Cisco 828 to Netscreen VPN issue

Posted on 2004-09-15
Last Modified: 2011-09-20
Hello there,

I am trying to set up a VPN connection between our Cisco 828 G.SHDSL router and a customer's Netscreen device. However, all sources on the web and the document that I have been provided aren't helping!

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122y/122ya/122ya4/ftezvpcm.htm#65547

The guide shows that you connect to the IOS, then log in, enter the password, and enter configure terminal mode.

I'm assuming this subheading is the correct one: Configuring and Assigning the Cisco Easy VPN Remote Configuration

So I type in the first command:

worldtelecom(config)#crypto ipsec client ezvpn name
                                  ^
% Invalid input detected at '^' marker.

worldtelecom(config)#

and it doesn't work. I've been reading all afternoon, getting frustrated. I'm sure it's not this hard!

Here is the setup example information I've been given to work from:

The following configuration information sets up the basic network information for the Cisco for the test environment.

!
interface Ethernet0
 ip address 10.5.2.2 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 10.1.1.60 255.255.255.0
 no ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.5.2.1
!

Cisco VPN and IKE Parameters

The following configuration information sets up the IPSEC and IKE information.
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ihopethisworks address 10.5.2.1
!
!
crypto ipsec transform-set ciscotrans esp-des esp-md5-hmac
!
!
crypto map test 10 ipsec-isakmp
 set peer 10.5.2.1
 set transform-set ciscotrans
 match address 101
!

Setting the policy on the Cisco

!
Interface Ethernet0
 ip address 10.5.2.2 255.255.255.0
 no ip directed-broadcast
 crypto map test
!
!
access-list 101 permit ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.5.1.0 0.0.0.255
!

and here's what my show command gives:
worldtelecom(config)#sh run
Building configuration...

Current configuration : 1603 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname worldtelecom
!
enable secret 5 $1$ka08$fmNjlfN.tCNrWaxBp8P7C0
!
username easynet privilege 15 password 7 1059060B54414359
ip subnet-zero
no ip domain lookup
ip name-server 212.100.160.51
ip name-server 212.100.160.52
!
ip dhcp pool pool-name
!
ip dhcp pool hsodhcppool
!
!        
!
!
interface Ethernet0
 ip address 81.188.8.65 255.255.255.224
 ip nat inside
 load-interval 30
 no keepalive
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
 hold-queue 224 in
!        
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 60
 no cdp enable
 ppp chap hostname worldtelecom@ull.easynet.be
 ppp chap password 7 094341011112101819
 ppp pap sent-username worldtelecom@ull.easynet.be password 7 130A181A031B032039
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit ip 212.100.160.0 0.0.0.255 any
access-list 113 permit ip 212.100.163.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 101
!
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 113 in
 exec-timeout 0 0
 login local
!
scheduler max-task-time 5000
end

Any and ALL help is greatly appreciated. I'd really like someone to say 'just type this', but then I'm sure that would all be too easy :))

Thanks a lot,
Richard

Question by: richardwalton
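As an added example, not part of the original question or of the customer's template: the running config above already uses access-list 101 for the `nonat` route-map, and the template names access-list 101 as the crypto map's `match address` as well, so pasting it in would append the VPN entries to the NAT ACL. Separately, IOS applies inside-to-outside NAT before it consults the crypto map, so LAN traffic that the NAT ACL does not explicitly deny is translated to the Dialer1 address and never matches the crypto ACL. The Python below parses the relevant IOS lines and flags both conditions. The two sample configs are constructed from this thread; in the "fixed" sample, 192.168.1.0/24 as the local LAN, 10.1.1.0/24 as the remote LAN and ACL number 110 are assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed sample 1: NAT lines from the posted running config with the customer's
# template pasted in unchanged, so NAT and the crypto map both use access-list 101.
AS_POSTED = """\
ip nat inside source route-map nonat interface Dialer1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
crypto map test 10 ipsec-isakmp
 set peer 10.5.2.1
 match address 101
"""

# Constructed sample 2: separate crypto ACL (110, arbitrary) and a deny entry in the NAT ACL
# so LAN-to-remote traffic is not translated first. LAN/remote subnets are assumptions.
FIXED = """\
ip nat inside source route-map nonat interface Dialer1 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
crypto map test 10 ipsec-isakmp
 set peer 10.5.2.1
 match address 110
"""

Ace = namedtuple("Ace", "action src dst")  # one access-list entry (extended, ip only)

def wild_to_net(addr, wildcard):
    """Cisco wildcard (inverse) mask to prefix; only contiguous wildcards are supported."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def _addr(t, i):
    # ACE address spec at t[i]: "any" | "host A" | "A WILDCARD"; returns (network, next index)
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return wild_to_net(t[i], t[i + 1]), i + 2

def parse_config(text):
    """Collect ACLs, the ACLs referenced by route-maps and crypto maps, and NAT sources."""
    cfg = {"acls": {}, "route_maps": {}, "crypto_maps": {}, "nat_lists": [], "nat_route_maps": []}
    section = None  # list of ACL ids for the route-map / crypto map being read
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if not line.startswith(" "):  # top-level command; sub-commands are indented
            section = None
            if t[0] == "access-list" and len(t) > 5 and t[3] == "ip":
                src, i = _addr(t, 4)
                dst, _ = _addr(t, i)
                cfg["acls"].setdefault(t[1], []).append(Ace(t[2], src, dst))
            elif t[0] == "route-map":
                section = cfg["route_maps"].setdefault(t[1], [])
            elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
                section = cfg["crypto_maps"].setdefault(t[2], [])
            elif t[:4] == ["ip", "nat", "inside", "source"]:
                cfg["nat_lists" if t[4] == "list" else "nat_route_maps"].append(t[5])
        elif section is not None and t[:3] == ["match", "ip", "address"]:
            section.extend(t[3:])   # route-map: match ip address <acl ...>
        elif section is not None and t[:2] == ["match", "address"]:
            section.append(t[2])    # crypto map: match address <acl>
    return cfg

def nat_translates(nat_acl, flow):
    """First-match walk of the NAT ACL: True if the flow hits a permit before a deny that
    covers all of it (a permit that only partially overlaps counts as translated)."""
    for ace in nat_acl:
        if not (ace.src.overlaps(flow.src) and ace.dst.overlaps(flow.dst)):
            continue
        if ace.action == "deny" and flow.src.subnet_of(ace.src) and flow.dst.subnet_of(ace.dst):
            return False
        if ace.action == "permit":
            return True
    return False  # implicit deny at the end of the ACL: not translated

def check(text):
    """Report a crypto ACL shared with NAT, and crypto flows that NAT would translate first."""
    cfg = parse_config(text)
    nat_ids = list(cfg["nat_lists"])
    for rm in cfg["nat_route_maps"]:
        nat_ids.extend(cfg["route_maps"].get(rm, []))
    findings = []
    for cmap, acl_ids in cfg["crypto_maps"].items():
        for acl_id in acl_ids:
            if acl_id in nat_ids:
                findings.append(f"crypto map {cmap} and NAT both use access-list {acl_id}")
            for flow in cfg["acls"].get(acl_id, []):
                for nat_id in nat_ids:
                    if flow.action == "permit" and nat_translates(cfg["acls"].get(nat_id, []), flow):
                        findings.append(f"{flow.src} -> {flow.dst} (crypto ACL {acl_id}) is "
                                        f"translated by NAT ACL {nat_id} before encryption")
    return findings
```

`check(AS_POSTED)` reports the shared ACL and every crypto flow that the NAT ACL permits; `check(FIXED)` returns an empty list because the deny entry precedes the permit and the crypto map has its own ACL. The parser deliberately handles only numbered extended `ip` entries, which is all the thread's configs use.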
Accepted Solution

by: lrmoore
ID: 12068215
>worldtelecom(config)#crypto ipsec client ezvpn name
                                    ^

Try this one step at a time. If you fail to get the listings at any step, post the result of "sho ver" - you may not have the IPSEC feature set...

worldtelecom(config)#crypto ?
  ca           Certification authority
  dynamic-map  Specify a dynamic crypto map template
  identity     Enter a crypto identity list
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  keyring      Key ring commands
  map          Enter a crypto map
  mib          Configure Crypto-related MIB Parameters
  xauth        X-Auth parameters
worldtelecom(config)#crypto ipsec ?
  client                Configure a client
  df-bit                Handling of encapsulated DF bit.
  fragmentation         Handling of fragmentation of near-MTU sized packets
  nat-transparency      IPsec NAT transparency model
  optional              Enable optional encryption for IPSec
  profile               Configure an ipsec policy profile
  security-association  Security association parameters
  transform-set         Define transform and settings
worldtelecom(config)#crypto ipsec client ?
  ezvpn  Configure an EzVPN client

Look for this line in your "show version":
    System image file is "flash:c2600-ik9o3s3-mz.123-1a.bin"
                                                      ^^^^^
                                                  Designates IPSEC feature set w/3DES
If yours looks like:
   System image file is "flash:c2600-y-mz.122.bin"
   System image file is "flash:c2600-is-mz.122.bin"
                                                     ^  NO IPSEC feature set

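As an added example, not part of lrmoore's answer: the image-name check above is easy to script across a fleet. The Python below pulls the "System image file" line out of `show version` output, splits the image name into platform, feature set and version, and looks for the crypto marker in the feature-set field. Treating `k9` (3DES/AES) and `k8` (DES only) as the crypto markers is an assumption about IOS naming; the answer's `ik9o3s3` example contains `k9`, while the questioner's `oy6` contains neither. The two sample outputs are constructed from the ones quoted in this thread.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample outputs, taken from the "show version" text quoted in this thread.
C828_SHOW_VERSION = """worldtelecom#show version
IOS (tm) C828 Software (C828-OY6-M), Version 12.2(8)YM, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
System image file is "flash:c828-oy6-mz.122-8.YM.bin"
"""

C2600_SHOW_VERSION = """Router#show version
System image file is "flash:c2600-ik9o3s3-mz.123-1a.bin"
"""

# The device prefix (flash:, slot0:, ...) before the file name is dropped.
IMAGE_LINE = re.compile(r'System image file is "(?:[a-z0-9]+:)?([^"]+)"', re.IGNORECASE)
# IOS image names: <platform>-<featureset>-<memory/compression code>.<version>[.bin]
IMAGE_NAME = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]{1,2})\.(?P<version>.+?)(?:\.bin)?$",
    re.IGNORECASE,
)

class ImageInfo(NamedTuple):
    platform: str
    features: str
    version: str
    crypto: Optional[str]  # "k9" (3DES/AES), "k8" (DES only) or None

def crypto_marker(features: str) -> Optional[str]:
    """Assumption: k9/k8 in the feature-set field mark the IPsec-capable images;
    a feature set without either has no 'crypto' CLI at all."""
    for marker in ("k9", "k8"):
        if marker in features:
            return marker
    return None

def parse_image_name(name: str) -> Optional[ImageInfo]:
    m = IMAGE_NAME.match(name)
    if not m:
        return None
    features = m["features"].lower()
    return ImageInfo(m["platform"].lower(), features, m["version"], crypto_marker(features))

def image_from_show_version(text: str) -> Optional[ImageInfo]:
    m = IMAGE_LINE.search(text)
    return parse_image_name(m.group(1)) if m else None

def verdict(text: str) -> str:
    info = image_from_show_version(text)
    if info is None:
        return "no 'System image file' line found"
    if info.crypto is None:
        return (f"{info.platform} image '{info.features}' {info.version}: "
                "no crypto feature set, 'crypto' commands will not exist")
    return (f"{info.platform} image '{info.features}' {info.version}: "
            f"crypto feature set ({info.crypto}), IPsec CLI available")

if __name__ == "__main__":
    for sample in (C828_SHOW_VERSION, C2600_SHOW_VERSION):
        print(verdict(sample))
```

Run against the questioner's output it reports the `oy6` image as having no crypto feature set, which matches the "% Unrecognized command" he gets for `crypto ?` in the next comment.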

Author Comment

by: richardwalton
ID: 12072727
I fear the worst.. :)

worldtelecom(config)#crypto ?

% Unrecognized command

Here's the output requested. It's very similar to those specified.

worldtelecom#show version
Cisco Internetwork Operating System Software
IOS (tm) C828 Software (C828-OY6-M), Version 12.2(8)YM, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(11.2u)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 23-Aug-02 08:12 by ealyon
Image text-base: 0x80013170, data-base: 0x80766ADC

ROM: System Bootstrap, Version 12.2(1r)XE2, RELEASE SOFTWARE (fc1)
ROM: C828 Software (C828-OY6-M), Version 12.2(8)YM, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

worldtelecom uptime is 13 weeks, 3 days, 25 minutes
System returned to ROM by power-on
System image file is "flash:c828-oy6-mz.122-8.YM.bin"

CISCO C828 (MPC855T) processor (revision 0x401) with 31744K/1024K bytes of memory.
Processor board ID FOC07420RV8 (2904575692), with hardware revision 0000
CPU rev number 5
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

worldtelecom#

Is it possible to upgrade the image? I've just created an account at Cisco and am reading up on it now.

Thanks,
Richard.

Author Comment

by: richardwalton
ID: 12073051
I have been informed that there is not enough memory on the router to support the required IOS firmware and told to upgrade the memory or purchase a dedicated VPN server unit.

Neither is an option those above will allow... I guess I will have to wait for the answer to my email to Draytek as to why it can't connect a VPN to the Netscreen firewall; again, firmware issues, I think.

Thanks for your support,

Kind Regards,
Richard.