Newbie -- Needs help setting up a VPN on a SOHO 91

Discussion in 'Cisco' started by Garrett, Jan 5, 2004.

  1. Garrett

    Garrett Guest

    Hello!

    I am a newbie to this group, so please have patience with me!

    I am also fairly new to setting up VPNs in general. I've worked a bit with
    Cisco IOS in the past, but nothing heavy. I'm a UNIX Systems Administrator
    by day.

    I have a small Cisco SOHO 91 on which I am trying to set up an "easy vpn"
    configuration so that I can access my network remotely.

    My first question is, can the SOHO 91 do this? It does come with Easy VPN
    that is licensed for 5 users. I also have purchased the VPN Client 4.0.3.
    It seems that the SOHO 91 is pretty much the same as the 800 series.

    Right now, I can connect to my SOHO with the VPN client software, and even
    get an IP address. However, I can't ping anything. Basically, nothing is
    going over the tunnel. Looking at the statistics in the client, I'm not
    seeing any "Received Bytes" or "Decrypted Packets".

    I'm pasting my config below. It is a pretty basic config that I got from
    Cisco's website. I'm sure I messed something up!

    If anyone has a basic config, please let me know! This config was from a 1700
    series router, but it was the only thing I could find, and the only one that
    had any results that seemed like I was getting anywhere.

    Basically, all I need to do is allow me to connect with the VPN software to
    basically connect to my LAN - which seems fairly easy to me. I just need to
    access IP based resources, and possibly Samba/Windows shares. The IP of the
    Cisco is a fixed IP in a block I own.

    Here's my config.

    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    service internal
    !
    hostname testvpn
    !
    aaa new-model
    !
    !
    aaa authorization network hw-client-groupname local
    aaa session-id common
    enable password TEST
    !
    username cisco password 0 TEST
    memory-size iomem 15
    clock timezone - 0 6
    ip subnet-zero
    no ip source-route
    !
    !
    ip domain-name TEST.COM
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local dynpool
    !
    crypto isakmp client configuration group hw-client-groupname
    key hw-client-password
    dns XX.XX.XX.XX
    ! wins 30.30.30.12 30.30.30.13
    domain TEST.COM
    pool dynpool
    !
    !
    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 1
    set transform-set transform-1
    !
    !
    crypto map dynmap isakmp authorization list hw-client-groupname
    crypto map dynmap client configuration address respond
    crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    !
    !
    interface Ethernet0
    description connected to HQ LAN
    ip address 192.168.199.2 255.255.255.0
    no cdp enable
    !
    !
    interface Ethernet1
    description connected to INTERNET
    ip address XX.XX.XX.61 255.255.255.248
    no cdp enable
    crypto map dynmap
    !
    ip local pool dynpool 192.168.199.80 192.168.199.90
    ip classless
    no ip http server
    ip pim bidir-enable
    !
    !
    no cdp run
    !
    line con 0
    line aux 0
    line vty 0 4
    password TEST
    !
    end

    Thanks in advance for the help!



    Garrett
    Garrett, Jan 5, 2004
    #1
  2. Garrett

    Rik Bain Guest

    On Mon, 05 Jan 2004 08:57:23 -0600, Garrett wrote:



    >
    > Right now, I can connect to my SOHO with the VPN client software, and
    > even get an IP address. However, I can't ping anything. Basically,
    > nothing is going over the tunnel. Looking at the statistics in the
    > client, I'm not seeing any "Received Bytes" or "Decrypted Packets".
    >
    >
    >
    > Here's my config.
    >
    >

    <snip>
    >
    > crypto dynamic-map dynmap 1
    >
    > set transform-set transform-1
    >
    > !
    >

    Try:

    crypto dynamic-map dynmap 1
    reverse-route

    Since you are using addresses from the local subnet to assign to the
    clients, reverse route injection will cause the router to proxy arp for
    those addresses.


    Rik Bain
    Rik Bain, Jan 5, 2004
    #2
  3. Garrett

    Garrett Guest

    Thanks for your help Rik.

    I tried the setting you proposed and now it hangs on:

    "Securing Communications Channel"

    This is a non-production environment, and I can change anything I need.. So
    I don't mind doing anything.. Just really want to get it working.. I can
    merge it into my production environment later if/when I get it working...

    Just to clarify, I should have removed the line:

    "set transform-set transform-1 "

    Correct?

    Thanks!




    "Rik Bain" <> wrote in message
    news:p...
    > On Mon, 05 Jan 2004 08:57:23 -0600, Garrett wrote:
    >
    >
    >
    > >
    > > Right now, I can connect to my SOHO with the VPN client software, and
    > > even get an IP address. However, I can't ping anything. Basically,
    > > nothing is going over the tunnel. Looking at the statistics in the
    > > client, I'm not seeing any "Received Bytes" or "Decrypted Packets".
    > >
    > >
    > >
    > > Here's my config.
    > >
    > >

    > <snip>
    > >
    > > crypto dynamic-map dynmap 1
    > >
    > > set transform-set transform-1
    > >
    > > !
    > >

    >
    >
    > Try:
    >
    >
    > crypto dynamic-map dynmap 1
    > reverse-route
    >
    > Since you are using addresses from the local subnet to assign to the
    > clients, reverse route injection will cause the router to proxy arp for
    > those addresses.
    >
    >
    > Rik Bain
    Garrett, Jan 5, 2004
    #3
  4. Garrett

    Garrett Guest

    I also wanted to point out that I'm running IOS 12.2(8r)YN

    I just checked on the Feature Navigator on Cisco's website, and if I am
    reading it correctly, the version of IOS I have won't work?

    I have a SOHO 91. I did a search for Easy VPN Server. Looks like I might
    need to upgrade...

    Not 100% sure if I'm reading the site right.

    Garrett


    "Garrett" <> wrote in message
    news:IGgKb.51975$-kc.rr.com...
    >
    > Thanks for your help Rik.
    >
    > I tried the setting you proposed and now it hangs on:
    >
    > "Securing Communications Channel"
    >
    > This is a non-production environment, and I can change anything I need.. So
    > I don't mind doing anything.. Just really want to get it working.. I can
    > merge it into my production environment later if/when I get it working...
    >
    > Just to clarify, I should have removed the line:
    >
    > "set transform-set transform-1 "
    >
    > Correct?
    >
    > Thanks!
    >
    >
    >
    >
    > "Rik Bain" <> wrote in message
    > news:p...
    > > On Mon, 05 Jan 2004 08:57:23 -0600, Garrett wrote:
    > >
    > >
    > >
    > > >
    > > > Right now, I can connect to my SOHO with the VPN client software, and
    > > > even get an IP address. However, I can't ping anything. Basically,
    > > > nothing is going over the tunnel. Looking at the statistics in the
    > > > client, I'm not seeing any "Received Bytes" or "Decrypted Packets".
    > > >
    > > >
    > > >
    > > > Here's my config.
    > > >
    > > >

    > > <snip>
    > > >
    > > > crypto dynamic-map dynmap 1
    > > >
    > > > set transform-set transform-1
    > > >
    > > > !
    > > >

    > >
    > >
    > > Try:
    > >
    > >
    > > crypto dynamic-map dynmap 1
    > > reverse-route
    > >
    > > Since you are using addresses from the local subnet to assign to the
    > > clients, reverse route injection will cause the router to proxy arp for
    > > those addresses.
    > >
    > >
    > > Rik Bain

    >
    >
    Garrett, Jan 5, 2004
    #4
  5. Garrett

    Rik Bain Guest

    On Mon, 05 Jan 2004 10:56:08 -0600, Garrett wrote:


    > Thanks for your help Rik.
    >
    > I tried the setting you proposed and now it hangs on:
    >
    > "Securing Communications Channel"
    >
    > This is a non-production environment, and I can change anything I need..
    > So I don't mind doing anything.. Just really want to get it working.. I
    > can merge it into my production environment later if/when I get it
    > working...
    >
    > Just to clarify, I should have removed the line:
    >
    > "set transform-set transform-1 "
    >
    > Correct?
    >
    > Thanks!
    >
    >
    >


    You want to add the reverse-route, while leaving everything
    else in place. The removal of the transform-set is causing the
    connection problem that you see now. Add it back (leaving reverse-route
    in) and see if it resolves your problem.

    Rik Bain
    Rik Bain, Jan 5, 2004
    #5
  6. Garrett

    Garrett Guest

    Success! I can now ping IPs on my local LAN from the connected remote
    machine....

    However, a few things:

    1) Doing pings seems really sluggish.. They initially time out, and then
    finally resolve.
    2) My DNS Server is on a different subnet than the subnet I'm handing out
    for VPN connections. How/Where do I configure a static route to be set up on
    the remotely connecting client?
    3) It doesn't appear that I am able to connect to anything outside of my
    local network...

    I'm amazed that this is working -- since Cisco's Feature Navigator basically
    indicated that I needed to upgrade.. I just about purchased a SmartNet
    contract for this router so I could get the latest IOS!

    Thanks for your help.

    Garrett



    "Rik Bain" <> wrote in message
    news:p...
    > On Mon, 05 Jan 2004 10:56:08 -0600, Garrett wrote:
    >
    >
    > > Thanks for your help Rik.
    > >
    > > I tried the setting you proposed and now it hangs on:
    > >
    > > "Securing Communications Channel"
    > >
    > > This is a non-production environment, and I can change anything I need..
    > > So I don't mind doing anything.. Just really want to get it working.. I
    > > can merge it into my production environment later if/when I get it
    > > working...
    > >
    > > Just to clarify, I should have removed the line:
    > >
    > > "set transform-set transform-1 "
    > >
    > > Correct?
    > >
    > > Thanks!
    > >
    > >
    > >

    >
    > You want to add the reverse-route, while leaving everything
    > else in place. The removal of the transform-set is causing the
    > connection problem that you see now. Add it back (leaving reverse-route
    > in) and see if it resolves your problem.
    >
    > Rik Bain
    Garrett, Jan 5, 2004
    #6
  7. Garrett

    Rik Bain Guest

    On Mon, 05 Jan 2004 15:49:02 -0600, Garrett wrote:


    > Success! I can now ping IP's on my local lan from the connect remote
    > machine....
    >
    > However, a few things:
    >
    > 1) Doing pings seem really sluggish.. They initially time out, and
    > then finally resolve.
    > 2) My DNS Server is on a different subnet then the subnet I'm handing
    > out for VPN connections. How/Where do I configure a static route to be
    > set up the remotely connecting client?


    By default, the client should forward all packets over the tunnel. If
    you cannot reach another subnet, verify that that subnet can route to
    192.168.199.0.


    >3) It doesn't appear that I am
    > able to connect to anything outside of my localnetwork...


    Sounds like you might want to enable split-tunneling. This will send
    only the traffic you specify over the tunnel, while the rest will be sent
    out in the clear (bypassing tunnel).

    Example that will only tunnel to 192.168.199.0/24:

    !
    access-list 199 permit ip 192.168.199.0 0.0.0.255 any
    !
    crypto isakmp client configuration group hw-client-groupname
    acl 199
    !

    In any event you can add other subnets to that list, so if you had
    192.168.100.0/24 on the inside, simply add

    access-list 199 permit ip 192.168.100.0 0.0.0.255 any


    Otherwise, you will need to enable NAT on the router and configure PBR to
    bounce the incoming traffic off of an interface configured for ip nat
    inside before it gets routed back out of the WAN interface (aka NAT on a
    stick).


    >
    > I'm amazed that this is working -- since Cisco's Feature navigator
    > basically indicated that I needed to upgrade.. I just about purchased a
    > SmartNet contract for this router so I could get teh latest IOS!
    >



    The officially supported IOS for EZVPN server was 12.2(8)T IIRC, but I have
    seen it on non T train 12.2(8) code on the 800 series platform. I am too
    lazy to go find the IOS roadmap, but perhaps that code you are on is
    based on 12.2(8)T.


    > Thanks for your help.
    >
    > Garrett
    >
    Rik Bain, Jan 5, 2004
    #7
  8. Garrett

    Garrett Guest

    Wow.. What a difference.. I added the ACLs for split tunneling, and what a
    difference that made. I can access the Internet, and accessing local
    resources seems to be working a lot better too. For example, without split
    tunneling, I could bring up a webpage on a local webserver, and it would
    just hang -- never loading the rest of the page. With split tunneling,
    the page loads instantly. Not sure why it wasn't working properly without
    split tunneling.

    I still don't know why pings time out initially, and then start working..
    Probably not a big deal.

    Thanks for all your help Rik!


    "Rik Bain" <> wrote in message
    news:p...
    > On Mon, 05 Jan 2004 15:49:02 -0600, Garrett wrote:
    >
    >
    > > Success! I can now ping IP's on my local lan from the connect remote
    > > machine....
    > >
    > > However, a few things:
    > >
    > > 1) Doing pings seem really sluggish.. They initially time out, and
    > > then finally resolve.
    > > 2) My DNS Server is on a different subnet then the subnet I'm handing
    > > out for VPN connections. How/Where do I configure a static route to be
    > > set up the remotely connecting client?

    >
    > By default, the client should forward all packets over the tunnel. If
    > you cannot reach another subnet, verify that that subnet can route to
    > 192.168.199.0.
    >
    >
    > >3) It doesn't appear that I am
    > > able to connect to anything outside of my localnetwork...

    >
    > Sounds like you might want to enable split-tunneling. This will send
    > only the traffic you specify over the tunnel, while the rest will be sent
    > out in the clear (bypassing tunnel).
    >
    > Example that will only tunnel to 192.168.199.0/24
    >
    > !
    > access-list 199 permit ip 192.168.199.0 0.0.0.255 any
    > !
    > crypto isakmp client configuration group hw-client-groupname
    > acl 199
    > !
    >
    > In any event you can add other subnets to that list, so if you had
    > 192.168.100.0/24 on the inside, simple add
    >
    > access-list 199 permit ip 192.168.100.0 0.0.0.255 any
    >
    >
    > Other wise, you will need to enable NAT on the router and configure PBR to
    > bounce the incoming traffic off of an interface configured for ip nat
    > inside before it gets routed back our of the WAN interface (aka NAT on a
    > stick).
    >
    >
    > >
    > > I'm amazed that this is working -- since Cisco's Feature navigator
    > > basically indicated that I needed to upgrade.. I just about purchased a
    > > SmartNet contract for this router so I could get teh latest IOS!
    > >

    >
    >
    > The official support IOS for EZVPN server was 12.2(8)T IIRC, but I have
    > seen it on non T train 12.2(8) code on the 800 series platform. I am too
    > lazy to go find the IOS roadmap, but perhaps that code you are on is
    > based on 12.2(8)T.
    >
    >
    > > Thanks for your help.
    > >
    > > Garrett
    > >
    Garrett, Jan 5, 2004
    #8
  9. Garrett

    Garrett Guest

    I just wanted to thank Rik Bain again for all of his help on setting up my
    VPN. I just wanted to post my final working config here -- to share with
    anyone else that may need it. I've obviously omitted identifying
    information.

    This configuration allows users using the Cisco VPN Client on desktop
    computers to connect up to the SOHO 91 router and access local LAN resources
    via split tunneling. Upon connection all traffic, in the example, for
    192.168.11.X and 192.168.12.X will go over the tunnel while all other
    traffic will go out the default connection on the PC.


    Thanks!


    -----begin-my-config-------------------------------------------------------

    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    service internal
    !
    hostname testvpn
    !
    aaa new-model
    !
    !
    aaa authorization network hw-client-groupname local
    aaa session-id common
    enable password PASSWORD
    !
    username cisco password 0 PASSWORD
    memory-size iomem 15
    clock timezone - 0 6
    ip subnet-zero
    no ip source-route
    !
    !
    ip domain-name TEST.com
    !
    !
    access-list 199 permit ip 192.168.10.0 0.0.0.255 any
    access-list 199 permit ip 192.168.11.0 0.0.0.255 any
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local dynpool
    !
    !
    !
    crypto isakmp client configuration group USERID1
    key PASSWORD
    dns 192.168.12.12
    domain TEST.com
    pool dynpool
    acl 199
    !
    !
    !
    crypto isakmp client configuration group USERID2
    key PASSWORD
    dns 192.168.12.12
    domain TEST.com
    pool dynpool
    acl 199
    !
    !
    !
    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 1
    set transform-set transform-1
    reverse-route
    !
    !
    crypto map dynmap isakmp authorization list hw-client-groupname
    crypto map dynmap client configuration address respond
    crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    !
    !
    interface Ethernet0
    description connected to HQ LAN
    ip address 192.168.11.2 255.255.255.0
    no cdp enable
    !
    !
    interface Ethernet1
    description connected to INTERNET
    ip address X.X.X.61 255.255.255.248
    no cdp enable
    crypto map dynmap
    !
    ip local pool dynpool 192.168.11.80 192.168.11.90
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet1
    ip route 192.168.11.0 255.255.255.0 192.168.11.1
    no ip http server
    ip pim bidir-enable
    !
    !
    no cdp run
    !
    line con 0
    line aux 0
    line vty 0 4
    password PASSWORD
    !
    end
    Garrett, Jan 6, 2004
    #9
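The three fixes this thread converged on (keep `set transform-set` in the dynamic map, add `reverse-route` when the client pool is carved out of the LAN subnet, and reference an existing split-tunnel ACL from the client group) can be checked mechanically before a config is loaded. The script below is an added example, not Garrett's or Rik's code: it parses a cut-down copy of the final config posted above (constructed sample, indented the way IOS shows sub-commands), reports those three problems, and resolves which destinations a given split-tunnel ACL will actually send over the tunnel.

```python
import ipaddress
import re

# Constructed sample (not the router's live output): the thread's final Easy VPN
# server config cut down to the lines these checks inspect.
SAMPLE_CONFIG = """\
access-list 199 permit ip 192.168.10.0 0.0.0.255 any
access-list 199 permit ip 192.168.11.0 0.0.0.255 any
crypto isakmp client configuration group USERID1
 key PASSWORD
 pool dynpool
 acl 199
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
interface Ethernet0
 description connected to HQ LAN
 ip address 192.168.11.2 255.255.255.0
ip local pool dynpool 192.168.11.80 192.168.11.90
"""


def _block(config, header_re):
    """Return the indented sub-command lines that follow a top-level IOS command."""
    m = re.search(header_re + r"\n((?:[ \t]+.*\n)*)", config, re.M)
    return m.group(1) if m else ""


def split_tunnel_networks(config, acl_id):
    """Destinations the split-tunnel ACL sends over the tunnel (IOS wildcard masks)."""
    pat = re.compile(rf"^access-list {acl_id} permit ip (\S+) (\S+) any", re.M)
    # ipaddress accepts a host (wildcard) mask after the slash, e.g. 0.0.0.255.
    return [ipaddress.IPv4Network(f"{a}/{w}", strict=False) for a, w in pat.findall(config)]


def is_tunneled(config, acl_id, dst):
    """Would the client send traffic for dst through the tunnel under this ACL?"""
    return any(ipaddress.IPv4Address(dst) in n for n in split_tunnel_networks(config, acl_id))


def lint_easy_vpn(config):
    """Flag the three mistakes the thread worked through; an empty list means clean."""
    findings = []
    dyn = _block(config, r"^crypto dynamic-map \S+ \d+")
    if "set transform-set" not in dyn:
        findings.append("dynamic-map lacks set transform-set: phase 2 never completes")
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M)
    lan = re.search(r"^\s*ip address (\S+) (\S+)", _block(config, r"^interface Ethernet0"), re.M)
    if pool and lan:
        lan_net = ipaddress.IPv4Network(f"{lan.group(1)}/{lan.group(2)}", strict=False)
        in_lan = any(ipaddress.IPv4Address(a) in lan_net for a in pool.groups())
        if in_lan and "reverse-route" not in dyn:
            findings.append("client pool lies in the LAN subnet but reverse-route is missing: "
                            "the router will not proxy-ARP for client addresses")
    for acl in re.findall(r"^\s*acl (\d+)", config, re.M):
        if not re.search(rf"^access-list {acl} ", config, re.M):
            findings.append(f"group references acl {acl} but no access-list {acl} exists")
    return findings
```

Run against the final config as posted, `is_tunneled(SAMPLE_CONFIG, 199, "192.168.12.12")` returns False: acl 199 covers 192.168.10.0/24 and 192.168.11.0/24, so the DNS server at 192.168.12.12 is reached outside the tunnel unless a third `access-list 199` line is added.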