03-08-2006 01:41 AM - edited 03-03-2019 02:10 AM
Hi,
I have got a Cisco 1751 with the IPsec IOS, having 2 Ethernet ports. Now I want to have a VPN server on this router, so how do I configure it? The requirement is: 1 port will have a public IP and the other port will have a private IP pointing towards my LAN. I want to access the office LAN from my WinXP laptop at home having a broadband connection; by connecting to the public IP of the router, I will be accessing my office LAN and I get a private IP defined in the pool on the router. So how do I configure it? Earlier I was using it through a Windows 2000 server, which is working fine; now I have decided to put a router in place of that.
03-08-2006 01:55 AM
Hi Ananda
There are several steps to configure a VPN connection between a router and a PC.
I'm listing below a sample template of a config that I build on usually:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default group tacacs+
Router1(config)#aaa authentication enable default group tacacs+
Router1(config)#tacacs-server host 172.25.1.1
Router1(config)#tacacs-server key xxx
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac esp-3des
Router1(cfg-crypto-trans)#mode tunnel
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto dynamic-map VPN-USER-MAP 50
Router1(config-crypto-map)#description A dynamic crypto map for VPN users
Router1(config-crypto-map)#match address 115
Router1(config-crypto-map)#set transform-set VPN-TRANSFORMS
Router1(config-crypto-map)#exit
Router1(config)#access-list 115 deny ip any 224.0.0.0 15.255.255.255
Router1(config)#access-list 115 deny ip any 172.25.1.255 0.0.0.0
Router1(config)#access-list 115 permit ip any any
Router1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.25.1.5 255.255.255.0
Router1(config-if)#crypto map CRYPTOMAP
Router1(config-if)#end
Router1#
I will try to explain the above to my best abilities.
1. Set up the ISAKMP policy using the crypto isakmp policy command and select your encryption, authentication and group.
2. After doing this, we need to define the IPSec VPN properties. We begin by defining the transform set that we want to use for these VPN connections. We will call this transform set VPN-TRANSFORMS. The VPN will use the esp-sha-hmac and esp-3des transforms.
3. Because the workstation could, in principle, be anywhere on the Internet, we can't even define an IP address for it. But, to use IPSec on a Cisco router, we need to create a crypto map, which is a template for the SA that IPSec will use for this session. So in this case we are using a dynamic map statement "crypto dynamic-map VPN-USER-MAP 50".
4. This creates a dynamic map called VPN-USER-MAP. The number (50) on the end of the line is a sequence number, similar to the sequence numbers used in route map statements.
5. The access list here blocks any packets whose destination addresses are either multicasts or local broadcasts. Obviously this type of traffic cannot possibly be associated with a VPN.
6. We can then build the actual crypto map that references this dynamic map.
7. You apply the crypto map to the interface that will be receiving the VPN requests.
As you can see there are quite a few considerations involved.
HTH
Please rate posts that help
Regards
Arvind
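An added example (not part of the thread, and not Cisco's or the poster's code) that audits the template above once it is pasted in running-config form: it flags the 3DES and DH group 2 choices, the esp-3des transform, and, for a crypto map that references a dynamic map, the Easy VPN server lines (address pool, client group, XAUTH list, address respond) that the asker's remote users need in order to receive a pool address. The sample config, the function names and the finding strings are all constructed here.

```python
# Constructed sample in running-config form, modelled on the thread's template (not a real device).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac esp-3des
crypto dynamic-map VPN-USER-MAP 50
 match address 115
 set transform-set VPN-TRANSFORMS
crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
access-list 115 deny ip any 224.0.0.0 15.255.255.255
access-list 115 permit ip any any
"""

def parse_blocks(text):
    # Group an IOS config into (top-level command, [indented sub-commands]) pairs.
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit_ipsec_config(text):
    """Return a list of findings for the IKE/IPsec settings in an IOS config."""
    findings, blocks = [], parse_blocks(text)
    heads = [h for h, _ in blocks]
    for head, children in blocks:
        if head.startswith("crypto isakmp policy"):
            for sub in children:
                kw, _, val = sub.partition(" ")
                if kw == "encryption" and val in ("des", "3des"):
                    findings.append(f"{head}: weak encryption {val}; use aes")
                if kw == "group" and val in ("1", "2", "5"):
                    findings.append(f"{head}: weak DH group {val}; use 14 or higher")
        elif head.startswith("crypto ipsec transform-set"):
            name, transforms = head.split()[3], head.split()[4:]
            for t in transforms:
                if t in ("esp-des", "esp-3des", "esp-null"):
                    findings.append(f"transform-set {name}: weak transform {t}; use esp-aes")
    # A dynamic map serves remote users, who need a pool and per-user auth (Easy VPN server lines).
    if any(" ipsec-isakmp dynamic " in h for h in heads):
        for needed in ("ip local pool", "crypto isakmp client configuration group",
                       "client authentication list", "client configuration address respond"):
            if not any(needed in h for h in heads):
                findings.append(f"remote-access: no '{needed}' line; users get no pool/xauth")
    return findings
```

Running it on the sample yields seven findings; adding the four Easy VPN server lines and switching to aes / group 14 brings it to zero.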
03-08-2006 02:03 AM
Thanks for the reply. For authentication you have specified TACACS; instead of TACACS authentication, I can also use the local user created on the router itself, isn't it?
03-08-2006 02:32 AM
Yes you may use any mode of authentication you desire including local authentication.
HTH
Please rate posts that help
Regards
Arvind