query regarding address pool for vpn

bangkydotnet
Level 1

Hi guys,

I'm trying to configure a 2611 router (IOS 12.2) for VPN, so that VPN clients can connect to it.

As of now, my int e0/1 is using the 10.0.0.0/24 subnet, and I also have a DHCP pool that assigns addresses for that same subnet.

Hence, for the pool of addresses that I define for my VPN group, can the addresses overlap with an existing subnet? Or do I have to use an unused subnet?

Please enlighten me.

Thanks in advance.


leonvd79
Level 4

Use a different pool for VPN Clients.

Use the configuration below as a reference:

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
no logging on
!
username gfullage password 7 0201024E070A0E2649
aaa new-model
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
no ip domain lookup
!
!--- Keyring that defines the wildcard pre-shared key.
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
!--- VPN Client configuration for group "testgroup"
!--- (this name is configured in the VPN Client).
crypto isakmp client configuration group testgroup
 key cisco321
 dns 1.1.1.1 2.2.2.2
 wins 3.3.3.3 4.4.4.4
 domain cisco.com
 pool ippool
!
!--- Profile for VPN Client connections that matches
!--- the "testgroup" group and defines the Xauth properties.
crypto isakmp profile VPNclient
 description VPN clients profile
 match identity group testgroup
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Dynamic crypto map instance that references
!--- the transform set and the ISAKMP profile above.
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
!
!--- The crypto map only references the
!--- instance of the previous dynamic crypto map.
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description Outside interface
 ip address 10.48.67.181 255.255.255.224
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 description Inside interface
 ip address 10.1.1.1 255.255.254.0
 duplex auto
 speed auto
 no keepalive
!
!--- VPN client address pool on a subnet that is not used on
!--- any interface (here 10.5.5.0/24; the inside LAN is 10.1.0.0/23).
ip local pool ippool 10.5.5.1 10.5.5.254
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.48.66.181
!
call rsvp-sync
!
dial-peer cor custom
!
line con 0
 exec-timeout 0 0
 escape-character 27
line aux 0
line vty 0 4
 password 7 121A0C041104
!
end

HTH

--Leon

* Please rate ALL posts.
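The question above is whether the VPN pool may overlap the LAN subnet, and the answer is to use a separate pool. As an added example that is not part of this thread, the Python below parses interface addresses, DHCP pool networks and `ip local pool` ranges out of an IOS-style config and reports which pools collide with which subnets; the config text is constructed from the OP's 10.0.0.0/24 LAN and the 10.5.5.0/24 pool in Leon's reference.

```python
import ipaddress
import re

# Constructed sample config: the OP's LAN on e0/1 with its DHCP pool, a
# VPN pool that wrongly overlaps that LAN, and a pool on an unused subnet.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 ip address 10.0.0.1 255.255.255.0
!
ip dhcp pool LAN
 network 10.0.0.0 255.255.255.0
!
ip local pool vpnpool 10.0.0.100 10.0.0.150
ip local pool ippool 10.5.5.1 10.5.5.254
"""


def parse_subnets(config):
    """Return {section: IPv4Network} for interface addresses and DHCP networks."""
    subnets = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^(interface \S+|ip dhcp pool \S+)", line)
        if m:
            current = m.group(1)
            continue
        if line.strip() == "!":
            current = None  # end of the current section
            continue
        m = re.match(r"^\s+(?:ip address|network) (\S+) (\S+)", line)
        if m and current:
            # strict=False turns a host address plus mask into its network
            subnets[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    return subnets


def parse_pools(config):
    """Return {name: (first, last)} for every 'ip local pool' range."""
    pools = {}
    for line in config.splitlines():
        m = re.match(r"^ip local pool (\S+) (\S+) (\S+)", line)
        if m:
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools


def overlapping_pools(config):
    """Map each local pool to the sorted list of sections whose subnet it intersects."""
    subnets = parse_subnets(config)
    report = {}
    for name, (first, last) in parse_pools(config).items():
        # Closed-interval overlap: pool range vs. network..broadcast of each subnet
        hits = [sec for sec, net in subnets.items()
                if first <= net.broadcast_address and last >= net.network_address]
        report[name] = sorted(set(hits))
    return report
```

Running `overlapping_pools` on a real `show running-config` flags the pool before clients are handed addresses that the LAN already answers for.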

Hi, thanks for your sample config. On my second attempt to fix the error, it seems that I should have defined a separate address pool, and also I forgot one line, which is client configuration address respond.

Thanks once again.

P.S. Sorry for voting 2.0; I couldn't change it after I solved the problem.
