03-25-2010 10:14 AM
I have a remote branch I wish to connect to a VPN with our cisco router. Which is the best protocol to do this? How can I set it up?
03-25-2010 10:48 AM
Yes, you can, and you can use IPSec (you need to check that your router's IOS supports IPSec).
Do you need a site-to-site VPN or remote access (client to site)?
03-25-2010 11:53 AM
Show version reports:
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
03-25-2010 12:06 PM
This IOS has no support for IPSec, and you need a device at each site, or users can use a VPN client.
See this link with an example of a VPN config between a router and an ASA: http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml
Regards.
03-25-2010 01:21 PM
What is this ASA? What I've done in the past is used cisco's VPN software on a windows machine to connect to a VPN. Can I not set that up?
The remote site will connect with software to a VPN server enabled on my router. Is this possible? Is this what your link means?
03-25-2010 02:09 PM
This is a sample only, for VPN site-to-site.
Does your remote site have another device (like an ASA, a router or a Linux server)? If yes, this device will connect to the router.
If not, the users can use a VPN client installed on their computers.
Regards.
03-25-2010 02:27 PM
I have a problem with this. It seems my router has no "crypto" command:
(config)#
#crypto ?
EDIT: Our other router, which is the same as this one, has the crypto command. A show version shows that the flash image is different!
Router not working:
System image file is "flash:c1841-ipbase-mz.124-1c.bin"
03-25-2010 03:52 PM
Okay I have just finished updating the image and reconfiguring the router. From the looks of this, I need to generate a key or something. This is a bit confusing... for example the guide mentions hard-coding a static IP address on the client end. My client is DHCP enabled... so is there another way I can configure this?
The "ASA" device... you say that can be any old router? Why is there a CLI shown?
03-26-2010 05:24 AM
See two samples:
SITE A                          SITE B
LAN---ROUTER----INTERNET----ROUTER---LAN
SITE A
R0#sh run
Building configuration...
Current configuration : 1610 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/Uap$KYw5T9RRj2Iqw7YRnybUp.
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
!
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
!
crypto map TESTE_MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set teste_set
match address ACL_VPN
!
!
interface FastEthernet0/0
description Conexao R2 F0/0
ip address 10.10.10.1 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
description Conexao com R1 S1/0
bandwidth 2048
ip address 1.1.1.2 255.255.255.252
serial restart-delay 0
crypto map TESTE_MAP
!
interface Serial1/1
description Conexao com R1 S1/1
ip address 1.1.1.6 255.255.255.252
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 10
log-adjacency-changes
network 1.1.1.0 0.0.0.3 area 0
network 10.10.10.0 0.0.0.3 area 0
!
ip http server
no ip http secure-server
!
!
ip access-list extended ACL_VPN
permit icmp 0.0.0.2 255.255.255.252 host 10.10.10.6
permit icmp host 10.10.10.2 host 10.10.10.6
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
============================================================
SITE B
R1#sh run
Building configuration...
Current configuration : 1571 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$zRJc$5ba6iIHxQzlIVZROagEWa0
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key cisco address 1.1.1.2 255.255.255.252
!
!
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
!
crypto map TESTE_MAP 10 ipsec-isakmp
set peer 1.1.1.2
set transform-set teste_set
match address ACL_VPN
!
!
interface FastEthernet0/0
ip address 10.10.10.5 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
description Conexao com R0 S1/0
bandwidth 2048
ip address 1.1.1.1 255.255.255.252
serial restart-delay 0
crypto map TESTE_MAP
!
interface Serial1/1
description Conexao R0 S1/1
bandwidth 128
ip address 1.1.1.5 255.255.255.252
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
router ospf 10
log-adjacency-changes
network 1.1.1.0 0.0.0.3 area 0
network 1.1.1.4 0.0.0.3 area 0
network 10.10.10.4 0.0.0.3 area 0
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_VPN
permit icmp host 10.10.10.6 host 10.10.10.2
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
login
!
!
end
R1#
==============================================
Second sample:
any place
USERS--- INTERNET----ROUTER---LAN
aaa new-model
!
!
aaa authentication login vpnauthen local
aaa authorization network vpnautho local
!
crypto isakmp policy 50
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group CANOPUS_GROUP
key c4n0pu5
domain canopus.com.br
pool VPN_POOL
include-local-lan
split-dns canopus.com.br
pfs
!
!
crypto ipsec transform-set CLIENT_SET esp-3des esp-md5-hmac
!
crypto dynamic-map CLIENT_MAP 50
set transform-set CLIENT_SET
reverse-route
!
!
crypto map CLIENT_VPN client authentication list vpnauthen
crypto map CLIENT_VPN isakmp authorization list vpnautho
crypto map CLIENT_VPN client configuration address respond
crypto map CLIENT_VPN 50 ipsec-isakmp dynamic CLIENT_MAP
!
!
ip local pool VPN_POOL 10.10.254.10 10.10.254.15
Regards.
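Two things a practitioner would check before pasting these samples into production: which cipher settings the configs actually end up with (an isakmp policy that only sets "authentication pre-share" takes the IOS defaults of DES, SHA and DH group 1), and whether the two peers' crypto ACLs are exact mirrors of each other, since a permit on one side with no reversed permit on the other leaves one direction of traffic outside the tunnel. The script below is an added example, not code from the thread or from Cisco; it parses the crypto-relevant lines of the two site-to-site configs above (copied into SITE_A and SITE_B, re-indented the way IOS prints them) and reports both problems. The 16-character minimum for the pre-shared key is an assumption chosen for the example. The same audit() applies to the remote-access sample's policy 50 (encr 3des, group 2, esp-md5-hmac), each of which it would flag.

```python
import re

# Constructed input: the crypto-relevant lines of the two site-to-site configs
# posted above (R0 = site A, R1 = site B), re-indented the way IOS prints them.
SITE_A = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
crypto map TESTE_MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set teste_set
 match address ACL_VPN
ip access-list extended ACL_VPN
 permit icmp 0.0.0.2 255.255.255.252 host 10.10.10.6
 permit icmp host 10.10.10.2 host 10.10.10.6
"""
SITE_B = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.2 255.255.255.252
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
crypto map TESTE_MAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set teste_set
 match address ACL_VPN
ip access-list extended ACL_VPN
 permit icmp host 10.10.10.6 host 10.10.10.2
"""

WEAK_ENCR = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH = {"1", "2", "5"}
MIN_PSK_LEN = 16  # assumed policy threshold for this example


def parse(config):
    """Group an IOS config into {top-level line: [its indented sub-lines]}."""
    blocks, header = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks[header] = []
    return blocks


def audit(config):
    """List weak crypto settings, applying the IOS defaults (DES, SHA, DH
    group 1) for anything an isakmp policy leaves unset."""
    findings = []
    for header, lines in parse(config).items():
        words = header.split()
        if header.startswith("crypto isakmp policy"):
            s = {"encr": "des", "hash": "sha", "group": "1"}
            s.update(l.split(None, 1) for l in lines if l.split()[0] in s)
            for key, weak in (("encr", WEAK_ENCR), ("hash", WEAK_HASH), ("group", WEAK_DH)):
                if s[key] in weak:
                    findings.append(f"{header}: {key} {s[key]}")
        elif header.startswith("crypto ipsec transform-set"):
            findings += [f"{words[3]}: transform {t}" for t in words[4:] if t in WEAK_ENCR | WEAK_HASH]
        elif header.startswith("crypto isakmp key") and len(words[3]) < MIN_PSK_LEN:
            findings.append(f"pre-shared key for {words[5]} is only {len(words[3])} characters")
    return findings


def endpoint(t):
    """Consume one ACL endpoint (host X | any | X wildcard); return (text, rest)."""
    if t[0] == "host":
        return t[1] + "/0.0.0.0", t[2:]
    if t[0] == "any":
        return "any", t[1:]
    return t[0] + "/" + t[1], t[2:]


def crypto_acl(blocks):
    """Return the (proto, src, dst) triples of the ACL the crypto map matches on."""
    acl = next(l.split()[2] for h, ls in blocks.items() if h.startswith("crypto map")
               for l in ls if l.startswith("match address "))
    triples = set()
    for line in blocks.get(f"ip access-list extended {acl}", []):
        t = line.split()
        if t[0] == "permit":
            src, rest = endpoint(t[2:])
            dst, _ = endpoint(rest)
            triples.add((t[1], src, dst))
    return triples


def mirror_check(cfg_a, cfg_b):
    """Each permit on A must appear on B with source and destination swapped,
    otherwise one direction of traffic is not matched into the tunnel."""
    acl_a = crypto_acl(parse(cfg_a))
    mirrored_b = {(p, d, s) for p, s, d in crypto_acl(parse(cfg_b))}
    return ([f"A: {e} has no mirror on B" for e in sorted(acl_a - mirrored_b)] +
            [f"B: mirror of {e} missing on A" for e in sorted(mirrored_b - acl_a)])


if __name__ == "__main__":
    for name, cfg in (("SITE A", SITE_A), ("SITE B", SITE_B)):
        print(name, *audit(cfg), sep="\n  ")
    print("mirror check", *mirror_check(SITE_A, SITE_B), sep="\n  ")
```

Run against the two configs, audit() flags the default DES encryption and DH group 1 of policy 10, the esp-3des transform and the 5-character pre-shared key on both routers, and mirror_check() reports that site A's first permit (the 0.0.0.2 network entry) has no reversed counterpart on site B. Setting "encr aes", "hash sha", "group 14" explicitly in the isakmp policy and an AES transform set would clear the cipher findings; the ACL finding is cleared by writing the same networks on both sides with source and destination swapped.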
03-26-2010 07:32 AM
I wonder if you are just trying to set up the router so a PC running the VPN client can connect. Here is an example of how to set that up. HTH
03-26-2010 12:56 PM
Wait... Steve are you setting up a site-to-site vpn or are you doing a remote-access (client)? What devices do you have on each side? If one side is DHCP you can use Dynamic VPN to establish a connection. I have vpn setup over ADSL and can send you a sample config.