Solved

How to Configure VPN on Cisco Router

Posted on 2009-04-01
Last Modified: 2012-05-06
Hi all,
I'm configuring a Cisco 1811 router here at work.  I need to enable VPN on the router, so that employees can connect to their work computers from home.  Not sure where I need to start.  Please assist.
Thanks.
Question by:P1ST0LPETE

Expert Comment

by:mitrushi
Author Comment

by:P1ST0LPETE
OK, followed the instructions from the 2nd link and have the following config file:

(See attached code snippet)

Currently, when I issue the following command in the CLI: "show crypto ipsec client ezvpn", I get the following reply:

Eazy VPN Remote Phase: 6
Tunnel Name: ezvpnclient
Inside interface list:
Outside interface list: FastEthernet0
Current State: IDLE
Last Event: CRYPTO_SS_UNUSED
Save Password: Disallowed
Current EzVPN Peer: 10.10.20.5

Does the config look like it is set up correctly, and if it does, how do I test it? (I've never used a VPN before.)

Thanks for the help.
!
! Last configuration change at 14:12:59 PCTime Mon Apr 13 2009 by xxxxx
!
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
aaa session-id common
clock timezone PCTime -6
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group ezvpnclient key xxxxx
 mode client
 peer 10.10.20.5
 xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.20.200 10.10.20.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
!
webvpn cef
end


Accepted Solution

by: mitrushi (earned 500 total points)
You need a few changes to your config. I am assuming that this router will be an Easy VPN server. Remote clients will connect using the Cisco VPN Client. With the config below, when they connect, all their traffic will be routed through the VPN tunnel. If you want to allow them to use their own internet connection, you need to configure split tunneling.

For split tunneling, add this to the config below when in config mode:
crypto isakmp client configuration group rtr-remote
acl 1

no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
aaa session-id common
clock timezone PCTime -6
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
!
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 100 ipsec-isakmp dynamic dynmap
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.200.200 10.10.200.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
 
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
 
!
webvpn cef
end

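The accepted answer changes three things in the posted config: the Easy VPN server lines (`isakmp authorization list`, `client configuration address respond`) move from crypto map `dynmap` to `static-map`, which is the map actually applied to FastEthernet0; the leftover `crypto ipsec client ezvpn` profile comes off the WAN interface, since a router acting as the server should not also run a client profile; and the client pool moves out of the Vlan2 subnet. As an added example, not code from the thread, this Python check flags those three conditions in an IOS running-config; both excerpts are constructed from the thread's lines with a placeholder WAN address.

```python
import ipaddress
import re

# Constructed excerpt mirroring the poster's original config (not the thread's own file).
BEFORE = """\
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip address 198.51.100.2 255.255.255.248
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
ip local pool dynpool 10.10.20.200 10.10.20.220
"""

# Same excerpt with the accepted answer's changes applied.
AFTER = """\
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 100 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip address 198.51.100.2 255.255.255.248
 crypto map static-map
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
ip local pool dynpool 10.10.200.200 10.10.200.220
"""

def lint(config):
    findings = []
    # Map names applied to interfaces (indented) vs. the map names that carry the
    # Easy VPN server settings (global lines); they must be the same map.
    applied = set(re.findall(r"^ crypto map (\S+)$", config, re.M))
    for setting in ("isakmp authorization list", "client configuration address respond"):
        names = set(re.findall(rf"^crypto map (\S+) {setting}", config, re.M))
        for name in sorted(applied - names):
            findings.append(f"map {name} is on an interface but has no '{setting}' line")
    # A router acting as the Easy VPN server should not also run a client profile.
    if re.search(r"^ crypto ipsec client ezvpn ", config, re.M):
        findings.append("ezvpn client profile is applied on an interface of the server")
    # The client address pool should not sit inside an interface's own subnet.
    subnets = [ipaddress.ip_network(f"{a}/{m}", strict=False)
               for a, m in re.findall(r"^ ip address (\S+) (\S+)$", config, re.M)]
    for pool, lo, hi in re.findall(r"^ip local pool (\S+) (\S+) (\S+)$", config, re.M):
        for net in subnets:
            if ipaddress.ip_address(lo) in net or ipaddress.ip_address(hi) in net:
                findings.append(f"pool {pool} ({lo}-{hi}) overlaps interface subnet {net}")
    return findings
```

Running `lint(BEFORE)` reports all three problems (the map mismatch counts twice, once per missing setting); `lint(AFTER)` returns an empty list.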