Setup VPN Connection with Cisco 2821 Router

Answered Question

Is it possible to set up a client-to-site VPN connection with a Cisco 2821 router? Is it possible to configure the router for VPN using Cisco Configuration Professional (CCP)? We found the following document: http://www.cisco.com/en/US/products/ps5 … 314a.shtml

But when we ordered the router, it was not shipped with Cisco Configuration Professional Express installed in the flash memory. Do we need to pay for CCP? If yes, is it possible to buy the router with this configuration at this moment?

Jon Marshall Tue, 03/02/2010 - 02:59

CCP is available as a free download, see this page for details -

http://www.cisco.com/en/US/products/ps9422/index.html

You will need a minimum of 12.4(9)T.

You may also want to have a look at these configuration examples for vpn client to router -

Router to IPSEC vpn client

Jon

Sonenberk Tue, 03/02/2010 - 05:35

Hello Jon,

We have tested cooperation: Cisco 2821 + Cisco VPN client. What type of authentication do you want to use - certificate or preshared key? We used a certificate in a USB token.

We can put a list of example configurations here, if you want.

But we didn't use CCP, it was configured via "conf t".

Have a nice day.

Peter S.

Hello Peter,

Now, the image file in our router is 12.4(15)T. We will not buy any certificate from VeriSign for the VPN connection. So, if we use prephase key, I would be grateful if you could let me have the example configuration file for reference. Actually, I would like to just put the user name and password, and the user makes use of the user name and password and the Cisco VPN client to connect to our network. By the way, may I know which Cisco client you are using? I would be grateful if you could provide the link for me to download it. Thanks.

Best Regards,

Ming

Correct Answer
Sonenberk Wed, 03/03/2010 - 05:58

Hello,
here is some configuration of the test router
without "certification part".
If you need only preshared key, it would be better
to use some cisco examples.
Good luck to you.
Peter S.


version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco28
!
boot-start-marker
boot-end-marker
!
logging buffered 128000
enable secret 5 $1$wgM4$hnI4TqvqWv8EwjDWUgsjQ1
enable password something
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
dot11 syslog
no ip source-route
!
ip cef
!
no ip bootp server
ip domain name firma.com
ip host client-vpn 10.1.1.133
ip name-server 10.1.1.33
!
multilink bundle-name authenticated
!
license udi pid CISCO2821 sn FCZ012345KM
username user1 password 0 kamil1
username spravce privilege 15 password 0 kamil15
username user2 password 0 kamil2
!
redundancy
!
crypto ikev2 diagnose error 50
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 group 2
!
crypto isakmp client configuration group Group159
 key Key159Key
 pool SDM_POOL_1
 acl 100
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set 3DES-MD5
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Loopback10
 description For VPN Client
 ip address 192.168.201.1 255.255.255.0
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$
 ip address 10.1.1.220 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 192.168.220.1 255.255.255.0
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.200.1 192.168.200.10
ip forward-protocol nd
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
access-list 10 remark Prisup na router
access-list 10 remark Pristup na router
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 192.168.201.0 0.0.0.255
access-list 10 permit 192.168.200.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.201.0 0.0.0.255 192.168.200.0 0.0.0.255
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 10 in
 exec-timeout 3600 0
 password kamil
 transport input all
!
scheduler allocate 20000 1000
ntp server 10.1.1.1
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
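
The configuration above comes from a test router, so before reusing it, it helps to list the settings that should be replaced. The following is an added example, not part of the original post or of any Cisco tool: a small Python audit whose rule list, `audit` function and `SAMPLE` excerpt (lines copied from the posted configuration) are this example's own assumptions.

```python
import re

# Constructed excerpt: lines copied from the configuration posted above.
SAMPLE = """\
no service password-encryption
enable password something
username user1 password 0 kamil1
crypto isakmp policy 10
encr 3des
hash md5
group 2
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
ip http server
ip http secure-server
!
line vty 0 4
transport input all
"""

# (section prefix, regex on the line, finding); an empty prefix matches anywhere.
RULES = [
    ("", r"^no service password-encryption$", "passwords are left in cleartext in the config"),
    ("", r"^enable password ", "legacy enable password kept beside enable secret"),
    ("", r"^username \S+ (privilege \d+ )?password 0 ", "type 0 (cleartext) user password"),
    ("crypto isakmp policy", r"^(encr (des|3des)|hash md5)$", "IKE uses DES/3DES or MD5"),
    ("crypto isakmp policy", r"^group [125]$", "IKE DH group is 1536 bits or smaller"),
    ("", r"^crypto ipsec transform-set .*esp-(des|3des|md5-hmac)\b", "ESP uses DES/3DES or HMAC-MD5"),
    ("", r"^ip http server$", "cleartext HTTP management is enabled"),
    ("line vty", r"^transport input (all|telnet)\b", "vty lines accept Telnet"),
]

def audit(config):
    """Return (line number, section, finding) tuples for weak settings."""
    findings, section = [], ""
    for number, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()  # works with or without IOS indentation
        if line in ("", "!"):
            section = ""  # '!' closes the current section
        elif re.match(r"(crypto isakmp policy|interface|line) ", line):
            section = line  # header that opens a sub-command section
        for scope, pattern, finding in RULES:
            if section.startswith(scope) and re.search(pattern, line):
                findings.append((number, section, finding))
    return findings

if __name__ == "__main__":
    for number, section, finding in audit(SAMPLE):
        print(f"line {number} [{section or 'global'}]: {finding}")
```

Run against the full posted configuration, the same rules also report the other `username ... password 0` entries and each of the four ISAKMP policies.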
