Multiple VPN profiles on single router

Unanswered Question
Nov 1st, 2005

Currently I have a router that is set up to accept inbound connections from users using the Cisco software VPN client, which is working fine. Now I need to expand this router's capabilities. I need it to support a tunnel to another router as well. The requirements of the new VPN connection are as follows:

Phase-1:
  AES-256
  SHA
  Group 2
  Default Lifetime

Phase-2:
  AES-256
  SHA
  Default Lifetime

What I am looking for is a configuration example. I have no idea what to look for, or even what this is called to search Cisco's site. Any advice is appreciated, I am really new to VPNs.

Thanks much

thisisshanky Tue, 11/01/2005 - 21:54

What does your existing router configuration look like? Do you have a dynamic crypto map configured on the router, which in turn is referenced by a static crypto map? If yes, each static crypto map has an instance number and you can define multiple instances of the same static crypto map, as follows.

aaa new-model
!
aaa authentication login VPN-CLIENTS group radius
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 hash sha
!
crypto ipsec transform-set test-set esp-3des esp-sha-hmac
!
crypto isakmp client configuration group test-vpn-group
 key
 dns
 domain
 pool VPN-POOL
!
crypto dynamic-map test-map 10
 set transform-set test-set
!
crypto map radius-map client authentication list VPN-CLIENTS
crypto map radius-map isakmp authorization list group-auth
crypto map radius-map client configuration address respond
crypto map radius-map 10 ipsec-isakmp dynamic test-map
crypto map radius-map 20 (For site to site vpn)

Crypto instance 20 will define site to site vpn settings, while crypto instance 10 will take care of vpn clients.

HTH

jeffdanderson Wed, 11/02/2005 - 17:26

Not sure what you call the setup that is currently on the router. I pasted the relevant parts below. I am a complete newbie when it comes to VPNs. I have set up a few following some configuration examples, but my understanding is lacking. If you could show me how to integrate the 2 VPNs together, that would be great.

aaa authentication login userauth local
aaa authentication login line line enable
aaa authorization network groupauthor local
aaa session-id common
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
no crypto isakmp ccm
!
crypto isakmp client configuration group mycompanyvpn
 key supersecretvpnkey
 domain mycompany.domain.com
 pool mycompanypool
 acl 105
!
crypto ipsec transform-set mycompanyset esp-3des esp-md5-hmac
!
crypto dynamic-map mycompany-dynamic-map 10
 set transform-set mycompanyset
!
crypto map mycompanymap client authentication list userauth
crypto map mycompanymap isakmp authorization list groupauthor
crypto map mycompanymap client configuration address respond
crypto map mycompanymap 10 ipsec-isakmp dynamic mycompany-dynamic-map
!
interface Serial0/0
 crypto map mycompanymap
!
ip local pool mycompanypool 172.17.0.1 172.17.0.100
!
route-map nonat permit 102
 match ip address 102
!
access-list 102 deny ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
access-list 105 permit ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255

On the other side of the tunnel is the following private network: 10.0.46.0/24. Let's pretend that the VPN peer of the terminating router is 1.2.3.4.

jackko Wed, 11/02/2005 - 18:21

You can pretty much leave the existing config, except ACL 102. The reason being this ACL is used for no NAT, so you need to add the 10.0.46.0/24.

e.g.

! Phase 1: AES-256 / SHA / group 2 (plain "aes" selects 128-bit)
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
 hash sha
!
! Phase 2: AES-256 / SHA
crypto ipsec transform-set newset esp-aes 256 esp-sha-hmac
!
crypto isakmp key
 address 1.2.3.4 no-xauth
!
! ACL 102 is the no-NAT list; ACL 107 selects traffic for the new tunnel
access-list 102 deny ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
access-list 102 deny ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
access-list 107 permit ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
!
crypto map mycompanymap 20 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set newset
 match address 107
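
An IKE negotiation succeeds only when both peers hold a matching proposal, and on IOS `encr aes` or `esp-aes` written without a key size means 128-bit AES, not the AES-256 the original post asks for. The script below is an added example, not code from any poster in this thread: it checks a pasted config against the Phase-1/Phase-2 requirements stated in the question. The defaults table (classic IOS 12.x behaviour), the function names, policy 5 and `strongset` are assumptions made for illustration.

```python
import re
# Values IOS applies when a policy omits the keyword (assumed: classic IOS 12.x defaults).
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
# Requirement from the original post; pre-shared keys assumed, as in the thread's configs.
REQ_P1 = {"encr": "aes 256", "hash": "sha", "group": "2", "authentication": "pre-share"}
REQ_P2 = {"esp-aes 256", "esp-sha-hmac"}
# Constructed sample; policy 5 and "strongset" are made-up entries for the matching case.
SAMPLE = """
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
crypto ipsec transform-set newset esp-aes esp-sha-hmac
crypto ipsec transform-set strongset esp-aes 256 esp-sha-hmac
"""

def parse(config):
    """Return (policies, transform sets); "esp-aes 256" counts as one transform."""
    policies, tsets, cur = {}, {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"crypto isakmp policy (\d+)$", line):
            cur = policies.setdefault(int(m[1]), dict(DEFAULTS))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            tsets[m[1]], cur = set(re.findall(r"[a-z][\w-]*(?: \d+)?", m[2])), None
        elif cur is not None and (m := re.match(r"(encr|hash|group|authentication)\S* (.+)$", line)):
            cur[m[1]] = m[2]
        elif line and line != "!":
            cur = None  # any other command leaves the policy sub-mode
    return policies, tsets

def audit(config):
    """Return [(item, problems)]; an empty problems list means the item meets the requirement."""
    policies, tsets = parse(config)
    out = [(f"isakmp policy {n}", [f"{k}={p[k]} (need {v})" for k, v in REQ_P1.items() if p[k] != v])
           for n, p in sorted(policies.items())]
    out += [(f"transform-set {n}", [f"missing {t}" for t in sorted(REQ_P2 - tsets[n])])
            for n in sorted(tsets)]
    return out

if __name__ == "__main__":
    print("\n".join(f"{i} -> {'; '.join(p) or 'matches requirement'}" for i, p in audit(SAMPLE)))
```

Blank lines between config lines, as in a forum paste, do not end a policy block, so a double-spaced paste can be fed in unchanged.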

jeffdanderson Sat, 11/05/2005 - 18:17

Well, I have added the appropriate commands to the router and the tunnel isn't coming up. It hits the ACL and tries to bring up the tunnel but it fails. I have captured the output from a debug crypto isakmp. If I am reading the debug properly I think the key exchange is failing. I don't have access to the remote end so I want to confirm this before I contact the company supporting the other side. I have attached the output from the debug. Please advise.

I forgot to add the attachment and it won't let me do it after the fact. Please see the next post for the debug output.

Thanks

jackko Sat, 11/05/2005 - 21:27

It would be helpful if you post the latest config.

jeffdanderson Sat, 11/05/2005 - 22:31

See attached. This should be all the relevant info. The actual config is really extensive and I don't want to make it public friendly unless I absolutely have to.

jeffdanderson Tue, 11/08/2005 - 16:57

Nobody has any suggestions? If I can't get this working soon I am going to have to resort to TAC, which I am trying to avoid.

This Discussion

Posted November 1, 2005 at 4:28 PM