Multiple VPN profiles on single router

Unanswered Question
Nov 1st, 2005

Currently I have a router that is set up to accept inbound connections from users using the Cisco software VPN client, which is working fine. Now I need to expand this router's capabilities. I need it to support a tunnel to another router as well. The requirements of the new VPN connection are as follows:


Phase-1:
AES-256
SHA
Group 2
Default Lifetime

Phase-2:
AES-256
SHA
Default Lifetime


What I am looking for is a configuration example. I have no idea what to look for, or even what this is called to search Cisco's site. Any advice is appreciated; I am really new to VPNs.


Thanks much


thisisshanky Tue, 11/01/2005 - 21:54

What does your existing router configuration look like? Do you have a dynamic crypto map configured on the router, which in turn is referenced by a static crypto map? If yes, each static crypto map entry has an instance (sequence) number and you can define multiple instances of the same static crypto map, as follows.



aaa new-model
!
aaa authentication login VPN-CLIENTS group radius
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 hash sha
!
crypto ipsec transform-set test-set esp-3des esp-sha-hmac
!
crypto isakmp client configuration group test-vpn-group
 key
 dns
 domain
 pool VPN-POOL
!
crypto dynamic-map test-map 10
 set transform-set test-set
!
crypto map radius-map client authentication list VPN-CLIENTS
crypto map radius-map isakmp authorization list group-auth
crypto map radius-map client configuration address respond
crypto map radius-map 10 ipsec-isakmp dynamic test-map
!
crypto map radius-map 20 (For site to site vpn)


Crypto map instance 20 will define the site-to-site VPN settings, while instance 10 will take care of the VPN clients.


HTH

jeffdanderson Wed, 11/02/2005 - 17:26

Not sure what you call the setup that is currently on the router. I pasted the relevant parts below. I am a complete newbie when it comes to VPNs. I have set up a few following some configuration examples, but my understanding is lacking. If you could show me how to integrate the two VPNs together, that would be great.



aaa authentication login userauth local
aaa authentication login line line enable
aaa authorization network groupauthor local
aaa session-id common
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
no crypto isakmp ccm
!
crypto isakmp client configuration group mycompanyvpn
 key supersecretvpnkey
 domain mycompany.domain.com
 pool mycompanypool
 acl 105
!
crypto ipsec transform-set mycompanyset esp-3des esp-md5-hmac
!
crypto dynamic-map mycompany-dynamic-map 10
 set transform-set mycompanyset
!
crypto map mycompanymap client authentication list userauth
crypto map mycompanymap isakmp authorization list groupauthor
crypto map mycompanymap client configuration address respond
crypto map mycompanymap 10 ipsec-isakmp dynamic mycompany-dynamic-map
!
interface Serial0/0
 crypto map mycompanymap
!
ip local pool mycompanypool 172.17.0.1 172.17.0.100
!
route-map nonat permit 102
 match ip address 102
!
access-list 102 deny ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
!
access-list 105 permit ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255



On the other side of the tunnel is the following private network: 10.0.46.0/24. Let's pretend that the VPN peer of the terminating router is 1.2.3.4.


jackko Wed, 11/02/2005 - 18:21

You can pretty much leave the existing config, except ACL 102. The reason being this ACL is used for no-NAT, so you need to add the 10.0.46.0/24.


e.g.

crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 hash sha
!
crypto ipsec transform-set newset esp-aes esp-sha-hmac
!
crypto isakmp key
 address 1.2.3.4 no-xauth
!
access-list 102 deny ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
access-list 102 deny ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
!
access-list 107 permit ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
!
crypto map mycompanymap 20 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set newset
 match address 107

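The following is an added, editor-written merge of the two configurations above into one complete set of IOS commands; it is not from any post in this thread. It differs from the reply above in two respects worth knowing about. First, the original requirement is AES-256, and on IOS `encr aes` and `esp-aes` without a key size select 128-bit AES, so the example spells out `encr aes 256` and `esp-aes 256`. Second, Cisco recommends that the dynamic crypto map entry carry the highest sequence number so it is evaluated last, so the static site-to-site entry is numbered 10 and the dynamic entry is renumbered to 20 (if you keep the existing dynamic entry at 10, give the static entry a lower number instead). The pre-shared key value and the inside host addresses are placeholders.

```cisco
! Phase 1. Policy 2 is evaluated before policy 3, so the site-to-site
! peer matches AES-256/SHA/group 2 first; the existing client policy stays.
! lifetime 86400 is the IOS default and is shown only for clarity.
crypto isakmp policy 2
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
! Pre-shared key for the remote router (placeholder value). no-xauth is
! required: this crypto map carries "client authentication list", and
! without no-xauth the router would try to Xauth the peer router and
! Phase 1 would never finish.
crypto isakmp key REPLACE-WITH-SITE-KEY address 1.2.3.4 no-xauth
!
! Existing software-client group, unchanged.
crypto isakmp client configuration group mycompanyvpn
 key supersecretvpnkey
 domain mycompany.domain.com
 pool mycompanypool
 acl 105
!
! Phase 2. The old 3DES/MD5 set serves the software clients; the new
! AES-256/SHA set serves the site-to-site tunnel. IPsec SA lifetime is
! left at the IOS default (3600 s / 4608000 KB).
crypto ipsec transform-set mycompanyset esp-3des esp-md5-hmac
crypto ipsec transform-set site2site-set esp-aes 256 esp-sha-hmac
!
crypto dynamic-map mycompany-dynamic-map 10
 set transform-set mycompanyset
!
! One crypto map, two entries. Static site-to-site entry first (seq 10),
! dynamic client entry last (seq 20).
crypto map mycompanymap client authentication list userauth
crypto map mycompanymap isakmp authorization list groupauthor
crypto map mycompanymap client configuration address respond
crypto map mycompanymap 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set site2site-set
 match address 107
crypto map mycompanymap 20 ipsec-isakmp dynamic mycompany-dynamic-map
!
interface Serial0/0
 crypto map mycompanymap
!
ip local pool mycompanypool 172.17.0.1 172.17.0.100
!
! NAT exemption: traffic to the client pool AND to the remote site must
! bypass NAT, otherwise it never matches the crypto ACL.
access-list 102 deny   ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
access-list 102 deny   ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
!
! Split-tunnel ACL pushed to the software clients, unchanged.
access-list 105 permit ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
!
! Crypto ACL for the site-to-site tunnel. The peer's crypto ACL must be
! the exact mirror image: 10.0.46.0/24 -> 10.11.12.0/24.
access-list 107 permit ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
!
route-map nonat permit 102
 match ip address 102
```

Both ends must agree on every Phase 1 attribute (encryption, hash, DH group, authentication method) and on the Phase 2 transform set and proxy identities; the remote administrator needs the same AES-256/SHA/group 2 policy, the same pre-shared key, and the mirrored crypto ACL.
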
jeffdanderson Sat, 11/05/2005 - 18:17

Well, I have added the appropriate commands to the router and the tunnel isn't coming up. It hits the ACL and tries to bring up the tunnel but it fails. I have captured the output from a debug crypto isakmp. If I am reading the debug properly, I think the key exchange is failing. I don't have access to the remote end, so I want to confirm this before I contact the company supporting the other side. I have attached the output from the debug. Please advise.


I forgot to add the attachment and it won't let me do it after the fact. Please see the next post for the debug output.


Thanks


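The debug output referred to above was never posted, so the actual failure cannot be read from this thread. As an added, editor-written checklist (not from any participant), these are the IOS commands a practitioner would run on the router in the configuration above to separate a Phase 1 failure from a Phase 2 failure before involving the remote side. The inside host address used to trigger the tunnel is a placeholder.

```cisco
! Generate interesting traffic from an address inside ACL 107; traffic
! sourced from anywhere else never triggers the crypto map entry.
ping 10.0.46.1 source 10.11.12.1
!
! Phase 1 state. QM_IDLE means Phase 1 completed. MM_NO_STATE that never
! progresses means the peer is not answering (routing, filtering, or no
! matching policy on the far end); stuck at MM_KEY_EXCH with retransmits
! is the classic symptom of a pre-shared key mismatch in main mode.
show crypto isakmp sa
!
! Confirm what this router actually offers and which key it has bound to
! 1.2.3.4 (and that no-xauth is set on it).
show crypto isakmp policy
show crypto isakmp key
!
! Phase 2 state. If #pkts encaps grows while #pkts decaps stays at 0, the
! far end accepts the SA but never returns traffic, which usually points
! to a crypto ACL or routing mismatch on the remote router.
show crypto ipsec sa peer 1.2.3.4
!
! Debug a fresh negotiation rather than a half-dead one.
debug crypto isakmp
debug crypto ipsec
clear crypto isakmp
clear crypto sa peer 1.2.3.4
!
! Turn debugging off when done; isakmp debugging is verbose on a busy router.
undebug all
```

In `debug crypto isakmp`, a Phase 1 proposal rejected by this router is reported with "atts are not acceptable", and in `debug crypto ipsec` a Phase 2 proxy-identity (crypto ACL) mismatch is reported with "proxy identities not supported". A key mismatch produces no such explicit line in main mode; it shows up as the exchange stalling and retransmitting at MM_KEY_EXCH until the SA is deleted.
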
jackko Sat, 11/05/2005 - 21:27

It would be helpful if you post the latest config.

jeffdanderson Sat, 11/05/2005 - 22:31

See attached. This should be all the relevant info. The actual config is really extensive and I don't want to make it public-friendly unless I absolutely have to.




jeffdanderson Tue, 11/08/2005 - 16:57

Nobody has any suggestions? If I can't get this working soon I am going to have to resort to TAC, which I am trying to avoid.
