08-21-2010 01:11 AM - edited 02-21-2020 04:48 PM
Hi all,
Can I have a sample config of a working remote access VPN for a Cisco 1800 series router?
My Cisco 1800 series router already has a site-to-site VPN, so can I still configure a remote access VPN using the existing IKE policy?
Is it true that a Cisco router only supports one IKE policy? Please advise. Thanks in advance.
08-22-2010 04:00 AM
What you have is correct.
The authentication line you mentioned means that we are using local database user authentication.
If you have an external AAA server such as TACACS+ or RADIUS you can specify that instead of local; local is a keyword that selects local authentication.
So your local database would be whatever usernames and passwords you store on the router, like:
username cisco password cisco
Hope this helps.
If this answers your question, please mark this as answered for the benefit of the users in the community.
08-21-2010 01:41 AM
Firstly, you can configure it; just make sure you use the same crypto map.
Here is an example configuration with local authentication.
You can configure as many IKE policies as you wish, but you can use the same one; it should not be an issue.
Just make sure that you do the following:
-- exempt traffic from the internal network to the pool network from NAT
-- it is recommended that you use a different subnet for VPN clients
-- ensure that you open up port UDP 4500 on the outside interface of the router
08-21-2010 08:16 AM
Hi jathaval,
Thank you for your advice.
I am unable to use the link you provided.
I am referring to this link: http://cisco.biz/en/US/docs/routers/access/1800/1801/software/configuration/guide/vpnezvpn.html
As I already have a site-to-site VPN configured, I do not need to configure the following sections found in the link, right? Since I can reuse the IKE policy and IPsec transform set.
1) Configure the IKE Policy
2) Configure IPSec Transforms and Protocols
I need to apply the following, with reference to the above URL, to enable remote access VPN on my router, right?
1) Configure Group Policy Information
2) Apply Mode Configuration to the Crypto Map
3) Enable Policy Lookup
4) Configure the IPSec Crypto Method and Parameters (apply the crypto dynamic map to the existing crypto map used for the site-to-site VPN)
5) Create an Easy VPN Remote Configuration
Thanks in advance.
08-21-2010 09:01 AM
Hi Don,
First of all, the link you are referring to covers configuring the 1800 as an Easy VPN Server (which is the same as a Remote Access VPN Server) and also as an Easy VPN Client (the "Easy VPN Remote Configuration" part).
The 1800 as an Easy VPN client eliminates the use of VPN clients at the remote network (the branch office PCs below).
(The link you are referring to has the following topology)
Office--- 1800 Easy VPN Server===== Internet====1800 Easy VPN Client-- Branch Office PCs.
Now, I assume that you are talking about a Remote Access VPN config, in which individual PCs with VPN clients connect to the 1800.
If that's the case,
since you already have a site-to-site VPN configured, all you need to configure now is (from your link: http://cisco.biz/en/US/docs/routers/access/1800/1801/software/configuration/guide/vpnezvpn.html#wp1001846):
• Configure Group Policy Information
• Apply Mode Configuration to the Crypto Map
• Configure IPSec Transforms and Protocols
(You may reuse the transform set defined for the site-to-site VPN)
• Configure the IPSec Crypto Method and Parameters
To be much more precise, have a look at the link below:
http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a00809c7171.shtml
Let me know if it helps.
Regards,
Praveen
08-21-2010 09:58 PM
Hi Don,
Here is what you need:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username cisco password 0 cisco
ip local pool ippool 192.168.1.100 192.168.1.200
crypto isakmp client configuration group 3000client
 key cisco123
 dns 14.1.1.10
 wins 14.1.1.20
 domain cisco.com
 pool ippool
crypto dynamic-map dynmap 10
 ! reuse the transform set you already defined for the site-to-site VPN
 set transform-set <your-existing-transform-set>
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
! "clientmap" is the crypto map that you have already configured for the site-to-site VPN
Just pay attention to one thing here: this could affect your site-to-site config if you are using a wildcard pre-shared key.
So if you are using that, add the keyword "no-xauth" after the key.
08-22-2010 03:44 AM
Hi Jathaval and Praveen,
Thank you very much. I got my remote VPN to work on my 1841 router with the site-to-site VPN still working.
There is no wildcard pre-shared key, as a specific IP address is stated for the remote peer in my site-to-site VPN.
Can I verify what the following are?
aaa authentication login remotevpn_auth local? - is this a list name to specify the use of local user database authentication?
aaa authorization network remotevpn_auth local?
reverse-route?
route-map?
My config is slightly different, as I use the following:
crypto isakmp client configuration group test
 key 245
 dns 1.1.1.2
 domain test.tt
 pool vpnpool
 acl spliltunnel
crypto isakmp profile client
 match identity group test
 client authentication list remotevpn_auth
 isakmp authorization list remotevpn_auth
 client configuration address respond
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile client
 reverse-route
crypto map testvpn 65535 ipsec-isakmp dynamic dynmap
(where testvpn is my crypto map applied to the external interface)
Thanks in advance.
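As an added example that is not from any poster in this thread, here is the remote-access configuration above combined with the pieces the earlier replies ask for: the reused site-to-site policy and transform set, a split-tunnel ACL, and the NAT exemption (the route-map) for LAN-to-pool traffic. All addresses, interface names and the site-to-site peer are constructed assumptions; the pool is a separate subnet from the LAN, as recommended above.

```cisco
! Constructed addressing: LAN 10.10.10.0/24 on Fa0/1, outside Fa0/0,
! site-to-site peer 203.0.113.2 with remote LAN 10.20.20.0/24, client pool 192.168.1.0/24
aaa new-model
aaa authentication login remotevpn_auth local
aaa authorization network remotevpn_auth local
username cisco password 0 cisco
! Existing site-to-site IKE policy, peer key and transform set; both VPNs reuse them.
! Only a wildcard key (address 0.0.0.0 0.0.0.0) would need the no-xauth keyword.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key sitekey address 203.0.113.2
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
ip local pool vpnpool 192.168.1.100 192.168.1.200
! Split tunnel: only traffic to the LAN is sent through the client tunnel
ip access-list extended spliltunnel
 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto isakmp client configuration group test
 key 245
 dns 1.1.1.2
 domain test.tt
 pool vpnpool
 acl spliltunnel
crypto isakmp profile client
 match identity group test
 client authentication list remotevpn_auth
 isakmp authorization list remotevpn_auth
 client configuration address respond
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile client
 reverse-route
ip access-list extended SITE_TO_SITE
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
crypto map testvpn 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set myset
 match address SITE_TO_SITE
crypto map testvpn 65535 ipsec-isakmp dynamic dynmap
! NAT exemption: deny LAN-to-pool and LAN-to-remote-site before the overload permit
ip access-list extended NAT_EXEMPT
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address NAT_EXEMPT
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
```

The reverse-route line installs a static route for each connected client's pool address when its IPsec SA comes up, so the router can route return traffic to the client; the crypto map testvpn must be applied to the outside interface, with ip nat outside there and ip nat inside on the LAN interface.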