VPN between two sites, one only has a public IP and the other does not, using Cisco 1841 and 877 ISRs

Dear All,

I want to ask how to make a VPN connection between two sites: one of them has a public IP and a Cisco 1841 router,

and the other has a DSL connection and a Cisco 877 router??

5 REPLIES
VPN between two sites, one only has a public IP and the other does not

Hi Amr,

Configure the 1841 router as an Easy VPN server, and the Cisco 877 as a client of that server (using client mode or network-extension mode).

NOTE: use the modern VTI method to ease configuration and troubleshooting.

Regards

VPN between two sites, one only has a public IP and the other does not

Hi Medhat,

I tried to configure it, but some errors appeared.

My configuration is as below:

EZ-SERVER#
Building configuration...

Current configuration : 1368 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
aaa new-model
!
!
aaa authentication login cisco local
aaa authorization network cisco local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
username XXXX password 0 XXXX
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group cisco
key cisco
!
!
crypto ipsec transform-set cisco esp-3des esp-sha-hmac
!
crypto dynamic-map cisco 10
!
!
crypto map cisco client authentication list cisco
crypto map cisco isakmp authorization list cisco
crypto map cisco 10 ipsec-isakmp dynamic cisco
!
!
!
interface Loopback1
ip address 30.30.30.30 255.255.255.0
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
negotiation auto
!
interface GigabitEthernet0/1
ip address 62.150.168.222 255.255.255.0
duplex auto
speed auto
media-type rj45
negotiation auto
crypto map cisco
!
ip default-gateway 62.150.168.1
ip classless
ip route 0.0.0.0 0.0.0.0 62.150.168.1
!
ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
!
scheduler allocate 20000 1000
!
end

EZ-Client#

Building configuration...

Current configuration : 1286 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EZ-Client
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 20
!
!
dot11 syslog
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username XXXX password 0 XXXX
!
!
!
!
!
!
crypto ipsec client ezvpn cisco
connect auto
group cisco key cisco
mode network-extension
peer 62.150.168.222
xauth userid mode interactive
!
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback0
ip address 20.20.20.20 255.255.255.0
crypto ipsec client ezvpn cisco inside
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address dhcp
crypto ipsec client ezvpn cisco
!
ip forward-protocol nd
ip route 30.30.30.0 255.255.255.0 62.150.168.222
!
no ip http server
no ip http secure-server
!
!
control-plane
!
!
line con 0
exec-timeout 15 0
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
exec-timeout 15 0
logging synchronous
login local
!
scheduler max-task-time 5000
end

And this is the error message:

%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=cisco  Client_public_addr=10.237.101.131  Server_public_addr=62.150.168.222

Note: in the error message, Client_public_addr=10.237.101.131 is not a public IP for the client; it is the private IP the router took from the DHCP server, because on the client side I don't have a dedicated public IP for the VPN since it is DSL.

As I mentioned in the first post, I have only one public IP, on the side of the 1841 router.

VPN between two sites, one only has a public IP and the other does not

Hi Amr,

This error means that the client is trying to initiate an IPsec connection to the server and it fails.

%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=cisco  Client_public_addr=10.237.101.131  Server_public_addr=62.150.168.222

Have you noticed that the client couldn't reach the server, as I am not seeing a default route configured on the client side!!!! Configure a default static route pointing to your Internet connection with an admin distance of 2 and let me know the result.

I am waiting for your feedback.

Regards.

VPN between two sites, one only has a public IP and the other does not

Dear Medhat,

As you can see, there is a static route on the client side!!

ip route 30.30.30.0 255.255.255.0 62.150.168.222

VPN between two sites, one only has a public IP and the other does not

Hi Amr,

Your IPsec peer is 62.150.168.222, SO the client must have a route to reach this IP address.

You do not need to configure a static route to reach 30.30.30.0/24, because when the IPsec tunnel is established, the Easy VPN server will inject a default route pointing to the IPsec tunnel itself; SO that is why I asked you to add a default route with AD 2.

OR you can add a more specific route to 62.150.168.222 instead of the default route.

Please let me know if that works for you.

Regards.
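The following is an added example and is not the original poster's configuration nor anything posted in the replies: it shows the VTI-based Easy VPN setup that the first reply recommends, with the routing advice from the last reply applied on the 877. It reuses the thread's addresses (62.150.168.222 as the 1841's public address and Easy VPN peer, 30.30.30.0/24 behind the 1841, 20.20.20.0/24 behind the 877) and, like the thread, uses loopbacks as stand-ins for the LAN interfaces. The group name BRANCH, the AAA list and profile names, the pool 192.168.255.0/24, the Xauth user, the placeholder secrets, the "ip route ... dhcp 2" form of the default route and the hostnames are all assumptions made for the example. The 877's outside interface Vlan1 gets a private address from the DSL modem's DHCP, so the session runs through NAT and relies on NAT traversal, which both routers enable by default.

```cisco
! ===== 1841: Easy VPN server using a dynamic VTI (added example, not from the thread) =====
hostname EZ-SERVER
!
aaa new-model
! Xauth user authentication and group authorization against the local database (assumed list names)
aaa authentication login EZ-XAUTH local
aaa authorization network EZ-GROUP local
! Xauth account; "secret" stores a hash instead of the cleartext "password 0" in the posted config
username vpnuser secret Xauth-Pa55w0rd
!
! IKE phase 1; DH group 2 and pre-shared-key authentication are assumed to match what the
! 877's Easy VPN remote proposes on this software release
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! Group the branch router joins; "key" is the group pre-shared key the 877 must present
crypto isakmp client configuration group BRANCH
 key Gr0up-PSK-change-me
 pool EZ-POOL
!
! Only client-mode peers draw from the pool; a network-extension peer keeps its own subnet
ip local pool EZ-POOL 192.168.255.1 192.168.255.254
!
! Ties the group to the AAA lists and to the Virtual-Template that each client is cloned from
crypto isakmp profile EZ-PROF
 match identity group BRANCH
 client authentication list EZ-XAUTH
 isakmp authorization list EZ-GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZ-TS esp-aes esp-sha-hmac
!
crypto ipsec profile EZ-IPSEC
 set transform-set EZ-TS
 set isakmp-profile EZ-PROF
!
! Each connecting client gets its own Virtual-Access interface cloned from this template;
! with the VTI there is no crypto map and no dynamic map to keep in step with the clients
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZ-IPSEC
!
interface GigabitEthernet0/1
 description Public side, the only public IP in the thread
 ip address 62.150.168.222 255.255.255.0
 no shutdown
!
interface Loopback1
 description Stand-in for the head-end LAN 30.30.30.0/24
 ip address 30.30.30.30 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 62.150.168.1
!
! ===== 877: Easy VPN remote in network-extension mode with a VTI (added example) =====
hostname EZ-Client
!
crypto ipsec client ezvpn BRANCH
 connect auto
 group BRANCH key Gr0up-PSK-change-me
 mode network-extension
 peer 62.150.168.222
 virtual-interface 1
 ! Stored Xauth credentials so the tunnel comes up unattended; the posted
 ! "xauth userid mode interactive" instead waits for someone to type them at the CLI
 username vpnuser password Xauth-Pa55w0rd
 xauth userid mode local
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Loopback0
 description Stand-in for the branch LAN 20.20.20.0/24, announced to the server by NEM
 ip address 20.20.20.20 255.255.255.0
 crypto ipsec client ezvpn BRANCH inside
!
interface Vlan1
 description Outside: private DHCP address from the DSL modem, behind its NAT
 ip address dhcp
 crypto ipsec client ezvpn BRANCH
!
! Default route toward the DHCP-learned gateway with AD 2, as the last reply recommends,
! so the peer stays reachable and the route the server pushes over the tunnel is preferred.
! The "dhcp" next-hop keyword with a trailing distance is an assumption for this example.
ip route 0.0.0.0 0.0.0.0 dhcp 2
! Alternative from the same reply, for an outside interface with a known next hop:
! ip route 62.150.168.222 255.255.255.255 <isp-gateway>
```

To check the result, "show crypto ipsec client ezvpn" on the 877 should report the BRANCH profile in state IPSEC_ACTIVE, and "show ip route" on the 1841 should then carry 20.20.20.0/24 through a Virtual-Access interface, which removes the need for the manual 30.30.30.0/24 route the poster had added on the client.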
