Solved

How to Configure VPN on Cisco Router

Posted on 2009-04-01
4
4,627 Views
Last Modified: 2012-05-06
Hi all,
I'm configuring a Cisco 1811 router here at work.  I need to enable VPN on the router, so that employees can connect to their work computers from home.  Not sure where I need to start.  Please assist.
Thanks.
Question by:P1ST0LPETE
4 Comments
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24041314
0
 
LVL 10

Author Comment

by:P1ST0LPETE
ID: 24139262
OK, I followed the instructions from the 2nd link and have the following config file:

(See attached code snippet)

Currently, when I issue the following command in the CLI: "show crypto ipsec client ezvpn", I get the following reply:

Eazy VPN Remote Phase: 6
Tunnel Name: ezvpnclient
Inside interface list:
Outside interface list: FastEthernet0
Current State: IDLE
Last Event: CRYPTO_SS_UNUSED
Save Password: Disallowed
Current EzVPN Peer: 10.10.20.5

Does the config look like it is set up correctly, and if it does, how do I test it? (I've never used a VPN before.)

Thanks for the help.
!
! Last configuration change at 14:12:59 PCTime Mon Apr 13 2009 by xxxxx
!
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local 
!
!
aaa session-id common
clock timezone PCTime -6
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac 
!
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group ezvpnclient key xxxxx
 mode client
 peer 10.10.20.5
 xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
 set transform-set vpn1 
 reverse-route
!
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap 
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.20.200 10.10.20.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
 
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
 
!
webvpn cef
end


0
 
LVL 7

Accepted Solution

by:
Ilir Mitrushi earned 500 total points
ID: 24142300
You need a few changes to your config. I am assuming that this router will be an Easy VPN server. Remote clients will connect using the Cisco VPN Client. With the config below, when they connect, all their traffic will be routed through the VPN tunnel. If you want to allow them to use their internet connection you need to configure split tunneling.

For split tunneling, add this to the config below when in config mode:
crypto isakmp client configuration group rtr-remote
 acl 1

no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
aaa session-id common
clock timezone PCTime -6
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
!
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 100 ipsec-isakmp dynamic dynmap
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.200.200 10.10.200.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
 
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
 
!
webvpn cef
end
0
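The accepted answer changes three things relative to the questioner's config: the `isakmp authorization list` and `client configuration address respond` lines now name `static-map` (the map applied to FastEthernet0) instead of `dynmap`; the `crypto ipsec client ezvpn` client configuration, which pointed at the router's own LAN address 10.10.20.5, is gone; and the client pool moves out of the Vlan2 subnet. As an added example, not part of the thread or of any Cisco tool, the Python script below audits a running-config for exactly those three mistakes and for a fourth the answer leaves open: IOS performs inside-to-outside NAT before it consults the crypto map, so without an extended access list that denies translation of LAN-to-pool traffic, replies to VPN clients are PAT'd and the tunnel carries nothing useful. The two config excerpts, the addresses 192.0.2.2 and 10.10.200.x, and the extended NAT access-list 100 are constructed assumptions; the questioner's and the answer's real configs are only mirrored, not reproduced.

```python
"""Audit a Cisco IOS Easy VPN server config for the mistakes discussed above (constructed example)."""
import ipaddress
import re

# Mirrors the questioner's config: crypto-map settings hang off the dynamic
# map's name, the router is also an EzVPN remote client, and the client pool
# sits inside the Vlan2 subnet.  All values are hypothetical.
ORIGINAL = """\
crypto ipsec client ezvpn ezvpnclient
 peer 10.10.20.5
crypto dynamic-map dynmap 1
 reverse-route
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
ip local pool dynpool 10.10.20.200 10.10.20.220
ip nat inside source list 1 interface FastEthernet0 overload
access-list 1 permit 10.10.20.0 0.0.0.255
"""

# Mirrors the accepted answer, plus extended NAT ACL 100 exempting LAN-to-pool
# traffic from translation (an assumption added here, not in the answer).
FIXED = """\
crypto dynamic-map dynmap 1
 reverse-route
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 100 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip address 192.0.2.2 255.255.255.248
 ip nat outside
 crypto map static-map
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
ip local pool dynpool 10.10.200.200 10.10.200.220
ip nat inside source list 100 interface FastEthernet0 overload
access-list 100 deny ip 10.10.0.0 0.0.255.255 10.10.200.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.255.255 any
"""


def sections(config):
    """Group an IOS config into (top-level command, [indented sub-commands])."""
    out = []
    for raw in config.splitlines():
        if raw.startswith(" ") and out:
            out[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            out.append((raw.strip(), []))
    return out


def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard pair -> network (contiguous wildcards only)."""
    prefix = 32 - int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def audit(config):
    """Return 'category: detail' findings; an empty list means nothing was flagged."""
    secs = sections(config)
    headers = [h for h, _ in secs]
    findings = []
    applied, connected = set(), []  # crypto maps bound to interfaces; connected subnets
    for h, sub in secs:
        for s in (sub if h.startswith("interface ") else []):
            if m := re.match(r"crypto map (\S+)$", s):
                applied.add(m.group(1))
            if m := re.match(r"ip address (\S+) (\S+)$", s):
                connected.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    # 1. Authorization/client-config lines must name the map that is applied to
    #    the interface, not the dynamic map it references.
    for name in {m.group(1) for h in headers
                 if (m := re.match(r"crypto map (\S+) (isakmp authorization|client configuration)", h))}:
        if name not in applied:
            findings.append(f"crypto-map-name: '{name}' is configured but not applied to any interface")
    # 2. A server (dynamic crypto map) should not also be an EzVPN remote client.
    if any(h.startswith("crypto dynamic-map ") for h in headers) and \
       any(h.startswith("crypto ipsec client ezvpn ") for h in headers):
        findings.append("dual-role: router is both an Easy VPN server and an Easy VPN remote client")
    # 3. The client pool must not overlap a directly connected subnet.
    pools = [(m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
             for h in headers if (m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", h))]
    for name, start, end in pools:
        for net in connected:
            if start in net or end in net:
                findings.append(f"pool-overlap: pool '{name}' ({start}-{end}) lies inside connected subnet {net}")
    # 4. Inside-to-outside NAT runs before the crypto map is consulted, so the
    #    NAT ACL needs an extended 'deny' towards the pool addresses.
    for h in headers:
        if m := re.match(r"ip nat inside source list (\S+) ", h):
            acl = m.group(1)
            denies = [wildcard_to_network(d.group(1), d.group(2)) for r in headers
                      if (d := re.match(rf"access-list {acl} deny ip \S+ \S+ (\S+) (\S+)$", r))]
            for name, start, end in pools:
                if not any(start in net and end in net for net in denies):
                    findings.append(f"nat-exemption: access-list {acl} does not exempt traffic to pool '{name}'")
    return findings
```

Running `audit(ORIGINAL)` yields one finding in each of the four categories, and `audit(FIXED)` yields none. To check a real router, paste the output of `show running-config` into the string passed to `audit`; the parser only understands numbered ACLs and contiguous wildcard masks, so named or non-contiguous access lists need extending before the NAT check can be trusted.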
