11-01-2005 04:28 PM
Currently I have a router that is set up to accept inbound connections from users using the Cisco software VPN client, which is working fine. Now I need to expand this router's capabilities. I need it to support a tunnel to another router as well. The requirements of the new VPN connection are as follows:
Phase-1:
AES-256
SHA
Group 2
Default Lifetime
Phase-2:
AES-256
SHA
Default Lifetime
What I am looking for is a configuration example. I have no idea what to look for, or even what this is called, to search Cisco's site. Any advice is appreciated; I am really new to VPNs.
Thanks much
11-01-2005 09:54 PM
What does your existing router configuration look like? Do you have a dynamic crypto map configured on the router, which in turn is referenced by a static crypto map? If yes, each static crypto map entry has an instance (sequence) number, and you can define multiple instances of the same static crypto map, as follows.
aaa new-model
!
aaa authentication login VPN-CLIENTS group radius
!
! Phase 1 policies: one for the software clients, one for the router peer
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 hash sha
!
! Phase 2 transform set used by the dynamic (client) map
crypto ipsec transform-set test-set esp-3des esp-sha-hmac
!
crypto isakmp client configuration group test-vpn-group
 key
 dns
 domain
 pool VPN-POOL
!
crypto dynamic-map test-map 10
 set transform-set test-set
!
crypto map radius-map client authentication list VPN-CLIENTS
crypto map radius-map isakmp authorization list group-auth
crypto map radius-map client configuration address respond
crypto map radius-map 10 ipsec-isakmp dynamic test-map
! instance 20: site-to-site VPN settings go here
crypto map radius-map 20 ipsec-isakmp
Crypto map instance 20 will define the site-to-site VPN settings, while instance 10 will take care of the VPN clients.
HTH
11-02-2005 05:26 PM
Not sure what you call the setup that is currently on the router. I pasted the relevant parts below. I am a complete newbie when it comes to VPNs. I have set up a few following some configuration examples, but my understanding is lacking. If you could show me how to integrate the two VPNs together, that would be great.
aaa authentication login userauth local
aaa authentication login line line enable
aaa authorization network groupauthor local
aaa session-id common
!
! Phase 1 policy for the software clients
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
no crypto isakmp ccm
!
crypto isakmp client configuration group mycompanyvpn
 key supersecretvpnkey
 domain mycompany.domain.com
 pool mycompanypool
 acl 105
!
crypto ipsec transform-set mycompanyset esp-3des esp-md5-hmac
!
crypto dynamic-map mycompany-dynamic-map 10
 set transform-set mycompanyset
!
crypto map mycompanymap client authentication list userauth
crypto map mycompanymap isakmp authorization list groupauthor
crypto map mycompanymap client configuration address respond
crypto map mycompanymap 10 ipsec-isakmp dynamic mycompany-dynamic-map
!
interface Serial0/0
 crypto map mycompanymap
!
ip local pool mycompanypool 172.17.0.1 172.17.0.100
!
! NAT exemption: client pool traffic is not translated
route-map nonat permit 102
 match ip address 102
!
access-list 102 deny   ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
! split-tunnel ACL pushed to the software clients
access-list 105 permit ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
On the other side of the tunnel is the private network 10.0.46.0/24. Let's pretend that the VPN peer of the terminating router is 1.2.3.4.
11-02-2005 06:21 PM
You can pretty much leave the existing config, except ACL 102. The reason is that this ACL is used for the NAT exemption, so you need to add 10.0.46.0/24 to it.
e.g.
! Phase 1 policy for the router peer
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
 hash sha
!
! Phase 2 transform set for the site-to-site tunnel
crypto ipsec transform-set newset esp-aes esp-sha-hmac
!
crypto isakmp key
!
! NAT exemption: also exempt traffic to the remote site
access-list 102 deny   ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
access-list 102 deny   ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
! crypto ACL: interesting traffic for the site-to-site tunnel
access-list 107 permit ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
!
! static entry for the site-to-site peer, alongside dynamic entry 10
crypto map mycompanymap 20 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set newset
 match address 107
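The following is an added example, not posted by anyone in this thread: the complete integrated configuration that both replies above describe, written against the poster's existing config and the requirement list (AES-256 / SHA / group 2 in phase 1, AES-256 / SHA in phase 2, default lifetimes). Two points differ from the reply above on purpose. First, on IOS `encr aes` and `esp-aes` without a key size mean AES-128, so the 256-bit size is spelled out. Second, the static entry is placed before the dynamic entry in sequence order, which is what Cisco recommends when a crypto map holds both. The pre-shared key string, sequence number 5, the `no-xauth` keyword on the key (needed because `client authentication list` on this crypto map would otherwise prompt the router peer for XAUTH after phase 1), and the host addresses used in the test ping are assumptions for illustration.

```cisco
! ADDED EXAMPLE (not from the thread). Integrates a static site-to-site
! entry into the poster's existing remote-access crypto map "mycompanymap".
! Assumed: pre-shared key value, sequence number 5, ping test addresses.
!
! --- Phase 1 (ISAKMP): AES-256 / SHA / pre-shared key / DH group 2 ---
! "encr aes" alone is AES-128; "encr aes 256" is what the requirement asks for.
! hash sha and lifetime 86400 are IOS defaults, shown so the policy is explicit.
crypto isakmp policy 2
 encr aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Existing client policy 3 (md5 / pre-share / group 2) is left as it is.
!
! Pre-shared key scoped to the router peer only (ASSUMED key string).
! no-xauth: this crypto map carries "client authentication list userauth",
! which would otherwise make IOS demand XAUTH from 1.2.3.4 as if it were a
! software client; the far-end router cannot answer and the tunnel never comes up.
crypto isakmp key S2S-PRESHARED-KEY-CHANGEME address 1.2.3.4 no-xauth
!
! --- Phase 2 (IPsec): AES-256 / SHA, default 3600 s lifetime ---
! "esp-aes" alone is AES-128; "esp-aes 256" matches the requirement.
crypto ipsec transform-set s2s-aes256-sha esp-aes 256 esp-sha-hmac
 mode tunnel
!
! NAT exemption: deny the client pool AND the remote site before the catch-all
! permit, otherwise packets are translated and never match the crypto ACL.
access-list 102 deny   ip 10.11.12.0 0.0.0.255 172.17.0.0 0.0.0.255
access-list 102 deny   ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
!
! Crypto ACL (interesting traffic) for the site-to-site tunnel.
! The far end must mirror this exactly: 10.0.46.0/24 -> 10.11.12.0/24.
access-list 107 permit ip 10.11.12.0 0.0.0.255 10.0.46.0 0.0.0.255
!
! Static entry for the router peer. Sequence 5 is LOWER than the dynamic
! entry's 10: IOS walks crypto map entries in sequence order, and Cisco
! recommends the dynamic (client) entry be the last one so a known static
! peer is matched before the catch-all dynamic template.
crypto map mycompanymap 5 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set s2s-aes256-sha
 match address 107
!
! Existing dynamic entry for the Cisco VPN clients, unchanged.
crypto map mycompanymap 10 ipsec-isakmp dynamic mycompany-dynamic-map
!
interface Serial0/0
 crypto map mycompanymap
!
! --- Verification from exec mode after applying the change ---
! show crypto isakmp policy           policy 2 must list AES-256 / SHA / group 2
! show crypto map                     entry 5 (peer 1.2.3.4) listed before entry 10
! ping 10.0.46.1 source 10.11.12.1    generates interesting traffic (assumed hosts)
! show crypto isakmp sa               state QM_IDLE for 1.2.3.4 = phase 1 done
! show crypto ipsec sa peer 1.2.3.4   #pkts encaps / decaps should both increase
! debug crypto isakmp                 if phase 1 stalls, a "no matching policy"
!                                     or "attribute rejected" line points at a
!                                     proposal mismatch with the far end
```

If the far end is also an IOS router, its `crypto isakmp policy` must offer the same AES-256 / SHA / pre-share / group 2 combination, and its crypto ACL must be the mirror image of ACL 107; any difference in either shows up as a phase 1 or phase 2 proposal mismatch in `debug crypto isakmp` rather than as a key error.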
11-05-2005 06:17 PM
Well, I have added the appropriate commands to the router and the tunnel isn't coming up. It hits the ACL and tries to bring up the tunnel, but it fails. I have captured the output from a debug crypto isakmp. If I am reading the debug properly, I think the key exchange is failing. I don't have access to the remote end, so I want to confirm this before I contact the company supporting the other side. I have attached the output from the debug. Please advise.
I forgot to add the attachment and it won't let me do it after the fact. Please see the next post for the debug output.
Thanks
11-05-2005 06:23 PM
11-05-2005 09:27 PM
It would be helpful if you post the latest config.
11-05-2005 10:31 PM
11-08-2005 04:57 PM
Nobody has any suggestions? If I can't get this working soon I am going to have to resort to TAC, which I am trying to avoid.