899 Views, 0 Helpful, 2 Replies

Cisco Router 881 VPN Config

froiromero
Level 1

Hello,

I need help connecting a VPN client to my router. Here's my config below.

It has a site-to-site VPN which is working fine.

Thanks!!!

Building configuration...

!
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn-xauth1 local
aaa authentication login sslvpn local
aaa authorization network vpn-group1 local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-2155039512
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2155039512
 revocation-check none
 rsakeypair TP-self-signed-2155039512
!
!
crypto pki certificate chain TP-self-signed-2155039512
 certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313535 30333935 3737301E 170D3131 30363232 31363239
  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31353530
  33393537 3730819F 0129384 2A864886 F70D0101 01050003 818D0030 81890281
  8100BCC9 82DD2E9E DB424671 B2481D77 1EB7FDA8 25D2EEFC 6C66A551 68B418C6
  75B76471 36D457B1 7AEC16FC 9333A228 A138C24A CCB715CF 143EF482 816C7080
  330E7D24 6592EED9 F0167AAB D53490D4 8291CB52 BB40E140 8306A3CA AFE72861
  FE9C6E34 B45B08D8 60AF2755 A0B90B4A 5DB260A3 4A879A91 0039C6CB 3F7E9384
  43E10203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
  551D1104 1F301D82 1B626372 68612D77 6E647372 2D727472 1234234 68612E6C
  6F63616C 301F0603 551D2304 18301680 14972BCE BC74B909 D904A757 3C82434A
  822B2F65 6E301D06 023424E 04160414 972BCEBC 74B909D9 04A7573C 82434A82
  2B2F656E 300D0609 2A864886 F70D0101 04050003 818100B4 A1AC739C 6F212BE9
  00FF9D10 67BD509A E7056108 CBF3884E 97E668D3 2CD43BEE B8C10098 56B386D7
  B0523710 6E7D4092 71234234CD F6B70179 C89F575C 9889BA15 229E3452 AFC398A4
  E016A49C 409ECF55 DCB941FF 092549B2 7E9E42C7 451C410D AF1B5697 01C586ED
  D2DD0CB1 D33AAAAD 9A3AEC7A E8F06C61 0EE9A01E A017A6
        quit
ip source-route
!
!
!
!
ip cef
ip domain name xxxx.local
ip name-server xx.x.xx.xx
ip name-server xx.xxx.xxx.xx
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn yyyyyy
!
!
username tech privilege 15 secret 5 xxxxxxxxxxx
username vpn-user1 secret 5 xxxxxxxxx
username admin privilege 15 password 7 xxxxxxxx
!
!
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any vpn-ssh
 match protocol ssh
 match protocol icmp
 match protocol tcp
 match protocol udp
 match protocol http
 match protocol https
 match protocol citrix
 match protocol ipsec-msft
 match protocol pptp
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
 match access-group 199
class-map match-all inspection_icmp
 match any
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect ccp-icmp-access
  inspect
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 69.xx.xx.xx
!
crypto isakmp client configuration group XXXXX
 key xxxxx
 dns 8.8.8.8
 pool VPN-Pool
 acl 110
! the list names referenced in the profile must match the aaa definitions above exactly (IOS compares them case-sensitively)
crypto isakmp profile VPN-IKE-Profile1
   match identity group XXXX
   client authentication list vpn-xauth1
   isakmp authorization list vpn-group1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile1
 set transform-set ESP-3DES-SHA
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 69.xx.xxx.xx
 set peer 69.xx.xxx.xx
 set transform-set ESP-3DES-SHA
 match address 101
!
!
!
!
!
interface FastEthernet0
 switchport mode trunk
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 65.xx.xxx.xx 255.255.255.xxx
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
!
interface Virtual-Template2 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile1
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
!
ip local pool VPN-Pool 10.10.200.1 10.10.200.50
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 65.xx.xxx.1
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.0.0 0.0.0.255
access-list 23 permit 173.0.0.0 0.255.255.255
access-list 23 permit 152.0.0.0 0.255.255.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 69.xx.xxxx.xx any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
access-list 104 permit ip 10.10.0.0 0.0.0.255 any
access-list 110 remark VPN-Users
access-list 110 permit ip 10.10.200.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 199 permit ip any any
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
end
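An added example, not part of the original post or the Cisco forum thread: a small Python linter for the class of mistake an Easy VPN server config of this shape invites. IOS compares AAA method-list, pool and client-group names case-sensitively, so an isakmp profile that says `client authentication list VPN-xauth1` never finds a list defined as `aaa authentication login vpn-xauth1`, and XAUTH fails with an undefined-list error. The linter goes a little beyond that single case: it resolves the profile's login-list, authorization-list and `match identity group` references, the client group's `pool` and `acl` references, and flags a tunnel interface (such as the Virtual-Template a dVTI profile spawns) that sits in no security zone while zone-based firewall zones are defined, since ZBF drops traffic between a zone member and a non-member. The sample config is constructed to mirror the posted one's layout; its names and addresses are illustrative, and the tool assumes `show running-config` indentation, which the forum paste has lost.

```python
"""Cross-reference linter for a Cisco IOS Easy VPN server / ZBF config.

Added example, not code from the original post. IOS compares list, pool and
group names case-sensitively, so an isakmp profile naming 'VPN-xauth1' never
finds a list defined as 'vpn-xauth1'. The linter reports such dangling
references and tunnel interfaces left outside every zone while ZBF zones
exist. Assumes 'show running-config' indentation (bodies indented by spaces).
"""
import re

# Constructed sample mirroring the shape of the posted config; names and
# addresses are illustrative. It deliberately carries two case mismatches and
# a Virtual-Template that belongs to no security zone.
SAMPLE_CONFIG = """\
aaa authentication login vpn-xauth1 local
aaa authorization network vpn-group1 local
crypto isakmp client configuration group EZVPN
 pool VPN-Pool
 acl 110
crypto isakmp profile VPN-IKE-Profile1
   match identity group EZVPN
   client authentication list VPN-xauth1
   isakmp authorization list VPN-group1
   virtual-template 2
zone security in-zone
interface Virtual-Template2 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile1
interface Vlan1
 zone-member security in-zone
ip local pool VPN-Pool 10.10.200.1 10.10.200.50
access-list 110 permit ip 10.10.200.0 0.0.0.255 10.10.0.0 0.0.255.255
"""

# Header pattern that defines a name of each kind.
DEFINITIONS = {
    "login list": r"aaa authentication login (\S+)",
    "authorization list": r"aaa authorization network (\S+)",
    "client group": r"crypto isakmp client configuration group (\S+)",
    "pool": r"ip local pool (\S+)",
    "acl": r"(?:ip access-list (?:standard|extended) |access-list )(\S+)",
    "zone": r"zone security (\S+)",
}
# (stanza header prefix, body line pattern, kind of the referenced name)
REFERENCES = [
    ("crypto isakmp profile ", r"match identity group (\S+)", "client group"),
    ("crypto isakmp profile ", r"client authentication list (\S+)", "login list"),
    ("crypto isakmp profile ", r"isakmp authorization list (\S+)", "authorization list"),
    ("crypto isakmp client configuration group ", r"pool (\S+)", "pool"),
    ("crypto isakmp client configuration group ", r"acl (\S+)", "acl"),
]


def stanzas(config):
    """Yield (header, body_lines) for each top-level IOS stanza."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank or comment/separator line
        if raw[0].isspace():
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
        header, body = raw.rstrip(), []
    if header is not None:
        yield header, body


def lint(config):
    """Return findings as strings; an empty list means every reference resolves."""
    defined = {kind: set() for kind in DEFINITIONS}
    refs, unzoned = [], []
    for header, body in stanzas(config):
        for kind, pattern in DEFINITIONS.items():
            m = re.match(pattern, header)
            if m:
                defined[kind].add(m.group(1))
        for prefix, pattern, kind in REFERENCES:
            if header.startswith(prefix):
                for m in filter(None, (re.fullmatch(pattern, l) for l in body)):
                    refs.append((header, kind, m.group(1)))
        if header.startswith("interface "):
            protected = any(l.startswith("tunnel protection ") for l in body)
            zoned = any(l.startswith("zone-member security ") for l in body)
            if protected and not zoned:
                unzoned.append(header.split()[1])
    findings = []
    for header, kind, name in refs:
        if name in defined[kind]:
            continue
        # A definition that differs only in case is the usual culprit.
        near = sorted(d for d in defined[kind] if d.lower() == name.lower())
        hint = f"; did you mean '{near[0]}'? (IOS names are case-sensitive)" if near else ""
        findings.append(f"{header}: {kind} '{name}' is not defined{hint}")
    if defined["zone"]:  # zone membership only matters once ZBF is in use
        for name in unzoned:
            findings.append(f"interface {name}: tunnel interface is in no security zone; "
                            "ZBF drops traffic between a zone member and a non-member")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the two mismatched list names with the lowercase definitions as the suggested fix, plus the unzoned Virtual-Template2; correcting the case and adding `zone-member security in-zone` under the template leaves no findings. On a real box, feed it the output of `show running-config`, and remember the linter only sees names, not whether the pool, ACL and NAT exemption actually cover the client subnet.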

2 Replies

froiromero
Level 1

I got it.

Anis Momin
Level 1

Are you trying to configure an Easy VPN server? If so, please check the link below.

I have a working config.

https://supportforums.cisco.com/thread/2252633

Hope this will help.