I'm trying to configure a 2611 router (IOS 12.2) for VPN, so that VPN clients can connect to it.
At the moment, my int e0/1 is using the 10.0.0.0/24 subnet, and I also have a DHCP pool that assigns addresses on that same subnet.
Hence, for the pool of addresses that I define for my VPN group, can the addresses overlap with an existing subnet, or do I have to use an unused subnet?
Please enlighten me.
Thanks in advance.
Use a different pool for VPN Clients.
Use the configuration below as a reference:
service timestamps debug datetime msec
service timestamps log datetime msec
!--- "no logging on" disables all logging output; keep logging
!--- enabled on a production VPN head-end so Xauth and IKE failures are visible.
no logging on
!
!--- Type 7 "encryption" is a reversible obfuscation, not a hash;
!--- treat any type 7 string as plaintext if this config leaks.
username gfullage password 7 0201024E070A0E2649
!
!--- "aaa new-model" must be enabled before the aaa authentication
!--- and authorization lists can be configured (missing from the posted config).
aaa new-model
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
no ip domain lookup
!
!--- Keyring that defines a wildcard pre-shared key.
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
!--- ISAKMP policy. The posted config listed the policy without its
!--- parameters; pre-shared authentication and DH group 2 are what the
!--- Cisco VPN Client negotiates, and 3DES matches the transform set below.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
!--- VPN Client configuration for group "testgroup"
!--- (this name is configured in the VPN Client).
!--- The "key" and "pool ippool" lines were not in the posted config
!--- and are added here: "pool ippool" ties the client address pool
!--- defined below to this group; without it the clients get no address.
crypto isakmp client configuration group testgroup
 key cisco123
 dns 220.127.116.11 18.104.22.168
 wins 22.214.171.124 126.96.36.199
 pool ippool
!
!--- Profile for VPN Client connections, that matches
!--- the "testgroup" group and defines the Xauth properties.
crypto isakmp profile VPNclient
 description VPN clients profile
 match identity group testgroup
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Dynamic crypto map instance that references the ISAKMP profile above.
!--- (The original comment spoke of two instances; only this one is shown.)
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
!
!--- The static crypto map only references the dynamic crypto map.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!--- Interface names are assumed; the posted config omitted the
!--- "interface" lines. Note that the inside subnet (10.1.0.0/23) and
!--- the client pool (10.5.5.0/24) do not overlap, which is the point of this answer.
interface Ethernet0/0
 description Outside interface
 ip address 10.48.67.181 255.255.255.224
 no ip mroute-cache
 crypto map mymap
!
interface Ethernet0/1
 description Inside interface
 ip address 10.1.1.1 255.255.254.0
!
ip local pool ippool 10.5.5.1 10.5.5.254
no ip http server
no ip http secure-server
!--- Next hop as posted; it does not fall inside the outside interface's
!--- 10.48.67.160/27 subnet, so check it against your own topology.
ip route 0.0.0.0 0.0.0.0 10.48.66.181
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password 7 121A0C041104
* Please rate ALL posts.
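The reason the answer insists on a separate pool is that the router must be able to tell, for every address, whether it lives behind the inside interface or behind an IPsec tunnel; a pool carved out of the 10.0.0.0/24 LAN subnet makes that ambiguous and also lets the DHCP server hand out addresses the VPN pool is already using. The script below is an added example, not part of the original thread or a Cisco tool: it parses an IOS running-config for interface subnets, DHCP pool networks and `ip local pool` ranges, and flags any VPN pool that collides with either. The config it parses is constructed for the example and mirrors the asker's situation (inside interface and DHCP pool on 10.0.0.0/24); the pool and interface names in it are made up.

```python
import ipaddress
import re

# Constructed sample IOS config for this example (not from the original post).
# It mirrors the asker's setup: the inside interface and a DHCP pool both use
# 10.0.0.0/24, one VPN pool is carved out of that subnet (wrong) and a second
# pool uses an otherwise unused subnet (right).
SAMPLE_CONFIG = """\
interface Ethernet0/1
 description Inside interface
 ip address 10.0.0.1 255.255.255.0
!
ip dhcp pool LAN
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
!
ip local pool vpnpool 10.0.0.100 10.0.0.150
ip local pool vpnpool2 10.5.5.1 10.5.5.254
"""

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse_interface_subnets(cfg):
    """Return the connected subnets from every 'ip address A.B.C.D MASK' line."""
    pattern = re.compile(r"^\s*ip address " + _IPV4 + " " + _IPV4, re.M)
    return [ipaddress.ip_interface(f"{a}/{m}").network for a, m in pattern.findall(cfg)]


def parse_dhcp_networks(cfg):
    """Return the networks served by 'ip dhcp pool' stanzas ('network A.B.C.D MASK')."""
    pattern = re.compile(r"^\s+network " + _IPV4 + " " + _IPV4, re.M)
    return [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in pattern.findall(cfg)]


def parse_local_pools(cfg):
    """Return {pool_name: (first_address, last_address)} from 'ip local pool' lines.

    A pool given as a single address has first == last."""
    pattern = re.compile(r"^ip local pool (\S+) " + _IPV4 + r"(?: " + _IPV4 + ")?", re.M)
    pools = {}
    for name, first, last in pattern.findall(cfg):
        pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last or first))
    return pools


def range_overlaps(first, last, network):
    """True if the inclusive address range [first, last] touches 'network'."""
    return first <= network.broadcast_address and last >= network.network_address


def pool_conflicts(cfg):
    """List (pool_name, source, network) for every local pool that collides with
    a connected subnet (source 'interface') or a DHCP-served network (source 'dhcp')."""
    candidates = [("interface", n) for n in parse_interface_subnets(cfg)]
    candidates += [("dhcp", n) for n in parse_dhcp_networks(cfg)]
    conflicts = []
    for name, (first, last) in parse_local_pools(cfg).items():
        for source, network in candidates:
            if range_overlaps(first, last, network):
                conflicts.append((name, source, str(network)))
    return conflicts


if __name__ == "__main__":
    for name, source, network in pool_conflicts(SAMPLE_CONFIG):
        print(f"pool {name} overlaps {source} subnet {network}: use an unused subnet instead")
```

Run it against the output of `show running-config` to get the same check on a real router; on the constructed config it reports `vpnpool` twice (once against the interface subnet, once against the DHCP network) and says nothing about `vpnpool2`, which is the layout the accepted answer recommends.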
Hi, thanks for your sample config. On my second attempt to fix the error, it seems that I should have defined a separate address pool, and also I forgot one line, which is client configuration address respond.
Thanks once again.
P.S. Sorry for voting 2.0; I couldn't change it after I solved the problem.