How can I set up a VPN with 1 cisco router?

Unanswered Question
Mar 25th, 2010

I have a remote branch I wish to connect to a VPN with our Cisco router. Which is the best protocol to do this? How can I set it up?

andre.ortega Thu, 03/25/2010 - 10:48

Yes, you can. And you can use IPSec (you need to check that your router (IOS) supports IPSec).

Do you need a site-to-site VPN or remote access (client to site)?

sgregory1 Thu, 03/25/2010 - 11:53

Show version reports:

Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)

It would be from one site to this one, but there is no Cisco router on the other end. But this is the only link I need a VPN on.

sgregory1 Thu, 03/25/2010 - 13:21

What is this ASA? What I've done in the past is use Cisco's VPN software on a Windows machine to connect to a VPN. Can I not set that up?

The remote site will connect with software to a VPN server enabled on my router. Is this possible? Is this what your link means?

andre.ortega Thu, 03/25/2010 - 14:09

This is a sample only, for a site-to-site VPN.

Does your remote site have another device (like an ASA, a router or a Linux server)? If yes, this device will connect to the router.

If not, the users can use a VPN client installed on their computers.

Regards.

sgregory1 Thu, 03/25/2010 - 14:27

I have a problem with this. It seems my router has no "crypto" command:

(config)#
#crypto ?
% Unrecognized command
(config)#crypto ?
% Unrecognized command

EDIT: Our other router, which is the same as this one, has the crypto command. A show version notes that the flash image is different!

Router not working:

System image file is "flash:c1841-ipbase-mz.124-1c.bin"

Router crypto is there:
System image file is "flash:c1841-advsecurityk9-mz.124-3g.bin"

sgregory1 Thu, 03/25/2010 - 15:52

Okay, I have just finished updating the image and reconfiguring the router. From the looks of this, I need to generate a key or something. This is a bit confusing... for example, the guide mentions hard-coding a static IP address on the client end. My client is DHCP enabled... so is there another way I can configure this?

The "ASA" device... you say that can be any old router..? Why is there a CLI shown?

andre.ortega Fri, 03/26/2010 - 05:24

See two samples:

      Site A                                   SITE B

LAN---ROUTER----INTERNET----ROUTER---LAN

SITE A

R0#sh run
Building configuration...

Current configuration : 1610 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/Uap$KYw5T9RRj2Iqw7YRnybUp.
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
!
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
!
crypto map TESTE_MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set teste_set
 match address ACL_VPN
!
!
interface FastEthernet0/0
 description Conexao R2 F0/0
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 description Conexao com R1 S1/0
 bandwidth 2048
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 0
 crypto map TESTE_MAP
!
interface Serial1/1
 description Conexao com R1 S1/1
 ip address 1.1.1.6 255.255.255.252
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 1.1.1.0 0.0.0.3 area 0
 network 10.10.10.0 0.0.0.3 area 0
!
ip http server
no ip http secure-server
!
!
ip access-list extended ACL_VPN
 permit icmp 0.0.0.2 255.255.255.252 host 10.10.10.6
 permit icmp host 10.10.10.2 host 10.10.10.6
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

============================================================

SITE B

R1#sh run
Building configuration...

Current configuration : 1571 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$zRJc$5ba6iIHxQzlIVZROagEWa0
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.2 255.255.255.252
!
!
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
!
crypto map TESTE_MAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set teste_set
 match address ACL_VPN
!
!
interface FastEthernet0/0
 ip address 10.10.10.5 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 description Conexao com R0 S1/0
 bandwidth 2048
 ip address 1.1.1.1 255.255.255.252
 serial restart-delay 0
 crypto map TESTE_MAP
!
interface Serial1/1
 description Conexao R0 S1/1
 bandwidth 128
 ip address 1.1.1.5 255.255.255.252
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 1.1.1.0 0.0.0.3 area 0
 network 1.1.1.4 0.0.0.3 area 0
 network 10.10.10.4 0.0.0.3 area 0
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_VPN
 permit icmp host 10.10.10.6 host 10.10.10.2
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

R1#

==============================================

Second sample:

any place

USERS--- INTERNET----ROUTER---LAN

aaa new-model
!
!
aaa authentication login vpnauthen local
aaa authorization network vpnautho local
!
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CANOPUS_GROUP
 key c4n0pu5
 domain canopus.com.br
 pool VPN_POOL
 include-local-lan
 split-dns canopus.com.br
 pfs
!
!
crypto ipsec transform-set CLIENT_SET esp-3des esp-md5-hmac
!
crypto dynamic-map CLIENT_MAP 50
 set transform-set CLIENT_SET
 reverse-route
!
!
crypto map CLIENT_VPN client authentication list vpnauthen
crypto map CLIENT_VPN isakmp authorization list vpnautho
crypto map CLIENT_VPN client configuration address respond
crypto map CLIENT_VPN 50 ipsec-isakmp dynamic CLIENT_MAP
!
!
ip local pool VPN_POOL 10.10.254.10 10.10.254.15

Regards.
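Editor's added example (not part of the thread, and not Cisco code): the two sample configs above are lab samples, and a reviewer would flag several things in them before copying them to a production 1841. The Python audit below reads a flattened `show run` dump such as the ones pasted here (indentation lost, so it tracks blocks by statement order) and reports the pre-shared key `cisco`, the 3DES and MD5 transforms, `ip http server`, the reversible `password` on the vty lines, and the settings the site-to-site policy 10 never sets and therefore inherits from the documented IOS ISAKMP defaults (DES encryption and Diffie-Hellman group 1). The embedded configs are constructed, condensed copies of the two samples; the function name `audit_ios_config` and the finding codes are this example's own.

```python
"""Audit a flattened IOS 'show run' for weak IKE/IPsec settings and default secrets.

Constructed for this thread, not Cisco code. The pasted configs lost their indentation,
so block membership is tracked by statement order rather than by leading spaces."""
import re

# Cisco-documented ISAKMP policy defaults: settings a policy leaves unset fall back to these.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
DEFAULT_SECRETS = {"cisco", "password", "admin"}
# A line matching this starts a new top-level statement and closes whatever block we were in.
TOP_LEVEL = re.compile(r"^(!|crypto |interface |ip |router |line |aaa |hostname |version |end$|enable |no |service )")


def audit_ios_config(text):
    """Return [(code, message), ...] for one router's configuration text."""
    findings = []
    policies = {}  # isakmp policy number -> {setting: value} explicitly configured
    block = None   # ("policy", number) or ("vty", header line) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TOP_LEVEL.match(line):
            block = None
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            block, policies[m.group(1)] = ("policy", m.group(1)), {}
            continue
        if line.startswith("line vty"):
            block = ("vty", line)
            continue
        if block and block[0] == "policy":
            setting, _, value = line.partition(" ")
            policies[block[1]][setting] = value
        elif block and block[0] == "vty" and line.startswith("password "):
            # 'password' (unlike 'secret') is stored reversibly; a default value makes it worse.
            default = line.split()[-1].lower() in DEFAULT_SECRETS
            findings.append(("vty-plain-password", f"{block[1]}: reversible login password"
                             + (" with a default value" if default else "")))
        m = re.match(r"crypto isakmp key (\S+) address (\S+)", line)
        if m and m.group(1).lower() in DEFAULT_SECRETS:
            findings.append(("psk-default", f"ISAKMP pre-shared key for peer {m.group(2)} is a default value"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m and (weak := sorted(set(m.group(2).split()) & WEAK_TRANSFORMS)):
            findings.append(("ipsec-weak-transform", f"transform-set {m.group(1)} uses {', '.join(weak)}"))
        if line == "ip http server":
            findings.append(("http-mgmt", "cleartext HTTP management is enabled"))
        if line == "no service password-encryption":
            findings.append(("password-encryption-off", "line passwords are stored in cleartext"))
    # Judge each IKE phase-1 policy with IOS defaults filled in for settings it does not mention.
    for num, cfg in sorted(policies.items(), key=lambda kv: int(kv[0])):
        effective = {**ISAKMP_DEFAULTS, **cfg}
        for setting, weak_set, code in (("encr", WEAK_ENCR, "ike-weak-encr"),
                                        ("hash", WEAK_HASH, "ike-weak-hash"),
                                        ("group", WEAK_DH_GROUPS, "ike-weak-dh")):
            if effective[setting] in weak_set:
                origin = "configured" if setting in cfg else "IOS default, not configured"
                findings.append((code, f"isakmp policy {num}: {setting} {effective[setting]} ({origin})"))
    return findings


# Constructed sample: the thread's site-to-site config (R0), condensed to the relevant lines.
SITE_TO_SITE = """
no service password-encryption
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
!
ip http server
!
line vty 0 4
password cisco
"""
# Constructed sample: the thread's remote-access (client) config, condensed.
REMOTE_ACCESS = """
crypto isakmp policy 50
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group CANOPUS_GROUP
key c4n0pu5
!
crypto ipsec transform-set CLIENT_SET esp-3des esp-md5-hmac
"""

if __name__ == "__main__":
    for name, cfg in (("site-to-site", SITE_TO_SITE), ("remote-access", REMOTE_ACCESS)):
        print(f"== {name} ==")
        for code, msg in audit_ios_config(cfg):
            print(f"[{code}] {msg}")
```

Running it against the two condensed samples reports seven findings for the site-to-site router and three for the remote-access one; a policy that states `encr aes 256`, `hash sha256` and `group 14` with an `esp-aes 256 esp-sha256-hmac` transform-set, a long random pre-shared key, `service password-encryption` and HTTPS-only management comes back clean. The point the audit makes explicit is that an ISAKMP policy only shows the settings you typed, so a policy 10 that looks harmless in `show run` is actually negotiating DES with DH group 1.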

DialerString_2 Fri, 03/26/2010 - 12:56

Wait... Steve, are you setting up a site-to-site VPN or are you doing remote access (client)? What devices do you have on each side? If one side is DHCP you can use Dynamic VPN to establish a connection. I have a VPN set up over ADSL and can send you a sample config.
