01-19-2010 08:13 AM
I have a Cisco 871 router running Cisco IOS 12.4(24).
I want to configure this device to terminate VPN connections from remote laptops using the Cisco VPN client. I have downloaded the latest version of the Cisco VPN client.
These laptops are running XP and MAC.
I want to use a pre-shared key for authentication.
Does anyone have an example of a config I can use or any advice on a direction I should take? Any pitfalls to avoid?
Thanks,
01-19-2010 11:41 AM
I have a Cisco 871 router running Cisco IOS 12.4(24).
I want to configure this device to terminate VPN connections from remote laptops using the Cisco VPN client. I have downloaded the latest version of the Cisco VPN client.
These laptops are running XP and MAC.
I want to use a pre-shared key for authentication.Does anyone have an example of a config I can use or any advice on a direction I should take? Any pitfalls to avoid?
Thanks,
There are quite a few examples of IPSEC configuration on the Cisco site. Start here and if you need further clarification then come back -
http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor15
Jon
01-26-2010 11:04 PM
I did quite a bit of reading.
I am quite familiar with IPSEC, just not on Cisco's implementaion.
From bits and pieces, here and there, I have arrived to the following config.
It does NOT work.
PLEASE HELP......
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2010.01.27 01:47:28 =~=~=~=~=~=~=~=~=~=~=~=
show run
Building configuration...
Current configuration : 6045 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname drw871
!
boot-start-marker
boot-end-marker
!
enable secret 5 -------------------------
enable password 7 -----------------------
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization exec default local
aaa authorization network groupauth local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1963796551686
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1963796551686
revocation-check none
rsakeypair TP-self-signed-1963795651686
!
!
crypto pki certificate chain TP-self-signed-1963796551686
certificate self-signed 01
-----------------------
quit
dot11 syslog
!
dot11 ssid office98
vlan 1
authentication open
authentication key-management wpa
guest-mode
mbssid guest-mode
wpa-psk ascii 7 -----------------------
!
dot11 ssid office98 guest-mode
authentication open
--More-- wpa-psk ascii 7 -----------------------
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.0.116 192.168.0.254
!
ip dhcp pool Internal-net
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server ----------------------- -----------------------
domain-name dr.off98
lease 4
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name dr.off
ip name-server -----------------------
ip name-server -----------------------
ip name-server -----------------------
!
!
!
!
username capone -----------------------
username stiffer -----------------------
username scammer -----------------------
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group Oschool
key mykey
pool OS-VPN
save-password
max-users 5
max-logins 2
!
!
crypto dynamic-map Oschool 10
reverse-route
!
!
crypto map SW-Client client authentication list userauth
crypto map SW-Client isakmp authorization list groupauth
crypto map SW-Client client configuration address respond
crypto map SW-Client 10 ipsec-isakmp dynamic Oschool
!
crypto ctcp port 443 10000
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface Loopback99
ip address 192.168.99.1 255.255.255.0
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map SW-Client
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 45
!
!
ssid office98
!
ssid office guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool OS-VPN 192.168.99.2 192.168.99.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
!
control-plane
!
bridge 1 route ip
!
line con 0
password 7 -----------------------
no modem enable
line aux 0
line vty 0 4
password 7 -----------------------
!
scheduler max-task-time 5000
end
Thanks.......................
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide