Cisco 857 - EasyVPN, not so easy?

c04horner
Level 1

Hi

I have a 857 (124-4.T12)

And would like to setup an EasyVPN server.

I can run through the wizard in CCP, but it does not work from the VPN client. It does not complete the first stage of comms.

All I have done is run the wizard and create a user.

I'm fairly happy with Cisco routers, but the VPN part is new to me.

I've read the walkthrough document on the Cisco site.

I created it on a new local loopback.

The first time I run the wizard and click test it tells me none of the crypto interfaces are up.

Are there some prereqs I'm missing?

Thanks

6 Replies

ccnpwannabe
Level 1

Hi

Look into this discussion as it might give you more insight into what EasyVPN is all about:

https://supportforums.cisco.com/thread/2059992

andamani
Cisco Employee

Hi,

Here is the link which will help you configure RA VPN on routers:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a00801c4246.shtml

I can check the configuration of the tunnel if you paste the sh run of the router.

Regards,

Anisha

-do rate helpful posts

c04horner
Level 1

Thanks for the links.

I've stepped through the guide, using the CCP to configure.

There are a couple of stages where I'm not quite sure I've got it right.

I've created a loopback interface; is that correct? It's what the wizard has as default. What should the IP be? A real one or 127.0.0.1?

Or should I create it unnumbered to the dialer/VLAN?

AAA is enabled and the group is there, and I've allowed the CCP to modify the firewall.

I've entered a PSK and an IP pool (on a different range from VLAN1).

I click Test VPN and it initially fails, saying none of the crypto-applied interface(s) are up.

If I close the wizard and re-run the test it says everything is OK.

If I then try to connect from a client it doesn't connect at all; it says "contacted the security gateway" and then says the remote peer stopped responding.

Sorry - I'm sure this is really stupid, but it's the only way to learn!

Hi Chris,

No issues with that.

The crypto map has to be applied to an interface which has a real IP and has Internet connectivity, i.e. the ISP-facing one.

Why don't you login to your router, take the output of "sh run" and paste it here.

Let me have a look at it, modify it if required and then explain the changes to you. What say?

Regards,

Anisha

Chris, VPNs are far from easy; it took me a couple of days to set up my first one, but this was before the GUI craze with Cisco. All of my old links to set up an IPSec VPN are dead on the Cisco site, so I'll post a working config for you to compare to your own config. This should help.

Cheers,

Sam

c04horner
Level 1

Thanks a lot guys.

My IOS skills are limited really to setting the IP on the VLAN and bringing up the ports on a fresh router; that's all I do - then turn on http-server. I then use the CCP to do the rest, apart from TFTP'ing new IOS images into the flash:

Ideally I'd like to know how to do this via the CCP, but if I have to use the IOS I'll do my best!

I'm wondering if the crypto is done when you run the EasyVPN wizard or not, or if I've bound it to the wrong interface.

I'm not new to VPNs generally, I've used Zyxel or Windows PPTP to do them before, but I'd like to learn the Cisco way as the equipment is so much more robust, I find.

All I am trying to achieve is:

857, 1 ADSL over POTS + 1 VLAN, with a dial-up VPN from the Cisco client to get at a server IPMI card to reboot etc., nothing fancy.

The routing and firewall etc. stuff is fine, but the VPN stuff is the problem!

Here's my current running-config.

Current configuration : 5124 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco857
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$xCvg$X3NIta.CZ5ajnbrekEN401
enable password
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
!
dot11 syslog
!
!
ip cef
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
!
!
!
username admin privilege 15 view root secret 5 $1$L/K4$WwLw7h0b91Y3gf/GlB
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key
pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 1800
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 10000
archive
log config
  hidekeys
!
!
!
!
!
interface Loopback0
ip address 192.168.11.254 255.255.255.0
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.10.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
ip inspect CCP_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password 0
!
ip local pool SDM_POOL_1 192.168.11.50 192.168.11.60
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.5 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.10.10 443 interface Dialer0 443
ip nat inside source static tcp 192.168.10.10 25 interface Dialer0 25
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp any host 192.168.10.254 eq 10000
access-list 100 permit udp any host 192.168.10.254 eq non500-isakmp
access-list 100 permit udp any host 192.168.10.254 eq isakmp
access-list 100 permit esp any host 192.168.10.254
access-list 100 permit ahp any host 192.168.10.254
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp any any eq 10000
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 3389
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
snmp-server community public RO
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password
!
scheduler max-task-time 5000
end
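As an added example (not from this thread, nor Cisco's or CCP's own code), here is a small Python check that parses a running-config paste like the one above and verifies the Easy VPN pieces the replies point at: that the client group has a pre-shared key and an address pool that actually exists as an ip local pool, that the ISAKMP profile's virtual-template carries tunnel protection bound back through the IPsec profile to that ISAKMP profile, and, following Anisha's point that the crypto must terminate on the interface with real Internet connectivity, that the default-route interface's inbound ACL admits IKE (udp/isakmp), NAT-T (udp/non500-isakmp) and ESP from arbitrary remote peers. The sample config is constructed with placeholder values, the function names are mine, and the ACL walk is a simplification (entries with a specific source or destination are skipped, since they cannot match every peer). Note that the paste above shows the group's key line with no value, which this check would flag; it is also what a redacted paste looks like.

```python
SECTION_PREFIXES = ("interface ", "crypto isakmp policy ", "crypto isakmp profile ",
                    "crypto isakmp client configuration group ", "crypto ipsec profile ")

# Constructed excerpt in the shape of the config pasted above; hypothetical values, and
# the pre-shared key is a placeholder rather than anyone's real secret.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
!
crypto isakmp client configuration group VPN
 key PLACEHOLDER_PSK
 pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN
   virtual-template 1
!
crypto ipsec profile CiscoCP_Profile1
 set isakmp-profile ciscocp-ike-profile-1
!
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
!
ip local pool SDM_POOL_1 192.168.11.50 192.168.11.60
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 deny   ip any any log
"""

def parse_config(text):
    """{section header: [sub-commands]} plus global commands; indentation is ignored
    because pastes lose it, so '!' or the next section header ends a section."""
    sections, glob, cur = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "end":
            continue
        if line == "!":
            cur = None
        elif line.startswith(SECTION_PREFIXES):
            cur, sections[line] = line, []
        elif cur is not None:
            sections[cur].append(line)
        else:
            glob.append(line)
    return sections, glob

def _addr(tokens):  # consume 'any', 'host A' or 'A wildcard'; return (spec, rest)
    return ("any", tokens[1:]) if tokens[0] == "any" else (" ".join(tokens[:2]), tokens[2:])

def acl_permits(entries, proto, port=None):
    """First-match walk of an extended ACL, as IOS does it, for proto/port from an arbitrary
    remote address; entries with a specific source/destination cannot match every peer and
    are skipped, and running off the end is the implicit deny."""
    for tok in (e.split() for e in entries):
        if tok[2] == "remark" or tok[3] not in (proto, "ip"):
            continue
        src, rest = _addr(tok[4:])
        dst, rest = _addr(rest)
        if src != "any" or dst != "any":
            continue
        if "eq" in rest and rest[rest.index("eq") + 1] != port:
            continue
        return tok[2] == "permit"
    return False

def audit_easyvpn(text):
    """Return findings; an empty list means the Easy VPN chain checked out."""
    sections, glob = parse_config(text)
    by = lambda p: {k[len(p):].split()[0]: v for k, v in sections.items() if k.startswith(p)}
    groups, ike, ipsec, ifs = (by("crypto isakmp client configuration group "),
                               by("crypto isakmp profile "), by("crypto ipsec profile "), by("interface "))
    pools = {c.split()[3] for c in glob if c.startswith("ip local pool ")}
    out = [] if by("crypto isakmp policy ") else ["no 'crypto isakmp policy' (IKE phase 1)"]
    for name, cmds in groups.items():            # client group: PSK and address pool
        key = [c.split() for c in cmds if c.split()[0] == "key"]
        if not key or len(key[0]) < 2:
            out.append(f"group {name}: pre-shared key missing or empty")
        pool = [c.split()[1] for c in cmds if c.startswith("pool ")]
        if not pool or pool[0] not in pools:
            out.append(f"group {name}: address pool missing or has no 'ip local pool'")
    for name, cmds in ike.items():               # isakmp profile -> virtual-template -> ipsec profile
        for tok in (c.split() for c in cmds):
            if tok[0] == "virtual-template":
                vt = "Virtual-Template" + tok[1]
                prot = [c.split()[4] for c in ifs.get(vt, []) if c.startswith("tunnel protection ipsec profile ")]
                if not prot:
                    out.append(f"isakmp profile {name}: {vt} missing or has no tunnel protection")
                elif f"set isakmp-profile {name}" not in ipsec.get(prot[0], []):
                    out.append(f"{vt}: ipsec profile {prot[0]} undefined or not bound to {name}")
    # Internet-facing interface = default-route exit; IKE, NAT-T and ESP must pass its inbound ACL
    exit_if = [c.split()[4] for c in glob if c.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    if not exit_if or exit_if[0] not in ifs:
        return out + ["default route does not point at a configured interface"]
    wan = exit_if[0]
    for acl in (c.split()[2] for c in ifs[wan] if c.startswith("ip access-group ") and c.endswith(" in")):
        entries = [c for c in glob if c.startswith(f"access-list {acl} ")]
        for proto, port, what in (("udp", "isakmp", "IKE"), ("udp", "non500-isakmp", "NAT-T"), ("esp", None, "ESP")):
            if not acl_permits(entries, proto, port):
                out.append(f"{wan}: inbound ACL {acl} blocks {what} ({proto}/{port or 'any'}) from remote peers")
    return out
```

Run `audit_easyvpn(open("sh-run.txt").read())` against a saved "sh run" and read the findings; an empty list means the wizard's objects reference each other correctly and the outside ACL is not what stops phase 1. It deliberately does not judge the key or the 3DES/SHA choice, only whether the chain is wired up.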