06-21-2003 05:46 PM - last edited on 02-21-2020 11:43 PM by cc_security_adm
Where can I find a configuration example for a 1720 with multiple point to point VPN's and a remote access VPN?
06-22-2003 11:48 AM
Hi, you could use these two links; even though they are not specific to the 1720, the concept will be the same.
For the router and Cisco VPN Client
http://www.cisco.com/warp/public/471/ipsecrouter_vpn.html
For multiple routers IPsec configuration
http://www.cisco.com/warp/public/707/30.html
Hope this helps
06-23-2003 05:56 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
My configurations look very similar to the examples, however I am experiencing two issues.
First, when remote site 2 attempts the VPN connection while remote site 1 is already connected, site 1 loses its connection in favor of site 2. It doesn't seem to matter who is connected to the main site first. When the other site comes in, the first connection is dropped.
Second, my VPN client is unable to establish a connection with the main site.
The configurations for the main site and one of the remotes are below. The second remote has a Linksys box and not a Cisco router.
router1#sh run
Building configuration...
Current configuration : 2759 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1
!
no logging console
enable secret 5
!
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip name-server nnn.nnn.nnn.253
ip name-server nnn.nnn.nnn.227
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.51
ip dhcp excluded-address 10.0.0.56
ip dhcp excluded-address 10.0.0.95
ip dhcp excluded-address 10.0.0.19
ip dhcp excluded-address 10.0.0.200
!
ip dhcp pool lanpool
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
lease infinite
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address xx.xx.xx.254
crypto isakmp key xxxxxxxxxx address bb.bbb.bbb.41
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group vpngroup
key xxxxxxxxxxx
pool ourpool
!
!
crypto ipsec transform-set mypolicy esp-3des esp-md5-hmac
!
crypto dynamic-map dyna 10
set transform-set mypolicy
!
!
crypto map test local-address Ethernet0
crypto map test client configuration address initiate
crypto map test client configuration address respond
crypto map test 1 ipsec-isakmp
set peer xx.xx.xx.254
set transform-set mypolicy
match address 115
crypto map test 2 ipsec-isakmp
set peer bb.bbb.bbb.41
set transform-set mypolicy
match address 120
crypto map test 10 ipsec-isakmp dynamic dyna
!
crypto map rmap local-address Ethernet0
!
!
!
!
interface Ethernet0
ip address qqq.qqq.qqq.97 255.255.255.248
ip nat outside
half-duplex
no cdp enable
crypto map test
!
interface FastEthernet0
ip address 10.0.0.1 255.255.255.0
ip nat inside
speed auto
no cdp enable
!
ip local pool ourpool 10.1.1.1 10.1.1.254
ip nat inside source route-map rmap interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 qqq.qqq.qqq.98
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
no cdp run
!
route-map rmap permit 10
match ip address 110
!
!
line con 0
exec-timeout 30 0
password
transport preferred telnet
line aux 0
line vty 0 4
password
login
!
end
router1#
router2#sh run
Building configuration...
Current configuration : 1990 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router2
!
logging rate-limit console 10 except errors
no logging console
enable secret 5
!
memory-size iomem 20
ip subnet-zero
!
!
no ip finger
ip name-server 64.80.255.250
ip name-server 64.80.255.251
!
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key xxxxxxxxxxxx address qqq.qqq.qqq.97
!
!
crypto ipsec transform-set mypolicy esp-3des esp-md5-hmac
!
crypto map test local-address Serial0
crypto map test 1 ipsec-isakmp
set peer qqq.qqq.qqq.97
set transform-set mypolicy
match address 115
!
!
!
!
interface FastEthernet0
ip address 10.0.1.1 255.255.255.0
ip nat inside
speed auto
half-duplex
no cdp enable
!
interface Serial0
description connection to Internet
ip address xx.xx.xx.254 255.255.255.252
ip nat outside
no fair-queue
no cdp enable
crypto map test
!
ip nat inside source route-map rmap interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.253
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
access-list 115 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
no cdp run
!
!
route-map rmap permit 10
match ip address 110
!
!
line con 0
exec-timeout 30 0
login
transport preferred telnet
transport input none
line aux 0
exec-timeout 30 0
modem InOut
modem autoconfigure type usr_sportster
transport preferred telnet
transport input all
stopbits 1
speed 38400
flowcontrol hardware
line vty 0 3
password
login
line vty 4
exec-timeout 30 0
password
login
transport preferred telnet
!
no scheduler allocate
end
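Before chasing the two symptoms, a practitioner first checks the two things most often wrong on a hub with several static peers: that each crypto ACL is the mirror image of the peer's crypto ACL, and that the NAT route-map ACL denies every crypto-protected flow before its catch-all permit (otherwise the traffic is translated and never matches the crypto map). The Python below is an added example, not part of the thread or of any Cisco tool; `ROUTER1`/`ROUTER2` are the crypto-map and access-list lines copied from the two configs posted above with the addresses left masked as posted, `audit` is an assumed function name, and the hub address `qqq.qqq.qqq.97` is router1's Ethernet0 address from the post. No config for the Linksys site exists on the page, so its mirror check reports `None`.

```python
"""Hub/spoke crypto-map consistency checks (added example, not from the thread).
ROUTER1/ROUTER2 are the crypto-map and access-list lines copied from the two posted
configs, addresses left masked as posted. Checks: each static crypto ACL mirrors the
peer's, and the NAT route-map ACL denies every protected flow before its catch-all
permit (otherwise tunnel traffic is translated instead of encrypted).
"""
import ipaddress
from typing import NamedTuple

class AclEntry(NamedTuple):
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def _network(tokens: list) -> ipaddress.IPv4Network:
    """Consume one IOS network spec from the token list: 'any' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}")  # hostmask == IOS wildcard

def parse_acls(config: str) -> dict:
    """Extended 'access-list N permit|deny ip SRC DST' lines, keyed by ACL number."""
    acls: dict = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            continue  # standard ACLs and non-ACL lines
        tokens = parts[4:]
        src, dst = _network(tokens), _network(tokens)
        acls.setdefault(parts[1], []).append(AclEntry(parts[2], src, dst))
    return acls

def parse_crypto_map(config: str) -> list:
    """{seq, peer, acl} for each 'crypto map NAME SEQ ipsec-isakmp [dynamic ...]' block."""
    entries, in_block = [], False
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["crypto", "map"] and "ipsec-isakmp" in parts:
            entries.append({"seq": int(parts[3]), "peer": None, "acl": None})
            in_block = True
        elif in_block and parts[:2] == ["set", "peer"]:
            entries[-1]["peer"] = parts[2]
        elif in_block and parts[:2] == ["match", "address"]:
            entries[-1]["acl"] = parts[2]
        elif parts[:1] == ["!"]:
            in_block = False
    return entries

def permitted_flows(acl: list) -> set:
    return {(e.src, e.dst) for e in acl if e.action == "permit"}

def is_mirror(local: list, remote: list) -> bool:
    # every (src, dst) permitted here must be permitted as (dst, src) there, and vice versa
    return permitted_flows(local) == {(d, s) for s, d in permitted_flows(remote)}

def unexempted_flows(crypto_acl: list, nat_acl: list) -> list:
    """Protected flows whose first NAT-ACL match is not a deny: they would be NATed."""
    def first_match(src, dst):
        return next((e for e in nat_acl if src.subnet_of(e.src) and dst.subnet_of(e.dst)), None)
    return [(s, d) for s, d in sorted(permitted_flows(crypto_acl))
            if (hit := first_match(s, d)) is None or hit.action != "deny"]

def audit(hub_cfg: str, hub_addr: str, nat_acl: str, spokes: dict) -> dict:
    """Per static peer: NAT leaks on the hub, and whether the spoke's crypto ACL mirrors
    ours (None when no config was supplied for that spoke, e.g. the Linksys site)."""
    hub_acls, report = parse_acls(hub_cfg), {}
    for entry in parse_crypto_map(hub_cfg):
        if entry["peer"] is None or entry["acl"] is None:
            continue  # dynamic entry: remote-access peers have no static ACL
        crypto_acl = hub_acls[entry["acl"]]
        result = {"acl": entry["acl"], "mirror": None,
                  "nat_leaks": unexempted_flows(crypto_acl, hub_acls[nat_acl])}
        if entry["peer"] in spokes:
            spoke_acls = parse_acls(spokes[entry["peer"]])
            result["mirror"] = any(is_mirror(crypto_acl, spoke_acls[e["acl"]])
                                   for e in parse_crypto_map(spokes[entry["peer"]])
                                   if e["peer"] == hub_addr and e["acl"])
        report[entry["peer"]] = result
    return report

# copied from the posted configs (transform-set lines dropped; addresses as masked there)
ROUTER1 = """\
crypto map test 1 ipsec-isakmp
set peer xx.xx.xx.254
match address 115
crypto map test 2 ipsec-isakmp
set peer bb.bbb.bbb.41
match address 120
crypto map test 10 ipsec-isakmp dynamic dyna
!
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
"""
ROUTER2 = """\
crypto map test 1 ipsec-isakmp
set peer qqq.qqq.qqq.97
match address 115
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
access-list 115 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

if __name__ == "__main__":  # hub_addr is router1's Ethernet0 address as posted
    print(audit(ROUTER1, "qqq.qqq.qqq.97", "110", {"xx.xx.xx.254": ROUTER2}))
```

For the posted pair the report shows peer xx.xx.xx.254 mirrored with no NAT leaks and peer bb.bbb.bbb.41 with no NAT leaks and mirror unknown. Deleting router2's `deny` line from ACL 110 and re-running with router2 as the hub makes the 10.0.1.0/24 to 10.0.0.0/24 flow show up as a NAT leak, which is the usual cause of a tunnel that negotiates but carries no traffic.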
06-23-2003 07:36 AM
1) I don't see a DHCP pool called "ourpool" for the VPN client connections.
2) I have seen Linksys routers mess up the SA when connecting to a Cisco router that already has a site-to-site connection.
06-23-2003 06:41 PM
I am getting the following:
3d11h: ISAKMP (0:0): received packet from 24.25.87.127 (N) NEW SA
3d11h: ISAKMP: local port 500, remote port 500
3d11h: ISAKMP: Locking CONFIG struct 0x818AFCFC from crypto_ikmp_config_initialize_sa, count 5
3d11h: ISAKMP (0:59): processing SA payload. message ID = 0
3d11h: ISAKMP (0:59): processing ID payload. message ID = 0
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID seems Unity/DPD but bad major
3d11h: ISAKMP (0:59): vendor ID is XAUTH
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID is DPD
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID seems Unity/DPD but bad major
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID seems Unity/DPD but bad major
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID is Unity
3d11h: ISAKMP (0:59): Checking ISAKMP transform 1 against priority 1 policy
3d11h: ISAKMP: encryption... What? 7?
3d11h: ISAKMP: hash SHA
3d11h: ISAKMP: default group 2
3d11h: ISAKMP: auth XAUTHInitPreShared
3d11h: ISAKMP: life type in seconds
3d11h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
3d11h: ISAKMP: attribute 14
3d11h: ISAKMP (0:59): Encryption algorithm offered does not match policy!
3d11h: ISAKMP (0:59): atts are not acceptable. Next payload is 3
...
3d11h: ISAKMP (0:62): no offers accepted!
3d11h: ISAKMP (0:62): phase 1 SA not acceptable!
3d11h: ISAKMP (0:62): incrementing error counter on sa: construct_fail_ag_init
3d11h: ISAKMP (0:62): Unknown Input: state = IKE_READY, major, minor = IKE_MESG_FROM_PEER, IKE_AM_EXCH
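The debug above shows the router checking the client's first Phase 1 transform against policy 1 and rejecting it on the encryption attribute. The Python below is an added example, not from the thread or from Cisco: it decodes that transform (the attribute value 7 that the image reports as "What? 7?" is AES-CBC in the IANA IKEv1 attribute registry, and the lifetime bytes are a big-endian integer), parses the two `crypto isakmp policy` blocks posted above with IOS defaults filled in (no `group` line means group 1), and lists every attribute on which the transform and each policy disagree. `DEBUG` and `POLICIES` are copied from the posts; only the one transform the post shows is decoded, since the rest was elided. Treating the client's XAUTHInitPreShared authentication as comparable with a policy's `authentication pre-share` is a modelling assumption, as are the function names.

```python
"""Decode the 'debug crypto isakmp' Phase 1 lines quoted above and compare the peer's
offered transform with each 'crypto isakmp policy' on the router.
Added example, not from the thread. DEBUG and POLICIES are copied from the posts;
attribute values follow the IANA IKEv1 (ISAKMP) attribute registry.
"""
import re

# Phase 1 "Encryption Algorithm" attribute values mapped to IOS keywords. IOS prints
# "What? N?" when the running image has no implementation of value N; 7 is AES-CBC.
ENCRYPTION_ATTR = {1: "des", 5: "3des", 7: "aes"}
# IOS defaults for attributes a policy block does not set (no 'group' line means group 1)
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": 1, "lifetime": 86400}
# Modelling assumption: the XAUTH pre-shared variant the VPN Client offers is
# compared against a policy configured with 'authentication pre-share'.
PRESHARED_VARIANTS = {"pre-share", "XAUTHInitPreShared"}

def parse_offer(debug: str) -> dict:
    """Offered transform attributes and the router's verdict, pulled from debug lines."""
    offer: dict = {"accepted": None, "reason": None}
    for line in debug.splitlines():
        if m := re.search(r"transform (\d+) against priority (\d+) policy", line):
            offer["transform"], offer["policy_checked"] = int(m[1]), int(m[2])
        elif m := re.search(r"ISAKMP:\s+encryption\S*\s+(?:What\? (\d+)\?|(\S+))", line):
            if m[1]:  # value unknown to this image: decode it from the registry table
                offer["encryption_attr"] = int(m[1])
                offer["encryption"] = ENCRYPTION_ATTR.get(int(m[1]), f"unknown({m[1]})")
            else:     # known value, printed by name, e.g. "encryption 3DES-CBC"
                offer["encryption_attr"] = None
                offer["encryption"] = m[2].lower().replace("-cbc", "")
        elif m := re.search(r"ISAKMP:\s+hash (\S+)", line):
            offer["hash"] = m[1].lower()
        elif m := re.search(r"ISAKMP:\s+default group (\d+)", line):
            offer["group"] = int(m[1])
        elif m := re.search(r"ISAKMP:\s+auth (\S+)", line):
            offer["auth"] = m[1]
        elif m := re.search(r"life duration \(VPI\) of ((?:0x[0-9A-Fa-f]+\s*)+)", line):
            raw = bytes(int(h, 16) for h in m[1].split())  # variable-length big-endian
            offer["lifetime_seconds"] = int.from_bytes(raw, "big")
        elif "does not match policy" in line:
            offer["accepted"] = False
            offer["reason"] = line.split("): ", 1)[-1].strip()
        elif "atts are not acceptable" in line:
            offer["accepted"] = False
        elif "atts are acceptable" in line:
            offer["accepted"] = True
    return offer

def parse_policies(config: str) -> dict:
    """'crypto isakmp policy N' blocks keyed by priority, with IOS defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] == ["crypto", "isakmp", "policy"]:
            current = policies[int(parts[3])] = dict(POLICY_DEFAULTS)
        elif not parts or parts[0] in ("!", "crypto"):
            current = None  # left the policy block
        elif current is not None and len(parts) == 2 and parts[0] in POLICY_DEFAULTS:
            key, value = parts
            current[key] = int(value) if key in ("group", "lifetime") else value
    return policies

def mismatches(offer: dict, policy: dict) -> list:
    """Every attribute on which the offered transform and one policy disagree."""
    problems = []
    if offer["encryption"] != policy["encr"]:
        problems.append(f"encryption: offered {offer['encryption']} "
                        f"(attribute {offer.get('encryption_attr')}), policy {policy['encr']}")
    if offer["hash"] != policy["hash"]:
        problems.append(f"hash: offered {offer['hash']}, policy {policy['hash']}")
    if offer["group"] != policy["group"]:
        problems.append(f"group: offered {offer['group']}, policy {policy['group']}")
    auth = "pre-share" if offer["auth"] in PRESHARED_VARIANTS else offer["auth"]
    if auth != policy["authentication"]:
        problems.append(f"authentication: offered {offer['auth']}, policy {policy['authentication']}")
    return problems

def explain(debug: str, config: str) -> dict:
    offer = parse_offer(debug)  # mismatch list per policy priority for the transform seen
    return {prio: mismatches(offer, pol) for prio, pol in sorted(parse_policies(config).items())}

DEBUG = """\
3d11h: ISAKMP (0:59): Checking ISAKMP transform 1 against priority 1 policy
3d11h: ISAKMP: encryption... What? 7?
3d11h: ISAKMP: hash SHA
3d11h: ISAKMP: default group 2
3d11h: ISAKMP: auth XAUTHInitPreShared
3d11h: ISAKMP: life type in seconds
3d11h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
3d11h: ISAKMP (0:59): Encryption algorithm offered does not match policy!
3d11h: ISAKMP (0:59): atts are not acceptable. Next payload is 3
"""
POLICIES = """\
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
"""

if __name__ == "__main__":
    print(parse_offer(DEBUG))
    for prio, problems in explain(DEBUG, POLICIES).items():
        print(f"policy {prio}:", problems or "acceptable")
```

Run against the posted lines it reports the transform as aes/sha/group 2/XAUTHInitPreShared with a 2147483-second lifetime, three mismatches against policy 1 (encryption, hash and the defaulted group 1) and two against policy 5 (encryption and hash). The same parser works on a full debug capture to see which of the client's later transforms came closest.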
06-23-2003 06:40 PM
Hi,
At the 1720 you don't need the following three commands:
crypto isakmp key r3m0te address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
crypto map test client configuration address initiate
Remove these commands with "no" in front of them. Also, since we are on the topic of security: now that you have posted your preshared keys ;-) you should change them. This is a public forum, so everyone can see your preshared keys; change them to something else, and always remember that the longer the preshared key, the harder it is to break. Also change the key under the group configuration.
Also, you are not using this:
crypto map rmap local-address Ethernet0
A connection to a Linksys should be similar, considering that they are agreeing on same policies and transform.
Let me know
Arthur
06-24-2003 06:09 AM
Would I not need those commands for my VPN client to work?
Could you elaborate on not using the "crypto map rmap local-address Ethernet0" command?
Thanks
06-24-2003 11:50 AM
Sure, no problem, this is the configuration you have at the moment :
crypto map test local-address Ethernet0
crypto map test 1 ipsec-isakmp
set peer 63.81.59.254
set transform-set mypolicy
match address 115
crypto map test 2 ipsec-isakmp
set peer 67.158.245.41
set transform-set mypolicy
match address 120
crypto map test 10 ipsec-isakmp dynamic dyna
!
crypto map rmap local-address Ethernet0
"crypto map test local-address Ethernet0" is the one you are using, but "crypto map rmap local-address Ethernet0" is not in use. This command tells the router what interface to use for IPsec; you don't have a "crypto map rmap" in your configuration, so it is just using space ;-)
Regards,
Arthur
07-01-2003 02:25 AM
Still no luck getting the VPN client to work.
06-30-2003 01:34 PM
My problem is also VPN between a 1720 and the VPN client. My router is not taking the following command:
"crypto isakmp client configuration group 3000client"; it only has the option "address-pool" after "configuration" in the above command.
My IOS version is 12.2.12f (c1700-k9o3sy-mz.122-12f.bin).
Is it an IOS version issue? The doc says any version higher than 12.2.8(T), and my version is 12.2.12f.
thanks
Pradeep
06-30-2003 10:33 PM
The image you are using clearly doesn't support the VPN client. You need to take another version that supports it. You might have to do some research on the image line to find out which one supports it.
07-02-2003 02:42 PM
My VPN is up. Is there any way I can check who is logged in? I have a local user database and am using AAA auth.
Thanks
Pradeep