Solved

Add a new VPN on a router

Posted on 2003-11-20
Last Modified: 2010-03-19
I have Router A with an internet VPN to Router B.  Now I want to add a second internet VPN to Router C.

Are these commands correct, and are they all I need?  Specifically, is it correct to use a new transform-set name with the added lines of crypto map nolan 15 text?

Here are the commands I want to input (in the order I plan to input them):

int s0/0
no crypto map nolan

int s0/0.1
no crypto map nolan

int s0/0.2
no crypto map nolan

access-list 180 permit ip 10.105.1.0 0.0.255.255 10.120.0.0 0.0.0.255
access-list 180 deny   ip 10.105.1.0 0.0.255.255 any

crypto isakmp key ****** address 173.209.55.101

crypto map nolan 15 ipsec-isakmp
 set peer 173.209.55.101
 set transform-set new1
 match address 180

interface Serial0/0
crypto map nolan

interface Serial0/0.1
crypto map nolan

interface Serial0/0.2
crypto map nolan


The existing router configuration follows in the next comment.
Question by:gateguard

9 Comments

Author Comment

by:gateguard
ID: 9786726
Here is the existing configuration:

Current configuration : 2500 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname h0st
!
boot system flash c2600-ik8o3s-mz.122-8.t5.bin
enable secret 5 ******************
enable password 7 ****************
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 13
 hash md5
 authentication pre-share
crypto isakmp key connectk address 199.188.29.253
!
!
crypto ipsec transform-set h0st esp-des esp-md5-hmac
!
crypto map nolan 13 ipsec-isakmp
 set peer 199.188.29.253
 set transform-set h0st
 match address 160
!
call rsvp-sync
!
!
!
interface FastEthernet0/0
 ip address 10.105.1.254 255.255.0.0
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
 priority-group 4
!
interface FastEthernet0/0.1
 no ip redirects
 shutdown
!
interface FastEthernet0/0.2
 encapsulation isl 100
 ip address 205.68.28.100 255.255.255.0
 no ip redirects
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 priority-group 4
 frame-relay lmi-type ansi
 crypto map nolan
!
interface Serial0/0.1 point-to-point
 ip address 205.100.115.119 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 shutdown
 frame-relay interface-dlci 31 IETF
 crypto map nolan
!
interface Serial0/0.2 point-to-point
 ip address 205.105.11.200 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 32 IETF
 crypto map nolan
!
ip nat translation timeout 300
ip nat translation tcp-timeout 360
ip nat inside source list 150 interface Serial0/0.2 overload
ip nat inside source static tcp 10.105.1.2 3389 205.68.28.101 3389 extendable
ip nat inside source static tcp 10.105.1.1 3389 205.68.28.102 3389 extendable
ip nat inside source static tcp 10.105.1.254 23 205.68.28.102 23 extendable
ip nat outside source static 10.110.100.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 205.105.11.199
ip http server
ip pim bidir-enable
!
access-list 150 deny   ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 150 deny   ip 10.105.1.0 0.0.255.255 172.16.9.0 0.0.0.255
access-list 150 permit ip 10.105.1.0 0.0.255.255 any
access-list 160 permit ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 160 permit ip 10.105.1.0 0.0.255.255 172.16.9.0 0.0.0.255
access-list 160 deny   ip 10.105.1.0 0.0.255.255 any
access-list 170 deny   ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 170 permit ip 10.105.1.0 0.0.255.255 any
priority-list 4 protocol ip high tcp telnet
priority-list 4 protocol ip high tcp 3389
route-map nonat permit 10
 match ip address 170
!
!
snmp-server community limitles RW
snmp-server community tristatestart1 RW
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C
Any unauthorized use will be prosecuted.^C
!
line con 0
line aux 0
line vty 0 4
 password 7 ***********
 login
line vty 5
 password 7 ********
 login
!
end

Author Comment

by:gateguard
ID: 9786734
And I guess I need one more line:

crypto ipsec transform-set new1 esp-des esp-md5-hmac


So that the commands I input in order will be like this:

int s0/0
no crypto map nolan

int s0/0.1
no crypto map nolan

int s0/0.2
no crypto map nolan

access-list 180 permit ip 10.105.1.0 0.0.255.255 10.120.0.0 0.0.0.255
access-list 180 deny   ip 10.105.1.0 0.0.255.255 any

crypto isakmp key ****** address 173.209.55.101
crypto ipsec transform-set new1 esp-des esp-md5-hmac

crypto map nolan 15 ipsec-isakmp
 set peer 173.209.55.101
 set transform-set new1
 match address 180

interface Serial0/0
crypto map nolan

interface Serial0/0.1
crypto map nolan

interface Serial0/0.2
crypto map nolan
LVL 7

Accepted Solution

by:Robing66066 earned 500 total points
ID: 9788373
Here are the configs with documentation for two Cisco 1700 series routers doing VPN.  You should be able to match them up with your config.  

Let me know if something is unclear.

--------------------

hostname Central
!
logging rate-limit all 1000
enable password <deleted>
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
!
no ip dhcp-client network-discovery
!
!

// The next four lines determine the type of encryption the clients will use //

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

//  The next three lines describe the IP address and shared key of the three routers //
crypto isakmp key <DELETED> address 100.100.100.10
crypto isakmp key <DELETED> address 110.110.110.11
crypto isakmp key <DELETED> address 120.120.120.12

// The next line is for at-home user VPN //
crypto isakmp key <DELETED> address 0.0.0.0 0.0.0.0

// This line tells the client to get an IP address from the address pool “ourpool” //
crypto isakmp client configuration address-pool local ourpool
!
!

//  Create a crypto transform set and dynamic map for encryption policy //

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!

//  Allow this router to both initiate a tunnel and respond to a tunnel request //
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap

// Set up a tunnel matching access-list 150  //
crypto map mymap 20 ipsec-isakmp  
 set peer 100.100.100.10
 set transform-set myset
 match address 150

// Set up a tunnel matching access-list 151 //
crypto map mymap 21 ipsec-isakmp  
 set peer 110.110.110.11
 set transform-set myset
 match address 151

// Set up a tunnel matching access-list 152 //
crypto map mymap 22 ipsec-isakmp  
 set peer 120.120.120.12
 set transform-set myset
 match address 152
!
!
!
!
// Set up Outside Interface  - uses encryption //

interface Ethernet0
 ip address 130.130.130.13 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map mymap
!        

//  Set up Inside Interface – uses encryption //

interface FastEthernet0
 ip address 10.10.7.3 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!

// Define address pool for VPN clients //
ip local pool ourpool 172.16.1.1 172.16.1.254

// Set up NAT //
ip nat inside source route-map internet interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 130.130.130.1
no ip http server
!


// Define “interesting traffic” for each tunnel. //

access-list 150 permit ip 10.10.0.0 0.0.255.255 10.10.129.0 0.0.0.255
access-list 151 permit ip 10.10.0.0 0.0.255.255 10.10.130.0 0.0.0.255
access-list 152 permit ip 10.10.0.0 0.0.255.255 10.10.131.0 0.0.0.255

//   Deny NAT for interesting traffic.  //
access-list 160 deny   ip 10.10.0.0 0.0.255.255 172.16.1.0 0.0.0.255
access-list 160 deny   ip 10.10.0.0 0.0.255.255 10.10.129.0 0.0.0.255
access-list 160 deny   ip 10.10.0.0 0.0.255.255 10.10.130.0 0.0.0.255
access-list 160 deny   ip 10.10.0.0 0.0.255.255 10.10.131.0 0.0.0.255
access-list 160 permit ip 10.10.0.0 0.0.255.255 any
!
!

// Define NAT permitted traffic //
route-map internet permit 10
 match ip address 160
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password <deleted>
 login
!
end
 
-**- REMOTE DEVICE
!
hostname Remote
!
logging rate-limit console 10 except errors
enable password <deleted>
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
no ip dhcp conflict logging

// Set up local DHCP Scope and exclude range ( Next 8 lines) //
ip dhcp excluded-address 10.10.131.1 10.10.131.5
ip dhcp excluded-address 10.10.131.51 10.10.131.59
ip dhcp excluded-address 10.10.131.81 10.10.131.254
!        
ip dhcp pool edmonton
   network 10.10.131.0 255.255.255.0
   domain-name hostname.com
   default-router 10.10.131.2
   dns-server 10.10.7.1
!
no ip dhcp-client network-discovery
!
!

// Set up crypto policy parameters.  Must match other end of tunnel //
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

//  Define other end of tunnel IP and shared key //

crypto isakmp key <DELETED> address 130.130.130.13
!
!

// Set up transform set parameters. Must match other end of tunnel //

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!

// Define other end of tunnel ip address and local crypto policy to use. //
crypto map mymap 10 ipsec-isakmp  
 set peer 130.130.130.13
 set transform-set myset
 match address 150
!        
!
!
!

// Set up outside interface – uses encryption //
interface Ethernet0
 ip address 120.120.120.12 255.255.255.224
 ip nat outside
 half-duplex
 crypto map mymap
!

// Set up inside interface – does not use encryption //
interface FastEthernet0
 ip address 10.10.131.2 255.255.255.0
 ip nat inside
 speed auto
!
ip nat inside source route-map internet interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 120.120.120.1
no ip http server
!

//  Define VPN “interesting traffic”. //
access-list 150 permit ip 10.10.131.0 0.0.0.255 10.10.0.0 0.0.255.255

// Define NAT traffic //
access-list 160 deny   ip 10.10.131.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 160 permit ip 10.10.131.0 0.0.0.255 any
!        
!
// Allow NAT traffic as per definition above //
route-map internet permit 10
 match ip address 160
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password <deleted>
 login
!
end
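Added example (Python, not from the thread or from Cisco): a checker that parses the thread's numbered ACLs and flags the two things that bite when a crypto map entry is added, a subnet mask typed where a wildcard belongs, and interesting traffic that the NAT ACL still translates before the crypto map sees it (the "Deny NAT for interesting traffic" lines in the accepted answer's ACL 160 are what prevents the latter). The sample config is constructed from ACL 150 and 160 in the thread plus a proposed ACL 180 carrying both mistakes; it assumes only the `any` and `net wildcard` address forms used here.

```python
"""Added example, not from the thread: sanity-check a Cisco IOS crypto ACL against the NAT ACL."""
from ipaddress import IPv4Address
ALL = 0xFFFFFFFF

def _addr(t):
    """Consume 'any' or 'net wildcard' (the forms used in the thread) -> (rest, (net, wc) as ints)."""
    return (t[1:], (0, ALL)) if t[0] == "any" else (t[2:], (int(IPv4Address(t[0])), int(IPv4Address(t[1]))))

def parse_acl(text, number):
    """Ordered [(action, (src_net, src_wc), (dst_net, dst_wc))] for one numbered extended ACL."""
    entries = []
    for t in (line.split() for line in text.splitlines()):
        if t[:2] == ["access-list", str(number)] and len(t) > 4 and t[3] == "ip":
            rest, src = _addr(t[4:])
            entries.append((t[2], src, _addr(rest)[1]))
    return entries

def looks_like_netmask(wc):
    """Ones contiguous from the top (e.g. 255.255.255.0): a subnet mask typed where a wildcard belongs."""
    return wc not in (0, ALL) and ((wc ^ ALL) & ((wc ^ ALL) + 1)) == 0

def _covers(outer, inner):
    # True when every address matched by inner (net, wc) is also matched by outer.
    (onet, owc), (inet, iwc) = outer, inner
    return (iwc & ~owc) == 0 and ((inet ^ onet) & ~owc & ALL) == 0

def nat_action(nat_acl, crypto_entry):
    """Action of the first NAT entry covering the whole crypto entry; none covering = implicit deny."""
    _, csrc, cdst = crypto_entry
    for action, nsrc, ndst in nat_acl:
        if _covers(nsrc, csrc) and _covers(ndst, cdst):
            return action
    return "deny"

def check(config, crypto_acl, nat_acl):
    """Findings: wildcards that look like subnet masks, and permits the NAT ACL does not exempt."""
    findings, nat = [], parse_acl(config, nat_acl)
    for entry in parse_acl(config, crypto_acl):
        action, (snet, swc), (dnet, dwc) = entry
        for wc in (swc, dwc):
            if looks_like_netmask(wc):
                findings.append(f"ACL {crypto_acl}: wildcard {IPv4Address(wc)} looks like a subnet mask")
        if action == "permit" and nat_action(nat, entry) != "deny":
            findings.append(f"ACL {crypto_acl}: {IPv4Address(snet)} -> {IPv4Address(dnet)} is not exempted from NAT by ACL {nat_acl}")
    return findings
# Constructed from the thread: existing NAT ACL 150 and crypto ACL 160, plus a proposed ACL 180 with both mistakes.
CONFIG = """\
access-list 150 deny   ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 150 permit ip 10.105.1.0 0.0.255.255 any
access-list 160 permit ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 180 permit ip 10.105.1.0 0.0.255.255 10.120.0.0 255.255.255.0
"""
```

check(CONFIG, 160, 150) returns no findings, while check(CONFIG, 180, 150) returns two; correcting the wildcard and adding a deny for 10.120.0.0 0.0.0.255 at the top of ACL 150 clears both.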

Author Comment

by:gateguard
ID: 9806340
I have a question about this:

//  Allow this router to both initiate a tunnel and respond to a tunnel request //
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

Are the words "initiate" and "respond" keywords?
LVL 7

Expert Comment

by:Robing66066
ID: 9813577
I believe so, yes.  

Author Comment

by:gateguard
ID: 9831550
Because I have an existing VPN, already working, and I'm not using those initiate and respond statements. So I'm not sure what they do, whether I need them, and if I do need them, how I am getting along without them on the existing VPN.
LVL 7

Expert Comment

by:Robing66066
ID: 9835173
You only really need them if you are doing dynamic addressing for your VPN.  If all your endpoints are static, you're ok without them.  (At least, that is how I understand it)

Author Comment

by:gateguard
ID: 9839051
thanks
LVL 7

Expert Comment

by:Robing66066
ID: 9839542
You're welcome.  Thanks for the points and the grade!