How can I set up a VPN with 1 cisco router?

sgregory1

I have a remote branch I wish to connect to a VPN with our cisco router.  Which is the best protocol to do this?  How can I set it up?


andre.ortega

Yes, you can. And you can use IPSec (you need to check that your router (IOS) supports IPSec).

Do you need site-to-site VPN or remote access (client to site)?

Show version reports:

Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)

It would be from one site to this one, but there is no Cisco router on the other end.  But this is the only link I need a VPN on.

This IOS does not have support for IPSec, and you need a device for each site, or users can use a VPN client.

See this link with an example of the VPN config between a router and an ASA: http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Regards.

What is this ASA? What I've done in the past is used cisco's VPN software on a windows machine to connect to a VPN.  Can I not set that up?

Remote site will connect with software to VPN server enabled on my router.  Is this possible? Is this what your link is meaning?

This is a sample only, for site-to-site VPN.

Does your remote site have another device (like an ASA, a router or a Linux server)? If yes, this device will connect to the router.

If not, the users can use a VPN client installed on their computers.

Regards.

I have a problem with this.  It seems my router has no "crypto" command:

(config)#     

#crypto ?

% Unrecognized command
(config)#crypto ?
% Unrecognized command

EDIT: Our other router, which is the same as this one, has the crypto command.  A show version notes that the flash image is different!

Router not working:

System image file is "flash:c1841-ipbase-mz.124-1c.bin"

Router crypto is there:
System image file is "flash:c1841-advsecurityk9-mz.124-3g.bin"

Okay I have just finished updating the image and reconfiguring the router.  From the looks of this, I need to generate a key or something.  This is a bit confusing... for example the guide mentions hard-coding a static IP address on the client end.  My client is DHCP enabled... so is there another way I can configure this?

The "ASA" device... you say that can be any old router..? Why is there a CLI shown?

See two samples:

      Site A                                   SITE B

LAN---ROUTER----INTERNET----ROUTER---LAN

SITE A

R0#sh run
Building configuration...

Current configuration : 1610 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/Uap$KYw5T9RRj2Iqw7YRnybUp.
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
!
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
!
crypto map TESTE_MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set teste_set
 match address ACL_VPN
!
!
interface FastEthernet0/0
 description Conexao R2 F0/0
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 description Conexao com R1 S1/0
 bandwidth 2048
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 0
 crypto map TESTE_MAP
!
interface Serial1/1
 description Conexao com R1 S1/1
 ip address 1.1.1.6 255.255.255.252
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 1.1.1.0 0.0.0.3 area 0
 network 10.10.10.0 0.0.0.3 area 0
!
ip http server
no ip http secure-server
!
!
ip access-list extended ACL_VPN
 permit icmp 0.0.0.2 255.255.255.252 host 10.10.10.6
 permit icmp host 10.10.10.2 host 10.10.10.6
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

============================================================

SITE B

R1#sh run
Building configuration...

Current configuration : 1571 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$zRJc$5ba6iIHxQzlIVZROagEWa0
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.2 255.255.255.252
!
!
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
!
crypto map TESTE_MAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set teste_set
 match address ACL_VPN
!
!
interface FastEthernet0/0
 ip address 10.10.10.5 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 description Conexao com R0 S1/0
 bandwidth 2048
 ip address 1.1.1.1 255.255.255.252
 serial restart-delay 0
 crypto map TESTE_MAP
!
interface Serial1/1
 description Conexao R0 S1/1
 bandwidth 128
 ip address 1.1.1.5 255.255.255.252
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 1.1.1.0 0.0.0.3 area 0
 network 1.1.1.4 0.0.0.3 area 0
 network 10.10.10.4 0.0.0.3 area 0
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_VPN
 permit icmp host 10.10.10.6 host 10.10.10.2
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

R1#

==============================================

Second sample:

any place

USERS--- INTERNET----ROUTER---LAN

aaa new-model
!
!
aaa authentication login vpnauthen local
aaa authorization network vpnautho local
!
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CANOPUS_GROUP
 key c4n0pu5
 domain canopus.com.br
 pool VPN_POOL
 include-local-lan
 split-dns canopus.com.br
 pfs
!
!
crypto ipsec transform-set CLIENT_SET esp-3des esp-md5-hmac
!
crypto dynamic-map CLIENT_MAP 50
 set transform-set CLIENT_SET
 reverse-route
!
!
crypto map CLIENT_VPN client authentication list vpnauthen
crypto map CLIENT_VPN isakmp authorization list vpnautho
crypto map CLIENT_VPN client configuration address respond
crypto map CLIENT_VPN 50 ipsec-isakmp dynamic CLIENT_MAP
!
!
ip local pool VPN_POOL 10.10.254.10 10.10.254.15

Regards.
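
An added example (not part of the thread and not Cisco code): a small Python audit of the IKE/IPsec lines in the two sample configurations above. It reports weak parameters, including the ones an ISAKMP policy inherits silently when a line such as `encr` is omitted. The function name `audit` and the weak-list are assumptions of this example.

```python
import re
# Values IOS 12.4 uses when an ISAKMP policy omits the parameter.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
# Assumed weak-list for this example; adjust it to your own crypto standard.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
POLICY_SUBCMD = re.compile(r"(encr|encryption|hash|group|authentication|lifetime)\s+(\S+)")

# Excerpts of the two sample configurations posted above.
SITE_TO_SITE = """
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
"""
REMOTE_ACCESS = """
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set CLIENT_SET esp-3des esp-md5-hmac
"""

def audit(config):
    """List weak IKE/IPsec settings, including defaults that were never typed."""
    findings, policy = [], None  # policy = (number, params) while inside a policy block
    def close_policy():
        if policy is not None:
            for key, value in {**ISAKMP_DEFAULTS, **policy[1]}.items():
                if value in WEAK[key]:
                    origin = "configured" if key in policy[1] else "implicit default"
                    findings.append(f"isakmp policy {policy[0]}: {key} {value} ({origin})")
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line == "!":
            continue
        sub = POLICY_SUBCMD.match(line) if policy else None
        if sub:  # still inside the current policy block
            key = "encr" if sub.group(1) == "encryption" else sub.group(1)
            if key in WEAK:
                policy[1][key] = sub.group(2)
            continue
        close_policy()  # any other command ends the policy block
        start = re.match(r"crypto isakmp policy (\d+)$", line)
        policy = (start.group(1), {}) if start else None
        ts = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        for name in sorted(WEAK_TRANSFORMS & set(ts.group(2).split())) if ts else []:
            findings.append(f"transform-set {ts.group(1)}: {name}")
    close_policy()
    return findings
```

Calling `audit(SITE_TO_SITE)` shows that policy 10, which only sets `authentication pre-share`, negotiates with the DES and group 1 defaults even though neither appears in the configuration.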

I wonder if you are just trying to set up the router so a PC running the VPN client can connect.  Here is an example of how to set that up.  HTH

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bdf.pdf

Wait... Steve, are you setting up a site-to-site VPN or are you doing a remote-access (client)?  What devices do you have on each side? If one side is DHCP you can use Dynamic VPN to establish a connection. I have a VPN set up over ADSL and can send you a sample config.
