Solved

Cisco 828 to Netscreen VPN issue

Posted on 2004-09-15
Last Modified: 2011-09-20
Hello there,

I am trying to set up a VPN connection between our Cisco 828 ghdsl router and a customer's Netscreen device. However, all sources on the web and the document that I have been provided aren't helping!

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122limit/122y/122ya/122ya4/ftezvpcm.htm#65547

The guide shows that you connect to the IOS, then log in, enter the password, and enter configure terminal mode.

I'm assuming this subheading is the correct one: Configuring and Assigning the Cisco Easy VPN Remote Configuration

So I type in the first command:

worldtelecom(config)#crypto ipsec client ezvpn name
                                  ^
% Invalid input detected at '^' marker.

worldtelecom(config)#

and it doesn't work. I've been reading all afternoon getting frustrated. I'm sure it's not this hard!

Here is the setup example information I've been given to work from:

The following configuration information sets up the basic network information for the Cisco for the test environment.

!
interface Ethernet0
 ip address 10.5.2.2 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 10.1.1.60 255.255.255.0
 no ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.5.2.1
!

Cisco VPN and IKE Parameters

The following configuration information sets up the IPSEC and IKE information.
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ihopethisworks address 10.5.2.1
!
!
crypto ipsec transform-set ciscotrans esp-des esp-md5-hmac
!
!
crypto map test 10 ipsec-isakmp
 set peer 10.5.2.1
 set transform-set ciscotrans
 match address 101
!

Setting the policy on the Cisco

!
Interface Ethernet0
 ip address 10.5.2.2 255.255.255.0
 no ip directed-broadcast
 crypto map test
!
!
access-list 101 permit ip 10.5.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.5.1.0 0.0.0.255
!

And here's what my show command gives:
worldtelecom(config)#sh run
Building configuration...

Current configuration : 1603 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname worldtelecom
!
enable secret 5 $1$ka08$fmNjlfN.tCNrWaxBp8P7C0
!
username easynet privilege 15 password 7 1059060B54414359
ip subnet-zero
no ip domain lookup
ip name-server 212.100.160.51
ip name-server 212.100.160.52
!
ip dhcp pool pool-name
!
ip dhcp pool hsodhcppool
!
!        
!
!
interface Ethernet0
 ip address 81.188.8.65 255.255.255.224
 ip nat inside
 load-interval 30
 no keepalive
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl equipment-type CPE
 dsl operating-mode GSHDSL symmetric annex B
 dsl linerate AUTO
 hold-queue 224 in
!        
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 60
 no cdp enable
 ppp chap hostname worldtelecom@ull.easynet.be
 ppp chap password 7 094341011112101819
 ppp pap sent-username worldtelecom@ull.easynet.be password 7 130A181A031B032039
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 113 permit ip 212.100.160.0 0.0.0.255 any
access-list 113 permit ip 212.100.163.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 101
!
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 113 in
 exec-timeout 0 0
 login local
!
scheduler max-task-time 5000
end

Any and ALL help is greatly appreciated. I'd really like someone to say 'just type this' but then I'm sure that would all be too easy :))

Thanks a lot,
Richard

0
Question by:richardwalton
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12068215
>worldtelecom(config)#crypto ipsec client ezvpn name
                                    ^

Try this one step at a time. If you fail at any step to get the listings, post the result of "sho ver" - you may not have the IPSEC feature set...

worldtelecom(config)#crypto ?
  ca           Certification authority
  dynamic-map  Specify a dynamic crypto map template
  identity     Enter a crypto identity list
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  keyring      Key ring commands
  map          Enter a crypto map
  mib          Configure Crypto-related MIB Parameters
  xauth        X-Auth parameters
worldtelecom(config)#crypto ipsec ?
  client                Configure a client
  df-bit                Handling of encapsulated DF bit.
  fragmentation         Handling of fragmentation of near-MTU sized packets
  nat-transparency      IPsec NAT transparency model
  optional              Enable optional encryption for IPSec
  profile               Configure an ipsec policy profile
  security-association  Security association parameters
  transform-set         Define transform and settings
worldtelecom(config)#crypto ipsec client ?
  ezvpn  Configure an EzVPN client

Look for this line in your "show version":
    System image file is "flash:c2600-ik9o3s3-mz.123-1a.bin"
                                      ^^^^^
                                      Designates IPSEC feature set w/3DES
If yours looks like:
    System image file is "flash:c2600-y-mz.122.bin"
    System image file is "flash:c2600-is-mz.122.bin"
                                      ^  NO IPSEC feature set

0
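
The image-name check from the accepted answer, as an added example that is not part of the original thread: it pulls the feature-set field out of the "System image file" line of `show version` and looks for a crypto designator. The `k8` code, the function names and the sample list are assumptions of this example; only `k9` and the image names come from the thread.

```python
import re

# Feature-set designators. "k9" is the one the answer points at (IPSEC with
# 3DES). "k8" (DES-only crypto) is an assumption taken from Cisco's image
# naming convention; it does not appear in the thread.
CRYPTO_CODES = {"k9": "IPSEC, 3DES-capable", "k8": "IPSEC, DES only (assumed)"}

IMAGE_LINE = re.compile(r'^System image file is "([^"]+)"', re.MULTILINE)
# <platform>-<feature set>-<format>.<version...>, e.g. c828-oy6-mz.122-8.YM.bin
IMAGE_NAME = re.compile(
    r"^(?P<platform>[a-z0-9]+)-(?P<features>[a-z0-9]+)-(?P<fmt>[a-z]+)\."
)


def parse_image(show_version: str):
    """Return (platform, feature_set) from 'show version' text, or None."""
    line = IMAGE_LINE.search(show_version)
    if not line:
        return None
    # Drop the device prefix ("flash:") and any directory part.
    filename = re.split(r"[:/]", line.group(1))[-1]
    name = IMAGE_NAME.match(filename.lower())
    return (name["platform"], name["features"]) if name else None


def crypto_support(show_version: str):
    """Return the crypto designator in the feature set, '' if the image has
    none, or None if no image name could be parsed at all."""
    parsed = parse_image(show_version)
    if parsed is None:
        return None
    hit = re.search(r"k[89]", parsed[1])
    return hit.group(0) if hit else ""


# Constructed sample input: the image lines quoted in this thread.
SAMPLES = [
    'System image file is "flash:c2600-ik9o3s3-mz.123-1a.bin"',
    'System image file is "flash:c2600-y-mz.122.bin"',
    'System image file is "flash:c2600-is-mz.122.bin"',
    'System image file is "flash:c828-oy6-mz.122-8.YM.bin"',
]

if __name__ == "__main__":
    for text in SAMPLES:
        code = crypto_support(text)
        verdict = CRYPTO_CODES.get(code, "no IPSEC feature set")
        print(f"{parse_image(text)} -> {verdict}")
```
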
 

Author Comment

by:richardwalton
ID: 12072727
I fear the worst.. :)

worldtelecom(config)#crypto ?

% Unrecognized command

Here's the output requested. It's very similar to those specified

worldtelecom#show version
Cisco Internetwork Operating System Software
IOS (tm) C828 Software (C828-OY6-M), Version 12.2(8)YM, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(11.2u)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Fri 23-Aug-02 08:12 by ealyon
Image text-base: 0x80013170, data-base: 0x80766ADC

ROM: System Bootstrap, Version 12.2(1r)XE2, RELEASE SOFTWARE (fc1)
ROM: C828 Software (C828-OY6-M), Version 12.2(8)YM, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

worldtelecom uptime is 13 weeks, 3 days, 25 minutes
System returned to ROM by power-on
System image file is "flash:c828-oy6-mz.122-8.YM.bin"

CISCO C828 (MPC855T) processor (revision 0x401) with 31744K/1024K bytes of memory.
Processor board ID FOC07420RV8 (2904575692), with hardware revision 0000
CPU rev number 5
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

worldtelecom#

Is it possible to upgrade the image? I've just created an account at Cisco and am reading up on it now.

Thanks,
Richard.
0
 

Author Comment

by:richardwalton
ID: 12073051
I have been informed that there is not enough memory on the router to support the required IOS firmware and told to upgrade the memory or purchase a dedicated VPN server unit.

Neither are options those above will allow... I guess I will have to wait for the answer to my email to Draytek as to why it can't connect a VPN to the Netscreen firewall, again firmware issues I think.

Thanks for your support,

Kind Regards,
Richard.
0
