Cisco Support Community

New Member

SA540 VPN Config - Confused

Getting stuck on some of the basics of configuring IPsec for remote users.  Can someone send me examples? The Administration Guide hasn't been much help...

10 REPLIES
Green

Re: SA540 VPN Config - Confused

Hi Kevin, there are 2 options from Cisco, using QVPN or the Cisco VPN client (5.x). The QVPN is a very basic setup, only needing to set up a user and have remote management on 443.

For the Cisco VPN client 5.x, the first thing you want to do is create the Xauth user. Next, the following...

VPN - IPSEC - Dynamic IP Range

Toggle the split tunnel or full tunnel and specify the IP address and DNS servers preferred for the router to issue out.

Next, configure the VPN Wizard with an example like mine at VPN - VPN WIZARD

This is all of the router set up required.

-Tom
Please rate helpful posts

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
New Member

SA540 VPN Config - Confused

The dynamic IP range addresses - Do these need to be addresses that are accessible on my corporate network?  If so, my SA will not allow them -

The subnet specified is same as LAN/VLAN subnet, Please specify a different subnet.

Example: If I make my SA - 192.168.1.1 and my Dynamic IP Address range - 192.168.1.56 - 72, I get the above error.

Thanks for examples!

Green

SA540 VPN Config - Confused

Kevin, no, the IP range assigned is sort of like a VLAN. If VLAN 1 is 192.168.1.1 and VLAN 2 is 192.168.3.1 (or in your case the VPN connection), the router will build a route to communicate.

Now, I haven't tested, but you may be able to try to trick the router. Try to set the SA to be 192.168.2.1, create the dynamic IP range to be 192.168.1.x, then change the LAN IP of the SA back to 192.168.1.1 and see if you may overlap this way. Let me know if that works, I never tried.

-Tom
Please rate helpful posts

New Member

SA540 VPN Config - Confused

If the SA builds a route between the VLANs, then I don't need to try and trick the SA - correct?

In your example, you use "local.com" as the Local WAN's IP Address/FQDN.  Not sure if I leave that local.com or do I need to change?  Not sure what I would change it to...

Also, I am running Mac computers.  Has anyone successfully created and used the VPN interface of type Cisco IPSec (System preferences, Network, add interface) to connect to a SA540?  From what I read, the QVPN will not work with a Mac.

Green

Re: SA540 VPN Config - Confused

Kevin, the Mac VPN client is the same as the Cisco 5.x client. Same configuration applies to the router. And also correct. If you look at the policies created through the wizard, you will see the 0.0.0.0 routes sending the traffic to any destination requested.

The most common issue people overlook is not the routing aspect. It's the LAN security aspect, in the sense that any inbound connection from an "outside" subnet is viewed as a security risk; therefore, most security suites and implementations block this traffic until told not to.

-Tom
Please rate helpful posts

New Member

Re: SA540 VPN Config - Confused

Tom,

You are awesome!  My VPN connected.

Now that I'm connected, I'm having a different problem.  I can't get to anything on my network. I can't see any of my servers, files, browse internet, etc...  Any ideas?

Also, I have noticed that my network appears to have slowed down (eg. loading web pages).

Re: SA540 VPN Config - Confused

Although I am still trying to get this working myself, I was told that your servers/computers etc. will need static routes because the SA is (more or less) on a different subnet.

New Member

Re: SA540 VPN Config - Confused

Qasim,

Do you have yours working?

If I understand Tom's comments above, you would not need to build static routes because the SA should do that for you automagically. However, I still am having problems with my configuration. I can connect, but can't seem to "see" anything inside my network.

Tom, if you are still out there I don't think my VLAN and VPN are communicating.  I can see in the logs that my SA assigned one of my dynamic IP addresses.  I also see these items in my logs that might help:

Tue Sep 04 16:27:36 2012 (GMT -0400): [Cisco] [IKE] WARNING:  Ignored attribute 5

Tue Sep 04 16:27:36 2012 (GMT -0400): [Cisco] [IKE] ERROR:  Cannot open "/etc/motd"

Tue Sep 04 16:27:36 2012 (GMT -0400): [Cisco] [IKE] ERROR:  Ignored attribute 28674

Tue Sep 04 16:27:36 2012 (GMT -0400): [Cisco] [IKE] WARNING:  Ignored attribute 28678

Tue Sep 04 16:27:36 2012 (GMT -0400): [Cisco] [IKE] ERROR:  Ignored attribute 28680

Tue Sep 04 16:27:36 2012 (GMT -0400): [Cisco] [IKE] ERROR:  Ignored attribute 28681

Tue Sep 04 16:27:36 2012 (GMT -0400): [Cisco] [IKE] WARNING:  Ignored attribute 28683

I finished reading the manual yesterday.  Now I need some real life practical knowledge....

Green

Re: SA540 VPN Config - Confused

Hi Kevin, I set up a lab for Qasim last week and it remains intact. When assigning the dynamic IP range, did you put in the DNS servers (they are optional, but needed if you want DNS)? What about IP communication?

Right now if I connect to my SSL lab I have no issue to access the SA540 or the single computer I left there.

-Tom
Please rate helpful posts

New Member

Re: SA540 VPN Config - Confused

Spoke with tech support last night and apparently my SA540 VPN connects just fine. However, if the subnet that your VPN is connecting to is the same as the subnet you are connecting from, this device will not allow access to resources on the receiving end. So, to get access to my servers, files, web, etc... I would have to rework all my network devices, servers with new IP addresses.

Has anyone else had this problem?
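The two overlap problems raised in this thread (the router rejecting a client pool that sits inside its own LAN, and a remote user whose home subnet is the same as the corporate LAN) can both be checked before touching the router. This is an added Python example, not code from the thread or from Cisco: the LAN prefix and pool values are constructed from the numbers posted above, and the checks only approximate the SA540's error condition.

```python
import ipaddress

# Constructed from the thread: SA540 LAN gateway 192.168.1.1 on a /24 (assumption).
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")


def pool_overlaps_lan(pool_start, pool_end, lan=LAN_SUBNET):
    """Approximation of the router's "subnet specified is same as LAN/VLAN subnet"
    check: True if any address in the client pool [pool_start, pool_end] is in the LAN."""
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    return any(net.overlaps(lan) for net in ipaddress.summarize_address_range(start, end))


def client_collision(client_local_net, remote_lan=LAN_SUBNET):
    """True when the remote user's own LAN (home router) uses the same prefix as the
    corporate LAN. The host's directly connected route then wins over the tunnel, so
    packets for corporate servers never leave the home network."""
    return ipaddress.ip_network(client_local_net).overlaps(remote_lan)


def covering_prefix(pool_start, pool_end):
    """Smallest single prefix covering the whole pool. This is the source prefix
    that host firewalls on the LAN must allow once the router routes it in."""
    net = ipaddress.ip_network(pool_start)   # /32 of the first address
    end = ipaddress.ip_address(pool_end)
    while end not in net:
        net = net.supernet()
    return net


def check_plan(pool_start, pool_end, client_local_net, lan=LAN_SUBNET):
    """Return a list of problems with a proposed remote-access layout (empty if clean)."""
    problems = []
    if pool_overlaps_lan(pool_start, pool_end, lan):
        problems.append("client pool overlaps the LAN subnet; choose a pool outside it")
    if client_collision(client_local_net, lan):
        problems.append("remote user's local subnet equals the LAN; resources will be unreachable")
    return problems


if __name__ == "__main__":
    # Kevin's rejected layout versus a pool on 192.168.3.x as Tom suggests.
    print(check_plan("192.168.1.56", "192.168.1.72", "192.168.1.0/24"))
    print(check_plan("192.168.3.56", "192.168.3.72", "10.0.0.0/24"))
    print("host firewalls must permit source", covering_prefix("192.168.3.56", "192.168.3.72"))
```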
