Please help me t-shoot this config?

Hello,

I have a 1605r that I want to add VPN functionality to. It was previously working fine as a NAT router. I upgraded the IOS to 12.2.23, but when I paste the new config in, I get errors:

Sh Ver:

Cisco Internetwork Operating System Software

IOS (tm) 1600 Software (C1600-K8OSY-M), Version 12.2(23), RELEASE SOFTWARE (fc2)

ROM: System Bootstrap, Version 12.0(3)T,

My config (* = sensitive info removed):

no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Maywoor_1605r
!
! VPN config info from
!http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml
!--- Enable Authentication, Authorizing and Accounting (AAA)
!--- for user authentication and group authorization.
aaa new-model
!
!--- To enable X-Auth for user authentication,
!--- enable the aaa authentication commands.
aaa authentication login userauthen local
!--- To enable group authorization,
!--- enable the aaa authorization commands.
aaa authorization network groupauthor local
!
!--- For local authentication of the IPSec user,
!--- create the user with password.
username ****** password 0 ********
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!--- Create a group that will be used to specify the
!--- Windows Internet Naming Service (WINS) and
!--- Domain Naming Service (DNS) server addresses to the client,
!--- along with the pre-shared key for authentication.
crypto isakmp client configuration group 1605rclient
 key ************
 dns ************
 domain ********
 pool ippool
!
!--- Create the Phase 2 Policy for actual data encryption.
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Create a dynamic map and
!--- apply the transform set that was created above.
crypto dynamic-map dynmap 10
 set transform-set myset
!
!--- Create the actual crypto map,
!--- and apply the aaa lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
no ip source-route
ip name-server ************
ip name-server ************
!
no ip bootp server
!
!
!
!
interface Ethernet0
 ip address ************* 255.255.255.0
 no ip proxy-arp
 ip nat outside
 no cdp enable
 !--- Apply the crypto map on the outside interface.
 crypto map clientmap
!
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
 no cdp enable
!
ip local pool ippool 192.168.1.125 192.168.1.126
ip default-gateway *************
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ***************
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
banner login ^C
!
line con 0
 password ********
 login
line vty 0 4
 exec-timeout 0 1
 no login
 no exec
 transport input none
!
end

I basically cut and paste a sample config from this website into my working config and modified it to suit my environment.

These are the errors I get when I try to paste the config in after erasing the nvram, reloading and entering conf t after the restart:

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#no service pad
Router(config)#service timestamps debug uptime
Router(config)#service timestamps log uptime
Router(config)#no service password-encryption
Router(config)#!
Router(config)#hostname Maywood_1605r
Maywood_1605r(config)#!
Maywood_1605r(config)#! VPN config info from
Maywood_1605r(config)#$cts_configuration_example09186a00801c4246.shtml
Maywood_1605r(config)#$ Authentication, Authorizing and Accounting (AAA)
Maywood_1605r(config)#!--- for user authentication and group authorization.
Maywood_1605r(config)#aaa new-model
Maywood_1605r(config)#!
Maywood_1605r(config)#!--- To enable X-Auth for user authentication,
Maywood_1605r(config)#!--- enable the aaa authentication commands.
Maywood_1605r(config)#aaa authentication login userauthen local
Maywood_1605r(config)#!--- To enable group authorization,
Maywood_1605r(config)#!--- enable the aaa authorization commands.
Maywood_1605r(config)#aaa authorization network groupauthor local
Maywood_1605r(config)#!
Maywood_1605r(config)#!--- For local authentication of the IPSec user,
Maywood_1605r(config)#!--- create the user with password.
Maywood_1605r(config)#username **** password 0 ****
Maywood_1605r(config)#!
Maywood_1605r(config)#ip subnet-zero
Maywood_1605r(config)#!
Maywood_1605r(config)#!
Maywood_1605r(config)#!
Maywood_1605r(config)#ip audit notify log
^
% Invalid input detected at '^' marker.
Maywood_1605r(config)#ip audit po max-events 100
^
% Invalid input detected at '^' marker.
Maywood_1605r(config)#!
Maywood_1605r(config)#!--- Create an Internet Security Association and
Maywood_1605r(config)#$rotocol (ISAKMP) policy for Phase 1 negotiations.
Maywood_1605r(config)#crypto isakmp policy 3
Maywood_1605r(config-isakmp)#encr 3des
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#authentication pre-share
Maywood_1605r(config-isakmp)#group 2
Maywood_1605r(config-isakmp)#!
Maywood_1605r(config-isakmp)#$ a group that will be used to specify the
Maywood_1605r(config-isakmp)#!--- Windows Internet Naming Service (WINS) and
Maywood_1605r(config-isakmp)#$rvice (DNS) server addresses to the client,
Maywood_1605r(config-isakmp)#$with the pre-shared key for authentication.
Maywood_1605r(config-isakmp)#$mp client configuration group 1605rclient
crypto isakmp client configuration group 1605rclient
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#key ******
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#dns ******
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#domain ******
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#pool ippool
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#!
Maywood_1605r(config-isakmp)#$ the Phase 2 Policy for actual data encryption.
Maywood_1605r(config-isakmp)#$c transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-sha-hmac
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#!
Maywood_1605r(config-isakmp)#!--- Create a dynamic map and
Maywood_1605r(config-isakmp)#$the transform set that was created above.
Maywood_1605r(config-isakmp)#crypto dynamic-map dynmap 10
Maywood_16(config-crypto-map)#set transform-set myset
ERROR: transform set with tag "myset" does not exist.
Maywood_16(config-crypto-map)#!
Maywood_16(config-crypto-map)#!--- Create the actual crypto map,
Maywood_16(config-crypto-map)#$ply the aaa lists that were created earlier.
Maywood_16(config-crypto-map)#$client authentication list userauthen
Maywood_1605r(config)#$clientmap isakmp authorization list groupauthor
Maywood_1605r(config)#$clientmap client configuration address respond
Maywood_1605r(config)#crypto map clientmap 10 ipsec-isakmp dynamic dynmap
Maywood_1605r(config)#!
Maywood_1605r(config)#!
Maywood_1605r(config)#!
Maywood_1605r(config)#!
Maywood_1605r(config)#!
Maywood_1605r(config)#no ip source-route
Maywood_1605r(config)#ip name-server ****
Maywood_1605r(config)#ip name-server ****
Maywood_1605r(config)#!
Maywood_1605r(config)#no ip bootp server
Maywood_1605r(config)#!
Maywood_1605r(config)#!
Maywood_1605r(config)#!
Maywood_1605r(config)#!
Maywood_1605r(config)#interface Ethernet0
Maywood_1605r(config-if)# ip address ***** 255.255.255.0
Maywood_1605r(config-if)# no ip proxy-arp
Maywood_1605r(config-if)# ip nat outside
Maywood_1605r(config-if)# no cdp enable
Maywood_1605r(config-if)#!--- Apply the crypto map on the outside interface.
Maywood_1605r(config-if)# crypto map clientmap
Maywood_1605r(config-if)#!
Maywood_1605r(config-if)#interface Ethernet1
Maywood_1605r(config-if)# ip address 192.168.1.1 255.255.255.0
Maywood_1605r(config-if)# no ip proxy-arp
Maywood_1605r(config-if)# ip nat inside
Maywood_1605r(config-if)# no cdp enable
Maywood_1605r(config-if)#!
Maywood_1605r(config-if)#ip local pool ippool 192.168.1.125 192.168.1.126
Maywood_1605r(config)#ip default-gateway *****
Maywood_1605r(config)#$de source list 1 interface Ethernet0 overload
Maywood_1605r(config)#ip classless
Maywood_1605r(config)#ip route 0.0.0.0 0.0.0.0 *****
Maywood_1605r(config)#no ip http server
Maywood_1605r(config)#!
Maywood_1605r(config)#access-list 1 permit 192.168.1.0 0.0.0.255
Maywood_1605r(config)#no cdp run
Maywood_1605r(config)#banner login ^C
Enter TEXT message. End with the character '^'.
Maywood_1605r(config)#!
Maywood_1605r(config)#line con 0
Maywood_1605r(config-line)# password ******
Maywood_1605r(config-line)# login
% Incomplete command.
Maywood_1605r(config-line)#line vty 0 4
Maywood_1605r(config-line)# exec-timeout 0 1
Maywood_1605r(config-line)# no login
% Incomplete command.
Maywood_1605r(config-line)# no exec
Maywood_1605r(config-line)# transport input none
Maywood_1605r(config-line)#!
Maywood_1605r(config-line)#end

Thanks for any help you can provide!

4 REPLIES
Silver

Re: Please help me t-shoot this config?

The IPSec images for the 1605 only support DES, not 3DES, so that is why you're getting some of the error messages.

If you need 3DES, and that is the minimum encryption recommended these days, then you would need to look at the 1700 or 800 series.

New Member

Re: Please help me t-shoot this config?

Thank you very much for taking the time to look at my problem and help me. It is greatly appreciated.

I will search the site for a config using DES instead of 3DES as I cannot afford a 1721 and the VPN I am building is for learning purposes, not a production environment.

Thanks again!

Anyone know where I can find a VPN config appropriate for a 1605R?

Silver

Re: Please help me t-shoot this config?

I didn't really look at your config, but just try replacing every instance of "3des" with "des".

New Member

Re: Please help me t-shoot this config?

I noticed the first hiccup occurred after this command:

ip audit notify log

Is that also invalid on the 1605?

Thank you all again.
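An added triage helper (an editor's example, not code from anyone in this thread) for reading an IOS paste log like the one in the original post: it pairs every `%`/`ERROR:` line with the command that drew it and separates root rejections from cascades, meaning a subcommand such as `key` that only failed because the prompt stayed in `(config-isakmp)` after the command that should have opened the client-group submode was rejected, or a reference such as `set transform-set myset` to an object whose creation failed earlier. The embedded transcript is a constructed excerpt of the thread's paste with the `$`-truncated prompt lines written out in full.

```python
import re

# Constructed excerpt of this thread's paste log ($-truncated prompts restored)
TRANSCRIPT = """\
Maywood_1605r(config)#crypto isakmp policy 3
Maywood_1605r(config-isakmp)#encr 3des
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#crypto isakmp client configuration group 1605rclient
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#key ******
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#crypto ipsec transform-set myset esp-3des esp-sha-hmac
^
% Invalid input detected at '^' marker.
Maywood_1605r(config-isakmp)#crypto dynamic-map dynmap 10
Maywood_16(config-crypto-map)#set transform-set myset
ERROR: transform set with tag "myset" does not exist.
"""

PROMPT = re.compile(r"^\S+\((?P<mode>[^)]+)\)#\s*(?P<cmd>.*)$")
ERROR = re.compile(r"^(% .*|ERROR: .*)$")
TOP_LEVEL = {"crypto", "ip", "aaa", "interface", "username", "access-list", "line"}

def triage(text):
    """Return [(command, mode, error, 'root' | 'cascade')] per rejected command."""
    findings, failed = [], []
    pending = run_root = None  # last echoed cmd w/o a verdict; root of current failure run
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            if pending is not None:   # previous command drew no error
                run_root = None
            pending = (m["mode"], m["cmd"].strip())
            continue
        if pending is None or not ERROR.match(line):
            continue                  # caret line, command echo or other output
        mode, cmd = pending
        pending = None
        if any(t in f for t in re.findall(r'"([^"]+)"', line) for f in failed):
            kind = "cascade"          # names an object whose creation was rejected
        elif run_root and run_root[0] == mode and cmd.split(" ")[0] not in TOP_LEVEL:
            kind = "cascade"          # submode never opened; subcommand typed in wrong mode
        else:
            kind, run_root = "root", (mode, cmd)
        failed.append(cmd)
        findings.append((cmd, mode, line, kind))
    return findings
```

Run over the full paste in the original post (with the `$`-truncated prompt lines restored), the two `ip audit` rejections and the `% Incomplete command.` replies to `login` and `no login` each come out as root failures, i.e. independent of the 3DES rejections.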
