Basic VPN Setup (HELP!)

Unanswered Question
Aug 16th, 2007

Okay, maybe I'm just acting brain-dead here, but I really need some help. Here's my situation: I'm trying to set up a basic VPN tunnel from my network (running over an 1841 with the advsecurity IOS) to a remote network. Here's the caveat: that remote network has used every single private IP address that exists already, so we can't use any of them. Obviously, our network needs to NAT a public IP address across the tunnel so that the remote network will not get confused, since our network is using 192.168.1.0/24. I was told I only needed a very simple, basic VPN. The settings I was given from this remote network's admin were as follows:

3DES encryption with MD5 integrity
IKE encryption and Diffie-Hellman group: 3DES with Group 2
Aggressive mode ISAKMP initial contact payload: disabled
Compression: disabled
Rekey timeout: 08:00:00
Rekey data count: (none)
Keepalive interval: 00:01:00
Keepalive (on-demand connections): disabled
Anti-replay: enabled
IPsec DF bit: clear

I'm really beating my head against the wall here, so let me dump the config here (edited for length and private IPs) and hopefully you guys can help me!

Building configuration...

Current configuration : 4829 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname PeotaRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.150 192.168.1.254
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.1.0 255.255.255.0
 domain-name ourdomain.com
 dns-server DNS1 DNS2
 default-router 192.168.1.1
!
!
ip name-server DNS1
ip name-server DNS2
!
!
!
(snip for length)
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key (our psk) address (far end router IP)
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set tunnel esp-3des
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address (ext ip) 255.255.255.0
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
ip default-gateway (our gateway ip)
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool ovrld (our ext ip) (our ext ip) netmask 255.255.255.0
ip nat inside source list 7 pool ovrld overload
ip nat inside source static network 192.168.2.1 (ext ip for vpn) /32
ip nat outside source static tcp (our ext ip) 407 192.168.1.227 407 extendable
ip nat outside source static udp (our ext ip) 407 192.168.1.227 407 extendable
ip nat outside source static tcp (our ext ip) 1417 192.168.1.227 1417 extendable
!
access-list 7 permit any
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 111 permit ip host 192.168.1.104 host (ip of machine on other end of tunnel)
!
!
control-plane
!
banner login ^CC
(snip for length)
^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
end

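The parameter list the remote admin supplied and the posted config do not fully line up: the transform set carries no integrity algorithm, the 08:00:00 rekey and the DF-bit setting are not configured, and the ISAKMP policy, transform set and access-list 111 are defined but never tied together by a crypto map or applied to the outside interface, so no tunnel is ever negotiated. The fragment below is an added example (editor's, not from the original post or from Cisco) showing one way to map each of the listed settings onto IOS 12.4 commands and to do the public-address NAT across the tunnel. All addresses are assumed placeholders from the RFC 5737 documentation ranges (203.0.113.1 for the router's outside address, 203.0.113.2 for the spare public address the far side will see, 198.51.100.1 for the far-end router, 198.51.100.50 for the host on the far side), and the pre-shared key, the map name VPNMAP and the choice of 192.168.1.104 as the host to publish are assumptions as well.

```cisco
! Added example, not part of the original post. Placeholder addresses
! (RFC 5737 ranges): 203.0.113.1 = our outside address,
! 203.0.113.2 = spare public address used for the tunnel host,
! 198.51.100.1 = far-end router, 198.51.100.50 = host on the far side.
!
! --- Phase 1: "3DES with Group 2", MD5, rekey 08:00:00 = 28800 s,
!     keepalive 00:01:00. The original policy had no lifetime, so the
!     IOS default of 86400 s was in effect.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key OurPreSharedKey address 198.51.100.1
! DPD every 60 s; add the "periodic" keyword if the far end expects
! unsolicited keepalives rather than on-demand ones
crypto isakmp keepalive 60
!
! --- Phase 2: "3DES encryption with MD5 integrity" needs esp-md5-hmac
!     as well; the original transform set was esp-3des only.
crypto ipsec transform-set tunnel esp-3des esp-md5-hmac
! IPsec SA rekey at 08:00:00 (IOS default is 3600 s)
crypto ipsec security-association lifetime seconds 28800
! "IPsec DF bit: clear" -> clear DF on the outer ESP header so oversized
! packets are fragmented on the path instead of being dropped
crypto ipsec df-bit clear
! Anti-replay and no compression are the IOS defaults; nothing to add.
!
! --- NAT: on IOS, inside-to-outside traffic is translated BEFORE it is
!     encrypted, so the LAN host is statically mapped to the spare public
!     address and the crypto ACL matches the translated (public) source.
!     The static entry takes precedence over the "list 7 ... overload"
!     rule for this one host. (The original "static network ... /32"
!     entry is not needed for this. A port forward is written in the
!     "inside source" direction, e.g.
!       ip nat inside source static tcp 192.168.1.227 407 203.0.113.1 407
!     not "outside source".)
ip nat inside source static 192.168.1.104 203.0.113.2
!
! --- Crypto ACL: interesting traffic, post-NAT public source.
!     The far side's ACL must be the mirror image of this one.
access-list 111 permit ip host 203.0.113.2 host 198.51.100.50
!
! --- Crypto map: binds peer, transform set and interesting-traffic ACL.
!     The posted config defined the pieces but never created a map.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set tunnel
 match address 111
!
! --- Apply the map on the interface facing the peer.
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 crypto map VPNMAP
```

After applying it, `show crypto isakmp sa` should show the peer in state QM_IDLE and `show crypto ipsec sa` should show the encaps/decaps counters moving once 192.168.1.104 sends traffic to 198.51.100.50; `debug crypto isakmp` on a failed negotiation will name the attribute that does not match the far side. The static NAT assumes 203.0.113.2 lies in the outside interface's subnet so the router answers ARP for it. Two points outside the tunnel itself: `ip route 0.0.0.0 0.0.0.0 FastEthernet0/0` with no next hop on an Ethernet interface depends on the upstream router's proxy ARP, so a next-hop address is the safer form, and the vty lines allow telnet, where `transport input ssh` is the usual hardening.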