Does anybody have an example of a remote access VPN config using an IOS router?

 
 
Eric Berthiaume
Guest
Posts: n/a
 
      04-27-2004
I have searched Cisco support for days now and can't get a decent
example of the proper way to do it.

I can get it to work on a LAN, but as soon as I use public addresses it
doesn't work.

Also, does anybody have some howtos, books, links, or examples of the best
practices for VPN configurations? Especially regarding multiple users?

Thanks for your help.

Eric
Pete Mainwaring
Guest
Posts: n/a
 
      04-28-2004
Eric Berthiaume wrote:


We have a 1710 router acting as a VPN Server (as a proof-of-concept
setup prior to installing a VPN Concentrator). I wouldn't like to
claim that this is the "proper" way to do it, but it works.

The Ethernet0 port is effectively connected directly to the Internet.

Config looks like this:

<SNIP>
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authorization network vpn-clientgroup local
aaa session-id common
!
<SNIP>
!
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group vpn-clientgroup
key *REMOVED*
pool dynpool
acl 111
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
!
!
crypto map dynmap isakmp authorization list vpn-clientgroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
description Management Loopback address
ip address *REMOVED*
!
interface Ethernet0
ip address *PUBLIC ADDRESS REMOVED*
half-duplex
crypto map dynmap
!
interface FastEthernet0
ip address *PRIVATE ADDRESS REMOVED*
speed 100
!
ip local pool dynpool *ADDRESS RANGE REMOVED*
ip default-gateway *PUBLIC ADDRESS REMOVED*
ip classless
ip route 0.0.0.0 0.0.0.0 *PUBLIC ADDRESS REMOVED*
ip route 10.0.0.0 255.0.0.0 *PRIVATE ADDRESS REMOVED*
ip route *REMOVED*
no ip http server
ip pim bidir-enable
!
!
logging trap debugging
logging source-interface FastEthernet0
logging *REMOVED*
access-list 111 permit ip *REMOVED* *REMOVED*
access-list 111 permit ip *REMOVED* *REMOVED*
no cdp run
!
<SNIP>

Hope that's of some help.

Pete
Eric Berthiaume
Guest
Posts: n/a
 
      04-29-2004
Thanks for the reply.

As I look at your config, mine looks exactly like yours ... my error was an
incorrect route in the router AND in the internal firewall. Now it
works ...

My follow-up question is ... what do you guys do for multiple users or
groups?

Here are my configs. I want to know if this is a good practice or if
there is a cleaner way to do it ... thanks .. Eric

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60 20
crypto isakmp xauth timeout 30

!
crypto isakmp client configuration group VPNUSRG1
key xxxxxx
pool IPPOOL1
acl 150
!
crypto isakmp client configuration group VPNUSRG0
key xxxxxx
pool IPPOOL0
acl 101
!
crypto isakmp client configuration group VPNUSRG2
key xxxxxx
pool IPPOOL2
acl 150
!
crypto isakmp client configuration group VPNUSRG3
key xxxxxx
pool IPPOOL3
acl 150
!
crypto isakmp client configuration group VPNUSRG4
key xxxxxx
pool IPPOOL4
acl 101
!
!
crypto ipsec transform-set TRFMSET1 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSECPROFILE1
set transform-set TRFMSET1
!
!
crypto dynamic-map DYNMAP1 1
set security-association lifetime seconds 86400
set transform-set TRFMSET1
!
!
crypto map DYNMAP1 isakmp authorization list GLOBALVPN1
crypto map DYNMAP1 client configuration address respond
crypto map DYNMAP1 10 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP0 isakmp authorization list VPNUSRG0
crypto map MAP0 20 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP1 isakmp authorization list VPNUSRG1
crypto map MAP1 30 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP2 isakmp authorization list VPNUSRG2
crypto map MAP2 40 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP3 isakmp authorization list VPNUSRG3
crypto map MAP3 50 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP4 isakmp authorization list VPNUSRG4
crypto map MAP4 60 ipsec-isakmp dynamic DYNMAP1
!

Pete Mainwaring
Guest
Posts: n/a
 
      04-30-2004
At present, we only have one group of users as our set-up is still in
the testing phase. If we had multiple user groups, I would probably
have configured it in the same way that you have done. However, we
will be using a VPN concentrator when our system goes live.

Pete
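A small config-audit script written for this thread (not code from either poster or from Cisco) that parses the kind of per-group remote-access config Eric posted and reports what a defender would check before putting it on an Internet-facing interface: legacy ISAKMP policy settings (3DES, DH group 2), a group whose split-tunnel ACL is never defined, and, as a caveat of my own rather than the thread's, sibling crypto maps that cannot all be in use because IOS accepts one crypto map set per interface. The sample config is constructed to resemble the thread's, with the same placeholder keys.

```python
import re
# Constructed sample modelled on the thread's configs (not either poster's real config).
SAMPLE = """\
crypto isakmp policy 3
encr 3des
group 2
crypto isakmp client configuration group VPNUSRG0
key xxxxxx
pool IPPOOL0
acl 101
!
crypto isakmp client configuration group VPNUSRG1
key xxxxxx
pool IPPOOL1
acl 150
crypto map DYNMAP1 isakmp authorization list GLOBALVPN1
crypto map DYNMAP1 10 ipsec-isakmp dynamic DYNMAP1
crypto map MAP0 isakmp authorization list VPNUSRG0
crypto map MAP0 20 ipsec-isakmp dynamic DYNMAP1
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
"""
LEGACY = {"encr des", "encr 3des", "group 1", "group 2"}  # deprecated cipher and DH groups

def parse_groups(cfg):
    """Map each 'client configuration group' to its key/pool/acl sub-commands."""
    groups, cur = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"crypto isakmp client configuration group (\S+)$", line)
        if m:
            cur = groups.setdefault(m.group(1), {})
        elif cur is not None and line.split(" ")[0] in ("key", "pool", "acl"):
            cur[line.split(" ", 1)[0]] = line.split(" ", 1)[1]
        else:  # '!' or any other top-level command closes the group block
            cur = None
    return groups

def audit(cfg):
    """Return findings a defender would want before exposing this config to the Internet."""
    lines = [l.strip() for l in cfg.splitlines()]
    findings = [f"isakmp policy uses legacy setting '{l}'" for l in lines if l in LEGACY]
    acls = {l.split()[1] for l in lines if l.startswith("access-list ")}
    for name, g in parse_groups(cfg).items():
        if "pool" not in g:
            findings.append(f"group {name}: no address pool, clients cannot get an IP")
        if "acl" in g and g["acl"] not in acls:
            findings.append(f"group {name}: split-tunnel acl {g['acl']} is not defined")
    maps = {l.split()[2] for l in lines if l.startswith("crypto map ")}
    if len(maps) > 1:  # IOS applies one crypto map set per interface; siblings go unused
        findings.append("multiple crypto maps defined: " + ", ".join(sorted(maps)))
    return findings
```

Run `audit(open("router.cfg").read())` against a `show running-config` dump to get the findings list; an empty list means none of these checks fired.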