Solved

Add a new VPN on a router

Posted on 2003-11-20
Last Modified: 2010-03-19
I have Router A with an internet VPN to Router B.  Now I want to add a second internet VPN to Router C.

Are these commands correct, and are they all I need?  Specifically, is it correct to use a new transform-set name with the added lines of crypto map nolan 15 text?

Here are the commands I want to input (in the order I plan to input them):

int s0/0
no crypto map nolan

int s0/0.1
no crypto map nolan

int s0/0.2
no crypto map nolan

access-list 180 permit ip 10.105.1.0 0.0.255.255 10.120.0.0 0.0.0.255
access-list 180 deny   ip 10.105.1.0 0.0.255.255 any

crypto isakmp key ****** address 173.209.55.101

crypto map nolan 15 ipsec-isakmp
 set peer 173.209.55.101
 set transform-set new1
 match address 180

interface Serial0/0
crypto map nolan

interface Serial0/0.1
crypto map nolan

interface Serial0/0.2
crypto map nolan


The existing router configuration follows in the next comment.
Question by:gateguard
9 Comments

Author Comment

by:gateguard
ID: 9786726
Here is the existing configuration:

Current configuration : 2500 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname h0st
!
boot system flash c2600-ik8o3s-mz.122-8.t5.bin
enable secret 5 ******************
enable password 7 ****************
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 13
 hash md5
 authentication pre-share
crypto isakmp key connectk address 199.188.29.253
!
!
crypto ipsec transform-set h0st esp-des esp-md5-hmac
!
crypto map nolan 13 ipsec-isakmp
 set peer 199.188.29.253
 set transform-set h0st
 match address 160
!
call rsvp-sync
!
!
!
interface FastEthernet0/0
 ip address 10.105.1.254 255.255.0.0
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
 priority-group 4
!
interface FastEthernet0/0.1
 no ip redirects
 shutdown
!
interface FastEthernet0/0.2
 encapsulation isl 100
 ip address 205.68.28.100 255.255.255.0
 no ip redirects
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 priority-group 4
 frame-relay lmi-type ansi
 crypto map nolan
!
interface Serial0/0.1 point-to-point
 ip address 205.100.115.119 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 shutdown
 frame-relay interface-dlci 31 IETF
 crypto map nolan
!
interface Serial0/0.2 point-to-point
 ip address 205.105.11.200 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 32 IETF
 crypto map nolan
!
ip nat translation timeout 300
ip nat translation tcp-timeout 360
ip nat inside source list 150 interface Serial0/0.2 overload
ip nat inside source static tcp 10.105.1.2 3389 205.68.28.101 3389 extendable
ip nat inside source static tcp 10.105.1.1 3389 205.68.28.102 3389 extendable
ip nat inside source static tcp 10.105.1.254 23 205.68.28.102 23 extendable
ip nat outside source static 10.110.100.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 205.105.11.199
ip http server
ip pim bidir-enable
!
access-list 150 deny   ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 150 deny   ip 10.105.1.0 0.0.255.255 172.16.9.0 0.0.0.255
access-list 150 permit ip 10.105.1.0 0.0.255.255 any
access-list 160 permit ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 160 permit ip 10.105.1.0 0.0.255.255 172.16.9.0 0.0.0.255
access-list 160 deny   ip 10.105.1.0 0.0.255.255 any
access-list 170 deny   ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 170 permit ip 10.105.1.0 0.0.255.255 any
priority-list 4 protocol ip high tcp telnet
priority-list 4 protocol ip high tcp 3389
route-map nonat permit 10
 match ip address 170
!
!
snmp-server community limitles RW
snmp-server community tristatestart1 RW
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C
Any unauthorized use will be prosecuted.^C
!
line con 0
line aux 0
line vty 0 4
 password 7 ***********
 login
line vty 5
 password 7 ********
 login
!
end

Author Comment

by:gateguard
ID: 9786734
And I guess I need one more line:

crypto ipsec transform-set new1 esp-des esp-md5-hmac


So that the commands I input in order will be like this:

int s0/0
no crypto map nolan

int s0/0.1
no crypto map nolan

int s0/0.2
no crypto map nolan

access-list 180 permit ip 10.105.1.0 0.0.255.255 10.120.0.0 0.0.0.255
access-list 180 deny   ip 10.105.1.0 0.0.255.255 any

crypto isakmp key ****** address 173.209.55.101
crypto ipsec transform-set new1 esp-des esp-md5-hmac

crypto map nolan 15 ipsec-isakmp
 set peer 173.209.55.101
 set transform-set new1
 match address 180

interface Serial0/0
crypto map nolan

interface Serial0/0.1
crypto map nolan

interface Serial0/0.2
crypto map nolan

Accepted Solution

by: Robing66066 (earned 500 total points)
ID: 9788373
Here are the configs with documentation for two Cisco 1700 series routers doing VPN.  You should be able to match them up with your config.  

Let me know if something is unclear.

--------------------

hostname Central
!
logging rate-limit all 1000
enable password <deleted>
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
!
no ip dhcp-client network-discovery
!
!

// The next four lines determine the type of encryption the clients will use //

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

//  The next three lines describe the IP address and shared key of the three routers //
crypto isakmp key <DELETED> address 100.100.100.10
crypto isakmp key <DELETED> address 110.110.110.11
crypto isakmp key <DELETED> address 120.120.120.12

// The next line is for at home user VPN //
crypto isakmp key <DELETED> address 0.0.0.0 0.0.0.0

// This line tells the client to get an IP address from the address pool “ourpool” //
crypto isakmp client configuration address-pool local ourpool
!
!

//  Create a crypto transform set and dynamic map for encryption policy //

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!

//  Allow this router to both initiate a tunnel and respond to a tunnel request //
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap

// Set up a tunnel matching access-list 150  //
crypto map mymap 20 ipsec-isakmp  
 set peer 100.100.100.10
 set transform-set myset
 match address 150

// Set up a tunnel matching access-list 151 //
crypto map mymap 21 ipsec-isakmp  
 set peer 110.110.110.11
 set transform-set myset
 match address 151

// Set up a tunnel matching access-list 152 //
crypto map mymap 22 ipsec-isakmp  
 set peer 120.120.120.12
 set transform-set myset
 match address 152
!
!
!
!
// Set up Outside Interface  - uses encryption //

interface Ethernet0
 ip address 130.130.130.13 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map mymap
!        

//  Set up Inside Interface – uses encryption //

interface FastEthernet0
 ip address 10.10.7.3 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!

// Define address pool for VPN clients //
ip local pool ourpool 172.16.1.1 172.16.1.254

// Set up NAT //
ip nat inside source route-map internet interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 130.130.130.1
no ip http server
!


// Define “interesting traffic” for each tunnel. //

access-list 150 permit ip 10.10.0.0 0.0.255.255 10.10.129.0 0.0.0.255
access-list 151 permit ip 10.10.0.0 0.0.255.255 10.10.130.0 0.0.0.255
access-list 152 permit ip 10.10.0.0 0.0.255.255 10.10.131.0 0.0.0.255

//   Deny NAT for interesting traffic.  //
access-list 160 deny   ip 10.10.0.0 0.0.255.255 172.16.1.0 0.0.0.255
access-list 160 deny   ip 10.10.0.0 0.0.255.255 10.10.129.0 0.0.0.255
access-list 160 deny   ip 10.10.0.0 0.0.255.255 10.10.130.0 0.0.0.255
access-list 160 deny   ip 10.10.0.0 0.0.255.255 10.10.131.0 0.0.0.255
access-list 160 permit ip 10.10.0.0 0.0.255.255 any
!
!

// Define NAT permitted traffic //
route-map internet permit 10
 match ip address 160
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password <deleted>
 login
!
end
 
-**- REMOTE DEVICE
!
hostname Remote
!
logging rate-limit console 10 except errors
enable password <deleted>
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
no ip dhcp conflict logging

// Set up local DHCP Scope and exclude range ( Next 8 lines) //
ip dhcp excluded-address 10.10.131.1 10.10.131.5
ip dhcp excluded-address 10.10.131.51 10.10.131.59
ip dhcp excluded-address 10.10.131.81 10.10.131.254
!        
ip dhcp pool edmonton
   network 10.10.131.0 255.255.255.0
   domain-name hostname.com
   default-router 10.10.131.2
   dns-server 10.10.7.1
!
no ip dhcp-client network-discovery
!
!

// Set up crypto policy parameters.  Must match other end of tunnel //
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

//  Define other end of tunnel IP and shared key //

crypto isakmp key <DELETED> address 130.130.130.13
!
!

// Set up transform set parameters. Must match other end of tunnel //

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!

// Define other end of tunnel ip address and local crypto policy to use. //
crypto map mymap 10 ipsec-isakmp  
 set peer 130.130.130.13
 set transform-set myset
 match address 150
!        
!
!
!

// Set up outside interface – uses encryption //
interface Ethernet0
 ip address 120.120.120.12 255.255.255.224
 ip nat outside
 half-duplex
 crypto map mymap
!

// Set up inside interface – does not use encryption //
interface FastEthernet0
 ip address 10.10.131.2 255.255.255.0
 ip nat inside
 speed auto
!
ip nat inside source route-map internet interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 120.120.120.1
no ip http server
!

//  Define VPN “interesting traffic”. //
access-list 150 permit ip 10.10.131.0 0.0.0.255 10.10.0.0 0.0.255.255

// Define NAT traffic //
access-list 160 deny   ip 10.10.131.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 160 permit ip 10.10.131.0 0.0.0.255 any
!        
!
// Allow NAT traffic as per definition above //
route-map internet permit 10
 match ip address 160
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password <deleted>
 login
!
end
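A consistency check for the kind of change discussed in this thread, as an added example that is not from the question or the accepted answer: a small hand-written parser for IOS config text (assumed: numbered ACLs with `ip` and either `any` or `address wildcard` terms, no `host` form) and a check that each `ipsec-isakmp` crypto-map entry has its transform-set and match ACL defined, and that the NAT overload ACL denies the interesting traffic before the `permit ... any` line, as the "Deny NAT for interesting traffic" section above does. The sample is constructed from the asker's existing and planned lines.

```python
import re

def parse_ios(text):
    """Collect transform-sets, crypto-map entries, numbered ACLs and the NAT overload ACL."""
    cfg, cur = {"tsets": set(), "maps": [], "acls": {}, "nat": None}, None
    for line in text.splitlines():
        p = line.split()
        cur = cur if line.startswith(" ") else None  # a top-level line ends any crypto-map block
        if line.startswith("crypto ipsec transform-set "):
            cfg["tsets"].add(p[3])
        elif line.startswith("crypto map ") and "ipsec-isakmp" in p:
            cur = {"seq": int(p[3])}
            cfg["maps"].append(cur)
        elif cur and p[:2] in (["set", "peer"], ["set", "transform-set"], ["match", "address"]):
            cur[p[1]] = p[2]
        elif p[:1] == ["access-list"] and (m := re.fullmatch(
                r"ip (any|\S+ \S+) (any|\S+ \S+)", " ".join(p[3:]))):
            cfg["acls"].setdefault(p[1], []).append((p[2], m[1], m[2]))  # (action, src, dst)
        elif line.startswith("ip nat inside source list "):
            cfg["nat"] = p[5]
    return cfg

def check(cfg):
    """One finding per problem; an empty list means every crypto-map entry is complete."""
    out, nat = [], cfg["acls"].get(cfg["nat"], [])
    for m in cfg["maps"]:
        tag, acl = f"seq {m['seq']}", cfg["acls"].get(m.get("address"))
        if m.get("transform-set") not in cfg["tsets"]:
            out.append(f"{tag}: transform-set {m.get('transform-set')} not defined")
        if acl is None:
            out.append(f"{tag}: match ACL {m.get('address')} not defined")
        for action, src, dst in acl or []:
            # IOS applies inside->outside NAT before the crypto check, so the NAT ACL
            # must deny (on first match) every pair the crypto ACL permits.
            hit = next((a for a, s, d in nat if s in ("any", src) and d in ("any", dst)), "deny")
            if action == "permit" and hit != "deny":
                out.append(f"{tag}: NAT ACL {cfg['nat']} translates {src} -> {dst}")
    return out

# Constructed sample: the planned second tunnel with its transform-set line forgotten.
SAMPLE = """\
crypto map nolan 15 ipsec-isakmp
 set peer 173.209.55.101
 set transform-set new1
 match address 180
ip nat inside source list 150 interface Serial0/0.2 overload
access-list 150 deny   ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 150 permit ip 10.105.1.0 0.0.255.255 any
access-list 180 permit ip 10.105.1.0 0.0.255.255 10.120.0.0 0.0.0.255
"""
```

Running `check(parse_ios(SAMPLE))` reports the missing transform-set and the missing NAT exemption for 10.120.0.0/24; adding the `deny` line above the `permit ... any` clears the second finding, while adding it below leaves it.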

Author Comment

by:gateguard
ID: 9806340
I have a question about this:

//  Allow this router to both initiate a tunnel and respond to a tunnel request //
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

Are the words "initiate" and "respond" keywords?

Expert Comment

by:Robing66066
ID: 9813577
I believe so, yes.  

Author Comment

by:gateguard
ID: 9831550
Because I have an existing VPN, already working, and I'm not using those initiate and respond statements.  So I'm not sure what they do and whether I need them and if I do need them, how am I getting along without them on the existing VPN.

Expert Comment

by:Robing66066
ID: 9835173
You only really need them if you are doing dynamic addressing for your VPN.  If all your endpoints are static, you're ok without them.  (At least, that is how I understand it)

Author Comment

by:gateguard
ID: 9839051
thanks

Expert Comment

by:Robing66066
ID: 9839542
You're welcome.  Thanks for the points and the grade!