Solved

How to Configure VPN on Cisco Router

Posted on 2009-04-01
4,622 Views
Last Modified: 2012-05-06
Hi all,
I'm configuring a Cisco 1811 router here at work.  I need to enable VPN on the router, so that employees can connect to their work computers from home.  Not sure where I need to start.  Please assist.
Thanks.
Question by: P1ST0LPETE
Expert Comment

by: mitrushi
ID: 24041314

Author Comment

by: P1ST0LPETE
ID: 24139262
OK, I followed the instructions from the 2nd link and have the following config file:

(See attached code snippet)

Currently, when I issue the following command in the CLI: "show crypto ipsec client ezvpn", I get the following reply:

Easy VPN Remote Phase: 6
Tunnel Name: ezvpnclient
Inside interface list:
Outside interface list: FastEthernet0
Current State: IDLE
Last Event: CRYPTO_SS_UNUSED
Save Password: Disallowed
Current EzVPN Peer: 10.10.20.5

Does the config look like it is set up correctly, and if it does, how do I test it? (I've never used a VPN before.)

Thanks for the help.
!
! Last configuration change at 14:12:59 PCTime Mon Apr 13 2009 by xxxxx
!
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local 
!
!
aaa session-id common
clock timezone PCTime -6
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac 
!
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group ezvpnclient key xxxxx
 mode client
 peer 10.10.20.5
 xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
 set transform-set vpn1 
 reverse-route
!
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap 
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.20.200 10.10.20.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
 
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
 
!
webvpn cef
end


Accepted Solution

by: mitrushi (earned 500 total points)
ID: 24142300
You need a few changes to your config. I am assuming that this router will be an Easy VPN server. Remote clients will connect using the Cisco VPN Client. With the config below, when they connect, all their traffic will be routed through the VPN tunnel. If you want to allow them to use their own internet connection, you need to configure split tunneling.

For split tunneling, add this to the config below while in config mode:
crypto isakmp client configuration group rtr-remote
 acl 1

no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
aaa session-id common
clock timezone PCTime -6
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
 pool dynpool
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
!
crypto map static-map client authentication list rtr-remote
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 100 ipsec-isakmp dynamic dynmap
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.200.200 10.10.200.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
 
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
 
!
webvpn cef
end
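The lint script below is an added example by the editor, not code from this thread or from Cisco. It encodes the Easy VPN server defects this thread turns on as checks over an IOS running-config: map-level commands (`isakmp authorization list`, `client configuration address`) that name a crypto map never applied to an interface, an interface carrying both a crypto map (server role) and `crypto ipsec client ezvpn` (remote-client role), a client group with no `pool`, an applied crypto map with no `client authentication list` (no XAUTH, so the group key alone admits a user), and an ISAKMP policy using DES/3DES, MD5 or DH group 1/2. The two embedded configs are constructed, condensed versions of the question's config and of a corrected server config; the addresses, the `REDACTED` key, the `acl 110` split-tunnel list and the AES-256/SHA/group 14 policy are the editor's assumptions (group 14 needs an IOS image that supports it).

```python
"""Lint a Cisco IOS Easy VPN server config for the defects seen in this thread.
Added example by the editor, not code from the thread or from Cisco; the two
sample configs are constructed, condensed versions of the question's config
and of a corrected one (addresses, the key and the AES/group 14 policy are
placeholders and assumptions)."""
import re

WEAK_ISAKMP = {"encr des", "encr 3des", "hash md5", "group 1", "group 2"}  # illustrative


def parse_config(config):
    """Split an IOS config into (top-level line, [indented sub-lines]) blocks."""
    blocks = []
    for line in (raw.rstrip() for raw in config.splitlines()):
        if not line or line.lstrip().startswith("!"):
            continue  # blank or comment line
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line, []))
    return blocks


MAP_CMD = re.compile(r"crypto map (\S+) (client authentication list|isakmp authorization list"
                     r"|client configuration address|\d+ ipsec-isakmp)")


def lint_easyvpn_server(config):
    """Return a list of findings; an empty list means no defect was detected."""
    blocks = parse_config(config)
    findings, applied, xauth_maps = [], set(), set()
    for header, body in blocks:
        if header.startswith("interface "):
            # Maps bound to this interface, and the server-plus-remote-client mix-up.
            applied.update(s.split()[2] for s in body if re.match(r"crypto map \S+$", s))
            if any(s.startswith("crypto map ") for s in body) and any(
                    s.startswith("crypto ipsec client ezvpn ") for s in body):
                findings.append(f"{header}: bound as both Easy VPN server (crypto map) "
                                "and Easy VPN remote client")
    for header, body in blocks:
        m = MAP_CMD.match(header)
        if m:
            name, cmd = m.groups()
            if name not in applied:  # e.g. 'dynmap' settings while 'static-map' is applied
                findings.append(f"'{header}': map '{name}' is not applied to any interface")
            if cmd == "client authentication list":
                xauth_maps.add(name)
        elif header.startswith("crypto isakmp client configuration group "):
            if not any(s.startswith("pool ") for s in body):  # nothing to hand clients
                findings.append(f"'{header}': no 'pool', clients cannot get an address")
        elif header.startswith("crypto isakmp policy "):
            weak = sorted(set(body) & WEAK_ISAKMP)
            if weak:
                findings.append(f"'{header}': weak phase-1 settings {weak}")
    for name in sorted(applied - xauth_maps):  # no XAUTH: the group key alone admits a user
        findings.append(f"crypto map '{name}': no 'client authentication list' (no XAUTH)")
    return findings


# Constructed, condensed form of the config posted in the question.
POSTED_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group rtr-remote
 key REDACTED
crypto ipsec client ezvpn ezvpnclient
 mode client
 peer 10.10.20.5
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.248
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
ip local pool dynpool 10.10.20.200 10.10.20.220
"""

# Constructed corrected server config (editor's assumptions, see docstring).
FIXED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp client configuration group rtr-remote
 key REDACTED
 pool dynpool
 acl 110
crypto map static-map client authentication list rtr-remote
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 100 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.248
 crypto map static-map
ip local pool dynpool 10.10.200.200 10.10.200.220
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, lint_easyvpn_server(cfg) or "clean")
```

Run as a script it reports six findings for the posted sample and none for the corrected one. The checks do not cover NAT: with `ip nat inside source list 1 interface FastEthernet0 overload` and a standard ACL, LAN replies to VPN clients are translated before they reach the crypto map, so the pool must be exempted with a route-map or an extended ACL that denies traffic destined to the pool. Against the accepted configuration above the script would still flag the `3des`/`md5`/`group 2` policy; that is a hardening step, not a connectivity bug.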