Cisco Support Community

New Member

How can I set up a VPN with 1 cisco router?

I have a remote branch I wish to connect to a VPN with our cisco router.  Which is the best protocol to do this?  How can I set it up?

10 REPLIES

Re: How can I set up a VPN with 1 cisco router?

Yes, you can. And you can use IPSec (you need to check that your router (IOS) supports IPSec).

Do you need a site-to-site VPN or remote access (client to site)?

New Member

Re: How can I set up a VPN with 1 cisco router?

Show version reports:

Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)

It would be from one site to this one, but there is no Cisco router on the other end. But this is the only link I need a VPN on.

Re: How can I set up a VPN with 1 cisco router?

This IOS does not have support for IPSec, and you need a device at each site, or users can use a VPN client.

See this link with an example of a VPN config between a router and an ASA: http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

Regards.

New Member

Re: How can I set up a VPN with 1 cisco router?

What is this ASA? What I've done in the past is used Cisco's VPN software on a Windows machine to connect to a VPN. Can I not set that up?

Remote site will connect with software to VPN server enabled on my router.  Is this possible? Is this what your link is meaning?

Re: How can I set up a VPN with 1 cisco router?

This is a sample only, for VPN site-to-site.

Does your remote site have another device (like an ASA, a router or a Linux server)? If yes, this device will connect to the router.

If not, the users can use a VPN client installed on their computers.

Regards.

New Member

Re: How can I set up a VPN with 1 cisco router?

I have a problem with this. It seems my router has no "crypto" command:

(config)#     

#crypto ?

% Unrecognized command
(config)#crypto ?
% Unrecognized command

EDIT: Our other router, which is the same as this one, has the crypto command. A show version notes that the flash image is different!

Router not working:

System image file is "flash:c1841-ipbase-mz.124-1c.bin"

Router crypto is there:
System image file is "flash:c1841-advsecurityk9-mz.124-3g.bin"

New Member

Re: How can I set up a VPN with 1 cisco router?

Okay I have just finished updating the image and reconfiguring the router.  From the looks of this, I need to generate a key or something.  This is a bit confusing... for example the guide mentions hard-coding a static IP address on the client end.  My client is DHCP enabled... so is there another way I can configure this?

The "ASA" device... you say that can be any old router..? Why is there a CLI shown?

Re: How can I set up a VPN with 1 cisco router?

See two samples:

      Site A                                   SITE B

LAN---ROUTER----INTERNET----ROUTER---LAN

SITE A

R0#sh run
Building configuration...

Current configuration : 1610 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R0
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$/Uap$KYw5T9RRj2Iqw7YRnybUp.
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
!
!
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
!
crypto map TESTE_MAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set teste_set
 match address ACL_VPN
!
!
interface FastEthernet0/0
 description Conexao R2 F0/0
 ip address 10.10.10.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 description Conexao com R1 S1/0
 bandwidth 2048
 ip address 1.1.1.2 255.255.255.252
 serial restart-delay 0
 crypto map TESTE_MAP
!
interface Serial1/1
 description Conexao com R1 S1/1
 ip address 1.1.1.6 255.255.255.252
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 1.1.1.0 0.0.0.3 area 0
 network 10.10.10.0 0.0.0.3 area 0
!
ip http server
no ip http secure-server
!
!
ip access-list extended ACL_VPN
 permit icmp 0.0.0.2 255.255.255.252 host 10.10.10.6
 permit icmp host 10.10.10.2 host 10.10.10.6
!
!
control-plane
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

============================================================

SITE B

R1#sh run
Building configuration...

Current configuration : 1571 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$zRJc$5ba6iIHxQzlIVZROagEWa0
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.2 255.255.255.252
!
!
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
!
crypto map TESTE_MAP 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set teste_set
 match address ACL_VPN
!
!
interface FastEthernet0/0
 ip address 10.10.10.5 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 description Conexao com R0 S1/0
 bandwidth 2048
 ip address 1.1.1.1 255.255.255.252
 serial restart-delay 0
 crypto map TESTE_MAP
!
interface Serial1/1
 description Conexao R0 S1/1
 bandwidth 128
 ip address 1.1.1.5 255.255.255.252
 shutdown
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
router ospf 10
 log-adjacency-changes
 network 1.1.1.0 0.0.0.3 area 0
 network 1.1.1.4 0.0.0.3 area 0
 network 10.10.10.4 0.0.0.3 area 0
!
ip http server
no ip http secure-server
!
ip access-list extended ACL_VPN
 permit icmp host 10.10.10.6 host 10.10.10.2
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

R1#

==============================================

Second sample:

any place

USERS--- INTERNET----ROUTER---LAN

aaa new-model
!
!
aaa authentication login vpnauthen local
aaa authorization network vpnautho local
!
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group CANOPUS_GROUP
 key c4n0pu5
 domain canopus.com.br
 pool VPN_POOL
 include-local-lan
 split-dns canopus.com.br
 pfs
!
!
crypto ipsec transform-set CLIENT_SET esp-3des esp-md5-hmac
!
crypto dynamic-map CLIENT_MAP 50
 set transform-set CLIENT_SET
 reverse-route
!
!
crypto map CLIENT_VPN client authentication list vpnauthen
crypto map CLIENT_VPN isakmp authorization list vpnautho
crypto map CLIENT_VPN client configuration address respond
crypto map CLIENT_VPN 50 ipsec-isakmp dynamic CLIENT_MAP
!
!
ip local pool VPN_POOL 10.10.254.10 10.10.254.15

Regards.
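
A defender-side check of the two samples above, added here as an example (it is not part of the original post and not Cisco code): it flags the IKE and IPsec settings in those configs that count as legacy today, including the defaults that apply when a policy has no `encr` or `group` line. `MIN_PSK_LEN` and the lists of weak values are assumptions to adjust to local policy.

```python
# Constructed excerpt of the two samples above, indented the way "show run" prints.
SAMPLE = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 1.1.1.1 255.255.255.252
crypto ipsec transform-set teste_set esp-3des esp-sha-hmac
crypto isakmp policy 50
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set CLIENT_SET esp-3des esp-md5-hmac
"""
MIN_PSK_LEN = 20  # assumed local policy, not a Cisco limit
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

def blocks(text):
    """Pair every top-level command with its indented sub-commands."""
    out = []
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(text):
    """Return (item, issue) pairs for weak IKE/IPsec settings."""
    found = []
    for head, subs in blocks(text):
        w = head.split()
        if head.startswith("crypto isakmp policy "):
            opts = {s.split()[0]: s.split()[-1] for s in subs}
            enc = opts.get("encr") or opts.get("encryption")
            grp = opts.get("group")
            # Lines missing from "show run" mean the 12.4-era defaults: DES, group 1.
            if enc in (None, "des", "3des"):
                found.append((head, f"IKE cipher {enc or 'des (default)'}"))
            if grp in (None, "1", "2"):
                found.append((head, f"DH group {grp or '1 (default)'}"))
        elif head.startswith("crypto ipsec transform-set "):
            found += [(w[3], f"legacy transform {t}") for t in w[4:] if t in WEAK_TRANSFORMS]
        elif head.startswith("crypto isakmp key ") and len(w[3]) < MIN_PSK_LEN:
            found.append(("isakmp key", f"pre-shared key under {MIN_PSK_LEN} characters"))
    return found

if __name__ == "__main__":
    for item, issue in audit(SAMPLE):
        print(f"{item}: {issue}")
```
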

Silver

Re: How can I set up a VPN with 1 cisco router?

I wonder if you are just trying to set up the router so a PC running the VPN client can connect.  Here is an example of how to set that up.  HTH

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bdf.pdf

New Member

Re: How can I set up a VPN with 1 cisco router?

Wait... Steve are you setting up a site-to-site vpn or are you doing a remote-access (client)?  What devices do you have on each side? If one side is DHCP you can use Dynamic VPN to establish a connection. I have vpn setup over ADSL and can send you a sample config.
