1720 VPN

carolinas (Level 1)

Where can I find a configuration example for a 1720 with multiple point to point VPN's and a remote access VPN?

11 Replies

artherrera (Level 1)

Hi, you could use these two links; even though they are not specific to the 1720, the concept will be the same.

For the router and Cisco VPN Client

http://www.cisco.com/warp/public/471/ipsecrouter_vpn.html

For multiple routers IPsec configuration

http://www.cisco.com/warp/public/707/30.html

Hope this helps

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

My configurations look very similar to the examples, however I am experiencing two issues.

First, when remote site 2 attempts the VPN connection while remote site 1 is already connected, site 1 loses its connection in favor of site 2. It doesn't seem to matter who is connected to the main site first. When the other site comes in, the first connection is dropped.

Second, my VPN client is unable to establish a connection with the main site.

The configurations for the main site and one of the remotes are below. The second remote has a Linksys box, not a Cisco router.

router1#sh run
Building configuration...

Current configuration : 2759 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1
!
no logging console
enable secret 5
!
memory-size iomem 20
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip name-server nnn.nnn.nnn.253
ip name-server nnn.nnn.nnn.227
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.51
ip dhcp excluded-address 10.0.0.56
ip dhcp excluded-address 10.0.0.95
ip dhcp excluded-address 10.0.0.19
ip dhcp excluded-address 10.0.0.200
!
ip dhcp pool lanpool
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   lease infinite
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address xx.xx.xx.254
crypto isakmp key xxxxxxxxxx address bb.bbb.bbb.41
crypto isakmp key xxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group vpngroup
 key xxxxxxxxxxx
 pool ourpool
!
!
crypto ipsec transform-set mypolicy esp-3des esp-md5-hmac
!
crypto dynamic-map dyna 10
 set transform-set mypolicy
!
!
crypto map test local-address Ethernet0
crypto map test client configuration address initiate
crypto map test client configuration address respond
crypto map test 1 ipsec-isakmp
 set peer xx.xx.xx.254
 set transform-set mypolicy
 match address 115
crypto map test 2 ipsec-isakmp
 set peer bb.bbb.bbb.41
 set transform-set mypolicy
 match address 120
crypto map test 10 ipsec-isakmp dynamic dyna
!
crypto map rmap local-address Ethernet0
!
!
!
!
interface Ethernet0
 ip address qqq.qqq.qqq.97 255.255.255.248
 ip nat outside
 half-duplex
 no cdp enable
 crypto map test
!
interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
ip local pool ourpool 10.1.1.1 10.1.1.254
ip nat inside source route-map rmap interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 qqq.qqq.qqq.98
no ip http server
ip pim bidir-enable
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 110 permit ip 10.0.0.0 0.0.0.255 any
access-list 115 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 10.0.2.0 0.0.0.255
no cdp run
!
route-map rmap permit 10
 match ip address 110
!
!
line con 0
 exec-timeout 30 0
 password
 transport preferred telnet
line aux 0
line vty 0 4
 password
 login
!
end
router1#

router2#sh run
Building configuration...

Current configuration : 1990 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router2
!
logging rate-limit console 10 except errors
no logging console
enable secret 5
!
memory-size iomem 20
ip subnet-zero
!
!
no ip finger
ip name-server 64.80.255.250
ip name-server 64.80.255.251
!
ip audit notify log
ip audit po max-events 100
no ip dhcp-client network-discovery
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key xxxxxxxxxxxx address qqq.qqq.qqq.97
!
!
crypto ipsec transform-set mypolicy esp-3des esp-md5-hmac
!
crypto map test local-address Serial0
crypto map test 1 ipsec-isakmp
 set peer qqq.qqq.qqq.97
 set transform-set mypolicy
 match address 115
!
!
!
!
interface FastEthernet0
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
 no cdp enable
!
interface Serial0
 description connection to Internet
 ip address xx.xx.xx.254 255.255.255.252
 ip nat outside
 no fair-queue
 no cdp enable
 crypto map test
!
ip nat inside source route-map rmap interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.253
no ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 110 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 permit ip 10.0.1.0 0.0.0.255 any
access-list 115 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
no cdp run
!
!
route-map rmap permit 10
 match ip address 110
!
!
line con 0
 exec-timeout 30 0
 login
 transport preferred telnet
 transport input none
line aux 0
 exec-timeout 30 0
 modem InOut
 modem autoconfigure type usr_sportster
 transport preferred telnet
 transport input all
 stopbits 1
 speed 38400
 flowcontrol hardware
line vty 0 3
 password
 login
line vty 4
 exec-timeout 30 0
 password
 login
 transport preferred telnet
!
no scheduler allocate
end

1) I don't see a DHCP pool called "ourpool" for the VPN client connections.

2) I have seen Linksys routers mess up the SA when connecting to a Cisco router that already has a site-to-site connection.

I am getting the following:

3d11h: ISAKMP (0:0): received packet from 24.25.87.127 (N) NEW SA
3d11h: ISAKMP: local port 500, remote port 500
3d11h: ISAKMP: Locking CONFIG struct 0x818AFCFC from crypto_ikmp_config_initialize_sa, count 5
3d11h: ISAKMP (0:59): processing SA payload. message ID = 0
3d11h: ISAKMP (0:59): processing ID payload. message ID = 0
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID seems Unity/DPD but bad major
3d11h: ISAKMP (0:59): vendor ID is XAUTH
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID is DPD
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID seems Unity/DPD but bad major
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID seems Unity/DPD but bad major
3d11h: ISAKMP (0:59): processing vendor id payload
3d11h: ISAKMP (0:59): vendor ID is Unity
3d11h: ISAKMP (0:59): Checking ISAKMP transform 1 against priority 1 policy
3d11h: ISAKMP: encryption... What? 7?
3d11h: ISAKMP: hash SHA
3d11h: ISAKMP: default group 2
3d11h: ISAKMP: auth XAUTHInitPreShared
3d11h: ISAKMP: life type in seconds
3d11h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
3d11h: ISAKMP: attribute 14
3d11h: ISAKMP (0:59): Encryption algorithm offered does not match policy!
3d11h: ISAKMP (0:59): atts are not acceptable. Next payload is 3
...
3d11h: ISAKMP (0:62): no offers accepted!
3d11h: ISAKMP (0:62): phase 1 SA not acceptable!
3d11h: ISAKMP (0:62): incrementing error counter on sa: construct_fail_ag_init
3d11h: ISAKMP (0:62): Unknown Input: state = IKE_READY, major, minor = IKE_MESG_FROM_PEER, IKE_AM_EXCH
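The debug output above is the router rejecting the client's phase 1 proposal attribute by attribute, and reading it by hand is error-prone. The following script is an added example, not code from the thread or from Cisco: it parses "debug crypto isakmp" lines of the shape shown above into the transform the peer offered, then diffs that transform against the phase 1 policies configured on router1 earlier in the thread (3DES/MD5/pre-share, group 1 default on policy 1 and group 2 on policy 5). The encryption value 7 that the router prints as "What? 7?" is AES-CBC in the IANA IKEv1 attribute registry; that lookup table and the sample log excerpt (a constructed subset of the lines posted above) are the example's own.

```python
import re

# IANA IKEv1 "Encryption Algorithm" attribute values (RFC 2409, attribute class 1).
# IOS prints the bare number followed by "What?" when it has no name for the value.
IKE_ENCR_NAMES = {1: "DES", 5: "3DES", 7: "AES-CBC"}

# Phase 1 policies as configured on router1 in this thread.
# Group 1 is the IOS default when a policy has no "group" line.
CONFIGURED_POLICIES = [
    {"priority": 1, "encryption": "3DES", "hash": "MD5", "group": 1},
    {"priority": 5, "encryption": "3DES", "hash": "MD5", "group": 2},
]

# Constructed sample: a subset of the "debug crypto isakmp" lines posted above.
SAMPLE_DEBUG = """\
3d11h: ISAKMP (0:59): processing SA payload. message ID = 0
3d11h: ISAKMP (0:59): vendor ID is XAUTH
3d11h: ISAKMP (0:59): Checking ISAKMP transform 1 against priority 1 policy
3d11h: ISAKMP: encryption... What? 7?
3d11h: ISAKMP: hash SHA
3d11h: ISAKMP: default group 2
3d11h: ISAKMP: auth XAUTHInitPreShared
3d11h: ISAKMP: life type in seconds
3d11h: ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
3d11h: ISAKMP: attribute 14
3d11h: ISAKMP (0:59): Encryption algorithm offered does not match policy!
3d11h: ISAKMP (0:59): atts are not acceptable. Next payload is 3
3d11h: ISAKMP (0:62): no offers accepted!
3d11h: ISAKMP (0:62): phase 1 SA not acceptable!
"""

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
# Attribute lines carry no "(conn:id)" tag: "<uptime>: ISAKMP:<spaces><attr> <value>"
ATTR_RE = re.compile(r"^\S+:\s+ISAKMP:\s+(encryption|hash|default group|auth)\.*\s*(.*)$")


def parse_proposals(debug_text):
    """Group debug lines into the phase 1 transforms the peer offered, with the router's verdict."""
    proposals = []
    current = None
    for line in debug_text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2)), "result": None}
            proposals.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            attr, value = m.group(1), m.group(2).strip()
            if attr == "encryption":
                # Either a name such as "3DES-CBC" or, for an unrecognised value, "What? 7?"
                if value.startswith("What?"):
                    n = int(re.search(r"\d+", value).group())
                    current["encryption"] = IKE_ENCR_NAMES.get(n, f"unknown({n})")
                else:
                    current["encryption"] = value.replace("-CBC", "")
            elif attr == "default group":
                current["group"] = int(value)
            else:
                current[attr] = value
        elif "does not match policy" in line or "atts are not acceptable" in line:
            current["result"] = "rejected"
        elif "atts are acceptable" in line:
            current["result"] = "accepted"
    return proposals


def explain_mismatch(proposal, policies):
    """For each configured policy, list the attributes on which the offered transform differs.

    The auth method is parsed but not compared: XAUTH-with-pre-shared is negotiated via the
    crypto map's client authentication settings, not via the isakmp policy itself."""
    report = {}
    for pol in policies:
        diffs = []
        for attr in ("encryption", "hash", "group"):
            if attr in proposal and proposal[attr] != pol[attr]:
                diffs.append(f"{attr}: peer offered {proposal[attr]}, policy has {pol[attr]}")
        report[pol["priority"]] = diffs
    return report


if __name__ == "__main__":
    for prop in parse_proposals(SAMPLE_DEBUG):
        print(f"transform {prop['transform']} -> {prop['result']}: "
              f"{prop.get('encryption')}/{prop.get('hash')}/group {prop.get('group')}/{prop.get('auth')}")
        for prio, diffs in explain_mismatch(prop, CONFIGURED_POLICIES).items():
            print(f"  policy {prio}: " + ("; ".join(diffs) if diffs else "matches"))
```

Run against the sample it reports that the client offered AES-CBC/SHA/group 2 while both configured policies carry 3DES/MD5, so no policy can match regardless of the group; the same parser can be pointed at a full debug capture to see every transform the client tried.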

Hi,

At the 1720nc you don't need the following three commands:

crypto isakmp key r3m0te address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
crypto map test client configuration address initiate

Remove these commands with "no" in front. Also, since we are on the topic of security, now that you have posted your preshared keys ;-) you should change them. This is a public forum, and therefore everyone is seeing your preshared keys; change them to something else, and always remember that the longer the preshared key, the harder it is to break. Also change the key under the group configuration.

Also, you are not using this:

crypto map rmap local-address Ethernet0

A connection to a Linksys should be similar, provided that they agree on the same policies and transform set.

Let me know

Arthur

Would I not need those commands for my VPN client to work?

Could you elaborate on not using the "crypto map rmap local-address Ethernet0" command?

Thanks

Sure, no problem. This is the configuration you have at the moment:

crypto map test local-address Ethernet0
crypto map test 1 ipsec-isakmp
 set peer 63.81.59.254
 set transform-set mypolicy
 match address 115
crypto map test 2 ipsec-isakmp
 set peer 67.158.245.41
 set transform-set mypolicy
 match address 120
crypto map test 10 ipsec-isakmp dynamic dyna
!
crypto map rmap local-address Ethernet0

"crypto map test local-address Ethernet0" is the one you are using, but "crypto map rmap local-address Ethernet0" is not in use. This command tells the router which interface to use for IPsec; you don't have a "crypto map rmap" in your configuration, so it is just using space ;-)

Regards,

Arthur
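Arthur's two replies above point at things that are easy to miss when reading a crypto configuration by eye: a pre-shared key bound to address 0.0.0.0 0.0.0.0, and a "crypto map NAME local-address" line whose map has no entries. The earlier reply also asked whether the pool used for client addresses exists. The script below is an added example, not code from the thread or from Cisco: a small lint over an IOS running-config excerpt that reports those conditions, plus whether each defined crypto map is applied to an interface and whether "no service password-encryption" leaves line passwords in clear text. The excerpt is constructed from the router1 configuration posted above with PSK-PLACEHOLDER standing in for the removed keys; the severity labels and finding codes are the example's own.

```python
import re

# Constructed excerpt modelled on the router1 configuration posted in this thread;
# PSK-PLACEHOLDER stands in for the keys the moderator removed.
SAMPLE_CONFIG = """\
no service password-encryption
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address xx.xx.xx.254
crypto isakmp key PSK-PLACEHOLDER address bb.bbb.bbb.41
crypto isakmp key PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group vpngroup
 key PSK-PLACEHOLDER
 pool ourpool
!
crypto map test local-address Ethernet0
crypto map test 1 ipsec-isakmp
 set peer xx.xx.xx.254
 set transform-set mypolicy
 match address 115
crypto map test 10 ipsec-isakmp dynamic dyna
!
crypto map rmap local-address Ethernet0
!
interface Ethernet0
 ip address qqq.qqq.qqq.97 255.255.255.248
 crypto map test
!
ip local pool ourpool 10.1.1.1 10.1.1.254
"""

WILDCARD_KEY_RE = re.compile(r"^crypto isakmp key \S+ address 0\.0\.0\.0(?: 0\.0\.0\.0)?$")
MAP_LOCAL_RE = re.compile(r"^crypto map (\S+) local-address (\S+)$")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
MAP_APPLY_RE = re.compile(r"^crypto map (\S+)$")          # bare form used under an interface
LOCAL_POOL_RE = re.compile(r"^ip local pool (\S+)")
POOL_REF_RE = re.compile(r"^(?:crypto isakmp client configuration address-pool local|pool) (\S+)$")


def lint_ios_crypto(config_text):
    """Return (severity, code, message) findings for the crypto section of an IOS config."""
    findings = []
    map_entries, applied_maps, local_pools = set(), set(), set()
    map_local_addr, pool_refs = {}, []
    in_interface = None
    for raw in config_text.splitlines():
        line = raw.strip()
        # Top-level (unindented) lines open or close an interface block.
        if not raw.startswith(" "):
            in_interface = line.split(" ", 1)[1] if line.startswith("interface ") else None
        if WILDCARD_KEY_RE.match(line):
            findings.append(("high", "wildcard-psk",
                             "pre-shared key bound to address 0.0.0.0 0.0.0.0: any peer, from any "
                             "address, that presents this key can complete phase 1 with it"))
        elif line == "no service password-encryption":
            findings.append(("info", "cleartext-passwords",
                             "line and enable passwords set with 'password' appear in clear text in 'show run'"))
        elif (m := MAP_LOCAL_RE.match(line)):
            map_local_addr[m.group(1)] = m.group(2)
        elif (m := MAP_ENTRY_RE.match(line)):
            map_entries.add(m.group(1))
        elif in_interface and (m := MAP_APPLY_RE.match(line)):
            applied_maps.add(m.group(1))
        elif (m := LOCAL_POOL_RE.match(line)):
            local_pools.add(m.group(1))
        elif (m := POOL_REF_RE.match(line)):
            pool_refs.append(m.group(1))
    for name, intf in map_local_addr.items():
        if name not in map_entries:
            findings.append(("low", "unused-map-local-address",
                             f"'crypto map {name} local-address {intf}' but no 'crypto map {name} <seq>' entries exist"))
    for name in sorted(map_entries):
        if name not in applied_maps:
            findings.append(("medium", "map-not-applied",
                             f"crypto map {name} is defined but not applied to any interface"))
    for name in pool_refs:
        if name not in local_pools:
            findings.append(("medium", "missing-pool",
                             f"pool {name} is referenced but no 'ip local pool {name}' is defined"))
    return findings


if __name__ == "__main__":
    for severity, code, message in lint_ios_crypto(SAMPLE_CONFIG):
        print(f"[{severity}] {code}: {message}")
```

On the excerpt the lint reports the wildcard key, the unused "rmap" local-address line and the clear-text password setting, and nothing about the pool, since "ip local pool ourpool" is present; deleting that line makes both pool references show up as missing.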

Still no luck getting the VPN client to work.

My problem is also VPN between a 1720 and the VPN client. My router is not taking the following command:

"crypto isakmp client configuration group 3000client"; it only has the option "address-pool" after "configuration" in the above command.

My IOS version is 12.2.12f (c1700-k9o3sy-mz.122-12f.bin).

Is it an IOS version issue? The doc says any version higher than 12.2.8(T), and my version is 12.2.12f.

thanks

Pradeep

The image you are using clearly doesn't support "VPN client". You need to take another version that supports it. You will probably have to do some research on the image line to find out which one supports it.

My VPN is up. Is there any way I can check who is logged in? I have a local user database and am using AAA auth.

Thanks

Pradeep
