Solved

Add a new VPN on a router

Posted on 2003-11-20
621 Views
Last Modified: 2010-03-19
I have Router A with an internet VPN to Router B.  Now I want to add a second internet VPN to Router C.

Are these commands correct, and are they all I need?  Specifically, is it correct to use a new transform-set name with the added lines of crypto map nolan 15 text?

Here are the commands I want to input (in the order I plan to input them):

int s0/0
no crypto map nolan

int s0/0.1
no crypto map nolan

int s0/0.2
no crypto map nolan

! 10.120.0.0/24 as a wildcard (inverse) mask: 0.0.0.255, not the subnet mask 255.255.255.0
access-list 180 permit ip 10.105.1.0 0.0.255.255 10.120.0.0 0.0.0.255
access-list 180 deny   ip 10.105.1.0 0.0.255.255 any

crypto isakmp key ****** address 173.209.55.101

crypto map nolan 15 ipsec-isakmp
 set peer 173.209.55.101
 set transform-set new1
 match address 180

interface Serial0/0
crypto map nolan

interface Serial0/0.1
crypto map nolan

interface Serial0/0.2
crypto map nolan


The existing router configuration follows in the next comment.
Question by:gateguard
9 Comments
 

Author Comment

by:gateguard
ID: 9786726
Here is the existing configuration:

Current configuration : 2500 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname h0st
!
boot system flash c2600-ik8o3s-mz.122-8.t5.bin
enable secret 5 ******************
enable password 7 ****************
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 13
 hash md5
 authentication pre-share
crypto isakmp key connectk address 199.188.29.253
!
!
crypto ipsec transform-set h0st esp-des esp-md5-hmac
!
crypto map nolan 13 ipsec-isakmp
 set peer 199.188.29.253
 set transform-set h0st
 match address 160
!
call rsvp-sync
!
!
!
interface FastEthernet0/0
 ip address 10.105.1.254 255.255.0.0
 ip accounting output-packets
 ip nat inside
 duplex auto
 speed auto
 priority-group 4
!
interface FastEthernet0/0.1
 no ip redirects
 shutdown
!
interface FastEthernet0/0.2
 encapsulation isl 100
 ip address 205.68.28.100 255.255.255.0
 no ip redirects
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 priority-group 4
 frame-relay lmi-type ansi
 crypto map nolan
!
interface Serial0/0.1 point-to-point
 ip address 205.100.115.119 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 shutdown
 frame-relay interface-dlci 31 IETF
 crypto map nolan
!
interface Serial0/0.2 point-to-point
 ip address 205.105.11.200 255.255.255.0
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 frame-relay interface-dlci 32 IETF
 crypto map nolan
!
ip nat translation timeout 300
ip nat translation tcp-timeout 360
ip nat inside source list 150 interface Serial0/0.2 overload
ip nat inside source static tcp 10.105.1.2 3389 205.68.28.101 3389 extendable
ip nat inside source static tcp 10.105.1.1 3389 205.68.28.102 3389 extendable
ip nat inside source static tcp 10.105.1.254 23 205.68.28.102 23 extendable
ip nat outside source static 10.110.100.79 10.0.0.0
ip classless
ip route 0.0.0.0 0.0.0.0 205.105.11.199
ip http server
ip pim bidir-enable
!
access-list 150 deny   ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 150 deny   ip 10.105.1.0 0.0.255.255 172.16.9.0 0.0.0.255
access-list 150 permit ip 10.105.1.0 0.0.255.255 any
access-list 160 permit ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 160 permit ip 10.105.1.0 0.0.255.255 172.16.9.0 0.0.0.255
access-list 160 deny   ip 10.105.1.0 0.0.255.255 any
access-list 170 deny   ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 170 permit ip 10.105.1.0 0.0.255.255 any
priority-list 4 protocol ip high tcp telnet
priority-list 4 protocol ip high tcp 3389
route-map nonat permit 10
 match ip address 170
!
!
snmp-server community limitles RW
snmp-server community tristatestart1 RW
snmp-server enable traps tty
!
dial-peer cor custom
!
!
!
!
banner motd ^C
Any unauthorized use will be prosecuted.^C
!
line con 0
line aux 0
line vty 0 4
 password 7 ***********
 login
line vty 5
 password 7 ********
 login
!
end

Author Comment

by:gateguard
ID: 9786734
And I guess I need one more line:

crypto ipsec transform-set new1 esp-des esp-md5-hmac


So that the commands I input in order will be like this:

int s0/0
no crypto map nolan

int s0/0.1
no crypto map nolan

int s0/0.2
no crypto map nolan

! 10.120.0.0/24 as a wildcard (inverse) mask: 0.0.0.255, not the subnet mask 255.255.255.0
access-list 180 permit ip 10.105.1.0 0.0.255.255 10.120.0.0 0.0.0.255
access-list 180 deny   ip 10.105.1.0 0.0.255.255 any

crypto isakmp key ****** address 173.209.55.101
crypto ipsec transform-set new1 esp-des esp-md5-hmac

crypto map nolan 15 ipsec-isakmp
 set peer 173.209.55.101
 set transform-set new1
 match address 180

interface Serial0/0
crypto map nolan

interface Serial0/0.1
crypto map nolan

interface Serial0/0.2
crypto map nolan
LVL 7

Accepted Solution

by:
Robing66066 earned 2000 total points
ID: 9788373
Here are the configs with documentation for two Cisco 1700 series routers doing VPN.  You should be able to match them up with your config.  

Let me know if something is unclear.

--------------------

hostname Central
!
logging rate-limit all 1000
enable password <deleted>
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
!
no ip dhcp-client network-discovery
!
!

// The next four lines determine the type of encryption the clients will use //

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

//  The next three lines describe the IP address and shared key of the three routers //
crypto isakmp key <DELETED> address 100.100.100.10
crypto isakmp key <DELETED> address 110.110.110.11
crypto isakmp key <DELETED> address 120.120.120.12

// The next line is for at home user VPN //
crypto isakmp key <DELETED> address 0.0.0.0 0.0.0.0

// This line tells the client to get an IP address from the address pool “ourpool” //
crypto isakmp client configuration address-pool local ourpool
!
!

//  Create a crypto transform set and dynamic map for encryption policy //

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!

//  Allow this router to both initiate a tunnel and respond to a tunnel request //
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap

// Set up a tunnel matching access-list 150  //
crypto map mymap 20 ipsec-isakmp  
 set peer 100.100.100.10
 set transform-set myset
 match address 150

// Set up a tunnel matching access-list 151 //
crypto map mymap 21 ipsec-isakmp  
 set peer 110.110.110.11
 set transform-set myset
 match address 151

// Set up a tunnel matching access-list 152 //
crypto map mymap 22 ipsec-isakmp  
 set peer 120.120.120.12
 set transform-set myset
 match address 152
!
!
!
!
// Set up Outside Interface  - uses encryption //

interface Ethernet0
 ip address 130.130.130.13 255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map mymap
!        

//  Set up Inside Interface – uses encryption //

interface FastEthernet0
 ip address 10.10.7.3 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!

// Define address pool for VPN clients //
ip local pool ourpool 172.16.1.1 172.16.1.254

// Set up NAT //
ip nat inside source route-map internet interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 130.130.130.1
no ip http server
!


// Define “interesting traffic” for each tunnel. //

access-list 150 permit ip 10.10.0.0 0.0.255.255 10.10.129.0 0.0.0.255
access-list 151 permit ip 10.10.0.0 0.0.255.255 10.10.130.0 0.0.0.255
access-list 152 permit ip 10.10.0.0 0.0.255.255 10.10.131.0 0.0.0.255

//   Deny NAT for interesting traffic.  //
access-list 160 deny   ip 10.10.0.0 0.0.255.255 172.16.1.0 0.0.0.255
access-list 160 deny   ip 10.10.0.0 0.0.255.255 10.10.129.0 0.0.0.255
access-list 160 deny   ip 10.10.0.0 0.0.255.255 10.10.130.0 0.0.0.255
access-list 160 deny   ip 10.10.0.0 0.0.255.255 10.10.131.0 0.0.0.255
access-list 160 permit ip 10.10.0.0 0.0.255.255 any
!
!

// Define NAT permitted traffic //
route-map internet permit 10
 match ip address 160
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password <deleted>
 login
!
end
 
-**- REMOTE DEVICE
!
hostname Remote
!
logging rate-limit console 10 except errors
enable password <deleted>
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
no ip dhcp conflict logging

// Set up local DHCP Scope and exclude range ( Next 8 lines) //
ip dhcp excluded-address 10.10.131.1 10.10.131.5
ip dhcp excluded-address 10.10.131.51 10.10.131.59
ip dhcp excluded-address 10.10.131.81 10.10.131.254
!        
ip dhcp pool edmonton
   network 10.10.131.0 255.255.255.0
   domain-name hostname.com
   default-router 10.10.131.2
   dns-server 10.10.7.1
!
no ip dhcp-client network-discovery
!
!

// Set up crypto policy parameters.  Must match other end of tunnel //
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

//  Define other end of tunnel IP and shared key //

crypto isakmp key <DELETED> address 130.130.130.13
!
!

// Set up transform set parameters. Must match other end of tunnel //

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!

// Define other end of tunnel ip address and local crypto policy to use. //
crypto map mymap 10 ipsec-isakmp  
 set peer 130.130.130.13
 set transform-set myset
 match address 150
!        
!
!
!

// Set up outside interface – uses encryption //
interface Ethernet0
 ip address 120.120.120.12 255.255.255.224
 ip nat outside
 half-duplex
 crypto map mymap
!

// Set up inside interface – does not use encryption //
interface FastEthernet0
 ip address 10.10.131.2 255.255.255.0
 ip nat inside
 speed auto
!
ip nat inside source route-map internet interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 120.120.120.1
no ip http server
!

//  Define VPN “interesting traffic”. //
access-list 150 permit ip 10.10.131.0 0.0.0.255 10.10.0.0 0.0.255.255

// Define NAT traffic //
access-list 160 deny   ip 10.10.131.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 160 permit ip 10.10.131.0 0.0.0.255 any
!        
!
// Allow NAT traffic as per definition above //
route-map internet permit 10
 match ip address 160
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password <deleted>
 login
!
end
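As an added example (not code from this thread, from the questioner, or from Cisco), the following Python script applies the checks a reviewer would run against the proposed "crypto map nolan 15" change and against the annotated configs in the accepted answer: every static crypto map entry must have an ISAKMP key for its peer, a defined transform-set and an existing crypto ACL; ACL address fields must carry wildcard masks rather than subnet masks; and the NAT ACL must exempt each tunnel's interesting traffic before its permit, the way access-list 160 does in the accepted answer's Central config. The sample config is constructed from the thread's addresses with placeholder keys and deliberate gaps; the simplified config grammar, the function names and the finding formats are all assumptions.

```python
"""Static consistency checks for Cisco IOS crypto-map configs (added example)."""
from collections import defaultdict

# Constructed sample, abridged: the questioner's existing config with the
# proposed "crypto map nolan 15" entries merged in. Three gaps are left in on
# purpose so the checks have something to report: transform-set new1 is not
# defined (as in the first post), access-list 180 carries a subnet mask where
# IOS expects a wildcard mask, and NAT ACL 150 has no exemption for the new
# peer's network. Key values are placeholders.
SAMPLE_CONFIG = """\
crypto isakmp policy 13
 hash md5
 authentication pre-share
crypto isakmp key connectk address 199.188.29.253
crypto isakmp key newkey address 173.209.55.101
crypto ipsec transform-set h0st esp-des esp-md5-hmac
crypto map nolan 13 ipsec-isakmp
 set peer 199.188.29.253
 set transform-set h0st
 match address 160
crypto map nolan 15 ipsec-isakmp
 set peer 173.209.55.101
 set transform-set new1
 match address 180
ip nat inside source list 150 interface Serial0/0.2 overload
access-list 150 deny   ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 150 deny   ip 10.105.1.0 0.0.255.255 172.16.9.0 0.0.0.255
access-list 150 permit ip 10.105.1.0 0.0.255.255 any
access-list 160 permit ip 10.105.1.0 0.0.255.255 10.110.0.0 0.0.255.255
access-list 160 permit ip 10.105.1.0 0.0.255.255 172.16.9.0 0.0.0.255
access-list 160 deny   ip 10.105.1.0 0.0.255.255 any
access-list 180 permit ip 10.105.1.0 0.0.255.255 10.120.0.0 255.255.255.0
access-list 180 deny   ip 10.105.1.0 0.0.255.255 any
"""

LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}  # weak or deprecated algorithms


def _addr(t, i):
    """Consume one extended-ACL address term at t[i]; return ((net, wildcard), next i)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_config(text):
    """Pick out keys, transform-sets, static crypto map entries, ACLs and the NAT ACL."""
    cfg = {"keys": {}, "tsets": {}, "maps": [], "acls": defaultdict(list),
           "nat_acl": None, "nat_rmap": None, "rmaps": {}}
    current = None  # the stanza whose indented lines we are inside
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if line.startswith(" ") and current is not None:
            if current["kind"] == "map" and t[0] == "set":
                current[t[1]] = t[2]  # 'set peer X' / 'set transform-set X'
            elif current["kind"] == "map" and t[:2] == ["match", "address"]:
                current["acl"] = t[2]
            elif current["kind"] == "rmap" and t[:3] == ["match", "ip", "address"]:
                cfg["rmaps"][current["name"]] = t[3]
            continue
        current = None
        if t[:3] == ["crypto", "isakmp", "key"]:
            cfg["keys"][t[5]] = t[3]  # peer address -> pre-shared key
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][t[3]] = t[4:]  # name -> transforms
        elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t and "dynamic" not in t:
            current = {"kind": "map", "name": t[2], "seq": t[3]}
            cfg["maps"].append(current)
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = t[5]
        elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat_rmap"] = t[5]
        elif t[0] == "route-map":
            current = {"kind": "rmap", "name": t[1]}
        elif t[0] == "access-list" and len(t) > 3 and t[3] == "ip":
            src, i = _addr(t, 4)
            dst, _ = _addr(t, i)
            cfg["acls"][t[1]].append((t[2], src, dst))
    if cfg["nat_rmap"]:  # NAT driven by a route-map, as in the accepted answer
        cfg["nat_acl"] = cfg["rmaps"].get(cfg["nat_rmap"])
    return cfg


def looks_like_subnet_mask(wc):
    """True when a wildcard field is shaped like a netmask (contiguous ones from the left)."""
    v = int.from_bytes(bytes(int(o) for o in wc.split(".")), "big")
    inv = v ^ 0xFFFFFFFF
    return bool(v & 0x80000000) and inv != 0 and inv & (inv + 1) == 0


def check_config(text):
    """Return 'ERROR ...' / 'WARN ...' findings for an IOS config text."""
    cfg, out = parse_config(text), []
    nat = cfg["acls"].get(cfg["nat_acl"], [])
    first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
    exempt = {(s, d) for _, s, d in nat[:first_permit]}  # denies that precede any permit
    for m in cfg["maps"]:
        where = f"crypto map {m['name']} {m['seq']}"
        if m.get("peer") not in cfg["keys"]:
            out.append(f"ERROR {where}: no 'crypto isakmp key ... address {m.get('peer')}'")
        ts = m.get("transform-set")
        if ts not in cfg["tsets"]:
            out.append(f"ERROR {where}: transform-set '{ts}' is not defined")
        elif LEGACY & set(cfg["tsets"][ts]):
            out.append(f"WARN {where}: transform-set '{ts}' uses legacy algorithms "
                       f"{sorted(LEGACY & set(cfg['tsets'][ts]))}")
        acl = m.get("acl")
        if acl not in cfg["acls"]:
            out.append(f"ERROR {where}: crypto ACL {acl} does not exist")
            continue
        for action, src, dst in cfg["acls"][acl]:
            if action == "permit" and (src, dst) not in exempt:
                out.append(f"WARN {where}: NAT ACL {cfg['nat_acl']} does not exempt "
                           f"{src[0]} {src[1]} -> {dst[0]} {dst[1]}; IOS translates before "
                           "the crypto map match, so this traffic will not be encrypted")
    for name, entries in cfg["acls"].items():
        for _, src, dst in entries:
            for net, wc in (src, dst):
                if looks_like_subnet_mask(wc):
                    fixed = ".".join(str(255 - int(o)) for o in wc.split("."))
                    out.append(f"ERROR access-list {name}: '{net} {wc}' is a subnet mask; "
                               f"IOS ACLs take wildcard masks (did you mean {fixed}?)")
    return out


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the undefined transform-set, the subnet mask in access-list 180 and the missing NAT exemption for 10.120.0.0, plus a warning that both transform-sets use DES and HMAC-MD5; once the transform-set is defined, the mask corrected and a deny for the new network placed ahead of the permit in access-list 150, only the legacy-algorithm warning remains. The exemption check enforces order (denies before the first permit) because IOS evaluates ACLs first-match.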

Author Comment

by:gateguard
ID: 9806340
I have a question about this:

//  Allow this router to both initiate a tunnel and respond to a tunnel request //
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond

Are the words "initiate" and "respond" keywords?
LVL 7

Expert Comment

by:Robing66066
ID: 9813577
I believe so, yes.  

Author Comment

by:gateguard
ID: 9831550
Because I have an existing VPN, already working, and I'm not using those initiate and respond statements.  So I'm not sure what they do, whether I need them and, if I do need them, how I am getting along without them on the existing VPN.
LVL 7

Expert Comment

by:Robing66066
ID: 9835173
You only really need them if you are doing dynamic addressing for your VPN.  If all your endpoints are static, you're ok without them.  (At least, that is how I understand it)

Author Comment

by:gateguard
ID: 9839051
thanks
LVL 7

Expert Comment

by:Robing66066
ID: 9839542
You're welcome.  Thanks for the points and the grade!