Cisco 877 Single Hub + Multiple Spoke + VPN Client Configuration

Unanswered Question
Aug 7th, 2009

Greetings, I haven't configured one of these for both a multi-spoke L2L VPN and VPN client on a single router before; could someone have a quick look and see if the config is OK?

Hub Site:

aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp key ************** address ************** no-xauth
crypto isakmp key ************** address ************** no-xauth
crypto isakmp key ************** address ************** no-xauth
!
crypto isakmp client configuration group vpnclientgroup
 key **************
 dns 192.168.10.10
 wins 192.168.10.10
 domain dbm.local
 pool dhcppool
 acl 199
 include-local-lan
 pfs
 max-logins 10
 netmask 255.255.255.0
!
crypto ipsec transform-set 3DesSecure esp-3des
!
crypto dynamic-map clientmap 1
 set security-association lifetime seconds 86400
 set transform-set 3DesSecure
 reverse-route
!
!
crypto map hqmap client authentication list userauth
crypto map hqmap isakmp authorization list groupauth
crypto map hqmap client configuration address respond
!
crypto map hqmap 1 ipsec-isakmp
 description ****** Link to tpon-ro-877 ******
 set peer **************
 set security-association lifetime seconds 86400
 set transform-set 3DesSecure
 set pfs group2
 match address 101
!
crypto map hqmap 2 ipsec-isakmp
 description ****** Link to blston-ro-877 ******
 set peer **************
 set security-association lifetime seconds 86400
 set transform-set 3DesSecure
 set pfs group2
 match address 102
!
crypto map hqmap 3 ipsec-isakmp
 description ****** Link to Hnwrth-ro-877 ******
 set peer **************
 set security-association lifetime seconds 86400
 set transform-set 3DesSecure
 set pfs group2
 match address 103
!
crypto map hqmap 65535 ipsec-isakmp dynamic clientmap
!
interface Dialer1
 description WAN Interface
 crypto map hqmap
!
ip local pool dhcppool 172.31.255.50 172.31.255.60
!
access-list 100 remark ****** NAT ACL ******
access-list 100 deny ip 192.168.10.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 101 remark ****** Link to tpon-ro-877 ******
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 102 remark ****** Link to blston-ro-877 ******
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
access-list 103 remark ****** Link to Hnwrth-ro-877 ******
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
!
access-list 199 remark ****** Split Tunnel Encrypted Traffic ******
access-list 199 permit ip 192.168.10.0 0.0.0.255 172.31.255.0 0.0.0.255
!
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
!

Regards

Todd Pula Fri, 08/07/2009 - 07:01

I would recommend that you move the client authentication/authorization config from the crypto map into an ISAKMP profile. You will then associate this profile with the dynamic crypto map where it will only apply to the connecting RA clients. For example,

crypto isakmp profile vpnclient
 match identity group vpnclientgroup
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
!
crypto dynamic-map clientmap 1
 set security-association lifetime seconds 86400
 set transform-set 3DesSecure
 set isakmp-profile vpnclient
 reverse-route

steliiospsimopoulos Fri, 08/21/2009 - 00:53

Hi,

May I ask (because I face a similar problem with the VPN) if I have to remove the rest of the VPN client's config after I apply the solution you said?

Thanks for your time.

exonetinf1nity Fri, 08/21/2009 - 04:05

Yes, you can remove the following lines after applying the above configuration.

crypto map hqmap client authentication list userauth
crypto map hqmap isakmp authorization list groupauth
crypto map hqmap client configuration address respond

Regards
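One way to sanity-check a hub config of this shape before pasting it into the router, as an added example that is not from this thread or from Cisco: a Python script that splits the IOS text into commands and sub-commands by indentation, confirms that every name a crypto map entry, the dynamic map or the client group refers to (access-list, local pool, transform set, peer pre-shared key, ISAKMP profile) is actually defined, flags a transform set that has no ESP integrity transform (the posted `esp-3des` set encrypts but does not authenticate packets), and flags the map-wide `client authentication` lines that Todd Pula's reply moves into an ISAKMP profile bound to the dynamic map. The embedded config is a constructed, trimmed copy of the posted hub config with the masked peer address and keys replaced by placeholders (198.51.100.1, PSK-PLACEHOLDER); the second variant applies the profile change from the replies so the two results can be compared.

```python
import re

# Constructed sample: the hub's crypto config from the thread, trimmed to the
# lines checked below, with the masked peer and keys replaced by placeholders.
HUB_CONFIG = """\
crypto isakmp key PSK-PLACEHOLDER address 198.51.100.1 no-xauth
crypto isakmp client configuration group vpnclientgroup
 pool dhcppool
 acl 199
crypto ipsec transform-set 3DesSecure esp-3des
crypto dynamic-map clientmap 1
 set transform-set 3DesSecure
 reverse-route
crypto map hqmap client authentication list userauth
crypto map hqmap isakmp authorization list groupauth
crypto map hqmap client configuration address respond
crypto map hqmap 1 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set 3DesSecure
 match address 101
crypto map hqmap 65535 ipsec-isakmp dynamic clientmap
ip local pool dhcppool 172.31.255.50 172.31.255.60
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 199 permit ip 192.168.10.0 0.0.0.255 172.31.255.0 0.0.0.255
"""

# Same config after the change suggested in the replies: the three map-wide
# client lines are dropped and an ISAKMP profile is bound to the dynamic map.
FIXED_CONFIG = """\
crypto isakmp profile vpnclient
 match identity group vpnclientgroup
 client authentication list userauth
 isakmp authorization list groupauth
 client configuration address respond
""" + "\n".join(
    l for l in HUB_CONFIG.splitlines()
    if not re.match(r"crypto map hqmap (client|isakmp) ", l)
).replace(" reverse-route", " set isakmp-profile vpnclient\n reverse-route")


def parse_blocks(config):
    """Split IOS text into (command, [sub-commands]) pairs by indentation."""
    blocks = []
    for raw in (l for l in config.splitlines() if l.strip() and l.strip() != "!"):
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_hub_config(config):
    """Return a list of findings; an empty list means every check passed."""
    acls, pools, peers, tsets, profiles, dynmaps = set(), set(), set(), {}, {}, {}
    static, map_global, group = [], [], []
    for cmd, subs in parse_blocks(config):
        w = cmd.split()
        if w[0] == "access-list":
            acls.add(w[1])
        elif cmd.startswith("ip local pool "):
            pools.add(w[3])
        elif cmd.startswith("crypto ipsec transform-set "):
            tsets[w[3]] = w[4:]
        elif cmd.startswith("crypto isakmp key "):
            peers.add(w[w.index("address") + 1])
        elif cmd.startswith("crypto isakmp profile "):
            profiles[w[3]] = subs
        elif cmd.startswith("crypto isakmp client configuration group "):
            group = subs
        elif cmd.startswith("crypto dynamic-map "):
            dynmaps[w[2]] = subs
        elif cmd.startswith("crypto map ") and len(w) > 3 and w[3].isdigit():
            if "dynamic" not in w:           # numbered static site-to-site entry
                static.append((cmd, subs))
        elif cmd.startswith("crypto map "):  # map-wide client auth/authz lines
            map_global.append(cmd)

    findings = []
    # 1. Every object a map entry, the dynamic map or the client group names
    #    (transform set, ACL, peer key, profile, pool) must actually be defined.
    refs = [(("set", "transform-set"), tsets, "transform-set"),
            (("match", "address"), acls, "access-list"),
            (("set", "peer"), peers, "crypto isakmp key for peer"),
            (("set", "isakmp-profile"), profiles, "isakmp profile"),
            (("pool",), pools, "ip local pool"),
            (("acl",), acls, "split-tunnel acl")]
    for name, subs in static + list(dynmaps.items()) + [("client group", group)]:
        for s in (sub.split() for sub in subs):
            for head, defined, label in refs:
                n = len(head)
                if tuple(s[:n]) == head and s[n] not in defined:
                    findings.append(f"{name}: undefined {label} {s[n]}")
    # 2. An ESP transform set with no *-hmac member encrypts without authenticating.
    for name, parts in tsets.items():
        if not any(p.endswith("-hmac") for p in parts):
            findings.append(f"transform-set {name}: no ESP integrity transform")
    # 3. Client auth set map-wide also applies to the static site-to-site
    #    entries; an ISAKMP profile on the dynamic map scopes it to the clients.
    if static and any(" client authentication " in c for c in map_global):
        findings.append("client authentication is map-wide: move it to an isakmp profile")
    return findings
```

Running `check_hub_config(HUB_CONFIG)` returns the integrity finding and the map-wide client authentication finding; `check_hub_config(FIXED_CONFIG)` returns only the integrity finding, because the profile variant binds the client lines to the dynamic map and leaves the site-to-site entries alone. Feeding the script a config whose `match address` points at an ACL that was never created produces an "undefined access-list" finding, which is the kind of mismatch that otherwise only shows up as a tunnel that never negotiates.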
