06-16-2016 04:06 AM - edited 03-05-2019 04:15 AM
Hi,
I have a remote site which is connected to Head-office through an IPSEC VPN tunnel. Now I want to configure our Head-office router for VPN-client configuration as well, so that users can connect to Head-office using the VPN client and access the resources at the remote branch using the already configured IPSEC VPN tunnel. I am posting the specific configuration from the Head-office router and need expert advice on which specific configuration I require to achieve this.
interface Loopback0
 ip address 217.18.168.169 255.255.255.248
interface GigabitEthernet0/0
 description connected to ISP
 bandwidth 9000
 ip address 172.29.156.54 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 crypto map CRYPTOMAP
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco****** address 193.232.126.35
crypto ipsec transform-set REM_VPN esp-3des esp-md5-hmac
 mode tunnel
crypto map CRYPTOMAP local-address Loopback0
crypto map CRYPTOMAP 1 ipsec-isakmp
 set peer 193.232.126.35
 set transform-set REM_VPN
 match address SITE-TO-SITE
 reverse-route static
ip nat inside source list NAT interface Loopback0 overload
ip access-list extended SITE-TO-SITE
 permit ip 10.40.1.0 0.0.0.255 10.80.1.0 0.0.0.255
ip access-list extended NAT
 deny ip 10.40.1.0 0.0.0.255 10.80.1.0 0.0.0.255
 permit ip 10.40.1.0 0.0.0.255 any
Thanks
Shahzad
06-16-2016 05:38 AM
Hi
For doing Client VPN on the same router on which you're doing site-to-site VPN, I will not put all the commands right here but will redirect you to a link from Cisco explaining how to implement it:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/20982-ipsecrouter-vpn.html
However if you have issues, I would be able to help troubleshooting.
Thanks
PS: Please don't forget to rate and mark as correct answer if this solved your issue.
06-19-2016 02:16 AM
Thanks for your reply.
I wrote some steps after looking at the document you referred, please review it and advise.
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
username cisco password 0 cisco
crypto isakmp client configuration group CLIENT-VPN
 key cisco123
 dns 10.100.9.5
 domain local.*****.com
 pool ippool
!
crypto dynamic-map dynmap 10
 set transform-set REM_VPN
 reverse-route
!
crypto map CRYPTOMAP client authentication list userauthen
crypto map CRYPTOMAP isakmp authorization list groupauthor
crypto map CRYPTOMAP client configuration address initiate
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 10 ipsec-isakmp dynamic dynmap
ip local pool ippool 10.100.20.100 10.100.20.254
Thanks
Shahzad
06-19-2016 08:45 AM
It looks OK.
PS: Please don't rate and mark as correct answer if this solved your issue
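An added example, not posted by either participant in the thread: the points to check when the client pool from the proposed configuration has to reach the branch LAN through the existing site-to-site tunnel on the same crypto map. It assumes the pool sits inside 10.100.20.0/24, that the branch router can be changed to mirror the new entries, and it uses `<pre-shared-key>` as a placeholder for the existing tunnel key.

```cisco
! Added example. Placeholders and assumptions are marked in comments.
!
! 1. The crypto map now demands XAUTH from every IKE peer. Exempt the
!    site-to-site peer so the existing tunnel is not prompted for a
!    username/password. <pre-shared-key> is a placeholder.
crypto isakmp key <pre-shared-key> address 193.232.126.35 no-xauth
!
! 2. Add client-pool -> branch traffic to the interesting-traffic ACL so
!    decrypted client packets are re-encrypted toward the branch.
!    Assumption: the pool 10.100.20.100-254 is treated as 10.100.20.0/24.
ip access-list extended SITE-TO-SITE
 permit ip 10.40.1.0 0.0.0.255 10.80.1.0 0.0.0.255
 permit ip 10.100.20.0 0.0.0.255 10.80.1.0 0.0.0.255
!
! 3. Keep head-office replies to VPN clients out of the NAT overload;
!    otherwise they are translated to the Loopback0 address and never
!    match the client's IPsec SA. The deny lines must precede the permit.
ip access-list extended NAT
 deny ip 10.40.1.0 0.0.0.255 10.80.1.0 0.0.0.255
 deny ip 10.40.1.0 0.0.0.255 10.100.20.0 0.0.0.255
 permit ip 10.40.1.0 0.0.0.255 any
!
! 4. On the branch router (not shown in the thread), the crypto ACL and
!    the NAT exemption need the mirror image entry:
!    10.80.1.0 0.0.0.255 -> 10.100.20.0 0.0.0.255
!
! Verification after a client connects:
!  show crypto isakmp sa
!  show crypto ipsec sa
!  show ip nat translations
```

In `show crypto ipsec sa`, a separate SA pair for 10.100.20.0/24 to 10.80.1.0/24 with rising encaps and decaps counters confirms that client traffic is being carried over the branch tunnel.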