  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1607
  • Last Modified:

Setting up VPN between Cisco UC520 and Cisco 877w

Hi all,

I want to set up a VPN between a UC520 in Australia and an 877w in India.

Configuration for UC520 is attached.

Let me know what configuration needs to be done on 877w.

Thanks in advance.

Regards,

Vikas




UC520.txt
Asked by: kavinagpur
 
kavinagpurAuthor Commented:
Just to inform you, I have a static IP for Australia.

No static IP in India.
0
 
GuruChiuCommented:
crypto ipsec client ezvpn AustraliaVPN
 connect auto
 group EZVPN_GROUP_1 key coinopsolutions.com
 mode client
 peer xxx.xxx.xxx.xxx
 username xxxxx password xxxxx
 xauth userid mode local
interface FastEthernet4
 crypto ipsec client ezvpn AustraliaVPN
interface Vlan1
 crypto ipsec client ezvpn AustraliaVPN inside
0
 
kavinagpurAuthor Commented:
Thanks for your reply.

What's AustraliaVPN?

Is this the setting that needs to be configured on 877w in India?

Thanks in advance.
0
 
kavinagpurAuthor Commented:
Please also explain

peer xxx.xxx.xxx.xxx ----?
 username xxxxx password xxxxx-----?
0
 
kavinagpurAuthor Commented:
I ran the command as it is.
All went right.
It came up with -----ISAKMP ON

But the VPN light on 877 is not on

Any suggestion?
0
 
kavinagpurAuthor Commented:
I am attaching the configuration for the 877w, to which I made the above changes.
877w.txt
0
 
GuruChiuCommented:
Sorry for the late reply, I am in a different time zone.

AustraliaVPN is just an arbitrary name given to the VPN profile, so that you can refer to it in subsequent configuration.

peer xxx.xxx.xxx.xxx ----replace xxx.xxx.xxx.xxx with the static IP for UC520.
 username xxxxx password xxxxx----- user name and password you want to use. You need to configure that in your UC520.
0
 
kavinagpurAuthor Commented:
I did the configuration.

But seems VPN not working. I am attaching the configuration of 877.

Let me know what went wrong.

Thanks in advance.


877w-config.txt
0
 
GuruChiuCommented:
I had a quick look and already see these problems:

In UC520, you have this defined:
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any

It should be
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.2.0 0.0.0.255 any

In the 877, you have these defined:
interface Tunnel0                
...
which doesn't make any sense and interferes with the VPN operation.

Your 877 has 192.168.1.0 for the local LAN, yet your UC520 uses the same for client VPN. Those should be different.

If you do not have enough experience, it helps to draw a diagram and list out the addressing space to help yourself organize.

Good luck.
0
 
kavinagpurAuthor Commented:
Hi,

Please suggest what needs to change on the 877.

Thanks
0
 
GuruChiuCommented:
no interface Tunnel0

interface Vlan1
  ip address 192.168.3.250 255.255.255.0                                      

If changing the IP address on the 877 is not desirable, you can also keep the IP address of the 877 but change the pool address in the UC520.

Please describe how you plan to use your addressing space.
0
 
kavinagpurAuthor Commented:
Hello Expert, thank you very much for the reply.

Site-1 (UC520):  192.168.2.0/24 (Main Site - Already Configured as VPN Server)
                           IP for LAN- 192.168.2.2 to 192.168.2.254
                           Router IP - 192.168.2.1
                          TFTP server -10.1.1.1
                          Outer interface : Dialer(Fastethernet 0/0)
                          Static IP
 

Site-2 (871 W):  192.168.1.0/24 (Remote Site)
                          IP for LAN- 192.168.1.2 to 192.168.1.254 for switch
                          IP for LAN- 192.168.2.2 to 192.168.2.254 for Wireless
                          Router IP - 192.168.1.1 also 192.168.1.250
                          Dynamic IP

When I connect the VPN through dial-up from any system at site 2 it runs fine, and I am also able to ping the TFTP server.
I want to connect the VPN from the router at site 2, for VoIP, and I should also be able to ping the TFTP server without creating a dial-up connection.
This is the current configuration of both sides; it would be great to keep the current configuration of site 1.
Let me know what configuration needs to be done on 877w.

Thanks
0
 
kavinagpurAuthor Commented:
Also,

When I created the Easy VPN remote through SDM it connected. I got status from the VPN light on the router, but I was not able to ping the TFTP server.

Thanks
0
 
kavinagpurAuthor Commented:
Hi Expert,

Now I tried to create the Easy VPN remote through SDM. Everything is successful, but the tunnel status is down on site 2.

Thanks
0
 
kavinagpurAuthor Commented:
Hello expert,

I am still waiting for your reply, please do the needful.

Thanks
0
 
GuruChiuCommented:
A lot has changed since you last posted the config. Do you mind posting those again? Before you do that, please correct these:
Site 2 is using the same 192.168.1.0 and 192.168.2.0 that site 1 uses. Please use something else, e.g. 192.168.4.0 and 192.168.5.0. I chose those instead of 192.168.3.0 so that you can easily define the subnets in site 2 as 192.168.4.0/23.
Once you change all these, post the config again and I can help from there.
0
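Added example (not part of the original thread): a Python check of the addressing advice above, built on the standard ipaddress module. The /24 masks for the UC520 client VPN pool and for the original site 2 ranges are assumptions, since the posts give only network numbers; the plan labels are made up for the example.

```python
import ipaddress
from itertools import combinations

# Address plan as described in the thread (masks assumed to be /24).
ORIGINAL_PLAN = {
    "site1-lan (UC520)": "192.168.2.0/24",
    "site1-bvi1 (TFTP)": "10.1.1.0/24",
    "site1-vpn-client-pool": "192.168.1.0/24",
    "site2-lan (877W)": "192.168.1.0/24",
    "site2-wireless": "192.168.2.0/24",
}

# Same plan with site 2 renumbered as suggested in the answer above.
PROPOSED_PLAN = {
    **ORIGINAL_PLAN,
    "site2-lan (877W)": "192.168.4.0/24",
    "site2-wireless": "192.168.5.0/24",
}


def find_overlaps(plan):
    """Return sorted (name_a, name_b) pairs whose networks overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return sorted(
        (a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])
    )


def summarize(cidrs):
    """Collapse networks into the fewest prefixes that cover them exactly."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covered_by(summary, cidr):
    """True if cidr lies entirely inside the summary prefix."""
    return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(summary))


if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("proposed", PROPOSED_PLAN)):
        print(label, "overlaps:", find_overlaps(plan) or "none")
    # .4 and .5 share a /23 boundary; .3 and .4 do not, so they stay separate.
    print(summarize(["192.168.4.0/24", "192.168.5.0/24"]))
    print(summarize(["192.168.3.0/24", "192.168.4.0/24"]))
    # A third range such as 192.168.6.0/24 would fall outside the /23.
    print(covered_by("192.168.4.0/23", "192.168.6.0/24"))
```
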
 
kavinagpurAuthor Commented:
Hello Expert, many thanks for your reply.
I changed the router configuration of site 2 as required; the details are given below.

Site-1 (UC520):  192.168.2.0/24 (Main Site - Already Configured as VPN Server)
                           IP for LAN- 192.168.2.2 to 192.168.2.254
                           Router IP - 192.168.2.1
                          TFTP server -10.1.1.1
                          Outer interface : Dialer(Fastethernet 0/0)
                          Static IP
 

Site-2 (871 W):  192.168.4.0/23 (Remote Site)
                          Router IP                  : 192.168.4.1
                          Router Secondary IP :192.168.4.250
                          Router Ip For wireless : 192.168.6.1          
                          IP for LAN- 192.168.4.2 to 192.168.2.254
                          IP for Wireless- 192.168.6.2 to 192.168.6.254 for Wireless  

Please give me a suggestion

Thanks

0
 
kavinagpurAuthor Commented:
Hi Expert,

I ran the command as per above (ID:26094835) after changing the IP of the interface; all went right, but when I ran
Interface fastethernet 1
Crypto ipsc EZVPN Australia
I got the error: Crypto EZVPN Currently supports only one Tunnel. I don't know how to remove the existing tunnel. Please suggest what I should do now.

Thanks

0
 
GuruChiuCommented:
Looks like you have some other configuration in there that interferes. Can you please post the complete configuration for the UC520 & 877w? You should remove the public IP as well as any user/password for your own protection.
0
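Added example (not part of the original thread): one way to scrub an IOS configuration before attaching it to a public post, as advised above. The sample config is constructed from the command forms used in this thread; the key, username, password and the 8.8.8.8 stand-in for a public peer address are made-up values, and the three secret patterns are an assumption about which lines matter, not a complete list.

```python
import ipaddress
import re

# (pattern, replacement) pairs for lines that carry credentials.
SECRET_PATTERNS = [
    # group EZVPN_GROUP_1 key <shared-key>
    (re.compile(r"^(\s*group\s+\S+\s+key\s+)\S+", re.I), r"\1<removed>"),
    # username <user> password|secret [type] <value>
    (re.compile(r"^(\s*username\s+)\S+(\s+(?:password|secret)\s+(?:\d\s+)?)\S+",
                re.I), r"\1<removed>\2<removed>"),
    # [enable] password|secret [type] <value>
    (re.compile(r"^(\s*(?:enable\s+)?(?:password|secret)\s+(?:\d\s+)?)\S+",
                re.I), r"\1<removed>"),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample input; every secret and address here is made up.
SAMPLE = """\
crypto ipsec client ezvpn AustraliaVPN
 connect auto
 group EZVPN_GROUP_1 key ExampleSharedKey
 mode client
 peer 8.8.8.8
 username branchuser password ExamplePass
 xauth userid mode local
interface Vlan1
 ip address 192.168.4.1 255.255.255.0
 crypto ipsec client ezvpn AustraliaVPN inside"""


def _mask_public(match):
    """Replace globally routable IPv4 addresses; keep private ones and masks."""
    text = match.group(0)
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:  # not a valid address, e.g. a version string
        return text
    return "<public-ip>" if addr.is_global else text


def sanitize(config):
    """Return config with credentials and public IPv4 addresses redacted."""
    out = []
    for line in config.splitlines():
        for pattern, repl in SECRET_PATTERNS:
            line, count = pattern.subn(repl, line)
            if count:
                break  # first matching credential pattern wins
        out.append(IPV4.sub(_mask_public, line))
    return "\n".join(out)


if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Private addressing and netmasks are left in place because they are what a reader needs in order to debug routing and overlap problems.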
 
kavinagpurAuthor Commented:
Hello Expert,

Herewith please find the attachment with the configuration of both routers.

Thanks
Cisco-871-W.txt
Cisco-UC520.txt
0
 
kavinagpurAuthor Commented:
Hello expert,

When I ran no crypto ipsec client ezvpn Australia I got the error: Error: crypto Ezvpn Australia is in use by an outersideinterface;can't delete
I am not sure what this is, please suggest.

Thanks
0
 
GuruChiuCommented:
I looked at Cisco-871-W.txt and the file is mixed with a lot of other garbage. Can you please post a clean configuration again?

From what I can see in the file, you seem very mixed up about which VPN policy to use, and which interface is inside and which is outside.

Inside is where you connect your internal computers. In this case, it looks like VLAN1.

Outside is where you connect to the internet, which looks to me like ATM0.1.

Neither FastEthernet0 nor FastEthernet1 should be outside. If I overlooked something, please let me know.

If what I observe is true, then you need:
interface FastEthernet0                      
no crypto ipsec client ezvpn Australia                                    
!
interface FastEthernet1                      
no crypto ipsec client ezvpn AustraliaVPN                                      
interface VLAN1
no crypto ipsec client ezvpn Australia inside
exit                                      
no crypto ipsec client ezvpn Australia
interface ATM0.1 point-to-point                              
 crypto ipsec client ezvpn AustraliaVPN                                      
0
 
kavinagpurAuthor Commented:
Hello Expert,

Sorry for the delay, I had a physical problem with the router.

Herewith please find the attached new configuration of the Cisco 877.

Let me know what needs to be done on it.

Thanks

Vikas
New-Conf-Cisco-877.txt
0
 
GuruChiuCommented:
You need to add these:

crypto ipsec client ezvpn AustraliaVPN
 connect auto
 group EZVPN_GROUP_1 key coinopsolutions.com
 mode client
 peer xxx.xxx.xxx.xxx
 username xxxxx password xxxxx
 xauth userid mode local
interface VLAN1
 crypto ipsec client ezvpn AustraliaVPN  inside
exit                                      
interface ATM0.1 point-to-point                              
 crypto ipsec client ezvpn AustraliaVPN                                      
0
 
kavinagpurAuthor Commented:
Hello Expert,

I ran the commands as mentioned above, but I am not able to ping the UC520 (192.168.2.1) or the TFTP server, and the VPN light on the router is also down. For more details I attached the config of the 877. Please give me guidance.

Thanks

Vikas
0
 
kavinagpurAuthor Commented:
Sorry

Herewith please find the attached configuration after configuring VPN on the 877 W.

Thanks
VPN.txt
0
 
kavinagpurAuthor Commented:
If I connect to the UC520 from the dial-up VPN, I am able to ping the UC520 and also the TFTP server.

Thanks
0
 
kavinagpurAuthor Commented:
Hello,

When I tried to create the VPN through SDM, everything went fine but only the tunnel status was down.

Please suggest what needs to be done on both routers.

Thanks

Vikas
0
 
kavinagpurAuthor Commented:
Hi,

Please look at this SDM error.

Download the attached file.

Thanks

Vikas

Vpn-Error.jpg
0
 
kavinagpurAuthor Commented:
Hello Expert,

I am still waiting for your reply.

Thanks

VIkas
0
 
kavinagpurAuthor Commented:
Hi Expert,

When I open HyperTerminal, the following error keeps running:

*Aug 24 19:57:13.039: EZVPN(VPN) Server does not allow save password option,
enter your username and password manually
*Aug 24 19:57:13.039: EZVPN(VPN): *** Logic Error ***
*Aug 24 19:57:13.039: EZVPN(VPN): Current State: READY
*Aug 24 19:57:13.039: EZVPN(VPN): Event: MODE_CONFIG_REPLY
*Aug 24 19:57:13.039: EZVPN(VPN): Resetting the EZVPN state machine to recover
*Aug 24 19:57:13.043: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZVPN_GROUP_1 Client_public_addr=XXXXXX Server_public_addr=YYYYY

Please give me guidance.

Thanks

VIkas
0
 
GuruChiuCommented:
In the 877 config, under

crypto ipsec client ezvpn AustraliaVPN

Do you have this line:
 username xxxxx password xxxxx

where xxxx are valid username and password?

Anyway, you can also add these lines in UC520 config:
crypto isakmp profile sdm-ike-profile-1
save-password
0
 
kavinagpurAuthor Commented:
Hello expert,

I got an error after entering the above command on the UC520:

coinop-uc520(config)#crypto isakmp profile sdm-ike-profile-1
% A profile is deemed incomplete until it has match identity statements
coinop-uc520(conf-isa-prof)#exit
coinop-uc520(config)#crypto isakmp profile sdm-ike-profile-1
% A profile is deemed incomplete until it has match identity statements
coinop-uc520(conf-isa-prof)#sav
coinop-uc520(conf-isa-prof)#save
coinop-uc520(conf-isa-prof)#save pass
coinop-uc520(conf-isa-prof)#save password
                             ^
% Invalid input detected at '^' marker.

coinop-uc520(conf-isa-prof)#save-pa
coinop-uc520(conf-isa-prof)#save-password
                             ^
% Invalid input detected at '^' marker.

coinop-uc520(conf-isa-pro

What is wrong? Please suggest.

Thanks

Vikas
0
 
GuruChiuCommented:
Which version of UC520 are you running? Can you please post
sh ver
0
 
GuruChiuCommented:
Sorry I just saw my typo. The correct commands are:

crypto isakmp client configuration group EZVPN_GROUP_1
save-password

I was copying and pasting from your config and I selected the wrong line. Sorry about the confusion.
0
 
kavinagpurAuthor Commented:
hi ,

I found this error in UC520

000473: Dec 29 07:15:51.036: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 59.99.58.100

pls suggest

Thanks
0
 
kavinagpurAuthor Commented:
Hello

When I created a VPN through SDM all went well, but I found 1 error on the tunnel (Easy VPN is responding but the tunnel is not established).

Pls suggest

Thanks
0
 
kavinagpurAuthor Commented:
Hello expert,

If the mode of the Cisco 877 W is client, what will be the mode of the UC520? Please suggest.

Thanks

Vikas
0
 
kavinagpurAuthor Commented:
Hi,

The error keeps occurring on the 877 W:

*Aug 24 21:53:04.214: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=EZVPN_GROUP_1 Client_public_addr=59.99.58.100 Server_public_addr=58.108.208.65

*Aug 24 21:53:05.858: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 58.108.208.65

Pls suggest

Thanks

Vikas
0
 
kavinagpurAuthor Commented:
Hi Expert,

Now the VPN status is up but I am unable to ping the TFTP server.

Please suggest.

Thanks

Vikas
0
 
GuruChiuCommented:
Pls post
sh cry ip sa
0
 
GuruChiuCommented:
on both the UC520 & 877.
0
 
kavinagpurAuthor Commented:
Hello Expert,


Please download the attachment to see the SAs of both routers.

Please suggest how to ping the TFTP server from the Cisco 877, and also both routers from both sites.

TFTP is configured on the UC520:
interface BVI1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

Thanks

Vikrant
SA-UC520.txt
SA-Cisco-877-W.Txt
0
 
kavinagpurAuthor Commented:
Hi, Expert,

I am still waiting for your reply, please, it's very urgent.
For more clarification I attached the running configuration of both routers.

Thanks

VIkas
30-Dec-UC520.Txt
30-Dec-877-W.Txt
0
 
GuruChiuCommented:
I looked at your output for sh cry ip sa. The problem is you have multiple virtual access that try to establish VPN at the same time.

I looked further at your configuration and saw that you have many conflicting VPN configurations:

You have EzVPN
You have DMVPN
You have vpdn

How many different VPNs do you need to support? How many sites do you need to support? Do you need to support client VPN as well?

Please make up your mind before I can help you further.
0
 
kavinagpurAuthor Commented:
Hello Expert,

VPDN is for dial-up VPN; we have Esoft phone, and for that I used VPDN. EZVPN is for router-to-router VPN, for using the VoIP hardware device. Let me know whether this is possible or not; I want to keep both connections. DMVPN is unnecessary and I removed it.

Please give me a suggestion on what I should do now.

Thanks

Vikas
0
 
kavinagpurAuthor Commented:
If we can create a router-to-router VPN by using VPDN, please give a VPDN configuration for the 877 W router.

Suggest how to configure VPDN on the 877 W.

Thanks

Vikas
0
 
GuruChiuCommented:
So far I have never had VPDN & EzVPN co-exist. Let me do some research and get back to you.
0
 
kavinagpurAuthor Commented:
OK

Please let me know: can we create a router-to-router VPN by using VPDN? If yes, how?

Thanks

VIkas
0
 
kavinagpurAuthor Commented:
Hello Expert,

I am still waiting for your reply.

Thanks

Vikas
0
 
kavinagpurAuthor Commented:
Hello Expert,

I found some links with information about VPDN together with EZVPN. I read them but I am still very confused; please suggest how to configure VPDN together with EZVPN. The links are given below:

http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/sampconf.pdf

http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/sampconf.pdf

Thanks

Vikas
0
 
kavinagpurAuthor Commented:
Hello Expert,

I removed VPDN, but I am still unable to ping the UC520 from here. Please give me a proper solution.

Thanks
0
 
GuruChiuCommented:
Sorry been tied up the last few days. Will try to look into this again.
0
 
kavinagpurAuthor Commented:
Many thanks, Expert.

Now I believe my issue will be resolved.
Please suggest how to configure VPDN & EZVPN to co-exist. We have already done the VPN configuration through EZVPN between the two routers, & VPDN for dial-up users.

There are two types of VPN configured on the UC520:

VPDN is configured for dial-up users; they access the internet from a USB stick & connect to the VPN (UC520) through dial-up.

EZVPN is configured for the branch office, meaning router-to-router VPN (Cisco UC 520 to Cisco 877).

But we have an issue: when I connect to the VPN server (UC520) through dial-up everything runs fine, and I am also able to ping the UC520 & that interface from any system.
But when I am on the router-to-router VPN, I am unable to ping the UC520 & that interface, although I saw on the Cisco 877 W router that the VPN status is UP...
I want to keep both VPNs (VPDN and also EZVPN).

Thanks

Vikas


0
 
kavinagpurAuthor Commented:
Hello expert,

What happened, why are you taking more time? I keep my hope on you to resolve this issue, please suggest.

Thanks
0
 
GuruChiuCommented:
It is difficult for me. I have a demanding full-time job and I am not paid to answer questions in EE. My priority is to serve my paying customers.

Working on this problem is actually more difficult than working with my customers' routers. I do not have access to your routers. All I have is the configuration, which sometimes has poor formatting that makes it difficult to read, and I have to guess. I have not given up yet, but it may help if we start from something clean:

Remove all IPSec configuration; you can keep the vpdn configuration.
I will give you clean commands to input.

Please let me know what you think.
0
 
kavinagpurAuthor Commented:
OK, I want to remove VPDN and also EZVPN & I want to configure only router-to-router VPN, please suggest.

I will become your paying customer; please suggest what I should do for that.

Thanks
0
 
GuruChiuCommented:
I don't mean you have to pay. I just want to help you solve your problem. Pls email me ktchiu@cland.com so that you can give me real IP addresses and login credential so that I can troubleshoot the problem live.

I don't mean to remove VPDN either. I think they can co-exist. I just think that the best way to solve the problem is to start from the beginning - without any EzVPN and/or site-to-site IPSec VPN.
0
 
kavinagpurAuthor Commented:
Thanks Expert
0
