08-07-2009 01:13 AM
Greetings, I haven't configured one of these for both a multi-spoke L2L VPN and VPN client on a single router before; could someone have a quick look and see if the config is ok.
Hub Site:
aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp key ************** address ************** no-xauth
crypto isakmp key ************** address ************** no-xauth
crypto isakmp key ************** address ************** no-xauth
!
crypto isakmp client configuration group vpnclientgroup
key **************
dns 192.168.10.10
wins 192.168.10.10
domain dbm.local
pool dhcppool
acl 199
include-local-lan
pfs
max-logins 10
netmask 255.255.255.0
!
crypto ipsec transform-set 3DesSecure esp-3des
!
crypto dynamic-map clientmap 1
set security-association lifetime seconds 86400
set transform-set 3DesSecure
reverse-route
!
!
crypto map hqmap client authentication list userauth
crypto map hqmap isakmp authorization list groupauth
crypto map hqmap client configuration address respond
!
crypto map hqmap 1 ipsec-isakmp
description ****** Link to tpon-ro-877 ******
set peer **************
set security-association lifetime seconds 86400
set transform-set 3DesSecure
set pfs group2
match address 101
!
crypto map hqmap 2 ipsec-isakmp
description ****** Link to blston-ro-877 ******
set peer **************
set security-association lifetime seconds 86400
set transform-set 3DesSecure
set pfs group2
match address 102
!
crypto map hqmap 3 ipsec-isakmp
description ****** Link to Hnwrth-ro-877 ******
set peer **************
set security-association lifetime seconds 86400
set transform-set 3DesSecure
set pfs group2
match address 103
!
crypto map hqmap 65535 ipsec-isakmp dynamic clientmap
!
interface Dialer1
description WAN Interface
crypto map hqmap
!
ip local pool dhcppool 172.31.255.50 172.31.255.60
!
access-list 100 remark ****** NAT ACL ******
access-list 100 deny ip 192.168.10.0 0.0.0.255 172.31.255.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 101 remark ****** Link to tpon-ro-877 ******
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
!
access-list 102 remark ****** Link to blston-ro-877 ******
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
!
access-list 103 remark ****** Link to Hnwrth-ro-877 ******
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.40.0 0.0.0.255
!
access-list 199 remark ****** Split Tunnel Encrypted Traffic ******
access-list 199 permit ip 192.168.10.0 0.0.0.255 172.31.255.0 0.0.0.255
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
!
Regards
08-07-2009 07:01 AM
I would recommend that you move the client authentication/authorization config from the crypto map into an ISAKMP profile. You will then associate this profile with the dynamic crypto map where it will only apply to the connecting RA clients. For example,
crypto isakmp profile vpnclient
match identity group vpnclientgroup
client authentication list userauth
isakmp authorization list groupauth
client configuration address respond
crypto dynamic-map clientmap 1
set security-association lifetime seconds 86400
set transform-set 3DesSecure
set isakmp-profile vpnclient
reverse-route
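As an added check, not part of the thread: a small Python lint that tells the two forms apart. It flags Xauth/mode-config attached map-wide (which also reaches the L2L peers unless their keys carry no-xauth, as the hub config above does) and confirms the dynamic map points at an ISAKMP profile with a group match and an authentication list. The sample configs, keys and peer addresses are constructed placeholders.

```python
import re
# Constructed samples (placeholder keys/peers) modelled on the thread's hub config; IOS indents sub-commands by one space.
MAP_WIDE = """\
crypto isakmp key SECRET1 address 198.51.100.10 no-xauth
crypto isakmp key SECRET2 address 198.51.100.20
crypto map hqmap client authentication list userauth
crypto map hqmap isakmp authorization list groupauth
crypto dynamic-map clientmap 1
"""
PROFILE_SCOPED = """\
crypto isakmp key SECRET1 address 198.51.100.10 no-xauth
crypto isakmp profile vpnclient
 match identity group vpnclientgroup
 client authentication list userauth
crypto dynamic-map clientmap 1
 set isakmp-profile vpnclient
"""

def _blocks(config, header):
    """Map each 'header NAME ...' line to the list of its indented sub-commands."""
    blocks, cur = {}, None
    for ln in config.splitlines():
        m = re.match(rf"{header} (\S+)", ln)
        if m:
            cur, blocks[m.group(1)] = m.group(1), []
        elif ln.startswith(" ") and cur:
            blocks[cur].append(ln.strip())
        else:
            cur = None
    return blocks

def audit_xauth_scope(config):
    """Flag Xauth/mode-config attached to a whole crypto map rather than to an ISAKMP profile."""
    lines = config.splitlines()
    ra = r"crypto map \S+ (client authentication|isakmp authorization|client configuration) "
    findings = [f"map-wide RA setting: {ln}" for ln in lines if re.match(ra, ln)]
    if findings:  # map-wide Xauth also reaches the L2L peers, so each static PSK must carry no-xauth
        for ln in lines:
            m = re.match(r"crypto isakmp key \S+ address (\S+)(.*)", ln)
            if m and "no-xauth" not in m.group(2):
                findings.append(f"L2L key for {m.group(1)} lacks no-xauth while Xauth is map-wide")
    profiles = _blocks(config, "crypto isakmp profile")
    for dmap, body in _blocks(config, "crypto dynamic-map").items():
        prof = next((b.split()[-1] for b in body if b.startswith("set isakmp-profile ")), None)
        if prof is None and not findings:
            findings.append(f"dynamic map {dmap} has neither an ISAKMP profile nor map-wide Xauth")
        elif prof and not all(any(b.startswith(k) for b in profiles.get(prof, []))
                              for k in ("match identity group ", "client authentication list ")):
            findings.append(f"profile {prof} lacks 'match identity group' or 'client authentication list'")
    return findings
```

Run it against a `show running-config` capture; an empty list means the RA settings are scoped to the profile and every static peer key is exempt from Xauth.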
08-07-2009 08:08 AM
Much appreciated, looks a lot tidier, thank you.
Regards
08-21-2009 12:53 AM
Hi,
May I ask (because I face a similar problem with the VPN) if I have to remove the rest of the VPN client's config after I apply the solution you described?
Thanks for your time.
08-21-2009 04:05 AM
Yes you can remove the following lines after applying the above configuration.
crypto map hqmap client authentication list userauth
crypto map hqmap isakmp authorization list groupauth
crypto map hqmap client configuration address respond
Regards
08-21-2009 05:28 AM
OK thank you very much, I'll do this.