How to Configure VPN on Cisco Router

Posted on 2009-04-01
Last Modified: 2012-05-06
Hi all,
I'm configuring a Cisco 1811 router here at work.  I need to enable VPN on the router, so that employees can connect to their work computers from home.  Not sure where I need to start.  Please assist.
Thanks.
Question by:P1ST0LPETE
Author Comment

by:P1ST0LPETE
ID: 24139262
Ok, followed the instructions from the 2nd link and have the following config file:

(See attached code snippet)

Currently, when I issue the following command in the CLI: "show crypto ipsec client ezvpn", I get the following reply:

Easy VPN Remote Phase: 6
Tunnel Name: ezvpnclient
Inside interface list:
Outside interface list: FastEthernet0
Current State: IDLE
Last Event: CRYPTO_SS_UNUSED
Save Password: Disallowed
Current EzVPN Peer: 10.10.20.5

Does the config look like it is set up correctly, and if it does, how do I test it? (I've never used a VPN before.)

Thanks for the help.
!
! Last configuration change at 14:12:59 PCTime Mon Apr 13 2009 by xxxxx
!
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local 
!
!
aaa session-id common
clock timezone PCTime -6
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac 
!
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group ezvpnclient key xxxxx
 mode client
 peer 10.10.20.5
 xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
 set transform-set vpn1 
 reverse-route
!
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap 
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.20.200 10.10.20.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
 
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
 
!
webvpn cef
end

Accepted Solution

by: Ilir Mitrushi
ID: 24142300
You need a few changes to your config. I am assuming that this router will be an Easy VPN server. Remote clients will connect using the Cisco VPN Client. With the config below, when they connect, all their traffic will be routed through the VPN tunnel. If you want to allow them to use their own Internet connection, you need to configure split tunneling.

For split tunneling, add this to the config below while in config mode:
crypto isakmp client configuration group rtr-remote
acl 1

no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
aaa session-id common
clock timezone PCTime -6
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
!
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 100 ipsec-isakmp dynamic dynmap
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.200.200 10.10.200.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
 
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
 
!
webvpn cef
end
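Added example, not code from the thread or from Cisco: a small Python linter for the Easy VPN server portion of an IOS running-config. It runs against constructed excerpts of the two configs above (placeholder pre-shared key EXAMPLE-PSK, no real addresses) and reports the things the accepted answer changes: the map-level settings moved onto the crypto map that FastEthernet0 actually uses, the EzVPN client profile removed from the same interface, and the `acl` that split tunneling needs. It also flags two points neither posted config addresses: the client group has no `pool` line, and the ISAKMP policy (3DES, MD5, DH group 2) and `transport input telnet` on the vty lines are legacy settings a reviewer would ask about.

```python
# Added example (not code from the thread or from Cisco): a small linter for the
# Easy VPN server part of an IOS running-config, run here against constructed
# excerpts of the two configs posted above (placeholder key, no real addresses).
import re

# Constructed excerpt of the asker's config.
BEFORE = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp client configuration group rtr-remote
 key EXAMPLE-PSK
crypto dynamic-map dynmap 1
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
line vty 0 4
 transport input telnet ssh
"""

# Constructed excerpt of the accepted answer's config.
AFTER = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto isakmp client configuration group rtr-remote
 key EXAMPLE-PSK
crypto dynamic-map dynmap 1
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 100 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 crypto map static-map
line vty 0 4
 transport input telnet ssh
"""

def parse_blocks(config):
    """Return [(command, [sub-commands])]: a column-0 line opens a block,
    indented lines belong to it, blank lines and '!' separators are dropped."""
    blocks = []
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def lint(config):
    """Return a list of findings (strings); an empty list means nothing to report."""
    findings, bound, clients, settings = [], {}, {}, {}
    for cmd, subs in parse_blocks(config):
        if cmd.startswith("interface "):
            ifname = cmd.split()[1]
            for s in subs:
                if m := re.fullmatch(r"crypto map (\S+)", s):
                    bound.setdefault(m.group(1), []).append(ifname)
                if m := re.fullmatch(r"crypto ipsec client ezvpn (\S+).*", s):
                    clients.setdefault(ifname, []).append(m.group(1))
        elif m := re.fullmatch(r"crypto map (\S+) (isakmp authorization list|"
                               r"client configuration address) .+", cmd):
            settings.setdefault(m.group(1), set()).add(m.group(2))
        elif m := re.fullmatch(r"crypto isakmp client configuration group (\S+)", cmd):
            for kw, why in (("acl ", "no 'acl', all client traffic goes through the "
                                     "tunnel (add 'acl <n>' for split tunneling)"),
                            ("pool ", "no 'pool', clients get no address unless AAA "
                                      "supplies one (add 'pool <name>')")):
                if not any(s.startswith(kw) for s in subs):
                    findings.append(f"group {m.group(1)}: {why}")
        elif cmd.startswith("crypto isakmp policy"):
            for s in subs:
                if s in ("encr 3des", "hash md5", "group 2"):
                    findings.append(f"{cmd}: '{s}' is legacy; prefer AES, SHA-2, DH group 14+")
        elif cmd.startswith("line vty") and any(
                s.startswith("transport input") and "telnet" in s for s in subs):
            findings.append(f"{cmd}: telnet allowed on management lines; use 'transport input ssh'")
    # One interface cannot be both the Easy VPN server (crypto map) and an Easy VPN
    # client (ezvpn profile); the accepted answer drops the client side.
    for ifname, profiles in clients.items():
        if any(ifname in ifs for ifs in bound.values()):
            findings.append(f"{ifname}: crypto map and EzVPN client profile "
                            f"'{profiles[0]}' on the same interface; pick one role")
    # 'isakmp authorization list' and 'client configuration address' belong on the
    # crypto map that is actually applied to the interface, not on another name.
    for name in settings.keys() - bound.keys():
        findings.append(f"crypto map {name}: group authorization/address settings on a "
                        f"map no interface uses (applied: {sorted(bound)})")
    for name in bound:
        for s in sorted({"isakmp authorization list", "client configuration address"}
                        - settings.get(name, set())):
            findings.append(f"crypto map {name}: missing '{s}', clients get no group "
                            "policy or pool address")
    return findings
```

Running `lint(BEFORE)` reports the crypto-map name mismatch (settings on `dynmap`, interface bound to `static-map`), the client profile sharing FastEthernet0 with the crypto map, and the group/cipher/telnet caveats; `lint(AFTER)` keeps only the caveats, and adding `acl 1` and `pool dynpool` under the group clears the group findings. The parser is deliberately minimal (two indentation levels, no `!`-separated sections) because that is all the remote-access blocks use.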