Anybody has an example of a remote access VPN config using an IOS router?

Discussion in 'Cisco' started by Eric Berthiaume, Apr 27, 2004.

  1. I have searched Cisco support for days now and can't get a decent
    example of the proper way to do it.

    I can get it to work on a LAN but as soon as I use public addresses it
    doesn't work.

    Also, does anybody have some howtos, books, links or examples of the best
    practices for VPN configurations? Especially regarding multiple users?

    Thanks for your help.

    Eric
     
    Eric Berthiaume, Apr 27, 2004
    #1

  2. We have a 1710 router acting as a VPN Server (as a proof-of-concept
    setup prior to installing a VPN Concentrator). I wouldn't like to
    claim that this is the "proper" way to do it, but it works.

    The Ethernet0 port is effectively connected directly to the Internet.

    Config looks like this:-

    <SNIP>
    !
    logging buffered 4096 debugging
    aaa new-model
    !
    !
    aaa authorization network vpn-clientgroup local
    aaa session-id common
    !
    <SNIP>
    !
    ip subnet-zero
    !
    !
    no ip domain-lookup
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 120
    ip ssh authentication-retries 3
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local dynpool
    !
    crypto isakmp client configuration group vpn-clientgroup
    key *REMOVED*
    pool dynpool
    acl 111
    !
    !
    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 1
    set transform-set transform-1
    !
    !
    crypto map dynmap isakmp authorization list vpn-clientgroup
    crypto map dynmap client configuration address respond
    crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface Loopback0
    description Management Loopback address
    ip address *REMOVED*
    !
    interface Ethernet0
    ip address *PUBLIC ADDRESS REMOVED*
    half-duplex
    crypto map dynmap
    !
    interface FastEthernet0
    ip address *PRIVATE ADDRESS REMOVED*
    speed 100
    !
    ip local pool dynpool *ADDRESS RANGE REMOVED*
    ip default-gateway *PUBLIC ADDRESS REMOVED*
    ip classless
    ip route 0.0.0.0 0.0.0.0 *PUBLIC ADDRESS REMOVED*
    ip route 10.0.0.0 255.0.0.0 *PRIVATE ADDRESS REMOVED*
    ip route *REMOVED*
    no ip http server
    ip pim bidir-enable
    !
    !
    logging trap debugging
    logging source-interface FastEthernet0
    logging *REMOVED*
    access-list 111 permit ip *REMOVED* *REMOVED*
    access-list 111 permit ip *REMOVED* *REMOVED*
    no cdp run
    !
    <SNIP>

    Hope that's of some help.

    Pete
     
    Pete Mainwaring, Apr 28, 2004
    #2

  3. Thanks for the reply.

    As I look at your config, mine looks exactly like yours ... my error was an
    incorrect route in the router AND in the internal firewall. Now it
    works ...

    My follow up question is ... what do you guys do for multiple users or
    groups?

    Here are my configs. I want to know if this is good practice or if
    there is a cleaner way to do it ... thanks .. Eric

    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp keepalive 60 20
    crypto isakmp xauth timeout 30

    !
    crypto isakmp client configuration group VPNUSRG1
    key xxxxxx
    pool IPPOOL1
    acl 150
    !
    crypto isakmp client configuration group VPNUSRG0
    key xxxxxx
    pool IPPOOL0
    acl 101
    !
    crypto isakmp client configuration group VPNUSRG2
    key xxxxxx
    pool IPPOOL2
    acl 150
    !
    crypto isakmp client configuration group VPNUSRG3
    key xxxxxx
    pool IPPOOL3
    acl 150
    !
    crypto isakmp client configuration group VPNUSRG4
    key xxxxxx
    pool IPPOOL4
    acl 101
    !
    !
    crypto ipsec transform-set TRFMSET1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile IPSECPROFILE1
    set transform-set TRFMSET1
    !
    !
    crypto dynamic-map DYNMAP1 1
    set security-association lifetime seconds 86400
    set transform-set TRFMSET1
    !
    !
    crypto map DYNMAP1 isakmp authorization list GLOBALVPN1
    crypto map DYNMAP1 client configuration address respond
    crypto map DYNMAP1 10 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP0 isakmp authorization list VPNUSRG0
    crypto map MAP0 20 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP1 isakmp authorization list VPNUSRG1
    crypto map MAP1 30 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP2 isakmp authorization list VPNUSRG2
    crypto map MAP2 40 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP3 isakmp authorization list VPNUSRG3
    crypto map MAP3 50 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP4 isakmp authorization list VPNUSRG4
    crypto map MAP4 60 ipsec-isakmp dynamic DYNMAP1
    !
     
    Eric Berthiaume, Apr 29, 2004
    #3
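As an added example (not from either poster's router), here is the multi-group version of the setup Pete and Eric show above, with one crypto map serving every group and Xauth adding a per-user login on top of the group key; since only one crypto map set can be bound to an interface, groups are selected by the name the client presents rather than by separate maps. All group names, usernames, keys and addresses are placeholders.

```cisco
! Added example, not from this thread: one Easy VPN server crypto map
! serving several client groups, each with its own pool and split-tunnel ACL.
! All names, keys and addresses are placeholders.
aaa new-model
! One network authorization list covers every group: the router picks the
! group block by the group name the client presents, so no per-group map is needed.
aaa authorization network VPNGROUPS local
! Xauth adds a per-user login on top of the shared group key.
aaa authentication login VPNUSERS local
username alice secret REPLACE-ME
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 60 20
crypto isakmp xauth timeout 30
!
! Each group gets its own pool so the inside firewall can filter by source.
crypto isakmp client configuration group STAFF
 key REPLACE-ME
 pool POOL-STAFF
 acl 150
crypto isakmp client configuration group CONTRACTORS
 key REPLACE-ME
 pool POOL-CONTRACTORS
 acl 151
!
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10
 set transform-set TS-3DES-SHA
!
! A single crypto map carries Xauth, group authorization and the dynamic map;
! an interface can only hold one crypto map set anyway.
crypto map VPNMAP client authentication list VPNUSERS
crypto map VPNMAP isakmp authorization list VPNGROUPS
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPNMAP
!
ip local pool POOL-STAFF 10.10.1.1 10.10.1.254
ip local pool POOL-CONTRACTORS 10.10.2.1 10.10.2.254
! Split-tunnel ACLs: only traffic to these inside networks goes through the tunnel.
access-list 150 permit ip 10.0.0.0 0.255.255.255 any
access-list 151 permit ip 10.20.0.0 0.0.255.255 any
```

The 3des transform matches the thread's era; on an image that supports it, `encr aes` and an AES transform set are the better choice.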
  4. At present, we only have one group of users as our set-up is still in
    the testing phase. If we had multiple user groups, I would probably
    have configured it in the same way that you have done. However, we
    will be using a VPN concentrator when our system goes live.

    Pete
     
    Pete Mainwaring, Apr 30, 2004
    #4
