10-11-2006 08:51 PM - edited 03-05-2019 12:12 PM
Hi guys,
I'm trying to configure a 2611 router (IOS 12.2) for vpn, so that vpn clients can connect to it.
As of now, my int e0/1 is using the 10.0.0.0/24 subnet, and I also have a dhcp pool that assigns addresses for that same subnet.
Hence, for the pool of addresses that I define for my vpn group, can the addresses overlap with an existing subnet? Or do I have to use an unused subnet?
Please enlighten me.
Thanks in advance.
10-11-2006 10:37 PM
Use a different pool for VPN Clients.
Use the configuration below as a reference:
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
no logging on
!
username gfullage password 7 0201024E070A0E2649
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
!
!--- Keyring that defines wildcard pre-shared key.
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
!--- VPN Client configuration for group "testgroup"
!--- (this name is configured in the VPN Client).
crypto isakmp client configuration group testgroup
 key cisco321
 dns 1.1.1.1 2.2.2.2
 wins 3.3.3.3 4.4.4.4
 domain cisco.com
 pool ippool
!
!--- Profile for VPN Client connections, that matches
!--- the "testgroup" group and defines the Xauth properties.
crypto isakmp profile VPNclient
 description VPN clients profile
 match identity group testgroup
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Two instances of the dynamic crypto map
!--- reference the two previous IPsec profiles.
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
!
!
!--- Crypto-map only references the
!--- instances of the previous dynamic crypto map.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
 description Outside interface
 ip address 10.48.67.181 255.255.255.224
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 description Inside interface
 ip address 10.1.1.1 255.255.254.0
 duplex auto
 speed auto
 no keepalive
!
ip local pool ippool 10.5.5.1 10.5.5.254
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.181
!
!
call rsvp-sync
!
!
dial-peer cor custom
!
!
line con 0
 exec-timeout 0 0
 escape-character 27
line aux 0
line vty 0 4
 password 7 121A0C041104
!
!
end
HTH
--Leon
* Please rate ALL posts.
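A way to check a saved configuration for the overlap discussed in this thread, added here as an example that is not part of the original posts: it compares every `ip local pool` range against the subnets on the router's interfaces. The function name and the `badpool` line in the sample are hypothetical; the other sample lines are taken from the reference configuration above.

```python
import ipaddress
import re

# Constructed sample: interface and pool lines from the reference config above,
# plus one hypothetical pool ("badpool") that overlaps the inside subnet.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.48.67.181 255.255.255.224
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.254.0
ip local pool ippool 10.5.5.1 10.5.5.254
ip local pool badpool 10.1.0.200 10.1.1.50
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
IF_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(rf"^\s*ip address\s+{IP}\s+{IP}")
POOL_RE = re.compile(rf"^ip local pool\s+(\S+)\s+{IP}(?:\s+{IP})?")


def find_pool_overlaps(config_text):
    """Return sorted (pool, interface, subnet) tuples where a pool range
    shares addresses with a subnet configured on an interface."""
    subnets, pools, current_if = [], [], None
    for line in config_text.splitlines():
        if m := IF_RE.match(line):
            current_if = m.group(1)
        elif (m := ADDR_RE.match(line)) and current_if:
            # "address mask" -> network object, e.g. 10.1.0.0/23
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            subnets.append((current_if, net))
        elif m := POOL_RE.match(line):
            low = ipaddress.ip_address(m.group(2))
            high = ipaddress.ip_address(m.group(3) or m.group(2))
            pools.append((m.group(1), low, high))
    hits = set()
    for name, low, high in pools:
        # A low-high range may span several CIDR blocks; test each one.
        for block in ipaddress.summarize_address_range(low, high):
            for ifname, net in subnets:
                if block.overlaps(net):
                    hits.add((name, ifname, str(net)))
    return sorted(hits)


if __name__ == "__main__":
    for pool, ifname, net in find_pool_overlaps(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps {net} on {ifname}")
```

An empty result means every VPN client pool sits outside the directly connected subnets, which is the layout the reply recommends.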
10-12-2006 03:35 AM
Hi.. thanks for your sample config. On my second attempt to fix the error.. it seems that I should have defined a separate address pool, and also, I forgot one line, which is client configuration address respond.
Thanks once again.
p/s sorry for voting 2.0.. couldn't change after I solved the problem.