Cisco 851W IpSec VPN

Kjartane
I have a Cisco 851W installed with all basic settings configured. My internal network is natted out on a leased fiber with static ip-address.
Can anybody please guide me in the right direction to get an ipsec vpn up and running that I can use to connect via other (external) computers and an iphone?
I know there are lots of other ways to get access to my network, but for educational reasons I would like to try to get this to work.
John Meggers, Network Architect

Commented:
You want to do a remote-access IPSec VPN to connect to the 851.  The first questions are what code are you running and what feature set is it?  Let's start there.

Author

Commented:
show running-config and show version attached.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
clock timezone GMT+1 1
clock summer-time summertime recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-3070607387
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3070607387
 revocation-check none
 rsakeypair TP-self-signed-3070607387
!
!
crypto pki certificate chain TP-self-signed-3070607387
 certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid SPDA
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 123456789ABCDEF
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool sdm-pool1
   network 192.168.1.0 255.255.255.0
   domain-name example.com
   dns-server 192.168.1.20
   default-router 192.168.1.1
!
ip dhcp pool static
   host 192.168.1.2 255.255.255.0
   client-identifier 0120.cf30.1f3c.28
   client-name Main
!
ip dhcp pool sec
   host 192.168.1.3 255.255.255.0
   client-identifier 0100.0e7f.1f3c.ad
   client-name Sec
!
ip dhcp pool pico
   host 192.168.1.7 255.255.255.0
   client-identifier 0100.0e7f.4abe.9a
   client-name Pico
!
ip dhcp pool iphone
   host 192.168.1.99 255.255.255.0
   client-identifier 0104.1e64.3f1a.4f
   client-name iPhone3GS
!
!
ip cef
!
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description WAN LINK
 ip address 192.168.2.100 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 description Wireless LAN
 no ip address
 !
 encryption mode ciphers aes-ccm tkip
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid SPDA
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2437
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.1.50 80 interface FastEthernet4 80
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password 7 xxxxxxxxxx
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 password 7 xxxxxxxxxxx
 logging synchronous
 login local
 transport preferred ssh
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
sntp server 4.2.2.2 version 3
end



Show version:

Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 15-Sep-09 01:49 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Cisco uptime is 9 weeks, 3 days, 13 hours, 9 minutes
System returned to ROM by reload at 17:03:30 summert Sun Aug 15 2010
System restarted at 17:04:11 summertime Sun Aug 15 2010
System image file is "flash:c850-advsecurityk9-mz.124-15.T10.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 851W (MPC8272) processor (revision 0x300) with 59392K/6144K bytes of memory.
Processor board ID FCZ1353C191
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
5 FastEthernet interfaces
1 802.11 Radio
128K bytes of non-volatile configuration memory.
20480K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102


John Meggers, Network Architect
Commented:
I'm not an expert on the wireless side of the 851W, but basically what you want to do is EZ VPN server, which is very easy on the client side, but not really quite so easy on the server side.  You should take a look at the configuration guide for 12.4 IOS, specifically in the security section.  There's a chapter on setting up EZVPN server in there.  There's information you may have to enter that you wouldn't normally enter as part of a site-to-site VPN setup, but it's because you have clients connecting to you and you may have to give them information on things like DNS and WINS.  Also, you need to know what you're going to do with user authentication in addition to the tunnel authentication.  The example below uses RADIUS.

But here's a sample config from the guide:


! Enable policy look-up via AAA. For authentication and authorization, send requests to
! RADIUS first, then try local policy.
aaa new-model
aaa authentication login userlist group radius local
aaa authorization network grouplist group radius local
!
username cisco password 0 cisco

! Configure IKE policies, which are assessed in order so that the first policy that matches the proposal of the client will be used.
crypto isakmp policy 1
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
!
! Define "cisco" group policy information for mode config push.
crypto isakmp client configuration group cisco
 key cisco
 dns 10.2.2.2 10.2.2.3
 wins 10.6.6.6
 domain cisco.com
 pool green
 acl 199
! Define default group policy for mode config push.
crypto isakmp client configuration group default
 key cisco
 dns 10.2.2.2 10.3.2.3
 pool green
 acl 199
!
!
crypto ipsec transform-set dessha esp-des esp-sha-hmac
!
crypto dynamic-map mode 1
 set transform-set dessha
!
! Apply mode config and xauth to crypto map "mode." The list names that are defined here
! must match the list names that are defined in the AAA section of the config.
crypto map mode client authentication list userlist
crypto map mode isakmp authorization list grouplist
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode
!
!
controller ISA 1/1
!
!        
interface FastEthernet0/0
 ip address 10.6.1.8 255.255.0.0
 ip route-cache
 ip mroute-cache
 duplex auto
 speed auto
 crypto map mode
!
interface FastEthernet0/1
 ip address 192.168.1.28 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
! Specify IP address pools for internal IP address allocation to clients.
ip local pool green 192.168.2.1 192.168.2.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.6.0.1
!
! Define access lists for each subnet that should be protected.
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.3.0 0.0.0.255 any
!
! Specify a RADIUS server host and configure access to the server.
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key XXXXX
radius-server retransmit 3
!

I know there's a lot here to digest.  But basically, once you have this in place, you install the IPSec client on the computer and create a connection using the information you've configured on the server.
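The guide's sample above, adapted to the 851W in this thread as an added example (not text from the guide or from Cisco): it keeps the router's existing local logins and NAT working and replaces the sample's DES transform with AES. Assumed, not from the page: the address pool 192.168.50.0/24, the names vpnmap, dynmap, homevpn, vpnpool and nat-inside, both placeholder secrets, and that the 851W's overload NAT is currently sourced from access-list 1 (the posted config defines that ACL but the overload statement itself is not shown).

```cisco
! Added example for the 851W, not from the guide. Names, the pool and the
! placeholder secrets are assumptions; replace them before use.
! aaa new-model takes over console/vty login, so keep the default local.
aaa new-model
aaa authentication login default local
aaa authentication login vpn-users local
aaa authorization network vpn-groups local
username vpnuser secret VPN-USER-PASSWORD-PLACEHOLDER
!
! Phase 1: AES/SHA/group 2 with a pre-shared key. The iPhone's built-in
! Cisco IPSec client negotiates AES or 3DES, not the sample's DES.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! Group policy pushed by mode config: LAN DNS, address pool, and a
! split-tunnel ACL so only 192.168.1.0/24 is sent through the tunnel.
crypto isakmp client configuration group homevpn
 key GROUP-PSK-PLACEHOLDER
 dns 192.168.1.20
 domain example.com
 pool vpnpool
 acl 120
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aes-sha
!
! The list names here must match the aaa lines above.
crypto map vpnmap client authentication list vpn-users
crypto map vpnmap isakmp authorization list vpn-groups
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet4
 crypto map vpnmap
!
ip local pool vpnpool 192.168.50.1 192.168.50.10
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
! NAT exemption: LAN replies to VPN clients must not be translated, or they
! leave FastEthernet4 with the public address and never match the tunnel.
ip access-list extended nat-inside
 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list nat-inside interface FastEthernet4 overload
```

After applying it, `show crypto isakmp sa` and `show crypto ipsec sa` on the router show whether a client reached Phase 1 and Phase 2, which narrows down where a failing connection stops.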



Author

Commented:
Hi. Appreciate the response. I will try to use your suggestion.
About installing the ipsec client on a computer; that is not a problem, however, will it work with an iphone where installing the client would be a harder task?
Will get back to you when I'm done.
John Meggers, Network Architect

Commented:
IPSec VPN will work from an iPhone.  See http://support.apple.com/kb/ht1424.  

Author

Commented:
Thanks jmeggers. It worked for me. Sorry that it took so long to assign points.
