Solved

IPSEC VPN Between Cisco 1841 and Cisco 3030 VPN Concentrator

Posted on 2006-07-12
Last Modified: 2008-02-01
I'm trying to establish a VPN between a Cisco 1841 router and a Cisco 3030 VPN Concentrator. The 3030 is our vendor and they currently have a number of VPNs set up to their other customers. So in my mind the 3030 is good to go, but I'm not sure if my side is set up correctly. Here is what the vendor requested me to set the router configuration to:

Peer (outside public address): 166.241.43.132
C.P. Encryption Network: 166.241.41.100 (VIP for the following), 166.241.41.101, 166.241.41.102
Pre-shared key: assigned at setup.
Perfect Forward Secrecy = Disabled
Negotiation = Main Mode
Diffie-Hellman group II
Encryption/Authentication: 3DES/SHA
IKE Proposal: ESP-3DES-SHA-DSA
IPSec re-negotiate (time) = 28800
IKE re-negotiate (time) = 86400

The 1841 is set up on a DMZ switch. My plan is to have the firewall route to the 1841 any VPN address destinations. Here is the config on the 1841 router.

Building configuration...
Current configuration : 2541 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ChoicePoint-VPN
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 $1$TBSl$abG9uAkhQJi/sv7fHD8OK.
no aaa new-model
resource policy
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip multicast-routing
username cisco privilege 15 secret 5 $1$mFIc$1u1qmgtNbISUoPzTieT5A.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp client configuration group rtr-remote

crypto isakmp client configuration group rtr-remo

 dns 10.214.251.16
 domain extranet.ds.sbu

crypto isakmp client configuration group rtr-rem
 key Str633EcpT

crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set choicepointvpn esp-3des esp-sha-hmac

crypto dynamic-map dynmap 1
 set transform-set choicepointvpn
 reverse-route
crypto map static-map 1 ipsec-isakmp dynamic dynmap
interface Tunnel1
 ip address 10.0.0.254 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 66.241.43.232
interface FastEthernet0/0
 ip address 10.214.251.1 255.255.255.0
 duplex auto
 speed auto
 crypto map static-map
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
interface Serial0/1/0
 no ip address
 shutdown
ip route 0.0.0.0 0.0.0.0 10.214.251.250
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000

Does the configuration on the 1841 look right? Thanks.
Question by:mpopal
Expert Comment by:naveedb (LVL 10)
You will need to create a crypto map for the Concentrator. You also need to create ACLs to define the traffic that needs to go through the VPN tunnel. Have a look at the following document and let us know if you need further help.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml

It looks like you are using VPN clients to connect to the router? And there is a GRE tunnel on it also?

It doesn't have a public IP Address, so you will need to configure 10.214.251.250 to forward IPSec traffic to the router.
Author Comment by:mpopal (LVL 3)
The crypto map is set up for the concentrator. I added access lists for the traffic that needs to go through the VPN.
I'm not using VPN clients to connect to the router. I want to set up a site-to-site VPN.

After reading the Cisco link, I have a new configuration. There is no GRE tunnel any more either. It still doesn't work. Here is the configuration after using the referenced link:

Building configuration...
Current configuration : 2566 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname ChoicePoint-VPN
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret 5 $1$TBSl$abG9uAkhQJi/sv7fHD8OK.
no aaa new-model
resource policy
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip multicast-routing
username 5435 privilege 15 secret 5 $1$mFIc$1u1qmgtNbISUoPzTieT5A.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Str8!inEcpT address 66.241.43.232

crypto ipsec security-association lifetime seconds 28800

crypto ipsec transform-set choicepointvpn esp-3des esp-sha-hmac

crypto map choicepointvpn 10 ipsec-isakmp
 set peer 66.241.43.132
 set transform-set choicepointvpn

 match address 101

interface FastEthernet0/0
 ip address 10.214.251.1 255.255.255.0

 duplex auto

 speed auto

 crypto map choicepointvpn

interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto

interface Serial0/1/0
 no ip address
 shutdown

ip route 0.0.0.0 0.0.0.0 10.214.251.250

ip http server
ip http authentication local
no ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

access-list 101 permit ip 10.214.251.0 0.0.0.255 10.214.248.0 0.0.0.255
access-list 101 permit ip 10.214.251.0 0.0.0.255 66.241.43.0 0.0.0.255
access-list 101 permit ip 10.214.251.0 0.0.0.255 66.241.41.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.214.251.0 0.0.0.255 host 66.241.43.232

control-plane

banner login ^C
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm

line con 0
line aux 0
line vty 0 4
 privilege level 15
 password $%$%
 login
 transport input telnet
line vty 5 15
 privilege level 15
 login
 transport input telnet

scheduler allocate 20000 1000

end

I don't see how this will work since there are no route statements for the other side of the VPN.
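In the second configuration above, the ISAKMP pre-shared key is bound to 66.241.43.232 while the crypto map peers with 66.241.43.132, and the vendor listed the phase 1/phase 2 parameters the router must match. As an added example (not from this thread or from Cisco), the script below parses the relevant IOS lines and reports such mismatches; the config excerpt is constructed from the post with a placeholder key, the requested-parameter table is taken from the vendor list in the question, and IOS defaults are assumed where a line is absent.

```python
import re

# Constructed excerpt modelled on the second config in the thread; the PSK is a placeholder.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 66.241.43.232
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set choicepointvpn esp-3des esp-sha-hmac
crypto map choicepointvpn 10 ipsec-isakmp
 set peer 66.241.43.132
 set transform-set choicepointvpn
"""
# What the partner asked for in the question: 3DES/SHA, DH group 2, PFS off, 28800 s IPsec SA.
REQUESTED = {"encr": "3des", "hash": "sha", "group": "2", "pfs": False,
             "transform": ("esp-3des", "esp-sha-hmac"), "ipsec_lifetime": "28800"}

def parse(config):
    # IOS defaults (DES, SHA, DH group 1, no PFS, 3600 s) assumed where a line is absent
    f = {"encr": "des", "hash": "sha", "group": "1", "pfs": False, "ipsec_lifetime": "3600",
         "key_addrs": set(), "peers": set(), "transforms": {}, "map_transform": None}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"(encr|hash|group) (\S+)$", line):          # isakmp policy lines
            f[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            f["key_addrs"].add(m.group(1))
        elif m := re.match(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            f["ipsec_lifetime"] = m.group(1)
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            f["transforms"][m.group(1)] = tuple(m.group(2).split())
        elif m := re.match(r"set peer (\S+)", line):                   # crypto map lines
            f["peers"].add(m.group(1))
        elif m := re.match(r"set transform-set (\S+)", line):
            f["map_transform"] = m.group(1)
        elif line.startswith("set pfs"):
            f["pfs"] = True
    return f
def check(config, requested=REQUESTED):
    # Returns human-readable findings; an empty list means the config matches the request
    f, out = parse(config), []
    for peer in sorted(f["peers"] - f["key_addrs"]):
        out.append(f"no pre-shared key configured for crypto-map peer {peer}")
    for k in ("encr", "hash", "group", "pfs", "ipsec_lifetime"):
        if f[k] != requested[k]:
            out.append(f"{k}: config has {f[k]!r}, partner asked for {requested[k]!r}")
    if f["transforms"].get(f["map_transform"]) != requested["transform"]:
        out.append("crypto-map transform set does not match the partner's ESP-3DES-SHA proposal")
    return out
```

Run against the constructed excerpt it reports only the peer/key address mismatch; feed it `show running-config` output to compare your side against the partner's worksheet before opening a ticket.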
Expert Comment by:naveedb (LVL 10)
The access lists are used to direct traffic.

Before we continue further, what is between this router and the Internet, and have you forwarded the IPSec port on the middle device?
Author Comment by:mpopal (LVL 3)
I figured out the problem. The router on my side was behind two firewalls and for some reason the packets were being fragmented. That is what I could tell from an Ethereal packet capture. I could not resolve the fragmentation issue so I bypassed both firewalls and hooked the firewall directly to the Internet on an unprotected switch. That worked instantly.
Expert Comment by:naveedb (LVL 10)
So, the issue is resolved and you do not require any more assistance?
Author Comment by:mpopal (LVL 3)
Yes. Thanks.
Accepted Solution by:DarthMod (LVL 1)
DarthMod earned 0 total points
PAQed with points refunded (500)

DarthMod
Community Support Moderator