I've got a 2651xm router acting as an easy VPN server to allow me access onto my network - all works great.
I'm living abroad and want to be able to configure the router to allow 'internet on a stick' functionality - by adding a loopback interface etc etc.
My question is - can I have multiple (and I don't know if the word is policies, group-maps, crypto maps etc etc) so that I can connect one way so that I can still get on my internal network, and connect another way for when I want to use 'internet on a stick'?
I don't know at which level I need the additional configuration - is it a new crypto isakmp policy, is it a new crypto map? My current VPN configuration is as follows...
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ezvpn
 key XXX
 pool SDM_POOL_1
 max-users 5
 max-logins 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface FastEthernet0/0
 description Interface$ETH-WAN$
 ip address 126.96.36.199 255.255.248.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
Yes, you are correct in your confirmation of what I want to do, but I don't understand what I need to add to the configuration to allow me to do this.
Do I basically replicate the configuration that I already have but point it at the loopback interface, or are there elements of the existing configuration that I can reuse so I'm not doubling up on items?
I cannot open the link that you have provided me - it's coming up with 'forbidden file or application' - even though I have a full smart net contract!
crypto isakmp client configuration group ezvpn
 key XXX
 pool SDM_POOL_1
 max-users 5
 max-logins 1
You can create another group (will be another PCF file)
crypto isakmp client configuration group new_tunnel
 key new_tunnel123
 pool SDM_POOL_2
 max-users 5
 max-logins 1
With the above configuration, you can connect using two VPN groups. The first group will connect with group name ezvpn and password XXX. The second group will connect with group name new_tunnel and password new_tunnel123.
When you apply an ACL to a group, for example, to the second group:
crypto isakmp client configuration group new_tunnel
 key new_tunnel123
 pool SDM_POOL_2
 max-users 5
 max-logins 1
 acl 101
The ACL 101 will indicate which traffic is to be encrypted through the tunnel (split-tunneling). So, pretty much based on the ACLs and the VPN groups, you can manipulate what the VPN clients can do.
About the ISAKMP profiles, you can search on Google for an explanation as well.
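An added example (not part of the thread and not Cisco tooling): a small Python check that reads a router configuration and reports, for each Easy VPN client group, its address pool and whether an acl line makes it split-tunnel. The sample configuration is constructed from the two groups shown in the answer above; the function names are hypothetical.

```python
import re

# Constructed sample: the two client groups from the thread, one command per line.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group ezvpn
 key XXX
 pool SDM_POOL_1
 max-users 5
 max-logins 1
!
crypto isakmp client configuration group new_tunnel
 key new_tunnel123
 pool SDM_POOL_2
 max-users 5
 max-logins 1
 acl 101
!
interface FastEthernet0/0
 crypto map SDM_CMAP_1
"""

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)\s*$")

def parse_client_groups(config):
    """Return {group_name: {subcommand: value}} for each Easy VPN client group."""
    groups, current = {}, None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" ") and line.strip():
            keyword, _, value = line.strip().partition(" ")
            current[keyword] = value
        else:
            current = None  # "!" or any other top-level command ends the group block
    return groups

def tunnel_mode(settings):
    """With an 'acl', only matching traffic is encrypted; without one, all traffic is."""
    return "split-tunnel via ACL " + settings["acl"] if "acl" in settings else "full tunnel"

def report(config):
    """Map each group name to (pool, tunnel mode); keys are deliberately left out."""
    return {n: (s.get("pool"), tunnel_mode(s)) for n, s in parse_client_groups(config).items()}

if __name__ == "__main__":
    for name, (pool, mode) in report(SAMPLE_CONFIG).items():
        print(f"{name}: pool={pool}, {mode}")
```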
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :