09-26-2001 12:32 PM - edited 02-21-2020 11:25 AM
Has anybody set up a VPN with IPsec on a 2620 router without a PIX and concentrator? If yes, could you please give me some help or advice on what to use and how to configure the router? I am getting access to IOS 12.2.4T soon and am using VPN Client 3.0....
09-26-2001 04:58 PM
At the moment, the VPN 3.0 client is expected to work with a minimum of 12.2(7)T code which is not available yet. As for sample configurations, when the code is released, this should be available from the TAC or on the CCO sample configurations page.
09-27-2001 10:33 PM
I have done that with 2621s and 2610s. It is simple; here is a sample config for a really easy time:
!
! <...> entries are placeholders to replace with your own values
!
....
crypto isakmp policy 1
 encr 3des
 ! default is 56-bit DES if the encr line is left out
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address <peer-address>
...
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
 ! esp-des can be used in place of esp-3des
...
crypto map vpn 1 ipsec-isakmp
 set peer <peer-address>
 set transform-set vpn1
 match address 101
...
interface FastEthernet0/0
 ip address <interface-address> <mask>
 no ip redirects
 speed 10
 half-duplex
 crypto map vpn
 ! the name applied here must match the crypto map defined above
...
access-list 101 permit ip <local-network> <wildcard> <remote-network> <wildcard>
access-list 101 permit ip <local-network> <wildcard> <remote-network> <wildcard>
access-list 101 permit ip host <interface-address> <remote-network> <wildcard>
------------
And that is it. Simply do that on both routers and you will have a tunnel. Make sure that you use the same passwords on both ends. The last access list entry is put in place to help you troubleshoot problems using an extended PING with the source interface IP. If you get a valid ping on the other end, your tunnel is UP! Also, keep in mind that debug commands are available to help you. If you need further help, I can be made available depending on arrangements. Good luck and let me know how it turns out.
10-01-2001 09:59 AM
tkersnick, please send me an e-mail with your contact information or e-mail address so I can see what the arrangement is.....
10-01-2001 10:48 AM
Why is it that most examples use "authentication pre-share"?
This is BAD. It's perfectly fine for testing to see if your setup works, but if your environment has the need for the security of IPSec, then you should be securing your keys properly.
With pre-shared strings, anyone sniffing your network or with access to your config backups can see your encryption key.
Also, it's not uncommon to have a router fail in a very remote location and you find yourself having to talk a low-level person through configuring it. Do you really want to read your crypto key off over the phone?
I would strongly recommend instead that people use "authentication rsa-encr" which uses manually shared (thus no PKI) RSA key-pairs. You can send them through email.
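The sample config earlier in the thread and the pre-shared-key objection above both come down to things you can check mechanically in a config backup. The following is an added example, not code from the thread or from Cisco: a small linter, `lint_ios_crypto()` (a hypothetical helper), that scans a classic crypto-map IOS config for a pre-shared key stored in the config, single DES (explicit or by the IKE policy default the sample config notes), and a crypto map applied to an interface under a name that was never defined. The two configs it runs over are constructed; the hardened one uses `authentication rsa-encr` with the peer's public key in a pubkey-chain, written in what is assumed to be the classic IOS syntax, with a labelled placeholder instead of real key material.

```python
"""Lint a Cisco IOS crypto-map IPsec config for the problems raised in this thread.

Added example, not from the thread. The two configs below are constructed;
lint_ios_crypto() is a hypothetical helper, not an IOS or Cisco tool.
"""
import re

# Constructed: the thread's crypto-map sample with the IKE default left in
# place, a pre-shared key in the config, single DES, and the 'vpn' vs 'test'
# map name mismatch. Addresses come from the RFC 5737 documentation ranges.
WEAK_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key s3cr3tpass address 192.0.2.2
crypto ipsec transform-set vpn1 esp-des esp-sha-hmac
crypto map vpn 1 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set vpn1
 match address 101
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map test
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""

# Constructed: the same tunnel with manually exchanged RSA keys
# ('authentication rsa-encr', peer public key in a pubkey-chain, assumed to
# follow the classic IOS syntax), 3DES, and a consistent crypto map name.
# The key-string is a labelled placeholder, not real key material.
HARDENED_CONFIG = """\
crypto key pubkey-chain rsa
 addressed-key 192.0.2.2 encryption
  key-string
   <PLACEHOLDER-HEX-OF-PEER-RSA-PUBLIC-KEY>
  quit
crypto isakmp policy 1
 encr 3des
 authentication rsa-encr
 group 2
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto map vpn 1 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set vpn1
 match address 101
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map vpn
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""


def lint_ios_crypto(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    policies = []         # [policy number, encr algorithm or None]
    defined_maps = set()  # names from 'crypto map NAME SEQ ipsec-isakmp'
    applied_maps = []     # names from a bare 'crypto map NAME' under an interface
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policies.append([m.group(1), None])
            continue
        # 'encr' only occurs inside an isakmp policy, so it belongs to the last one seen
        if words[0] in ("encr", "encryption") and policies and len(words) > 1:
            policies[-1][1] = words[1]
        if line == "authentication pre-share":
            findings.append("IKE policy uses pre-shared keys: the secret sits in the config and in every backup of it")
        m = re.match(r"crypto isakmp key (\S+) (address|hostname) (\S+)", line)
        if m:
            findings.append(f"plaintext pre-shared key for peer {m.group(3)} is readable in the running config")
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m and "esp-des" in m.group(2).split():
            findings.append(f"transform-set {m.group(1)} uses single DES (esp-des)")
        m = re.match(r"crypto map (\S+) \d+ ipsec-(isakmp|manual)$", line)
        if m:
            defined_maps.add(m.group(1))
        m = re.match(r"crypto map (\S+)$", line)
        if m:
            applied_maps.append(m.group(1))
    for number, encr in policies:
        if encr is None:
            findings.append(f"isakmp policy {number} has no encr line, so IOS defaults it to 56-bit DES")
        elif encr == "des":
            findings.append(f"isakmp policy {number} uses 56-bit DES")
    for name in applied_maps:
        if name not in defined_maps:
            findings.append(f"interface applies crypto map '{name}' but only {sorted(defined_maps)} are defined, so the tunnel never comes up")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(lint_ios_crypto(cfg))} finding(s)")
        for finding in lint_ios_crypto(cfg):
            print("  -", finding)
```

Run against the constructed weak config it reports five findings (pre-shared key, the key itself, esp-des, the DES policy default, and the `test`/`vpn` mismatch); against the hardened one it reports nothing. The mismatch check is the one worth keeping around: a crypto map applied under a different name than the one that was defined fails silently, and `show crypto isakmp sa` simply stays empty.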
09-27-2001 10:36 PM
Sorry, I just noticed a typo. Where I put "set peer" in the configuration, you should put "set peer
Thanks,
--Tim
10-09-2001 06:31 PM
What you guys have been discussing is an L2L configuration, the sample configuration for which is available here: http://www.cisco.com/warp/customer/707/overload_private.shtml
However, the original question asked about VPN Client 3.x terminating a tunnel on the router, which is unsupported at the moment.