need help with vpn with ipsec56 on cisco router 2620

koreantiger
Level 1

Has anybody set up a VPN with IPsec on a 2620 router without a PIX or concentrator? If yes, could you please give me some help or advice on what to use and how to configure the router? I'm getting access to IOS 12.2.4T soon and will be using VPN Client 3.0....

7 Replies

wjulia
Level 1

At the moment, the VPN 3.0 client is expected to work with a minimum of 12.2(7)T code which is not available yet. As for sample configurations, when the code is released, this should be available from the TAC or on the CCO sample configurations page.

tkersnick
Level 1

I have done that with 2621's and 2610's. It is simple, here is a sample config for a real easy time:

!
!
....
crypto isakmp policy 1
 encr 3des
 ! default is 56-bit DES if you leave this line out
 authentication pre-share
 group 2
crypto isakmp key
...
crypto ipsec transform-set vpn1 [esp-des or esp-3des] esp-sha-hmac
...
crypto map vpn 1 ipsec-isakmp
 set peer
 set transform-set vpn1
 match address 101
...
interface FastEthernet0/0
 ip address
 no ip redirects
 speed 10
 half-duplex
 crypto map test
...
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip host host
------------

And that is it. Simply do that on both routers and you will have a tunnel. Make sure that you use the same passwords on both ends. The last access-list entry is put in place to help you troubleshoot problems using an extended ping with the source interface IP. If you get a valid ping on the other end, your tunnel is UP! Also, keep in mind that debug commands are available to help you. If you need further help, I can be made available depending on arrangements. Good luck and let me know how it turns out.

tkersnick, please send me an e-mail with your contact information or e-mail address so I can see what the arrangement is.....

Why is it that most examples use "authentication pre-share"?

This is BAD. It's perfectly fine for testing to see if your setup works, but if your environment has the need for the security of IPSec, then you should be securing your keys properly.

With pre-shared strings, anyone sniffing your network or with access to your config backups can see your encryption key.

Also, it's not uncommon to have a router fail in a very remote location and you find yourself having to talk a low-level person through configuring it. Do you really want to read your crypto key off over the phone?

I would strongly recommend instead that people use "authentication rsa-encr" which uses manually shared (thus no PKI) RSA key-pairs. You can send them through email.
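The sample config earlier in the thread and the pre-shared-key reply above both come down to the same thing: two routers have to agree on every piece of the tunnel, and a single mismatch (the `crypto map test` typo, a key that differs, an ACL that is not the mirror of the other side) keeps it down. The following is an added example, not code from this thread or from Cisco: a Python pre-flight check that parses two constructed IOS configs and reports what would stop IKE and IPsec from negotiating. Everything in the configs is assumed for illustration: RFC 5737 addresses 203.0.113.1 and 203.0.113.2, LANs 10.1.0.0/16 and 10.2.0.0/16, a placeholder key `s3cr3t-psk`, crypto map `vpn`, transform set `vpn1` and ACL 101, with Router B reproducing the posted `crypto map test` typo. It checks that the map applied on the interface exists, that `set peer` points at the far end, that the pre-shared key and ISAKMP policy agree, that the transform sets match, that the crypto ACLs are mirror images, and, in the spirit of the reply above, flags a pre-share Phase 1 as a warning.

```python
"""Pre-flight consistency check for two IOS site-to-site IPsec configs. Added example, not
code from the thread: both configs are built from one template with RFC 5737 addresses;
the key, the "vpn" map name, "vpn1" transform set and interface are placeholders."""
from types import SimpleNamespace

SITE = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key s3cr3t-psk address {peer}
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto map vpn 1 ipsec-isakmp
 set peer {peer}
 set transform-set vpn1
 match address 101
interface FastEthernet0/0
 ip address {local} 255.255.255.252
 crypto map {applied}
access-list 101 permit ip {lan} 0.0.255.255 {peer_lan} 0.0.255.255
access-list 101 permit ip host {local} host {peer}
"""
ROUTER_A = SITE.format(local="203.0.113.1", peer="203.0.113.2", lan="10.1.0.0", peer_lan="10.2.0.0", applied="vpn")
# Router B reproduces the typo from the thread: the interface applies "test" but the map is named "vpn".
ROUTER_B = SITE.format(local="203.0.113.2", peer="203.0.113.1", lan="10.2.0.0", peer_lan="10.1.0.0", applied="test")
ROUTER_B_FIXED = ROUTER_B.replace(" crypto map test", " crypto map vpn")

# What IOS assumes for an isakmp policy sub-command you leave out (the "56DES" default the thread mentions).
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
MAP_FIELDS = {"peer": "peer", "transform-set": "tset", "address": "acl"}   # set peer / set transform-set / match address


def _addr(tok, i):
    """Decode one extended-ACL address spec at tok[i] ("host X" or "X wildcard"); return (addr, wildcard, next index)."""
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse(text):
    """Extract policies, psk (peer -> key), tsets, maps, acls and the map name/address on the crypto interface."""
    cfg, ctx = SimpleNamespace(policies={}, psk={}, tsets={}, maps={}, acls={}, local_ip="", applied_map=""), None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if not raw.startswith(" "):                        # top-level command: opens a new context
            ctx = None
            if tok[:3] == ["crypto", "isakmp", "policy"]:
                ctx, cfg.policies[tok[3]] = ("policy", tok[3]), dict(POLICY_DEFAULTS)
            elif tok[:3] == ["crypto", "isakmp", "key"]:    # 12.2 form only: crypto isakmp key <key> address <peer>
                cfg.psk[tok[5]] = tok[3]
            elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg.tsets[tok[3]] = tuple(sorted(tok[4:]))
            elif tok[:2] == ["crypto", "map"] and tok[-1] == "ipsec-isakmp":
                ctx, cfg.maps[tok[2]] = ("map", tok[2]), {}
            elif tok[0] == "interface":
                ctx = ("intf", {})
            elif tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
                src, swc, j = _addr(tok, 4)
                dst, dwc, _ = _addr(tok, j)
                cfg.acls.setdefault(tok[1], set()).add((src, swc, dst, dwc))
        elif ctx and ctx[0] == "policy" and tok[0] in POLICY_DEFAULTS:   # "encr" is how IOS abbreviates it
            cfg.policies[ctx[1]][tok[0]] = tok[1]
        elif ctx and ctx[0] == "map" and len(tok) == 3 and tok[1] in MAP_FIELDS:
            cfg.maps[ctx[1]][MAP_FIELDS[tok[1]]] = tok[2]
        elif ctx and ctx[0] == "intf" and tok[:2] in (["ip", "address"], ["crypto", "map"]):
            ctx[1][tok[0]] = tok[2]                         # "ip" -> address, "crypto" -> applied map name
            if "crypto" in ctx[1]:
                cfg.applied_map, cfg.local_ip = ctx[1]["crypto"], ctx[1].get("ip", "")
    return cfg


def check_pair(a_text, b_text):
    """Findings that keep an IOS-to-IOS tunnel down, plus a warning for a pre-share Phase 1; [] means the ends agree."""
    a, b = parse(a_text), parse(b_text)
    ends, out = (("A", a, b), ("B", b, a)), []
    for name, cfg, other in ends:
        if cfg.applied_map not in cfg.maps:                 # nothing else matters until a real map is attached
            return [f"{name}: interface applies crypto map '{cfg.applied_map}' but only {sorted(cfg.maps)} exist"]
        if cfg.maps[cfg.applied_map].get("peer") != other.local_ip:
            out.append(f"{name}: set peer {cfg.maps[cfg.applied_map].get('peer')} is not the far end ({other.local_ip})")
    if not a.psk.get(b.local_ip) or a.psk.get(b.local_ip) != b.psk.get(a.local_ip):
        out.append("pre-shared key for the peer is missing on one end or differs between the two ends")
    common = [p for p in a.policies.values() if p in b.policies.values()]
    if not common:
        out.append("no ISAKMP policy agrees on encr/hash/authentication/group")
    elif any(p["authentication"] == "pre-share" for p in common):
        out.append("warning: Phase 1 authenticates with a pre-shared key stored in cleartext in both configs")
    ma, mb = a.maps[a.applied_map], b.maps[b.applied_map]
    if a.tsets.get(ma.get("tset")) != b.tsets.get(mb.get("tset")):
        out.append("transform sets referenced by the two crypto maps differ")
    acl_a, acl_b = a.acls.get(ma.get("acl"), set()), b.acls.get(mb.get("acl"), set())
    mirrored = {(d, dw, s, sw) for (s, sw, d, dw) in acl_b}   # B's ACL as it must appear from A's side
    if acl_a != mirrored:
        out.append(f"crypto ACLs are not mirror images; unmatched entries: {sorted(acl_a ^ mirrored)}")
    return out
```

Run against the pair as posted, `check_pair(ROUTER_A, ROUTER_B)` stops at the crypto-map name alone, which is exactly the typo the follow-up reply corrects; nothing else can be judged until the map is really attached to the interface. The corrected pair passes with only the pre-share warning, and dropping the troubleshooting `host`-to-`host` line from one side produces the mirror-image finding. The parser knows only the 12.2-era `crypto isakmp key <key> address <peer>` syntax and numbered extended ACLs with `host` or wildcard addresses, which is all the posted config uses; policies are compared on encr, hash, authentication and group because IOS negotiates lifetime down to the smaller value but requires those four to match.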

tkersnick
Level 1

Sorry, I just noticed a typo. Where I put "set peer" in the configuration, you should put "set peer ". Also under the interface configuration where I put "crypto map test", you should put "crypto map vpn".

Thanks,

--Tim

What you guys have been discussing is an L2L configuration, the sample configuration for which is available here: http://www.cisco.com/warp/customer/707/overload_private.shtml; however, the original question asked about the VPN client 3.x having a tunnel terminated on the router, which is unsupported at the moment.