Anybody has an example of a remote access VPN config using an IOS router?

Discussion in 'Cisco' started by Eric Berthiaume, Apr 27, 2004.

  1. I have searched Cisco support for days now and can't get a decent
    example of the proper way to do it.

    I can get it to work on a LAN, but as soon as I use public addresses it
    doesn't work.

    Also, does anybody have some howtos, books, links, or examples of best
    practices for VPN configurations, especially regarding multiple users?

    Thanks for your help.

    Eric
    Eric Berthiaume, Apr 27, 2004
    #1

  2. (Eric Berthiaume) wrote in message news:<>...

    We have a 1710 router acting as a VPN Server (as a proof-of-concept
    setup prior to installing a VPN Concentrator). I wouldn't like to
    claim that this is the "proper" way to do it, but it works.

    The Ethernet0 port is effectively connected directly to the Internet.

    Config looks like this:-

    <SNIP>
    !
    logging buffered 4096 debugging
    aaa new-model
    !
    !
    aaa authorization network vpn-clientgroup local
    aaa session-id common
    !
    <SNIP>
    !
    ip subnet-zero
    !
    !
    no ip domain-lookup
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    ! IKE phase 1 policy: 3DES, pre-shared key authentication, DH group 2
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    ! Global address pool handed to IKE mode-config clients
    crypto isakmp client configuration address-pool local dynpool
    !
    ! Client group: the VPN client sends this group name as its IKE identity
    ! (aggressive mode); the group key, pool and split-tunnel ACL are pushed
    ! to the client through mode-config
    crypto isakmp client configuration group vpn-clientgroup
    key *REMOVED*
    pool dynpool
    acl 111
    !
    !
    ! IPsec phase 2: ESP with 3DES encryption and SHA-1 integrity
    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
    !
    ! Dynamic map: the remote peer address is unknown, so no "set peer"
    ! or "match address" is configured here
    crypto dynamic-map dynmap 1
    set transform-set transform-1
    !
    !
    ! Group authorization through the AAA network list of the same name
    ! (see "aaa authorization network vpn-clientgroup local" above),
    ! mode-config on request, and the dynamic map bound into the static map
    crypto map dynmap isakmp authorization list vpn-clientgroup
    crypto map dynmap client configuration address respond
    crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface Loopback0
    description Management Loopback address
    ip address *REMOVED*
    !
    interface Ethernet0
    ip address *PUBLIC ADDRESS REMOVED*
    half-duplex
    crypto map dynmap
    !
    interface FastEthernet0
    ip address *PRIVATE ADDRESS REMOVED*
    speed 100
    !
    ip local pool dynpool *ADDRESS RANGE REMOVED*
    ip default-gateway *PUBLIC ADDRESS REMOVED*
    ip classless
    ip route 0.0.0.0 0.0.0.0 *PUBLIC ADDRESS REMOVED*
    ip route 10.0.0.0 255.0.0.0 *PRIVATE ADDRESS REMOVED*
    ip route *REMOVED*
    no ip http server
    ip pim bidir-enable
    !
    !
    logging trap debugging
    logging source-interface FastEthernet0
    logging *REMOVED*
    access-list 111 permit ip *REMOVED* *REMOVED*
    access-list 111 permit ip *REMOVED* *REMOVED*
    no cdp run
    !
    <SNIP>

    Hope that's of some help.

    Pete
    Pete Mainwaring, Apr 28, 2004
    #2

  3. Thanks for the reply.

    As I look at your config, mine looks exactly like yours ... my error was an
    incorrect route in the router AND in the internal firewall. Now it
    works ...

    My follow up question is ... what do you guys do for multiple users or
    groups?

    Here are my configs. I want to know if this is good practice or whether
    there is a cleaner way to do it ... thanks .. Eric

    ! IKE phase 1 policy, with DPD keepalives (60 s interval, 20 s retry)
    ! and a 30 s Xauth response timeout
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp keepalive 60 20
    crypto isakmp xauth timeout 30

    !
    ! One client configuration group per user community. The router selects
    ! the group from the group name the client sends as its IKE identity, so
    ! each group can carry its own pre-shared key, pool and split-tunnel ACL
    ! while all of them share a single crypto map.
    crypto isakmp client configuration group VPNUSRG1
    key xxxxxx
    pool IPPOOL1
    acl 150
    !
    crypto isakmp client configuration group VPNUSRG0
    key xxxxxx
    pool IPPOOL0
    acl 101
    !
    crypto isakmp client configuration group VPNUSRG2
    key xxxxxx
    pool IPPOOL2
    acl 150
    !
    crypto isakmp client configuration group VPNUSRG3
    key xxxxxx
    pool IPPOOL3
    acl 150
    !
    crypto isakmp client configuration group VPNUSRG4
    key xxxxxx
    pool IPPOOL4
    acl 101
    !
    !
    crypto ipsec transform-set TRFMSET1 esp-3des esp-sha-hmac
    !
    ! This IPsec profile is consumed by "tunnel protection ipsec profile" on
    ! a tunnel or virtual-template interface; nothing in this crypto-map
    ! based configuration references it.
    crypto ipsec profile IPSECPROFILE1
    set transform-set TRFMSET1
    !
    !
    crypto dynamic-map DYNMAP1 1
    set security-association lifetime seconds 86400
    set transform-set TRFMSET1
    !
    !
    ! The authorization list names an AAA "authorization network" list,
    ! not a client group; GLOBALVPN1 must exist under "aaa authorization".
    crypto map DYNMAP1 isakmp authorization list GLOBALVPN1
    crypto map DYNMAP1 client configuration address respond
    crypto map DYNMAP1 10 ipsec-isakmp dynamic DYNMAP1
    !
    ! Only one crypto map can be applied to an interface, so MAP0-MAP4
    ! take effect only if each is bound to a separate interface; all of
    ! them reference the same dynamic map as DYNMAP1 above.
    crypto map MAP0 isakmp authorization list VPNUSRG0
    crypto map MAP0 20 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP1 isakmp authorization list VPNUSRG1
    crypto map MAP1 30 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP2 isakmp authorization list VPNUSRG2
    crypto map MAP2 40 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP3 isakmp authorization list VPNUSRG3
    crypto map MAP3 50 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP4 isakmp authorization list VPNUSRG4
    crypto map MAP4 60 ipsec-isakmp dynamic DYNMAP1
    !

    Eric Berthiaume, Apr 29, 2004
    #3
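    The configuration below is an added example written for this page; it is
    not Pete's or Eric's config. It shows one way to serve several user groups
    from a single crypto map, which is the cleaner layout Eric asks about: the
    router picks the group from the group name the client sends as its IKE
    identity, each group carries its own pre-shared key, address pool and
    split-tunnel ACL, and Xauth adds a per-user login on top of the shared
    group key. Every name, address, username and key in it is made up, and AES
    is assumed to be available on the router's IOS image (substitute 3des on
    images that lack it).

```cisco
! --- AAA: Xauth logins and group authorization both come from the local database
! (list names VPN-XAUTH / VPN-GROUPS and the users are example values)
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUPS local
username alice secret Alice-Example-Pw1
username bob secret Bob-Example-Pw1
!
! --- IKE phase 1, shared by every group
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp keepalive 60 20
crypto isakmp xauth timeout 30
!
! --- One client group per user community. The group name is what the client
!     sends as its IKE identity, so no additional crypto maps are needed.
!     Group keys are example values; every member of a group shares its key,
!     so the per-user Xauth login is what identifies the individual.
crypto isakmp client configuration group ENGINEERING
 key Eng-Example-GroupKey
 dns 10.1.1.10
 domain example.com
 pool POOL-ENG
 acl 150
crypto isakmp client configuration group FINANCE
 key Fin-Example-GroupKey
 dns 10.1.1.10
 domain example.com
 pool POOL-FIN
 acl 151
!
! --- IPsec phase 2 and a dynamic map for peers whose address is unknown;
!     reverse-route installs a host route for each connected client
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto dynamic-map DYN-RA 10
 set transform-set TS-AES
 reverse-route
!
! --- A single static crypto map: Xauth list, group authorization list,
!     mode-config on request, and the dynamic map bound in at sequence 10
crypto map RA-VPN client authentication list VPN-XAUTH
crypto map RA-VPN isakmp authorization list VPN-GROUPS
crypto map RA-VPN client configuration address respond
crypto map RA-VPN 10 ipsec-isakmp dynamic DYN-RA
!
! --- Apply the map to the Internet-facing interface only (address is an example)
interface Ethernet0
 description Internet
 ip address 198.51.100.2 255.255.255.0
 crypto map RA-VPN
!
! --- Per-group address pools (example ranges)
ip local pool POOL-ENG 10.200.1.1 10.200.1.254
ip local pool POOL-FIN 10.200.2.1 10.200.2.254
!
! --- Split-tunnel ACLs: source = internal networks the group may reach,
!     destination = that group's pool; only this traffic is tunnelled
access-list 150 permit ip 10.1.0.0 0.0.255.255 10.200.1.0 0.0.0.255
access-list 151 permit ip 10.2.0.0 0.0.255.255 10.200.2.0 0.0.0.255
```

    Two checks worth doing after pasting something like this in: the inside
    firewall and core routers still need a route for each pool range pointing
    back at the router's inside address (reverse-route only adds the routes on
    the VPN router itself), which is the same routing mistake Eric hit; and
    "show crypto isakmp sa" plus "show crypto ipsec sa" confirm whether a
    failing client got through phase 1 at all. "debug crypto isakmp" on the
    router distinguishes an unknown group name from a wrong group key or a
    failed Xauth login.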
  4. (Eric Berthiaume) wrote in message news:<>...

    At present, we only have one group of users as our set-up is still in
    the testing phase. If we had multiple user groups, I would probably
    have configured it in the same way that you have done. However, we
    will be using a VPN concentrator when our system goes live.

    Pete
    Pete Mainwaring, Apr 30, 2004
    #4
