Creating VPN Tunnel on Cisco 857W

kayasaman
Level 1

Hi,

I'm trying to create a VPN Tunnel to be able to access my network remotely from a dynamic IP address.

Currently I have a few machines and a server on IP subnet 192.168.1.0/0.0.0.255

and would like to use them as though I was inside the intranet!

I have started the config already but didn't understand a lot from the Cisco documentation. I would be grateful for any assistance.

My running-config is attached.

Thanks in advance!


kayasaman
Level 1

The Cisco VPN client asks for either a certificate or authorized group of users. How can I implement this into my config?

Also, how do I tell the router what is accessible within the network?

Hi Kayasaman,

I ran into the same problem. I have an 857W at home and I would like to set up a VPN.

Are you able to share a working config for it?

Cheers,

Fabio

Hi Fabio,

sorry for the late reply!

My ISP did something strange to my network at home meaning I can't access the forums from there and hence have to write in from work now.

I have got some config for you:

Router1 = 200.1.1.1

Router2 = 200.2.2.2

------------------------------------------------------Router1----------------------------

[...]

! Phase 1 (ISAKMP): pre-shared key for peer 200.2.2.2
crypto isakmp policy 10
  authentication pre-share
crypto isakmp key ciscokey address 200.2.2.2
!
! Phase 2 (IPsec): ESP with 3DES encryption and MD5 HMAC
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
! Crypto map: protect the traffic matched by access-list 101 towards the peer
crypto map myvpn 10 ipsec-isakmp
  set peer 200.2.2.2
  set transform-set myset
  match address 101

[...]

! WAN interface: NAT outside, with the crypto map applied here
interface Dialer0
  description To DSLAM
  ip address negotiated
  ip nat outside
  no ip virtual-reassembly
  encapsulation ppp
  no ip route-cache
  dialer pool 1
  no cdp enable
  ppp authentication chap callin
  ppp chap hostname chapuname
  ppp chap password 7 chappasswd
  ppp ipcp dns 200.1.1.2 200.1.1.3
  crypto map myvpn

[...]

! NAT (overload) only what route-map NO-NAT permits; VPN traffic is excluded by it
ip nat inside source route-map NO-NAT interface Dialer0 overload

[...]

! ACL 101: interesting traffic, i.e. the flows the crypto map encrypts
access-list 101 permit ip 172.16.0.0 0.0.0.63 192.168.0.0 0.0.1.255
access-list 101 permit ip 172.16.0.64 0.0.0.63 192.168.0.0 0.0.1.255
access-list 101 permit ip 172.16.0.192 0.0.0.63 192.168.0.0 0.0.1.255

! ACL 110: deny (= do not NAT) the VPN flows first, then NAT everything else
access-list 110 deny   ip 172.16.0.0 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 deny   ip 172.16.0.64 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 deny   ip 172.16.0.192 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 permit ip 172.16.0.0 0.0.0.255 any
access-list 110 permit ip 172.16.1.0 0.0.0.63 any

[...]

dialer-list 1 protocol ip permit

! NO-NAT route-map: referenced by the ip nat inside statement above
route-map NO-NAT permit 10
  match ip address 110

------------------------------------------------------Router2----------------------------

[...]

! Phase 1 (ISAKMP): pre-shared key for peer 200.1.1.1
crypto isakmp policy 10
  authentication pre-share
crypto isakmp key ciscokey address 200.1.1.1
!
! Phase 2 (IPsec): ESP with 3DES encryption and MD5 HMAC
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
! Crypto map: protect the traffic matched by access-list 101 towards the peer
crypto map myvpn 10 ipsec-isakmp
  set peer 200.1.1.1
  set transform-set myset
  match address 101

[...]

! WAN interface: NAT outside, with the crypto map applied here
interface Dialer0
  description To DSLAM
  ip address negotiated
  ip nat outside
  no ip virtual-reassembly
  encapsulation ppp
  no ip route-cache
  dialer pool 1
  no cdp enable
  ppp authentication chap callin
  ppp chap hostname chapuname
  ppp chap password 7 chappasswd
  ppp ipcp dns 200.2.2.2 200.2.2.3
  crypto map myvpn

[...]

! NAT (overload) only what route-map NO-NAT permits; VPN traffic is excluded by it
ip nat inside source route-map NO-NAT interface Dialer0 overload

[...]

! ACL 101: interesting traffic, the exact mirror of Router1's ACL 101
access-list 101 permit ip 192.168.0.0 0.0.1.255 172.16.0.0 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.1.255 172.16.0.64 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.1.255 172.16.0.192 0.0.0.63

! ACL 110: deny (= do not NAT) the VPN flows first, then NAT everything else
access-list 110 deny   ip 192.168.0.0 0.0.1.255 172.16.0.0 0.0.0.63
access-list 110 deny   ip 192.168.0.0 0.0.1.255 172.16.0.64 0.0.0.63
access-list 110 deny   ip 192.168.0.0 0.0.1.255 172.16.0.192 0.0.0.63
access-list 110 permit ip 192.168.0.0 0.0.1.255 any

[...]

dialer-list 1 protocol ip permit

! NO-NAT route-map: referenced by the ip nat inside statement above
route-map NO-NAT permit 10
  match ip address 110

If you add this in addition to the full router config the VPN will work!!

You can also use these tools to debug:

show crypto isakmp sa

show crypto ipsec sa

More tools can be found if you run the:

show crypto isakmp ?

or

show crypto ipsec ?

commands.

Debug commands can also be run!

Regards,

Kaya
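The two errors that most often break a setup like the one above are crypto ACLs that are not exact mirrors of each other on the two routers, and VPN traffic that still gets NATed because the NO-NAT ACL does not exempt it before the permit catches it. The following is an added example, not code from the thread or from Cisco: it parses the access-list 101 and 110 lines posted above (embedded as a constructed sample), checks that each router's crypto ACL mirrors the peer's, and reports any VPN flow whose first match in the NAT-exemption ACL is a permit.

```python
from ipaddress import IPv4Address, IPv4Network
# Constructed sample: the crypto (101) and NAT-exemption (110) ACLs from the thread.
ROUTER1 = """
access-list 101 permit ip 172.16.0.0 0.0.0.63 192.168.0.0 0.0.1.255
access-list 101 permit ip 172.16.0.64 0.0.0.63 192.168.0.0 0.0.1.255
access-list 101 permit ip 172.16.0.192 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 deny   ip 172.16.0.0 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 deny   ip 172.16.0.64 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 deny   ip 172.16.0.192 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 permit ip 172.16.0.0 0.0.0.255 any
access-list 110 permit ip 172.16.1.0 0.0.0.63 any
"""
ROUTER2 = """
access-list 101 permit ip 192.168.0.0 0.0.1.255 172.16.0.0 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.1.255 172.16.0.64 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.1.255 172.16.0.192 0.0.0.63
access-list 110 deny   ip 192.168.0.0 0.0.1.255 172.16.0.0 0.0.0.63
access-list 110 deny   ip 192.168.0.0 0.0.1.255 172.16.0.64 0.0.0.63
access-list 110 deny   ip 192.168.0.0 0.0.1.255 172.16.0.192 0.0.0.63
access-list 110 permit ip 192.168.0.0 0.0.1.255 any
"""

def _net(tokens):
    if tokens[0] == "any":  # bare 'any' carries no wildcard
        tokens.pop(0)
        return IPv4Network("0.0.0.0/0")
    addr, wc = tokens.pop(0), tokens.pop(0)
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wc)))  # invert wildcard bits
    return IPv4Network((addr, str(mask)))  # rejects non-contiguous wildcards

def parse_acls(text):
    """Map ACL number -> ordered list of (action, src, dst) for 'access-list N ... ip' lines."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) > 4 and t[0] == "access-list" and t[3] == "ip":
            rest = t[4:]
            src, dst = _net(rest), _net(rest)  # left-to-right: src first, then dst
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def unmirrored_flows(local, remote):
    """Permits in the local crypto ACL with no exact (dst, src) mirror on the remote peer."""
    mirror = {(d, s) for a, s, d in remote if a == "permit"}
    return [(s, d) for a, s, d in local if a == "permit" and (s, d) not in mirror]

def natted_vpn_flows(crypto, nat):
    """VPN flows whose first NAT-ACL match is a permit, i.e. the route-map would NAT them."""
    def first_match(s, d):  # first-match semantics, implicit deny at the end
        return next((a for a, ns, nd in nat if s.subnet_of(ns) and d.subnet_of(nd)), "deny")
    return [(s, d) for a, s, d in crypto if a == "permit" and first_match(s, d) == "permit"]
```

The same checks work on any "show running-config | include access-list" output, as long as the wildcard masks are contiguous.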

Hi Kaya,

Thank you very much for getting back to me.

I'll give that a shot.

Cheers,

Fabio

No problem :-)

If you experience any problems at all, try rebooting the router, or taking out the VPN config to reinitialize the crypto module inside the system. Sometimes the system can become erroneous and not connect properly.

If you find yourself connected but unable to ping between systems, you might have an MTU or other unseen issue which you will need to contact your ISP about - provided they are happy to help, unlike mine!

Good luck.
