vpn

carl_townshend

How would I set up a simple VPN between two 1700 routers in my home lab? I would like to set up a proper VPN, not an IPsec tunnel, that is if there is any difference?

4 Replies

JASON WELCH
Level 1

I have a 1760 that I LAN-to-LAN (IPsec tunnel) into another gateway. Below are the sections of my config that pertain to the tunnel:

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key blahblah address a.b.c.d no-xauth
!
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
!
crypto map to_vpn 10 ipsec-isakmp
 set peer a.b.c.d
 set transform-set to_vpn
 match address 100
!
interface Ethernet1/0
 ip address w.x.y.z 255.255.255.0
 crypto map to_vpn
!
access-list 100 remark LAN2LAN Match Address
access-list 100 permit ip w.x.y.z 0.0.0.255 a.b.c.d 0.0.255.255

Duplicate this config on both 1700s, changing the information where applicable, and you should be good to go.

HTH,

Jason

Hi Jason

If possible I would be very grateful if you could tell me what the different statements mean on this configuration.

Thanks

Carl

You bet:

crypto isakmp policy 1
---This command creates the ISAKMP policy '1'---

hash md5
---This command sets the crypto hash to 'md5'---

authentication pre-share
---This command sets the tunnel authentication type to 'pre-share' (since we are using a key)---

crypto isakmp key blahblah address a.b.c.d no-xauth
---This command sets the ISAKMP key for your peer to 'blahblah' (it can be anything you want, you just have to match it on the other side of the tunnel)---

!
crypto ipsec transform-set to_vpn esp-des esp-md5-hmac
---This command sets the IPsec transform set named 'to_vpn' (it can be any name you want). These transform sets are the encryption and hash types allowed for this tunnel; i.e. 3des, des, md5, etc. These transform-sets have to match on both sides of the tunnel---

!
crypto map to_vpn 10 ipsec-isakmp
---This command creates the crypto map 'to_vpn'; it can be any name you choose. 10 is the map sequence number and ipsec-isakmp is the type of crypto map---

set peer a.b.c.d
---This is your set statement for the peer; you configure this with the IP address of your router at the other end of the tunnel---

set transform-set to_vpn
---This command sets the transform set to the above configured transform-set 'to_vpn'---

match address 100
---This is the map match statement that applies the above set statements to what matches the ACL created below---

!
interface Ethernet1/0
ip address w.x.y.z 255.255.255.0
---IP address of your outside interface---

crypto map to_vpn
---This is your router's external interface config. The 'crypto map to_vpn' statement applies the crypto map 'to_vpn' to the outside interface of your router---

!
access-list 100 remark LAN2LAN Match Address
access-list 100 permit ip w.x.y.z 0.0.0.255 a.b.c.d 0.0.255.255
---This is an ACL that the crypto map uses to match what addresses to 'tunnel'. This is an advanced ACL so it has to match source and destination---

Also, here is a link that may help you if you want to do dynamic client tunnels as well as lan2lan tunnels: http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a00800949ef.shtml#configs

and another

http://www.cisco.com/en/US/customer/products/ps6350/products_configuration_guide_chapter09186a008049d04c.html

HTH,

Jason
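Added worked example (editor's, not Jason's config and not a Cisco-published one): the two posts above spread the same fragment over both routers with placeholders, so here is what the complete, mirrored pair looks like once the placeholders are filled in. All addressing is constructed for a lab: R1's outside Ethernet1/0 is 203.0.113.1/24 with LAN 192.168.1.0/24 behind FastEthernet0, R2's outside is 203.0.113.2/24 with LAN 192.168.2.0/24, and both outside ports sit on the same lab segment. The pre-shared key is a placeholder to change. The algorithms are my choice, not the thread's: the posted esp-des esp-md5-hmac set and the policy's default DES encryption and DH group 1 will bring the tunnel up just as well, but DES/MD5/group 1 are weak by today's standards, so the example uses AES-256, SHA and group 14; this assumes an IOS image on the 1700 that supports them (older images do not, in which case fall back to esp-3des esp-sha-hmac and group 2). The crypto ACL here matches the two inside subnets, with source and destination swapped on R2, which is the "changing the information where applicable" step in the first post.

```cisco
! ===== R1 =====
! Constructed lab addressing (assumption, not from the thread):
!   Ethernet1/0 (outside) 203.0.113.1/24, FastEthernet0 (inside) 192.168.1.0/24
!   peer R2 outside 203.0.113.2, peer LAN 192.168.2.0/24
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! The key is bound to the peer's outside address and must be identical on both routers.
crypto isakmp key Lab-PSK-change-me address 203.0.113.2 no-xauth
!
crypto ipsec transform-set to_vpn esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map to_vpn 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set to_vpn
 set pfs group14
 match address 100
!
interface Ethernet1/0
 ip address 203.0.113.1 255.255.255.0
 crypto map to_vpn
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
!
! Crypto ACL: local LAN as source, remote LAN as destination.
access-list 100 remark LAN2LAN Match Address
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! The packets must be routed out Ethernet1/0 for the crypto map to see them.
ip route 192.168.2.0 255.255.255.0 203.0.113.2

! ===== R2 (mirror image of R1) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key Lab-PSK-change-me address 203.0.113.1 no-xauth
!
crypto ipsec transform-set to_vpn esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map to_vpn 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set to_vpn
 set pfs group14
 match address 100
!
interface Ethernet1/0
 ip address 203.0.113.2 255.255.255.0
 crypto map to_vpn
!
interface FastEthernet0
 ip address 192.168.2.1 255.255.255.0
!
! Source and destination swapped relative to R1's ACL 100.
access-list 100 remark LAN2LAN Match Address
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip route 192.168.1.0 255.255.255.0 203.0.113.1

! ===== Verify from R1 =====
! A ping sourced from the inside address matches ACL 100 and triggers IKE;
! a ping from the outside address does not and will go out in the clear.
! R1# ping 192.168.2.1 source 192.168.1.1
! R1# show crypto isakmp sa      -> one entry for 203.0.113.2 in state QM_IDLE
! R1# show crypto ipsec sa       -> #pkts encaps and #pkts decaps both increasing
! R1# show crypto map            -> peer, transform set and ACL as configured above
```

If phase 1 never reaches QM_IDLE, compare the isakmp policy and key on both routers first; if phase 1 is up but the ipsec sa shows no encaps, the crypto ACLs are not mirror images or the traffic is not being routed out the interface that carries the crypto map.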

Thanks a million for that!!

Carl