07-18-2003 06:55 AM - edited 02-21-2020 12:40 PM
Hi,
I have a Cisco 837 at HQ and a Cisco 827H at the branch office. The Cisco 837 was set up for the Easy VPN client so that remote users could connect.
With the Cisco 837 I want to set up a site-to-site VPN.
I succeeded in this through the EzVPN hardware client.
However, there are some disadvantages.
1. Because of the configuration at HQ for the Easy VPN clients with Xauth, the site-to-site VPN also has to authenticate. Is there a way that this is not needed?
2. I let the user set up the VPN connection by CRWS (so he needs to log in to the router with a level 15 account).
Every time the VPN connection is set up, CRWS removes NAT, so he cannot access the internet.
3. The VPN connection shuts down after 60 min of inactivity. Is there a way to extend this?
This is the setup at the branch office (827H):
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxxxxx
!
logging queue-limit 100
logging buffered 4096 informational
enable secret secretpass
!
username xxxxxx xxxxx
ip subnet-zero
ip name-server 10.1.1.10
ip name-server 195.238.2.21
ip name-server 195.238.2.22
ip dhcp excluded-address 10.1.3.254
!
ip dhcp pool CLIENT
import all
network 10.1.3.0 255.255.255.0
default-router 10.1.3.254
lease 0 2
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
crypto ipsec client ezvpn crws-client
connect auto
group xxxxxxx key xxxxxxxxxx
mode network-extension
peer x.x.x.x
!
!
partition flash 2 6 2
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:10.1.3.254-255.255.255.0
ip address 10.1.3.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1348
crypto ipsec client ezvpn crws-client inside
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 8/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1348
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxx
ppp chap password 7 xxxxxxxxx
ppp pap sent-username xxxxx password 7 xxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto ipsec client ezvpn crws-client
!
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
access-list 23 permit 10.1.3.0 0.0.0.255
access-list 102 deny ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.3.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
!
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end
This is the setup at HQ (837):
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
logging buffered 4096 informational
enable secret xxxxxxxxxx
!
username xxxxxx xxxxx
aaa new-model
!
!
aaa authentication login vws group radius local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name xxxxxx
ip name-server 10.1.1.10
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxxxxx (easy vpn clients)
key xxxxxxxx
dns 10.1.1.10
domain xxxxxxxxx
pool ippool
acl 101
!
crypto isakmp client configuration group xxxxxxx (site-to-site vpn)
key xxxxxxxx
dns 10.1.1.10
domain xxxxxxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list vws
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 10.1.1.254 255.255.255.0
ip nat inside
no ip mroute-cache
load-interval 30
no keepalive
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
dsl power-cutback 0
!
interface ATM0.1 point-to-point
ip address x.x.x.x x.x.x.x
ip access-group 111 in
ip nat outside
ip inspect myfw out
pvc 8/35
encapsulation aal5snap
!
crypto map clientmap
!
ip local pool ippool 10.1.2.1 10.1.2.5
ip nat inside source list 102 interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip pim bidir-enable
!
!
ip access-list extended dns-servers
ip access-list extended key-exchange
ip access-list extended save-password
ip access-list extended service
!
logging 10.1.1.10
access-list 1 permit 10.1.1.10
access-list 23 permit 10.1.0.0 0.0.255.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 102 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 102 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.3.0 0.0.0.255 any
access-list 111 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
no cdp run
snmp-server community vwssnmp RO
snmp-server enable traps tty
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key 7 11041C29371C5B5C093A2121
radius-server authorization permit missing Service-Type
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
length 0
transport input ssh
!
scheduler max-task-time 5000
end
07-22-2003 09:13 AM
You've listed 3 disadvantages.
Numbers 1 & 2 can be eliminated if you change your connection from the Client setup to a true Site-to-Site setup. Your hub will allow for both types to exist. However, if you plan on adding more Site-to-Site connectivity you should seriously consider upgrading your Hub end router; an 827 doesn't have much VPN horsepower. Here is a link that will help. http://www.cisco.com/warp/public/707/ios_hub_spoke2.html
Number 3 can be addressed by keeping some recurring traffic on the link, like SNMP polling or a routing protocol. Here is an example of how to set up a routing protocol. http://www.cisco.com/warp/customer/707/gre_ipsec_ospf.html
Using a routing protocol also has nice benefits when you decide to add options like ISDN backup and want to make true routing decisions.
Hope this helps.
~ron
07-23-2003 01:46 AM
Hi Ron,
Thanks for the information. I only have a problem setting up a real site-to-site VPN. Because the router in the branch office receives a dynamic IP address, I have to add on the HQ router something like
crypto isakmp key **** address 0.0.0.0
When I do this, the remote users with the Easy VPN clients cannot connect anymore. I suppose this is because of the 0.0.0.0 (which means everybody, including remote users).
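The following is an added example written for this thread, not configuration from the original poster, from Ron's reply, or from a Cisco document. It shows one way to do what Ron suggests (a true site-to-site tunnel from the 827H alongside the existing Easy VPN clients on the 837) without the side effect described in the follow-up, where a global wildcard pre-shared key applies to every peer. The idea is to scope credentials: the branch router's key lives in a keyring that only a site-to-site ISAKMP profile consults, while XAUTH and mode-config are attached only to a separate profile matched on the Easy VPN group name, so neither population sees the other's authentication rules. It assumes an IOS release with ISAKMP profiles and keyrings (12.2(15)T or later); SPOKE-PSK, EZVPN-GROUP-NAME and HUB-STATIC-IP are placeholders, and the names BRANCH-KEYS, SITE-TO-SITE, EZVPN-CLIENTS, TO-HQ and access-list 120 are chosen here. The names vws, groupauthor, myset, dynmap and clientmap are the ones already in the hub config posted above.

```cisco
! ---------- HQ 837 (hub) ----------
! Added example; assumes ISAKMP profile / keyring support (12.2(15)T+).
! SPOKE-PSK and EZVPN-GROUP-NAME are placeholders.
!
! The branch router's pre-shared key goes into a keyring instead of a global
! "crypto isakmp key ... address 0.0.0.0", so only the profile that
! references this keyring ever uses it.
crypto keyring BRANCH-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key SPOKE-PSK
!
! Profile for the dynamic-address branch router: main mode, PSK from the
! keyring, and no XAUTH, so the 827H is never prompted for a user login.
crypto isakmp profile SITE-TO-SITE
 keyring BRANCH-KEYS
 match identity address 0.0.0.0
!
! Profile for the Easy VPN software clients: matched on the group name they
! send in aggressive mode (an ID_KEY_ID identity, which an address match
! never catches). XAUTH and mode-config are attached here only.
crypto isakmp profile EZVPN-CLIENTS
 match identity group EZVPN-GROUP-NAME
 client authentication list vws
 isakmp authorization list groupauthor
 client configuration address respond
!
! One dynamic-map entry per profile; both hang off the existing clientmap.
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile SITE-TO-SITE
crypto dynamic-map dynmap 20
 set transform-set myset
 set isakmp-profile EZVPN-CLIENTS
!
! The map-level XAUTH/authorization lines move into the client profile.
no crypto map clientmap client authentication list vws
no crypto map clientmap isakmp authorization list groupauthor
no crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! ---------- Branch 827H (spoke) ----------
! Replaces the "crypto ipsec client ezvpn crws-client" hardware-client setup
! (remove that statement from Ethernet0 and Dialer1 first).
! HUB-STATIC-IP stands for the hub's public address ("peer x.x.x.x" above).
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key SPOKE-PSK address HUB-STATIC-IP
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! Interesting traffic is branch LAN to HQ LAN, the same pair that the
! existing access-list 102 already excludes from NAT, so nothing has to
! remove NAT when the tunnel comes up and the user keeps internet access.
access-list 120 permit ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map TO-HQ 10 ipsec-isakmp
 set peer HUB-STATIC-IP
 set transform-set myset
 match address 120
!
! Applied to the PPPoE dialer in place of the EzVPN client statement.
interface Dialer1
 crypto map TO-HQ
```

Which profile a given peer landed in is visible in `debug crypto isakmp` output while the tunnel negotiates, which is the check to run before trusting the separation. On releases without ISAKMP profiles, the narrower fix for disadvantage 1 alone is the `no-xauth` keyword on the wildcard key (`crypto isakmp key SPOKE-PSK address 0.0.0.0 0.0.0.0 no-xauth`), which stops the hub from sending XAUTH to that peer but still leaves a single key shared by every address. On disadvantage 3, the 60-minute figure matches the IOS default IPsec SA lifetime of 3600 seconds; with a crypto map the tunnel is simply rebuilt when interesting traffic reappears, and the recurring traffic Ron describes keeps it from ever sitting idle.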