Cisco 837 and vpn client

olivier_1968 · ‎09-02-2005

Hello all !

Is anybody know if it's possible to setup a vpn beetween a cisco router 837 and a vpn client 4.04 (or 3.0), we have many roaming users who need to connect to our main site from the internet network ,our main site is connected to internet thru a 837.

Thanks in advance for your help

olivier

d-mark · ‎09-04-2005

Hi Oliver,

it should be possible to configure a 837 as Easy VPN Server. See the following link for more info:

http://www.cisco.com/en/US/products/hw/routers/ps380/products_data_sheet09186a008010e5c5.html

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns142/networking_solutions_white_paper09186a0080117919.shtml

http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

hth

Mark

jackko · ‎09-04-2005

read below is a "cut-down" version of config, which should serve as an example to follow. feel free to post your existing config and we will help you to modify.

username cisco password 7 xxxxxxxx

aaa new-model

aaa authentication login vpnauthen local

aaa authorization network vpnauthor local

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group vpngroup

key xxxxxxxx

pool vpnpool

acl 130

crypto ipsec transform-set vpnset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10

set transform-set vpnset

crypto map vpnmap client authentication list vpnauthen

crypto map vpnmap isakmp authorization list vpnauthor

crypto map vpnmap client configuration address respond

crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

interface Ethernet0

ip address 172.16.8.1 255.255.255.0

ip nat inside

interface Dialer0

ip nat outside

crypto map vpnmap

ip local pool vpnpool 10.12.12.1 10.12.12.10

ip nat inside source route-map nonat interface Dialer0 overload

access-list 101 deny ip 172.16.8.0 0.0.0.255 10.12.12.0 0.0.0.255

access-list 101 permit ip 172.16.8.0 0.0.0.255 any

access-list 130 permit ip 172.16.8.0 0.0.0.255 10.12.12.0 0.0.0.255

route-map nonat permit 10

match ip address 101

olivier_1968 · ‎09-06-2005

Many thanks for your exemple, it will help me.

I goign to include your exemple in my present configuration.

this router is also used to connect our site to another office (a vpn rputer 837 to PIX 506).

I keep you posted.

Olivier

jackko · ‎09-18-2005

just wondering how you go

juan-navarro · ‎09-23-2005

Same here, I would like to know if you were able to get both the site to site vpn tunnel and vpn clients to connect to the same router at the same time.

Juan

olivier_1968 · ‎09-25-2005

Hi Juan,

I build the configuration (vpn client +vpn tunnel), i wil test it next week , i keep you inform if it works !!!

olivier

r.perera · ‎09-26-2005

Hi I did the sam ething with 2651XM, it already have site2site VPN and I need to get the VPN client working, I check with many configs, EsyVPN server etc

It Always error with this msg

CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer

This is my config (only vpn client)

crypto isakmp client configuration group opsnetvpngroup

key cisco1232

pool vpnpool

acl 150

crypto ipsec transform-set opsnet-vpnset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 900

set transform-set opsnet-vpnset

crypto map OPSNETMAP client authentication list vpnauthen

crypto map OPSNETMAP client configuration address respond

crypto map OPSNETMAP 900 ipsec-isakmp dynamic dynmap

ip local pool vpnpool 172.31.18.241 172.31.18.246

access-list 150 permit ip 172.31.18.240 0.0.0.7 any

Any help will be appreciated

r.perera · ‎09-26-2005

Hi, I got valuable tip from cisco tac about my defered version,

This time I use 2821 as my easyVPN server, after upgrade to 12.3(8)T8 I have my site-2-site and vpn client in one single router

I use SDM to craete the EasyVpn server, it's easy and simple.