11-19-2010 09:15 AM
Hi,
I'm a total Cisco / networking novice that has inherited responsibilities for our small office network and I am in need of help to set up a VPN that office staff or clients can access from home or from a client's office. We have a number of public facing IP addresses; currently one of them is unused and we would like to use it for our VPN (let's say the address is 44.55.66.77, GW is 44.55.66.78 and Mask is 255.255.255.252, and it uses Xauth and Mutual PSK) to access our internal network (192.168.1.1 thru 192.168.1.254); an internal DHCP server hands out addresses from 192.168.1.100 thru 192.168.1.199.
I have tried copying quite a few router configs I've found by googling but I have had no luck whatsoever, so I'm really hoping someone can post a working config for the 1811 router and setup for the Shrewsoft client. An explanation (tutorial) as well would really be helpful, but I'd happily settle for something that works.
Thanks in Advance
11-19-2010 09:32 AM
Brad,
The configurations that I can send you are most likely the ones you've found and tried.
Why don't you just share a copy of your config (change the real IPs) and we'll help you see what you are missing.
Federico.
11-19-2010 10:11 AM
11-19-2010 10:28 AM
Brad,
Sorry to reply with a link:
But here's the deal...
You're configuring the remote access client IPsec VPN connection with a static crypto map:
crypto map IPSEC 45 ipsec-isakmp
set peer 44.55.66.77
set security-association lifetime seconds 7200
set transform-set L2TP-LNS
set pfs group2
You need to change that to a dynamic crypto map (explained in the link).
Also, the 'mode' should be tunnel and not transport in the transform-set.
Please try it and let us know any problems.
Federico.
11-19-2010 10:42 AM
Do you have another link or example? I can't access that link.
11-19-2010 10:44 AM
This is the same link (without requiring CCO):
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml
Federico.
11-19-2010 01:01 PM
Federico,
Thanks, I can get to the page now; in fact it is one I found before. Maybe I'm not looking in the right place but I don't see any explanations for tunnels, crypto maps, or encryption. This is the page the link took me to.
Document Id: 21060.
As first posted I'm a complete novice to all things Cisco and could really use a working example for the 1811.
Thanks for the help and will be back after the weekend.
11-19-2010 01:21 PM
That's the correct link.
It shows the configuration where it says:
Follow that configuration (just change the IPs to the right ones).
You see that the crypto map is a dynamic map and not a static one, as in your original configuration.
What you can do is the following...
Follow the steps on that link to configure the router and try to connect... if it fails... we should be closer to having it correct.
The only real difference from the link (besides the IPs) is that you're going to use local database authentication instead of a RADIUS server to authenticate the VPN clients.
Federico.
11-22-2010 04:20 AM
11-22-2010 04:34 AM
Fredrico,
In the link you provided, one of the lines contains the following:
crypto isakmp client configuration group 3000client
In the same link I can see this value "3000client" gets set as a group name in the Cisco VPN client; what is the corresponding entry for the Shrewsoft client?
Thanks
11-23-2010 03:26 AM
Federico,
My apologies, I noticed I misspelt your name in previous posts. I'm still unable to get my VPN to work. I tried another config yesterday and have included both the 1811 config as well as the client config. I see this error at the console of the 1811:
%CRYPTO-6-VPN_TUNNEL_STATUS: Group: does not exist
Thanks
Brad
11-23-2010 07:33 AM
Brad,
Please do the following:
Enable ISAKMP debugs on the router:
debug cry isa
debug cry ipsec
term mon
From the VPN client connect using the following:
Group name: vpnclient
Group password: mypresharekeystring
Post the output of the debugs above.
Federico.
11-23-2010 09:25 AM
Federico,
I was able to get my VPN established using the attached config files. I still really don't understand how this stuff all works though. In order to complete my setup I need to be able to connect to a few servers on different subnets after I establish the VPN connection. Can you provide some additional direction on how to do this?
I have 3 subnets: 192.168.1.0 - 192.168.1.255 NM 255.255.255.0
192.168.2.0 - 192.168.1.255 NM 255.255.255.0
10.0.1.0 - 10.0.1.255 NM 255.255.255.0
The subnets are on HP procurve switches model 2900-24G
In my posted config I tried to setup a VLAN of 192.168.5.0 and NM 255.255.255.0 and use FastEthernet 1.
Can I use the remaining FastEthernet ports 2 - 8 to physically connect to the other subnets? How do I set this up?
Also I have a question about the VPN itself. I expected to see an assigned address in the range 192.168.5.100 - 192.168.5.119 when I type ipconfig /all on the client workstation. The client is Win 7 and Shrewsoft VPN; however, I don't see this.
Thanks for all the help
11-23-2010 10:06 AM
Brad,
The remaining Fast 2-8 ports are layer 2 ports (switch ports), so cannot be assigned an IP.
You can configure an Interface VLAN to associate the ports and create different IP subnets.
The VPN connection creates a VPN virtual adapter (network connection) that reports an IP from the pool as you mentioned (you should see this information if the client is connected successfully).
To be able to access other subnets via the VPN, you should include those networks in the ACL 101.
Federico
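As an added example (not configuration from this thread, from Federico, or from Cisco's document 21060), here is how the pieces Federico describes across his posts fit together on an IOS router: the dynamic crypto map in place of the static one, a tunnel-mode transform set, XAUTH against the local user database instead of RADIUS, the 192.168.5.100-119 pool, an interface VLAN for one of the switch ports, and ACL 101 listing the internal networks that should be reachable through the tunnel. The group name vpnclient, the group key, the pool range, the outside address and the subnets are taken from the thread; the list names VPN_XAUTH and VPN_GROUP, the pool, transform-set and map names, the username brad, VLAN 2, and FastEthernet0 as the outside interface are assumptions, and the placeholder <CHANGE_ME> has to be replaced.

```cisco
! Added example for a Cisco 1811 Easy VPN (IPsec remote access) server.
! Names in capitals, "brad" and VLAN 2 are assumed; <CHANGE_ME> is a placeholder.
!
aaa new-model
! XAUTH: per-user passwords checked against the local database (no RADIUS)
aaa authentication login VPN_XAUTH local
! Group policy (pool, split-tunnel ACL) is also taken from the local database
aaa authorization network VPN_GROUP local
username brad secret <CHANGE_ME>
!
! Phase 1. The group key is shared by every user, so XAUTH is what actually
! identifies a person; prefer AES/SHA over DES/MD5. Easy VPN needs DH group 2+.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
!
! The group name must match the identity the client sends; otherwise the router
! logs "%CRYPTO-6-VPN_TUNNEL_STATUS: Group: does not exist".
crypto isakmp client configuration group vpnclient
 key mypresharekeystring
 pool VPNPOOL
 acl 101
!
ip local pool VPNPOOL 192.168.5.100 192.168.5.119
!
! Phase 2: tunnel mode, not the transport mode of the old L2TP-LNS set
crypto ipsec transform-set VPNTS esp-aes esp-sha-hmac
 mode tunnel
!
! Dynamic map: road warriors connect from unknown addresses, so no "set peer".
! reverse-route installs a host route for each connected client's pool address.
crypto dynamic-map DYNMAP 10
 set transform-set VPNTS
 reverse-route
!
crypto map VPNMAP client authentication list VPN_XAUTH
crypto map VPNMAP isakmp authorization list VPN_GROUP
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
!
! Outside interface: 44.55.66.77/30 with gateway 44.55.66.78 (from the first post);
! FastEthernet0 as the outside port is an assumption.
interface FastEthernet0
 ip address 44.55.66.77 255.255.255.252
 crypto map VPNMAP
!
ip route 0.0.0.0 0.0.0.0 44.55.66.78
!
! The Fast 2-8 ports are layer 2 switch ports and take no IP themselves.
! Create VLAN 2 first (on this platform: "vlan database" / "vlan 2" / "exit"
! from privileged EXEC), put a port in it, and address the VLAN interface.
interface FastEthernet2
 switchport mode access
 switchport access vlan 2
!
interface Vlan2
 ip address 192.168.0.249 255.255.255.0
 no shutdown
!
! Split-tunnel ACL pushed to the client: source = each internal network the
! client may reach. A network missing here is never routed into the tunnel.
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
```

Two checks worth doing once the client connects: `show crypto isakmp sa` and `show crypto ipsec sa` on the router confirm the phase 1 and phase 2 SAs, and the client's virtual adapter should show an address from 192.168.5.100-119. If the router can ping an internal host but the client cannot, the usual cause is return routing rather than the VPN: a host (or switch) whose default gateway is not the 1811 needs a route for 192.168.5.0/24 pointing at the 1811's address on that subnet, otherwise its replies never come back to the tunnel. On the Shrew Soft side, the Easy VPN group name is carried as the local identity (Key Identifier type, with the group name as the key ID string) and the group key as the pre-shared key, with the XAUTH username and password entered separately; those UI details are general Shrew Soft behaviour, not something from this thread.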
11-23-2010 10:37 AM
Can you verify these commands ?
(config)#int FastEthernet 2
(config-if)#sw mode access
(config-if)#sw access vl 2
(config)#int vl 2
!192.168.0.249 is unused on the subnet
(config-if)#ip address 192.168.0.249 255.255.255.0
(config-if)#no shut
(config)#access-list 101 permit ip 192.168.5.0 0.0.0.255 any
(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 any
(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 any
Thanks
Edit:
The above commands don't allow me to ping a device at 192.168.1.1. Is there something I need to add for routing as well?
Edit 2:
I can ping the device at 192.168.1.1 from the console of the 1811 but not from the remote end of the tunnel. Does that make it a routing issue?
Thanks