06-20-2014 08:00 PM
I am a newb to Cisco routing and learn as the need comes up. So the time has come for me to create a LAN-to-LAN VPN from my house to my mother-in-law's house (2 doors down). I have a 2611XM with an ADSL WIC running 12.4(25)d and my in-laws have a 2620XM with an ADSL WIC running 12.4(25)c; both router configs are identical with a few respective minor changes. Both LANs use a 10.0.x.x IP range but they would not conflict if they were joined. My purpose for this VPN is to maintain their UBNT WAP with my UBNT WAP Controller, and perform SNMP monitoring and NetFlow statistics. So it would just be easier for me to have an all-ports-open VPN between the two instead of having to map ports that I need as I need them. You can see my config below; I have started to create the VPN but decided to stop and get advice before I moved on. Both DSL modems use DHCP so I can't set a static IP, however I do have them both updating a no-ip.com redirect. My router config is below; if anyone is willing to help me learn this I would greatly appreciate it.
Kurt
version 12.4
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c2600-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging buffered
no logging rate-limit
no logging console
no logging monitor
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
enable password XXXXXX
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address XXXXXX 0.0.0.255
!
ip dhcp pool insideDHCP
network XXXXXX 0.0.0.255
default-router XXXXXX
dns-server XXXXXX XXXXXX
!
!
ip flow-cache timeout active 1
no ip bootp server
no ip domain lookup
ip domain name XXXXXX.no-ip.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method no-ip
HTTP
add http://XXXXXX@XXXXXX.xxx:XXXXXX@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
interval maximum 0 0 5 0
!
vpdn enable
!
vpdn-group pppoe
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3030517303
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3030517303
revocation-check none
rsakeypair TP-self-signed-3030517303
!
!
username kluchtman privilege 15 password 0 XXXXXX
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key vpnuser address XXXXXX
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap 10 ipsec-isakmp
! Incomplete
set peer XXXXXX
set transform-set myset
match address 100
!
!
!
!
interface ATM0/0
no ip address
no ip mroute-cache
atm restart timer 300
no atm ilmi-keepalive
dsl operating-mode auto
dsl enable-training-log
hold-queue 224 in
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0/0
description NOT USED
ip address dhcp
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN
ip address XXXXXX 0.0.0.255
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Dialer1
ip ddns update hostname XXXXXX.no-ip.com
ip ddns update no-ip
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname XXXXXX@xxx.xxx
ppp chap password 0 XXXXXX
crypto map mymap
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip flow-export source Dialer1
ip flow-export version 5
ip flow-export destination XXXXXX 9996
ip flow-top-talkers
top 200
sort-by bytes
cache-timeout 3600
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community public RO
snmp-server ifindex persist
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps envmon
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps cnpd
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps vtp
snmp-server host XXXXXX public
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
password XXXXXX
login
line aux 0
password XXXXXX
login
line vty 0 4
access-class 1 in
exec-timeout 30 0
privilege level 15
password XXXXXX
login local
transport preferred none
transport input ssh
!
ntp clock-period 17208416
ntp server 17.171.4.13
!
end
06-21-2014 04:07 AM
Well, since you are using No-IP you would need to configure DNS server IPs on your router so that it is able to resolve the FQDN you set as your VPN peer.
for example:
ip name-server 4.2.2.2
Under your isakmp policy you should configure an encryption as well, and I would change MD5 to SHA as it is more secure... but that is up to you.
crypto isakmp policy 10
encryption aes
hash md5
authentication pre-share
You will also need a crypto ACL that defines interesting traffic... or traffic that is to be encrypted.
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
The remote end will need an ACL that is the mirror image of the above (of course the ACL number can be different).
access-list 100 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto isakmp key vpnuser address XXX.no-ip.com
crypto map mymap 10 ipsec-isakmp
set peer XXX.no-ip.com
set transform-set myset
match address 100
interface Dialer1
crypto map mymap
Looks like you are off to a good start.
--
Please remember to select a correct answer and rate helpful posts
06-21-2014 11:42 AM
Thanks for the reply, this has helped me get further than I expected I would be at this point.
I have a few problems:
When I type in set peer xxx.no-ip.com I get the following error:
Translating "xxx.no-ip.com"
% Unable to resolve xxx.no-ip.com -- can not set/unset peer
I have set ip name-server as 8.8.8.8, any ideas?
06-21-2014 12:47 PM
If you do an nslookup xxx.no-ip.com does it resolve to an IP?
For the set command you can try to issue the following:
crypto map mymap 10 ipsec-isakmp
set peer XXX.no-ip.com dynamic
--
Please remember to select a correct answer and rate helpful posts
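The two-router configuration that the advice above adds up to (the name-server, isakmp encryption and mirrored crypto ACL points from the first answer, and the set peer ... dynamic suggestion from the second), written out as an added example; it is not anything posted in the thread. It assumes Kurt's LAN is 10.0.0.0/24 (the subnet in his access-list 1), that the in-law LAN is 10.0.1.0/24, and the hostnames home.no-ip.com and inlaw.no-ip.com; all three are placeholders, as is the pre-shared key. Two details of the posted config matter here: it contains no ip domain lookup, which disables DNS resolution, so ip name-server on its own will not let set peer resolve a FQDN; and NAT overload on Dialer1 is applied before the crypto map is consulted, so LAN-to-LAN traffic has to be excluded from NAT or it never matches the crypto ACL. Because both routers get their address by PPPoE, the key is bound to a wildcard address and the peer is declared dynamic, so the FQDN is resolved when the tunnel is negotiated rather than when the line is typed. DES and MD5 from the posted transform set are replaced with AES and SHA, and SSH is moved off version 1. The in-law router would still need a crypto-capable image to accept its half.

```cisco
! ===== Kurt's router (2611XM): added example, not the posted config =====
! Placeholders: home.no-ip.com / inlaw.no-ip.com, LANs 10.0.0.0/24 and 10.0.1.0/24
!
! The posted config has "no ip domain lookup"; a FQDN peer cannot resolve without this.
ip domain lookup
ip name-server 8.8.8.8
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Both peers change address, so the key is bound to a wildcard address, not to an IP.
! Use a long random secret; "vpnuser" from the thread is a placeholder, not a key.
crypto isakmp key <long-random-secret> address 0.0.0.0 0.0.0.0
! Dead peer detection so a stale SA is torn down when a PPPoE address changes.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! Crypto ACL: interesting traffic, local LAN -> remote LAN
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
!
! NAT ACL: deny the VPN traffic first so it is not translated before the crypto map sees it.
! Replaces "ip nat inside source list 1 interface Dialer1 overload" from the posted config.
access-list 110 deny   ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
no ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 110 interface Dialer1 overload
!
crypto map mymap 10 ipsec-isakmp
 set peer inlaw.no-ip.com dynamic
 set transform-set AES-SHA
 match address 100
!
interface Dialer1
 crypto map mymap
!
! ACL 1 is now only the VTY access-class; admit the far LAN so the in-law router
! can be managed through the tunnel, and stop pinning SSH to version 1.
access-list 1 permit 10.0.1.0 0.0.0.255
ip ssh version 2
!
! ===== In-law router (2620XM): mirror image =====
ip domain lookup
ip name-server 8.8.8.8
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
crypto isakmp key <same-long-random-secret> address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
access-list 100 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
no ip nat inside source list 1 interface Dialer1 overload
ip nat inside source list 110 interface Dialer1 overload
crypto map mymap 10 ipsec-isakmp
 set peer home.no-ip.com dynamic
 set transform-set AES-SHA
 match address 100
interface Dialer1
 crypto map mymap
!
! Verify from either side after sending a ping across the tunnel:
!   show crypto isakmp sa       (phase 1 state should be QM_IDLE)
!   show crypto ipsec sa        (#pkts encaps/decaps should climb)
!   show access-list 100        (crypto ACL hit counts)
```

After changing the NAT statement, existing translations still reference ACL 1; clear them with clear ip nat translation * before testing. The wildcard key means any host that knows the secret can start phase 1 against either router, which is why the secret must be long and random rather than a word like the one in the thread.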
06-21-2014 01:39 PM
06-21-2014 02:13 PM
Let us know how it goes.
--
Please remember to select a correct answer and rate helpful posts
06-22-2014 11:54 AM
It went great on my side where I am running Advanced Enterprise, but I can't do almost anything on my mother-in-law's side; she is running IP Base (with crypto). But if I type in crypto map xxxx I get "invalid input detected" at the word map. Does she need to be running Advanced Enterprise too?
06-22-2014 12:34 PM
You need to have the security license installed to be able to do encryption and VPN. You will not be able to do this without the security license.
--
Please remember to select a correct answer and rate helpful posts
06-22-2014 04:56 PM
If I haven't looked like a newb yet I should now. How do I get a security license?
06-22-2014 09:34 PM
06-23-2014 06:54 PM
Ok, so how about this as an alternate workaround. What if I created a VPN on the 2600, and put a box in her house that would automatically connect to my VPN?
06-24-2014 12:11 AM
That depends on what you mean by putting a box in the house. If you mean a PC, and that you configure a remote access VPN on your 2600, then that PC would need to be the one initiating the VPN connection.
--
Please remember to select a correct answer and rate helpful posts
06-24-2014 07:32 AM
Yes, exactly. I am building a CentOS box to put at my mother-in-law's house to initiate the VPN connection back to my house. I might not be able to maintain the WAP, which is what I was originally wanting to do, but I should be able to monitor it and the router. Correct?
06-25-2014 02:29 AM
This is something I have never tried, but if it is a regular remote access VPN you are setting up from the CentOS box then I do not believe you will be able to monitor or even have access to the network... unless you are able to remote desktop to the CentOS box, or similar. Once you have access to the box then you should be able to monitor the network and manage it from there.
What you could do, and maybe this is what you were thinking initially, is set up the CentOS box as a logging server, and have the router send logging to the server via SNMP or just plain old syslog.
When you say you might not be able to maintain the WAP, what exactly do you mean? You might not be able to maintain it directly from your own network, but you should be able to maintain it from your mother's network, i.e. via the CentOS box.
--
Please remember to select a correct answer and rate helpful posts