Existing L2L IPSEC VPN config, want to add VPN client support on Cisco 887

Hi,

A customer who already has two site-to-site IPsec VPNs on a particular Cisco 887 router wants to enable a couple of remote workers to use the Cisco VPN Client to remotely access LAN resources behind the same router.

Is this technically possible?

I found IOS configuration to enable remote access using Cisco VPN Client on a workstation,

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/29760-ios-ipsec-nat-vpnclient.html

and

http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html

but then realized it might conflict with the existing IPsec config, in particular with "crypto map CARRUM_MAP".

Please find the existing 2 IPSEC VPN router config in next post...

1 REPLY

Router config:

 

GW#sh run
Building configuration...

Current configuration : 8662 bytes
!
! Last configuration change at 20:23:57 UTC Mon Jul 21 2014 by admin
! NVRAM config last updated at 02:53:49 UTC Sun Jul 13 2014 by admin
! NVRAM config last updated at 02:53:49 UTC Sun Jul 13 2014 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GW
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3233424923
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3233424923
 revocation-check none
 rsakeypair TP-self-signed-3233424923
!
!
crypto pki certificate chain TP-self-signed-3233424923
...
...
        quit
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1
!
!
no ip bootp server
no ip domain lookup
ip domain name domain.net
ip name-server 8.8.8.8

no ipv6 cef
!
!
license udi pid C887VA-W-A-K9 sn ...
!
!
!

shutdown vlan 100
          
username admin privilege 15 secret 4 

blabalbal
!
!
!
!
controller VDSL 0
!

!
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 15
 encr aes
 authentication pre-share
 group 2
!


crypto isakmp key keykeykey1 address 1.1.1.1
crypto isakmp key keykeykey2 address 2.2.2.2 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set SYDMEL esp-3des 
!
crypto map CARRUM_MAP 10 ipsec-isakmp 
 set peer 1.1.1.1
 set security-association lifetime seconds 28800
 set transform-set ESP-3DES-SHA 
 set pfs group5
 match address 101
crypto map CARRUM_MAP 11 ipsec-isakmp 
 set peer 2.2.2.2
 set transform-set SYDMEL 
 set pfs group5
 match address 155
!
!
!
!
!
interface ATM0
 no ip address
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
...
!
interface FastEthernet3
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!
...
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.200.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
...
!
interface Dialer0
 description ADSL Link FNN xxxxxxx
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname REMOTESYSTEM
 ppp chap password 7 06082014
 no cdp enable
 crypto map CARRUM_MAP
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NO-NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 22 permit 3.3.3.3

access-list 101 permit ip 10.200.11.0 0.0.0.255 192.168.200.0 0.0.3.255
access-list 101 permit ip 10.200.11.0 0.0.0.255 192.168.204.0 0.0.3.255
access-list 105 deny   ip 10.200.11.0 0.0.0.255 192.168.200.0 0.0.3.255
access-list 105 deny   ip 10.200.11.0 0.0.0.255 192.168.204.0 0.0.3.255
access-list 105 deny   ip 10.200.11.0 0.0.0.255 10.212.12.0 0.0.0.255
access-list 105 permit ip 10.200.11.0 0.0.0.255 any
access-list 155 permit ip 10.200.11.0 0.0.0.255 10.212.12.0 0.0.0.255
access-list 155 permit ip 10.200.15.0 0.0.0.255 10.212.12.0 0.0.0.255
no cdp run
!
!
!
!
route-map NO-NAT permit 10
 match ip address 105
!
route-map nat permit 10
 match ip address test
!
banner exec ^C
...
end
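One way to add the remote-access clients alongside the two existing L2L tunnels, written as an added example for this thread (not the poster's config and not a Cisco-supplied document). It assumes the names VPN-XAUTH, VPN-GROUP, REMOTE-WORKERS, VPN-POOL, VPNCLIENT-SET and VPNCLIENT-DYN, a client pool of 10.200.20.0/24, access-list 160 for split tunnelling, an internal DNS server at 10.200.11.10, a user vpnuser1, and placeholder secrets in angle brackets; everything else is taken from the running config above. The point is that a dynamic crypto map can hang off CARRUM_MAP with a higher sequence number than the two static entries, so the router does not need a second crypto map on Dialer0.

```cisco
! --- Added example, not the poster's config. Assumed names/values: VPN-XAUTH,
! --- VPN-GROUP, REMOTE-WORKERS, VPN-POOL (10.200.20.0/24), VPNCLIENT-SET,
! --- VPNCLIENT-DYN, ACL 160, DNS 10.200.11.10, user vpnuser1. Replace the
! --- <...> placeholders before use.
!
! 1. Local AAA: XAUTH authenticates each user, network authorization hands the
!    group policy to the client. The running config has "no aaa new-model";
!    turning it on also changes console/vty login, so pin the default login
!    method to local first to avoid locking yourself out.
aaa new-model
aaa authentication login default local
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
username vpnuser1 secret <USER-PASSWORD>
!
! 2. Client address pool and split-tunnel ACL. 10.200.20.0/24 is assumed and
!    must not overlap the LAN (10.200.11.0/24) or any L2L-protected network.
ip local pool VPN-POOL 10.200.20.1 10.200.20.20
access-list 160 permit ip 10.200.11.0 0.0.0.255 10.200.20.0 0.0.0.255
!
! 3. Group policy pushed to the VPN Client. The existing ISAKMP policy 15
!    (aes, pre-share, group 2) already satisfies the client, so no new policy.
crypto isakmp client configuration group REMOTE-WORKERS
 key <GROUP-PSK>
 dns 10.200.11.10
 pool VPN-POOL
 acl 160
!
! 4. Once XAUTH is enabled on CARRUM_MAP, every ISAKMP peer is prompted for a
!    user login unless its key carries no-xauth. Peer 2.2.2.2 already has it;
!    the 1.1.1.1 tunnel would stop building without it.
crypto isakmp key keykeykey1 address 1.1.1.1 no-xauth
!
! 5. Dynamic map for the clients, attached to CARRUM_MAP with the highest
!    sequence number so the static L2L entries (10 and 11) are matched first.
!    reverse-route installs a host route for each connected client.
crypto ipsec transform-set VPNCLIENT-SET esp-aes esp-sha-hmac
crypto dynamic-map VPNCLIENT-DYN 10
 set transform-set VPNCLIENT-SET
 reverse-route
!
crypto map CARRUM_MAP client authentication list VPN-XAUTH
crypto map CARRUM_MAP isakmp authorization list VPN-GROUP
crypto map CARRUM_MAP client configuration address respond
crypto map CARRUM_MAP 65535 ipsec-isakmp dynamic VPNCLIENT-DYN
!
! 6. NAT exemption: LAN-to-client traffic must be denied in ACL 105 (used by
!    route-map NO-NAT) before its final "permit ip ... any". New entries are
!    appended by default, so insert with a sequence number below the first
!    existing entry (10) instead of recreating the list.
ip access-list extended 105
 5 deny ip 10.200.11.0 0.0.0.255 10.200.20.0 0.0.0.255
```

CARRUM_MAP is already applied to Dialer0, so the dynamic entry is live as soon as it is added. After a client connects, `show crypto isakmp sa` should list the client peer alongside 1.1.1.1 and 2.2.2.2, `show crypto ipsec sa` should show an SA for the 10.200.20.0/24 pool, and `show ip nat translations` should contain no entries for pool addresses; if LAN hosts cannot reach a connected client, the ACL 105 exemption is the first thing to check.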

 
