Cisco Support Community
New Member

Remote access vpn for cisco1841

Hi all,

Can I have a sample config of a working remote access VPN for a Cisco 1800 series router?

My Cisco 1800 series router already has a site-to-site VPN, hence can I still configure a remote access VPN using the existing IKE policy?

Is it true that Cisco routers only support 1 IKE policy? Please advise. Thanks in advance.

6 REPLIES
Cisco Employee

Re: Remote access vpn for cisco1841

Firstly, you can configure it; just make sure you use the same crypto map.

Here is an example configuration with local authentication:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

You can configure as many IKE policies as you wish, but you can use the same one; it should not be an issue.

Just make sure that you do the following:

-- exempt traffic from internal network to pool network from natting

-- it is recommended that you use a different subnet for vpn clients

-- ensure that you open up port udp 4500 on your outside interface of router

New Member

Re: Remote access vpn for cisco1841

Hi jathaval,

Thank you for your advice.

I am unable to use the link you provided.

I am referring to this link: http://cisco.biz/en/US/docs/routers/access/1800/1801/software/configuration/guide/vpnezvpn.html

As I already have a site-to-site VPN configured, I do not need to configure the following sections found in the link, right? Since I can reuse the IKE policy and IPsec transform set.

1) Configure the IKE Policy

2) Configure IPSec Transforms and Protocols

I need to apply the following with reference to the above URL to enable remote access VPN on my router, right?

1) Configure Group Policy Information

2) Apply Mode Configuration to the Crypto Map

3) Enable Policy Lookup

4) Configure the IPSec Crypto Method and Parameters (apply the crypto dynamic map to the existing crypto map used for site-to-site VPN)

5) Create an Easy VPN Remote Configuration

Thanks in advance.

Re: Remote access vpn for cisco1841

Hi Don,

First of all, the link you are referring to is for configuring the 1800 as an Easy VPN Server (which is the same as a Remote Access VPN Server) and also as an Easy VPN Client (the "Easy VPN Remote Configuration" part).

The 1800 as an Easy VPN client eliminates the use of VPN clients at the remote network (Branch Office PCs below).

(The link you are referring to has the following topology)

Office--- 1800 Easy VPN Server===== Internet====1800 Easy VPN Client-- Branch Office PCs.

Now, I assume that you are talking about a Remote Access VPN config, in which individual PCs with VPN clients come and connect to the 1800.

If that's the case,

Since you already have Site-to-Site VPN configured, all you need to configure now is (from your link): http://cisco.biz/en/US/docs/routers/access/1800/1801/software/configuration/guide/vpnezvpn.html#wp1001846

Configure Group Policy Information

Apply Mode Configuration to the Crypto Map

Enable Policy Lookup

Configure IPSec Transforms and Protocols

(You may reuse the transform set defined for Site-to-Site VPN)

Configure the IPSec Crypto Method and Parameters

To be much more precise, have a look at the link below:

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a00809c7171.shtml

Let me know if it helps.

Regards,

Praveen

Cisco Employee

Re: Remote access vpn for cisco1841

hi don,

here is what you need

aaa new-model

aaa authentication login userauthen local
aaa authorization network groupauthor local

username cisco password 0 cisco

ip local pool ippool 192.168.1.100 192.168.1.200

crypto isakmp client configuration group 3000client
 key cisco123
 dns 14.1.1.10
 wins 14.1.1.20
 domain cisco.com
 pool ippool

crypto dynamic-map dynmap 10
 set transform-set 
 reverse-route

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap


#you will see the crypto map that you have already configured for site to site vpn#

Just pay attention to one thing here: this could affect your site-to-site config if you are using a wildcard pre-shared key.

So if you are using that, add the keyword "no-xauth" after the key.
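A config check for two points raised in this thread (a wildcard pre-shared key needing no-xauth once XAUTH is enabled on the crypto map, and keeping the VPN client pool off the internal subnets), as an added example that is not part of the original posts. The sample config, its interface addresses and the finding names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample running-config (not taken from the thread): a site-to-site
# wildcard key plus the remote access additions discussed above.
SAMPLE_CONFIG = """\
crypto isakmp key s2skey address 0.0.0.0 0.0.0.0
crypto isakmp key peerkey address 203.0.113.10 no-xauth
ip local pool ippool 192.168.1.100 192.168.1.200
crypto map clientmap client authentication list userauthen
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map clientmap
"""

KEY_RE = re.compile(
    r"^crypto isakmp key .+? address (\S+)(?: (\d+\.\d+\.\d+\.\d+))?(.*)$")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\d\S+) (\d\S+)")
# XAUTH enabled on the crypto map itself (global form, not per ISAKMP profile).
XAUTH_RE = re.compile(r"^crypto map \S+ client authentication list ")


def audit(config: str) -> list[str]:
    """Return finding names for the two caveats, in config order."""
    lines = config.splitlines()
    findings = []
    xauth = any(XAUTH_RE.match(line) for line in lines)
    # Every subnet directly configured on an interface.
    nets = [ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            for m in map(ADDR_RE.match, lines) if m]
    for line in lines:
        key = KEY_RE.match(line)
        if key and xauth and key[1] == "0.0.0.0" and "no-xauth" not in key[3]:
            findings.append("wildcard-key-without-no-xauth")
        pool = POOL_RE.match(line)
        if pool:
            ends = [ipaddress.ip_address(pool[2]), ipaddress.ip_address(pool[3])]
            if any(e in n for e in ends for n in nets):
                findings.append(f"pool-overlaps-interface:{pool[1]}")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
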


New Member

Re: Remote access vpn for cisco1841

Hi Jathaval and Praveen,

Thank you very much. I got my remote VPN to work on my 1841 router with site-to-site still working.

There is no wildcard pre-shared key, as a specific IP address is stated for the remote peer in my site-to-site VPN.

Can I verify what the following are?

aaa authentication login remotevpn_auth local? - is this a list name to specify to use local user database authentication?

aaa authorization network remotevpn_auth local?

reverse-route?

route-map?

My config is slightly different as I use the following:

crypto isakmp client configuration group test
 key 245
 dns 1.1.1.2
 domain test.tt
 pool vpnpool
 acl spliltunnel
crypto isakmp profile client
 match identity group test
 client authentication list remotevpn_auth
 isakmp authorization list remotevpn_auth
 client configuration address respond

crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile client
 reverse-route

crypto map testvpn 65535 ipsec-isakmp dynamic dynmap (where testvpn is my crypto map applied to the external interface)

Thanks in advance.

Cisco Employee

Re: Remote access vpn for cisco1841

What you have is correct.

The authentication line that you mentioned is to suggest that we are using local database user authentication.

If you have an external AAA server like TACACS+ or RADIUS, you can specify that instead of local; local is a keyword to suggest local authentication.

So your local database would be whatever usernames and passwords you store on the router, like

username cisco password cisco

Hope this helps.

If this answers your question, please mark this as answered for the benefit of the users in the community.
