:ba:80::80fc  0     999  Ether0

Total Novell Servers: 2

VPN5001B#
```
This is sample command output of the show system information command.
```
Software Version: VPN 5001 Concentrator V5.2.19.0001 (dballan) US SW Build Date: 12/8/00 14:25
Memory: 2048K Flash ROM, 128K CFG Flash, 65536K RAM
Last Configuration Date: none
Configuration File: none
Configuration: Running saved config, buffer unmodified
Ethernet Address: 00:00:a5:f0:c9:00
Ethernet Address: 00:00:a5:f0:c9:01
Up Time: 6 minutes 51 secs
Terminal settings: 80x24, Erase <BS>, Non-Enhanced Parser, More On
Time Server: disabled
VPN5001A#
```
This is sample command output of the show ipx runtime command.
```
VPN5001B#show ipx runtime

          Timers
Port      RIP  SAP  Frame          Seed  Net  Flags
Ether0    60   60   Ether TypeII   Seed  BB   <>
                    802.3 (RAW)    Off
                    802.2 (LLC)    Off
                    SNAP           Off
Ether1    ** Disabled **
Bridge    ** Disabled **
VPN1      60   60                        BB   <>

IPX RIP Global Filters: none
IPX SAP Global Filters: none
```
This is an example of the show ipx servers command output taken from the router.

```
2514b#show ipx servers
Codes: S - Static, P - Periodic, E - EIGRP, N - NLSP, H - Holddown, + = detail
       U - Per-user static
2 Total IPX Servers

Table ordering is based on routing and server info

   Type Name       Net     Address    Port     Route Hops Itf
P   5BA VPN5001B   BB.0002.4b9c.ba80:80FC       1/00   1  Et0
P   5BA VPN5001A   AA.0000.a5f0.c900:80FC       2/02   2  Et0
2514b#
```
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Troubleshooting Commands
Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.
Note: Before issuing debug commands, please see Important Information on Debug Commands.
- show syslog buffer—Allows you to view previously buffered events.
- vpn trace dump all—Shows information about all matching VPN connections. This includes information about:
  - The time.
  - The VPN number.
  - The real IP address of the peer.
  - The scripts that have been run.
  - In the case of an error, the routine and line number of the software code where the error occurred.
Related Information
- Cisco VPN 5000 Series Concentrators Support Page
- Cisco VPN 5000 Client Support Page
- IPSec (IP Security Protocol) Support Page
- Technical Support - Cisco Systems
| Updated: May 02, 2008 | Document ID: 4179 |
