Solved

How to Configure VPN on Cisco Router

Posted on 2009-04-01
4
4,631 Views
Last Modified: 2012-05-06
Hi all,
I'm configuring a Cisco 1811 router here at work.  I need to enable VPN on the router, so that employees can connect to their work computers from home.  Not sure where I need to start.  Please assist.
Thanks.
0
Question by:P1ST0LPETE
4 Comments
 
LVL 10

Author Comment

by:P1ST0LPETE
ID: 24139262
Ok, followed the instructions from the 2nd link and have the following config file:

(See attached code snippet)

Currently, when I issue the following command in the CLI: "show crypto ipsec client ezvpn", I get the following reply:

Easy VPN Remote Phase: 6
Tunnel Name: ezvpnclient
Inside interface list:
Outside interface list: FastEthernet0
Current State: IDLE
Last Event: CRYPTO_SS_UNUSED
Save Password: Disallowed
Current EzVPN Peer: 10.10.20.5

Does the config look like it is set up correctly, and if it does, how do I test it? (I've never used a VPN before.)

Thanks for the help.
!
! Last configuration change at 14:12:59 PCTime Mon Apr 13 2009 by xxxxx
!
version 12.4
no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local 
!
!
aaa session-id common
clock timezone PCTime -6
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac 
!
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group ezvpnclient key xxxxx
 mode client
 peer 10.10.20.5
 xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
 set transform-set vpn1 
 reverse-route
!
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap 
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.20.200 10.10.20.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
 
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
 
!
webvpn cef
end


0
 
LVL 7

Accepted Solution

by:
Ilir Mitrushi earned 500 total points
ID: 24142300
You need a few changes to your config. I am assuming that this router will be an Easy VPN server. Remote clients will connect using the Cisco VPN Client. With the config below, when they connect, all their traffic will be routed through the VPN tunnel. If you want to allow them to use their internet connection, you need to configure split tunneling.

For split tunneling, add this to the config below when in config mode:
crypto isakmp client configuration group rtr-remote
 acl 1

no service timestamps debug uptime
no service timestamps log uptime
no service password-encryption
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
!
aaa session-id common
clock timezone PCTime -6
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key xxxxx
 dns xxx.xxx.xxx.xxx
 domain xxxxxxxx.com
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
!
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map 100 ipsec-isakmp dynamic dynmap
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.20.1 10.10.20.129
ip dhcp excluded-address 10.10.20.161 10.10.20.254
!
!
ip cef
ip domain name xxxxxxxxx.com
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username xxxxx privilege 15 password 0 xxxxx
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 description $ETH-WAN$
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Dot11Radio0
 no ip address
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio1
 no ip address
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 ip address 10.10.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool dynpool 10.10.200.200 10.10.200.220
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
!
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
no cdp run
 
!
!
!
!
!
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
ntp clock-period 17180493
ntp update-calendar
ntp server xxx.xxx.xxx.xxx source FastEthernet0 prefer
ntp server xxx.xxx.xxx.xxx source FastEthernet0
ntp server xxx.xxx.xxx.xxx
ntp server xxx.xxx.xxx.xxx source FastEthernet0
 
!
webvpn cef
end
0
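A check for the mistakes this answer corrects, as an added example that is not part of the thread and not Cisco's code: a small Python linter that splits a `show running-config` into blocks and flags the Easy VPN server pitfalls seen above (a `crypto ipsec client ezvpn` block on what should be the server, server settings hung on a crypto map name other than the one applied to the WAN interface, a group that references no address pool, and a pool carved out of an inside VLAN), plus phase-1 settings (3DES, MD5, DH group 2) that are no longer acceptable. The two embedded configs are constructed, trimmed copies with the real addresses removed. The corrected one follows the accepted answer but adds two lines the answer defines the pieces for yet never references: `pool dynpool` under the group (without it clients are never assigned an address) and `client authentication list rtr-remote` on the crypto map (Xauth against the local usernames, so the group key alone does not admit anyone). The function and finding names are this example's own.

```python
"""Lint an IOS config for the Easy VPN server pitfalls raised in this thread (added example)."""
import ipaddress

# Constructed, trimmed copy of the posted configuration (placeholder key kept).
POSTED_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp client configuration group rtr-remote
 key xxxxx
crypto ipsec client ezvpn ezvpnclient
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto map static-map 1 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 crypto map static-map
 crypto ipsec client ezvpn ezvpnclient
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
ip local pool dynpool 10.10.20.200 10.10.20.220
"""

# Constructed: the accepted answer's layout plus 'pool dynpool' and Xauth.
FIXED_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp client configuration group rtr-remote
 key xxxxx
 pool dynpool
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
crypto map static-map client authentication list rtr-remote
crypto map static-map 100 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 crypto map static-map
interface Vlan2
 ip address 10.10.20.1 255.255.255.0
ip local pool dynpool 10.10.200.200 10.10.200.220
"""

# Phase-1 settings no longer acceptable: DES/3DES, MD5, 768/1024-bit DH groups.
WEAK_ISAKMP = {"encr des", "encr 3des", "hash md5", "group 1", "group 2"}
# Server crypto map needs group authorization, address assignment and Xauth.
SERVER_MAP_SETTINGS = ("isakmp authorization", "client configuration", "client authentication")


def parse_blocks(text):
    """Split IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_easyvpn_server(text):
    """Return sorted (finding, detail) tuples for an Easy VPN server config."""
    findings, applied, map_settings, iface_nets, pools, groups = [], set(), {}, [], {}, {}
    for head, body in parse_blocks(text):
        w = head.split()
        # 'crypto ipsec client ezvpn' makes the router a client dialling out (the IDLE tunnel above).
        if any(line.startswith("crypto ipsec client ezvpn") for line in [head] + body):
            findings.append(("ezvpn-client-on-server", head))
        if head.startswith("interface "):
            for line in body:
                if line.startswith("crypto map "):
                    applied.add(line.split()[2])
                elif line.startswith("ip address ") and len(line.split()) == 4:
                    iface_nets.append((w[1], ipaddress.ip_network("/".join(line.split()[2:]), strict=False)))
        elif head.startswith("crypto map ") and len(w) > 4 and not w[3].isdigit():
            map_settings.setdefault(w[2], set()).add(" ".join(w[3:5]))
        elif head.startswith("ip local pool ") and len(w) == 6:
            pools[w[3]] = (ipaddress.ip_address(w[4]), ipaddress.ip_address(w[5]))
        elif head.startswith("crypto isakmp client configuration group "):
            groups[w[-1]] = body
        elif head.startswith("crypto isakmp policy "):
            weak = sorted(WEAK_ISAKMP.intersection(body))
            if weak:
                findings.append(("weak-isakmp-policy", f"{head}: {', '.join(weak)}"))
    # Server settings must sit on the map name applied to the WAN interface; any other name is dead config.
    for name in applied:
        for needed in SERVER_MAP_SETTINGS:
            if needed not in map_settings.get(name, set()):
                findings.append(("crypto-map-missing-setting", f"{name}: {needed}"))
    for name in set(map_settings) - applied:
        findings.append(("crypto-map-not-applied", name))
    # Clients get addresses only from a pool the group references; keep that pool off the inside VLANs.
    for gname, body in groups.items():
        ref = [line.split()[1] for line in body if line.startswith("pool ")]
        if not ref or ref[0] not in pools:
            findings.append(("group-without-pool", gname))
    for pname, (lo, hi) in pools.items():
        for iface, net in iface_nets:
            if lo in net or hi in net:
                findings.append(("pool-overlaps-interface", f"{pname} vs {iface} {net}"))
    return sorted(findings)
```

Run over the posted config it reports nine findings; over the corrected one only the weak phase-1 policy remains, which the thread never addresses (the Cisco VPN Client of that era also supports AES and SHA-1, so there is no reason to keep 3DES/MD5). On the router itself, once a client connects, `show crypto isakmp sa` and `show crypto ipsec sa` list the phase-1 and phase-2 security associations and `show crypto session` summarises them; the `show crypto ipsec client ezvpn` output quoted above only ever describes the router acting as a client, which is why it sits at IDLE.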
