Anybody has an example of a remote access VPN config using an IOS router?

I have search cisco support for days now and can't get a decent
example of the proper way to do it.

I can get it to work on a lan but as soon as I use public addresses I
doesn't work.

Also anybody has some howto, books, links, examples to has the best
practices of vpn configurations. Specialy regarding multiple users?

Thanks for your help.

Eric

 

We have a 1710 router acting as a VPN Server (as a proof-of-concept
setup prior to installing a VPN Concentrator). I wouldn't like to
claim that this is the "proper" way to do it, but it works.

The Ethernet0 port is effectively connected direcly to the Internet.

Config looks like this:-

<SNIP>
!
logging buffered 4096 debugging
aaa new-model
!
!
aaa authorization network vpn-clientgroup local
aaa session-id common
!
<SNIP>
!
ip subnet-zero
!
!
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group vpn-clientgroup
key *REMOVED*
pool dynpool
acl 111
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
!
!
crypto map dynmap isakmp authorization list vpn-clientgroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
description Management Loopback address
ip address *REMOVED*
!
interface Ethernet0
ip address *PUBLIC ADDRESS REMOVED*
half-duplex
crypto map dynmap
!
interface FastEthernet0
ip address *PRIVATE ADDRESS REMOVED*
speed 100
!
ip local pool dynpool *ADDRESS RANGE REMOVED*
ip default-gateway *PUBLIC ADDRESS REMOVED*
ip classless
ip route 0.0.0.0 0.0.0.0 *PUBLIC ADDRESS REMOVED*
ip route 10.0.0.0 255.0.0.0 *PRIVATE ADDRESS REMOVED*
ip route *REMOVED*
no ip http server
ip pim bidir-enable
!
!
logging trap debugging
logging source-interface FastEthernet0
logging *REMOVED*
access-list 111 permit ip *REMOVED* *REMOVED*
access-list 111 permit ip *REMOVED* *REMOVED*
no cdp run
!
<SNIP>

Hope that's of some help.

Pete

 

Thanks for the reply.

Has I look your config mine looks exactly like you ... my error was an
incorrect route in the router AND in the internal firewall. Now that
is works ...

My follow up question is ... what do you guys do for multiple users or
groups?

here is my configs. I want to know if this is a good practice or
there is a cleaner way to do it ... thanks .. Eric

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60 20
crypto isakmp xauth timeout 30

!
crypto isakmp client configuration group VPNUSRG1
key xxxxxx
pool IPPOOL1
acl 150
!
crypto isakmp client configuration group VPNUSRG0
key xxxxxx
pool IPPOOL0
acl 101
!
crypto isakmp client configuration group VPNUSRG2
key xxxxxx
pool IPPOOL2
acl 150
!
crypto isakmp client configuration group VPNUSRG3
key xxxxxx
pool IPPOOL3
acl 150
!
crypto isakmp client configuration group VPNUSRG4
key xxxxxx
pool IPPOOL4
acl 101
!
!
crypto ipsec transform-set TRFMSET1 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSECPROFILE1
set transform-set TRFMSET1
!
!
crypto dynamic-map DYNMAP1 1
set security-association lifetime seconds 86400
set transform-set TRFMSET1
!
!
crypto map DYNMAP1 isakmp authorization list GLOBALVPN1
crypto map DYNMAP1 client configuration address respond
crypto map DYNMAP1 10 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP0 isakmp authorization list VPNUSRG0
crypto map MAP0 20 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP1 isakmp authorization list VPNUSRG1
crypto map MAP1 30 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP2 isakmp authorization list VPNUSRG2
crypto map MAP2 40 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP3 isakmp authorization list VPNUSRG3
crypto map MAP3 50 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP4 isakmp authorization list VPNUSRG4
crypto map MAP4 60 ipsec-isakmp dynamic DYNMAP1
!

 

At present, we only have one group of users as our set-up is still in
the testing phase. If we had multiple user groups, I would probably
have configured it in the same way that you have done. However, we
will be using a VPN concentrator when our system goes live.

Pete