Solved

Cisco 1841 EasyVPN set-up

Posted on 2011-05-02
Last Modified: 2012-06-27
I have Cisco 1841 router and I need some help on EasyVPN set-up.
Can someone walk me through the configuration process?

Question by:stasila2010

Expert Comment

by:GuruChiu
ID: 35505182
I assume you mean EzVPN server setup. This is an example from Cisco:

version 12.3
!--- For local authentication of the IPSec user,
!--- create the user with password.

username remoteuser1 password 0 remotepass1
username cisco password 0 cisco
!--- Enable the authentication, authorization, and accounting (AAA)
!--- access control model.

aaa new-model
!
!
!--- Enable X-Auth for user authentication.
aaa authentication login userauthen local

!--- Enable group authorization.
aaa authorization network StorageGroup local
aaa session-id common
!--- Create an Internet Security Association and Key Management Protocol (ISAKMP)
!--- policy for Phase 1 negotiations for the hardware client.

crypto isakmp policy 10
hash sha
enc aes 128
authentication pre-share
group 2
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
ip access-list extended SplitTunnel
permit ip 10.1.101.0 0.0.0.255 any
!--- Create a pool of addresses to be assigned to the VPN Clients.
ip local pool pool100 10.1.100.100 10.1.100.127

!--- Create a group that will be used to specify the
!--- Windows Internet Name Service (WINS) and Domain Name System (DNS)
!--- servers' addresses to the hardware client for authentication.
crypto isakmp client configuration group StorageGroup
acl SplitTunnel
key smart
save-password
dns 10.1.101.11
wins 10.1.101.10
domain cland.com
pool pool100
!
!
!--- Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
!--- Create a dynamic map and apply the transform set that was created above.
!--- Reverse Route Injection

crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route
!
!--- Create the actual crypto map, and apply  
!--- the aaa lists that were created earlier.

crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
!--- Apply the crypto map on the outside interface.
crypto map vpnmap
!
!--- Forward VPN traffic to Loopback to bypass NAT
ip access-list extended ra-net
 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
route-map BypassNAT permit 10
 match ip address ra-net
 set interface Loopback1
interface FastEthernet0/1
 ip policy route-map BypassNAT


Author Comment

by:stasila2010
ID: 35505808
Thank you for your quick reply. In your example which FE# is the outside interface?
I am a bit confused with the internal subnets and DHCP pool.

My LAN subnet is 10.1.1.0 - I am assuming I have to change the DHCP pool to match my LAN subnet?

Expert Comment

by:tlrjohn
ID: 35506031
Yes, you will have to adjust the DHCP pool to match your internal network address.  Do not overlap existing DHCP addresses.  Also update WINS, DNS and domain as needed.

Expert Comment

by:GuruChiu
ID: 35506047
This is just an example. Please use your own names, subnets, pre-share key etc.
"StorageGroup, aessha, SplitTunnel, BypassNAT, ra-net, vpnmap" are all example names which you can freely change.

In this example, FastEthernet0/0 is the public interface.

This example is a little complicated because it needs to bypass NAT (static NAT) for VPN traffic. If you do not have this need, you can remove the related config.


Author Comment

by:stasila2010
ID: 35506084
Here is my running-config so far:

username remoteuser1 password 0 remotepass1
username cisco password 0 cisco

aaa new-model

aaa authentication login userauthen local

aaa authorization network StorageGroup local
aaa session-id common

crypto isakmp policy 10
hash sha
enc aes 128
authentication pre-share
group 2
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2

ip access-list extended SplitTunnel
permit ip 10.1.1.0 0.0.0.255 any

ip local pool pool100 10.1.1.200 10.1.1.240

crypto isakmp client configuration group StorageGroup
acl SplitTunnel
key smart
save-password
dns 10.1.1.11
wins 10.1.1.13
domain cland.com
pool pool100


crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac


crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route


crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

And I am stuck here. I am confused with the IP addresses and which interface is outside in this example.

interface FastEthernet0/0
!--- Apply the crypto map on the outside interface.
crypto map vpnmap
!
!--- Forward VPN traffic to Loopback to bypass NAT
ip access-list extended ra-net
 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
route-map BypassNAT permit 10
 match ip address ra-net
 set interface Loopback1
interface FastEthernet0/1
 ip policy route-map BypassNAT


Author Comment

by:stasila2010
ID: 35506117
Yes, I do understand that this is an example. I will change all the names, passwords, etc after confirming that it's working.

Author Comment

by:stasila2010
ID: 35506278
So if I don't use NAT then I am assuming that I don't need that part?

!--- Forward VPN traffic to Loopback to bypass NAT
ip access-list extended ra-net
 permit ip 10.10.10.0 0.0.0.255 10.10.100.0 0.0.0.255
interface Loopback1
 ip address 10.1.1.1 255.255.255.252
route-map BypassNAT permit 10
 match ip address ra-net
 set interface Loopback1
interface FastEthernet0/1
 ip policy route-map BypassNAT

Expert Comment

by:GuruChiu
ID: 35507273
Yes, you do need those if you do not have NAT.

The example assumes you already have an IP address, default route, etc. configured for your public interface. In the example it is using FastEthernet0/0 as the outside interface, to which the crypto map will be applied. Change it to whatever you are using.

Author Comment

by:stasila2010
ID: 35698009
VPN clients are receiving an IP address with the subnet mask but not a default gateway, therefore I can't ping any PC on the office LAN.
Here is my config.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker

aaa new-model

aaa authentication login userauthen local
aaa authorization network StorageGroup local
!
!
aaa session-id common
ip cef

ip name-server 206.200.0.140
!
multilink bundle-name authenticated

username mike password 0 test

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key smart
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain domain.local
 pool pool100
 acl SplitTunnel
 save-password
 include-local-lan
 backup-gateway 10.1.1.13
 backup-gateway 10.1.1.18
 netmask 255.255.255.0

crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route remote-peer 10.1.1.18

crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.x 255.255.255.248
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.1.200 10.1.1.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
ip route 10.1.1.0 255.255.255.0 FastEthernet0/1
!
!
ip http server
no ip http secure-server
!
ip access-list extended SplitTunnel
 permit ip 10.0.0.0 0.255.255.255 any

control-plane

Expert Comment

by:GuruChiu
ID: 35699221
The client will not receive a default gateway. It will still have the same default gateway to access the internet locally. The only gateway it will have is for the subnets in the SplitTunnel. You should see a new route to 10.0.0.0/8.

However, your pool is not correct. The pool should be a new subnet, not overlapping with any of your existing subnets.
e.g.
ip local pool pool100 10.1.2.200 10.1.2.240
Author Comment

by:stasila2010
ID: 35708286
I have changed the IP pool as you suggested but I still can't ping any host on my local subnet. Please advise.
Author Comment

by:stasila2010
ID: 35731498
I cannot ping any devices nor access any of the internal resources (network shares, RDP, application servers, etc.). Any help would be highly appreciated.

Expert Comment

by:GuruChiu
ID: 35731846
Did you have a route to the new pool you created?

I also notice that you have:
interface FastEthernet0/0
 ip nat inside

Are you sure you do not have NAT? With NAT, there are some details that need to be taken care of.
Author Comment

by:stasila2010
ID: 35731909
Please take a look at my full config.

hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 206.191.x.140
ip name-server 10.1.1.3
!
multilink bundle-name authenticated
!
!
!
!
username mike password 0 test
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key test
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain castgroup.local
 pool pool100
 acl SplitTunnel
 save-password
 netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.11 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip default-gateway 10.1.1.13
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
 permit ip 10.1.1.0 0.0.0.255 any
!
access-list 100 permit ip 10.1.2.0 0.0.0.255 any


Expert Comment

by:GuruChiu
ID: 35731969
Your access-list 100 should be:
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
Author Comment

by:stasila2010
ID: 35732067
I am still unable to ping any host on my network 10.1.1.0.
Here is the output from sh cryp ip sa & sh ip route:

Router#sh cryp ip sa

interface: FastEthernet0/1
    Crypto map tag: vpnmap, local addr 173.206.x.11

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
   current_peer 66.49.137.44 port 60273
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 48, #pkts decrypt: 48, #pkts verify: 48
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 173.206.x.11, remote crypto endpt.: 66.49.137.44
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xB4616E5F(3026284127)

     inbound esp sas:
      spi: 0x9CA7EFE8(2628251624)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4523731/3540)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB4616E5F(3026284127)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4523739/3532)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

sh ip route

Gateway of last resort is 173.206.x.9 to network 0.0.0.0

     173.206.0.0/29 is subnetted, 1 subnets
C       173.206.x.8 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, FastEthernet0/0
S       10.1.2.200/32 [1/0] via 66.49.137.44
S*   0.0.0.0/0 [1/0] via 173.206.x.9


Accepted Solution

by:GuruChiu
ID: 35734326
From your output, I know these:

The VPN is negotiated correctly.
Your network is sending traffic to you, but did not get anything back.

The problem is your internal hosts are NATed, even for VPN traffic. That means, e.g., if you ping 10.1.1.3, 10.1.1.3 responds back, but it was NATed to 173.206.x.11. So you never see anything come back from 10.1.1.3.

To fix that, you need to use these commands:

!--- Remove the old NAT statement and ACL 100.
no ip nat inside source list 100 interface FastEthernet0/1 overload
no access-list 100
!--- Deny NAT for LAN-to-VPN-pool traffic; NAT everything else from the LAN.
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!--- The route-map matches the ACL defined above by its number.
route-map nonat permit 10
 match ip address 100
ip nat inside source route-map nonat interface FastEthernet0/1 overload
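As an added check that is not part of the thread (my example, not Cisco's or the posters' code), a short Python lint that flags the two defects these configs show: a NAT route-map whose match ACL is never defined (the running-config further down matches VPN-traffic while the ACL is numbered 100) and a client address pool that overlaps an interface subnet. The configuration text is a constructed excerpt with a placeholder public address.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed excerpt modelled on the thread's running-config (placeholder public address), not the real router config.
CONSTRUCTED_CONFIG = """\
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 173.206.0.11 255.255.255.248
 ip nat outside
ip local pool pool100 10.1.1.200 10.1.1.240
ip nat inside source route-map nonat interface FastEthernet0/1 overload
access-list 100 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address VPN-traffic
"""

def parse(config):
    """Collect ACL names, route-map match ACLs, interface subnets and pools."""
    acls, route_maps, subnets, pools = set(), {}, [], []
    current_map = None  # name of the route-map stanza we are inside, if any
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", s):
            acls.add(m[1])
        elif m := re.match(r"route-map (\S+) ", s):
            current_map = m[1]
            route_maps.setdefault(current_map, [])
        elif (m := re.match(r"match ip address (.+)", s)) and current_map:
            route_maps[current_map] += m[1].split()
        elif m := re.match(r"ip address (\S+) (\S+)", s):
            subnets.append(ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", s):
            pools.append((m[1], ip_address(m[2]), ip_address(m[3])))
        if not line.startswith(" ") and not s.startswith("route-map"):
            current_map = None  # any other top-level line ends the stanza
    return acls, route_maps, subnets, pools

def lint(config):
    """Return findings: undefined NAT route-map or match ACL, pool overlapping a subnet."""
    acls, route_maps, subnets, pools = parse(config)
    findings = []
    for m in re.finditer(r"^ip nat inside source route-map (\S+)", config, re.M):
        if m[1] not in route_maps:
            findings.append(f"NAT references undefined route-map {m[1]}")
        for acl in route_maps.get(m[1], []):
            if acl not in acls:  # the deny entries meant to exempt VPN traffic are never consulted
                findings.append(f"route-map {m[1]} matches undefined ACL {acl}")
    for name, first, last in pools:
        for net in subnets:
            if first in net or last in net:
                findings.append(f"pool {name} {first}-{last} overlaps interface subnet {net}")
    return findings

# Corrected variant: route-map points at ACL 100 and the pool moves off the LAN subnet.
FIXED_CONFIG = (CONSTRUCTED_CONFIG
                .replace("match ip address VPN-traffic", "match ip address 100")
                .replace("pool100 10.1.1.200 10.1.1.240", "pool100 10.1.2.200 10.1.2.240"))
```

Run lint() on a saved "show running-config" to get the same two findings before the fix and none after it.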

Author Comment

by:stasila2010
ID: 35739603
I have applied your config but still not able to ping any hosts on my 10.1.1.1 network.
Here is the config with sh ip route.

Building configuration...

Current configuration : 2068 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 206.191.x.140
ip name-server 10.1.1.3
!
multilink bundle-name authenticated
!
!
!
!
username mike password 0 test

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key test
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain domain
 pool pool100
 acl SplitTunnel
 save-password
 netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.11 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
 permit ip 10.1.1.0 0.0.0.255 any
!
access-list 100 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
!
route-map nonat permit 10
 match ip address VPN-traffic


sh ip route
Gateway of last resort is 173.206.x.9 to network 0.0.0.0

     173.206.0.0/29 is subnetted, 1 subnets
C       173.206.x.8 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, FastEthernet0/0
S       10.1.2.200/32 [1/0] via 67.212.13.26
S*   0.0.0.0/0 [1/0] via 173.206.x.9


Router#sh cryp ip sa

interface: FastEthernet0/1
    Crypto map tag: vpnmap, local addr 173.206.x.11

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
   current_peer 67.212.13.26 port 61277
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 173.206.x.11, remote crypto endpt.: 67.212.13.26
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xBB412AC8(3141610184)

     inbound esp sas:
      spi: 0x39F28194(972194196)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4583849/3264)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB412AC8(3141610184)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4583862/3255)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:



Author Comment

by:stasila2010
ID: 35747058
Is there anything else we can try?