New Member

VPN Cisco 1811 & Shrewsoft client 2.10

Hi,

I'm a total Cisco / networking novice that has inherited responsibilities for our small office network and I am in need of help to set up a VPN that office staff or clients can access from home or from a client's office. We have a number of public facing IP addresses; currently one of them is unused and we would like to use it for our VPN (let's say the address is 44.55.66.77, GW is 44.55.66.78 and Mask is 255.255.255.252, and it uses Xauth and Mutual PSK) to access our internal network (192.168.1.1 thru 192.168.1.254); an internal DHCP server hands out addresses from 192.168.1.100 thru 192.168.1.199.

I have tried copying quite a few router configs I've found by googling but I have had no luck whatsoever, so I'm really hoping someone can post a working config for the 1811 router and setup for the Shrewsoft client. An explanation (tutorial) as well would really be helpful, but I'd happily settle for something that works.

Thanks in Advance

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Brad,

The configurations that I can send you are most likely the ones you've found and tried.

Why don't you just share a copy of your config (change the real IPs) and we'll help you see what you are missing.

Federico.

New Member

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Thanks for the offer of help!

I've attached my config files.

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Brad,

Sorry to reply with a link:

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800949ba.shtml

But here's the deal...

You're configuring the remote access client IPsec VPN connection with a static crypto map:

crypto map IPSEC 45 ipsec-isakmp
 set peer 44.55.66.77
 set security-association lifetime seconds 7200
 set transform-set L2TP-LNS
 set pfs group2

You need to change that to a dynamic crypto map (explained in the link).

Also, the "mode" should be tunnel and not transport in the transform-set.

Please try it and let us know any problems.

Federico.

New Member

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Do you have another link or example? I can't access that link.

Re: VPN Cisco 1811 & Shrewsoft client 2.10

New Member

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Federico,

Thanks, I can get to the page now; in fact it is one I found before. Maybe I'm not looking in the right place, but I don't see any explanations for tunnels, crypto maps, or encryption. This is the page the link took me to.

Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication

Document Id: 21060.

As first posted, I'm a complete novice to all things Cisco and could really use a working example for the 1811.

Thanks for the help and will be back after the weekend.

Re: VPN Cisco 1811 & Shrewsoft client 2.10

That's the correct link.

It shows the configuration where it says: 

Configure the 2621XM Router

Follow that configuration (just change the IPs to the right ones).

You see that the crypto map is a dynamic-map and not a static one as in your original configuration.

What you can do is the following...

Follow the steps on that link to configure the router and try to connect... if it fails... we should be closer to having it correct.

The only real difference from the link (besides the IPs) is that you're going to use the local database authentication instead of a Radius server to authenticate the VPN clients.

Federico.

New Member

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Hi Federico,

I've attempted to follow the suggested configuration from the link but there is still no VPN connection. I've attached the new 1811 config file; the Shrewsoft client config remains the same.

Thanks

New Member

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Fredrico,

In the link you provide one of the lines contains the following.

crypto isakmp client configuration group 3000client

In the same link I can see this value "3000client" gets set as a group name in the Cisco VPN client; what is the corresponding entry for the Shrewsoft client?

Thanks

New Member

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Federico,

My apologies, I noticed I misspelt your name in previous posts. I'm still unable to get my VPN to work. I tried another config yesterday and have included both the 1811 config as well as the client config. I see this error at the console of the 1811:

%CRYPTO-6-VPN_TUNNEL_STATUS: Group:  does not exist

Thanks

Brad

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Brad,

Please do the following:

Enable ISAKMP debugs on the router:

debug cry isa
debug cry ipsec
term mon

From the VPN client connect using the following:

Group name: vpnclient

Group password: mypresharekeystring

Post the output of the debugs above.

Federico.

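The router side Federico describes, as an added example that is not from the thread or from Cisco's document: the dynamic crypto map and client group configured with local authentication instead of RADIUS, which is also where the group name is defined that the Shrew Soft client must send as its Key Identifier local identity (an empty identity is what the %CRYPTO-6-VPN_TUNNEL_STATUS message above reports). Upper-case names, the username and both keys are placeholders; the addressing follows the thread.

```cisco
! Added example (not from the thread or Cisco document 21060): IKEv1 remote-access
! server on the 1811 with local user auth. Upper-case names, the user and both keys
! are placeholders; the internal subnets and pool are taken from Brad's posts.
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network GROUPAUTH local
username vpnuser1 secret REPLACE-WITH-STRONG-PASSWORD
! Phase 1 proposal the client must match (group 2 is legacy; prefer group 14
! and SHA-256 when both the IOS image and the client support them).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! The group name is what the Shrew Soft client sends as its Key Identifier;
! a missing or mismatched identity logs "Group: <name> does not exist".
crypto isakmp client configuration group vpnclient
 key REPLACE-WITH-GROUP-PRESHARED-KEY
 pool VPNPOOL
 acl 101
! Phase 2 in tunnel mode (the default), as Federico notes, not transport.
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
! Dynamic map: client addresses are unknown in advance, so there is no "set peer".
crypto dynamic-map DYNMAP 10
 set transform-set ESP-AES-SHA
 reverse-route
crypto map CLIENTMAP client authentication list USERAUTH
crypto map CLIENTMAP isakmp authorization list GROUPAUTH
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
! Pool pushed to clients (visible on the client's virtual adapter) and the
! split-tunnel list naming every internal subnet reachable through the tunnel.
ip local pool VPNPOOL 192.168.5.100 192.168.5.119
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 192.168.5.0 0.0.0.255
! With "ip nat inside" on the LAN interfaces, LAN-to-pool traffic must be denied
! in the NAT list or replies to tunnel traffic are translated and never return.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 deny   ip 10.0.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip any any
ip nat inside source list NAT-INSIDE interface FastEthernet0 overload
interface FastEthernet0
 ip address 44.55.66.77 255.255.255.252
 ip nat outside
 crypto map CLIENTMAP
```
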
New Member

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Federico,

I was able to get my VPN established using the attached config files. I still really don't understand how this stuff all works though. In order to complete my setup I need to be able to connect to a few servers on different subnets after I establish the VPN connection. Can you provide some additional direction on how to do this?

I have 3 subnets: 192.168.1.0 - 192.168.1.255 NM 255.255.255.0
                  192.168.2.0 - 192.168.1.255 NM 255.255.255.0
                  10.0.1.0 - 10.0.1.255 NM 255.255.255.0

The subnets are on HP procurve switches model 2900-24G

In my posted config I tried to setup a VLAN of 192.168.5.0 and NM 255.255.255.0 and use FastEthernet 1.

Can I use the remaining FastEthernet ports 2 - 8 to physically connect to the other subnets? How do I set this up?

Also I have a question about the VPN itself. I expected to see an assigned address in the range 192.168.5.100 - 192.168.5.119 when I type ipconfig /all on the client workstation. The client is Win 7 with the Shrewsoft VPN client; however, I don't see this.

Thanks for all the help

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Brad,

The remaining Fast 2-8 ports are layer 2 ports (switch ports), so cannot be assigned an IP.
You can configure an Interface VLAN to associate the ports and create different IP subnets.

The VPN connection creates a VPN virtual adapter (network connection) that reports an IP from the pool
as you mentioned (you should see this information if the client is connected successfully).

To be able to access other subnets via the VPN, you should include those networks in the ACL 101.

Federico

New Member

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Can you verify these commands?

(config)#int FastEthernet 2
(config-if)#sw mode access
(config-if)#sw access vl 2
(config)#int vl 2
! 192.168.0.249 is unused on the subnet
(config-if)#ip address 192.168.0.249 255.255.255.0
(config-if)#no shut
(config)#access-list 101 permit ip 192.168.5.0 0.0.0.255 any
(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 any
(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Thanks

Edit:

The above commands don't allow me to ping a device at 192.168.1.1. Is there something I need to add for routing as well?

Edit 2:

I can ping the device at 192.168.1.1 from the console of the 1811 but not from the remote end of the tunnel. Does that make it a routing issue?

Thanks

New Member

Re: VPN Cisco 1811 & Shrewsoft client 2.10

Federico,

I've continued to work on trying to ping a device (192.168.0.1 or 192.168.0.249) at the other end of the tunnel to no avail. Here is what I've added to the last config I posted:

interface Vlan1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 ip route-cache flow
 ip virtual-reassembly
 ip helper-address 192.168.0.249
 ip helper-address 192.168.1.249
!
interface Vlan2
 ip address 192.168.0.249 255.255.255.0
 ip nat inside
 ip route-cache flow
 ip virtual-reassembly
!
interface Vlan3
 ip address 192.168.1.249 255.255.255.0
 ip nat inside
 ip route-cache flow
 ip virtual-reassembly
!
interface FastEthernet2
 switchport access vlan 2
 no shutdown
!
interface FastEthernet3
 switchport access vlan 3
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 44.55.66.78
ip route 192.168.0.0 255.255.255.0 192.168.0.1
ip route 192.168.1.0 255.255.255.0 192.168.1.1
ip routing
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 44.0.0.0 0.255.255.255 any

Thanks

Brad

Edit:

My VPN connection gets established, so the last config I posted for that is correct; the configs don't let me ping a remote device though.

Thanks for all the help

Brad
