12-24-2005 03:24 PM
Hi,
I have a Cisco 1750 router with 2 VPN profiles/dynamic maps for mobile users with Cisco VPN client software.
Now I want to give these mobile users access to 2 servers behind a Cisco 3000 VPN concentrator. I don't have access to the 3000 VPN concentrator and have configured the 1750 to match it (key and encryption types).
I am facing problems when I try to access these servers behind the VPN concentrator by first connecting to the 1750 with the Cisco VPN client software.
When I do a "sh crypto isakmp sa" I get MM_NO_STATE for the site-to-site VPN.
My configuration is as follows:
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
crypto isakmp key xxx address x.x.x.x
crypto isakmp keepalive 10 4
!
crypto isakmp client configuration group VPN001
 key xxxx
 domain xyz.com
 pool dynpool
 acl 150
!
crypto isakmp client configuration group VPN002
 key xxxx
 domain xyz.com
 pool dynpool2
 acl 151
crypto isakmp profile VPN002
 description VPN002 Client VPN profile
 match identity group VPN002
 isakmp authorization list client-vpn
 client configuration address initiate
 client configuration address respond
crypto isakmp profile vpn001
 description Innitial VPN access Profile
 match identity group VPN001
 isakmp authorization list client-vpn
 client configuration address initiate
 client configuration address respond
crypto isakmp profile sitetosite
 description Site to Site VPN
 match identity address 200.200.200.200 255.255.255.255
!
!
crypto ipsec transform-set ts001 esp-3des esp-md5-hmac
crypto ipsec transform-set ts002 esp-3des esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
crypto dynamic-map dynmap 1
 set transform-set ts001
 set isakmp-profile vpn001
crypto dynamic-map dynmap 2
 set transform-set ts001
!
!
crypto map TestVPN 1 ipsec-isakmp dynamic dynmap
crypto map TestVPN 2 ipsec-isakmp
 set peer 200.200.200.200
 set transform-set ts002
 match address sitetositeACL
!
!
!
interface Ethernet0
 ip address 100.100.100.1 255.255.255.248
 ip access-group 111 in
 ip nat outside
 ip inspect E0 in
 full-duplex
 crypto map TestVPN
!
interface FastEthernet0
 ip address 192.168.100.254 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip inspect Fa0 in
 ip route-cache flow
 speed auto
!
I appreciate your expert help on this. I have also attached the config file with this.
Thanks
Wasantha
12-25-2005 07:18 PM
Hello There,
If there is a configuration example for configuring site-to-site and remote access on the same router, please let me know. I have tried searching this site and Google without success.
Thanks again.
12-27-2005 02:27 PM
Below is a sample config with both LAN-to-LAN VPN and remote VPN access on a single router:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address
crypto isakmp client configuration group vpngroup
 key xxxxxxxx
 pool vpnpool
 acl 130
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set vpnset
crypto map vpnmap client authentication list vpnauthen
crypto map vpnmap isakmp authorization list vpnauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap 20 ipsec-isakmp
 set peer
 set transform-set superset
 match address 140
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address
 ip nat outside
 crypto map vpnmap
ip local pool vpnpool 10.1.1.1 10.1.1.10
ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
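A consistency check for the kind of mixed remote-access / site-to-site crypto configuration posted in this thread, added here as an example and not code from either poster: it parses the IOS crypto section and reports transform-set or ISAKMP-profile references that point at nothing, static crypto map peers with no matching pre-shared key, and ISAKMP profiles that no crypto map or dynamic map entry binds with `set isakmp-profile`. The embedded input is a constructed excerpt of the first post's config; its masked `crypto isakmp key xxx address x.x.x.x` line is given the static map's peer address so the key/peer check has something to compare against.

```python
import re

# Constructed excerpt of the crypto section posted above; the masked key line
# "crypto isakmp key xxx address x.x.x.x" is given the static map's peer address.
SAMPLE_CONFIG = """\
crypto isakmp key xxx address 200.200.200.200
crypto isakmp profile VPN002
crypto isakmp profile vpn001
crypto isakmp profile sitetosite
crypto ipsec transform-set ts001 esp-3des esp-md5-hmac
crypto ipsec transform-set ts002 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set ts001
 set isakmp-profile vpn001
crypto dynamic-map dynmap 2
 set transform-set ts001
crypto map TestVPN 1 ipsec-isakmp dynamic dynmap
crypto map TestVPN 2 ipsec-isakmp
 set peer 200.200.200.200
 set transform-set ts002
"""

def lint_crypto_config(text):
    """Dangling references, static peers without a pre-shared key, unbound profiles."""
    profiles, transforms, keys, entries, current = set(), set(), set(), {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"crypto isakmp profile (\S+)$", line):
            profiles.add(m.group(1)); current = None
        elif m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transforms.add(m.group(1)); current = None
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            keys.add(m.group(1)); current = None
        elif m := re.match(r"crypto (?:dynamic-)?map (\S+ \d+)", line):
            # "... ipsec-isakmp dynamic X" only references a dynamic map; no sub-commands follow
            current = None if " dynamic " in line else entries.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"set (\S+) (\S+)", line)):
            current[m.group(1)] = m.group(2)  # e.g. {"peer": "200.200.200.200"}
    findings, bound = [], set()
    for name, attrs in entries.items():
        if (ts := attrs.get("transform-set")) and ts not in transforms:
            findings.append(f"{name}: transform-set '{ts}' is not defined")
        if (prof := attrs.get("isakmp-profile")) and prof not in profiles:
            findings.append(f"{name}: isakmp profile '{prof}' is not defined")
        elif prof:
            bound.add(prof)
        if (peer := attrs.get("peer")) and peer not in keys:
            findings.append(f"{name}: no 'crypto isakmp key ... address {peer}'")
    for prof in sorted(profiles - bound):
        findings.append(f"isakmp profile '{prof}' is not bound by any map entry")
    return findings
```

Run against the excerpt it reports that the VPN002 and sitetosite profiles are defined but never bound by a map entry, which is the structural fact visible in the first post's config.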