Easy VPN on cisco router

jeevan.koganti
Level 1

Hi,

I am trying to create an Easy VPN on a Cisco 881 router. I have configured it successfully and am able to log in, but unfortunately I am not able to ping or communicate with any computers on the VPN LAN network.

Can anyone tell me where I am going wrong? Below is the config done.

interface loopback0 172.16.0.1

aaa new-model

aaa authentication login auth local

aaa authorization network auth local

ip local pool xyz 172.16.0.2 172.16.0.10

access-list 101 permit ip 172.16.0.0 0.0.0.255 any

crypto isakmp policy 10

encr 3des

authentication-preshare

group 2

crypto iaskmp client configuration group xyz

acl 101

key compaq

pool xyz

domain cisco.com optional

crypto isakmp profile isakmp-p(this is a word)

match identity group xyz

virtual-template 1

isakmp authorization auth

client authentication auth

client configuration address respond

crypto ipsec transform-set TS esp-3des esp-sha-hmac

mode transport

crypto ipsec profile S-S

set transform-set TS

set isakmp-profile ISAKMP-P

interface virtual-template 1 type tunnel

ip unnumbered fa0/0

tunnel protection ipsec profile S-S

tunnel mode ipsec ipv4

tunnel source fa0/0

                  

Thanks in advance,


Emmanuel Valdez
Level 3

Hi Jeevan,

Try with this configuration:

aaa new-model

aaa authentication login auth local

aaa authorization network auth local

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group xyz

key compaq

pool xyz

acl 101

crypto isakmp profile isakmp-p(this is a word)

   match identity group xyz

   client authentication list auth

   isakmp authorization list auth

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set TS esp-3des esp-sha-hmac

!

!

crypto ipsec profile S-S

set transform-set TS

set isakmp-profile ISAKMP-P

!

!

interface Virtual-Template1 type tunnel

ip unnumbered FA0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile S-S

!

!

ip local pool xyz 172.16.0.2 172.16.0.10

!

access-list 101 permit ip X.X.X.X Y.Y.Y.Y any

Where X.X.X.X is your LAN computers segment.

Y.Y.Y.Y is the wildcard for the LAN computers segment.

Your actual ACL is wrong because the source address is your LAN computer and not the VPN Client IP address.

If it is useful please rate.

Best regards.
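
The ACL point made in the reply above can be checked mechanically. The following is an added example, not part of the thread or of any Cisco tooling: it parses the pool, ACL and group lines and flags a group whose split-tunnel ACL source covers its own client pool. The sample configs are constructed from the question, the indentation of sub-commands is assumed, and 192.168.10.0/24 is a hypothetical LAN segment.

```python
import ipaddress
import re

# Constructed sample: the pool, ACL and group lines from the question's config,
# indented the way IOS prints sub-commands (an assumption of this parser).
QUESTION_CONFIG = """\
ip local pool xyz 172.16.0.2 172.16.0.10
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
crypto isakmp client configuration group xyz
 acl 101
 key compaq
 pool xyz
"""
# Constructed: same config with a hypothetical LAN segment (192.168.10.0/24) as ACL source.
FIXED_CONFIG = QUESTION_CONFIG.replace("172.16.0.0 0.0.0.255", "192.168.10.0 0.0.0.255")

def wildcard_net(addr, wildcard):
    """Convert 'address wildcard' to a network (contiguous wildcard masks only)."""
    bits = int(ipaddress.ip_address(wildcard))
    base = int(ipaddress.ip_address(addr)) & ~bits & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - bin(bits).count("1")))

def parse(config):
    """Collect local pools, ACL source networks and per-group acl/pool settings."""
    pools, acls, groups, group = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            group = None  # a top-level command ends the current group block
        if m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\d+) permit ip (\d[\d.]*) (\d[\d.]*) ", line):
            acls.setdefault(m[1], []).append(wildcard_net(m[2], m[3]))
        elif m := re.match(r"crypto isakmp client configuration group (\S+)$", line):
            group = groups.setdefault(m[1], {})
        elif group is not None and (m := re.match(r"(acl|pool) (\S+)$", line)):
            group[m[1]] = m[2]
    return pools, acls, groups

def split_tunnel_findings(config):
    """Flag groups whose split-tunnel ACL source covers their own client pool."""
    pools, acls, groups = parse(config)
    findings = []
    for name, g in groups.items():
        lo, hi = pools.get(g.get("pool"), (None, None))
        for net in acls.get(g.get("acl"), []):
            if lo is not None and (lo in net or hi in net):
                findings.append(f"group {name}: acl {g['acl']} source {net} overlaps pool {g['pool']}")
    return findings

if __name__ == "__main__":
    print(split_tunnel_findings(QUESTION_CONFIG))
    print(split_tunnel_findings(FIXED_CONFIG))
```

ACL entries written with `host` or `any` as the source are not parsed by this sketch.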

Hardik Vaidh
Level 1

crypto isakmp policy 10
encr 3des

hash md5
authentication pre-share
group 2
crypto isakmp key XXX address 10.10.10.10

// Set your key instead of XXX; it must match your remote site. After that, write the address of your peer.
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set XXX esp-3des esp-md5-hmac
!
crypto map YYY  local-address <<>>
crypto map YYY 10 ipsec-isakmp
set peer 10.10.10.10
set transform-set XXX
match address 101

interface <<>>
crypto map YYY

access-list 101 permit ip 192.168.1.0 0.0.0.255 11.11.11.11 (Remote user) 255.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 22.22.22.22(Remote user) 255.255.255.255

After that configure NAT with req. access-list

For troubleshooting

sh cry ipsec sa peer 10.10.10.10

sh cry session

Hope your IPsec site-to-site VPN tunnel is working fine.
