10-13-2010 08:01 PM
I've followed every wizard in the CCP program to set up a simple VPN so I can access my work network from home and nothing works. I am lost and out of ideas.
Can anyone give me a simple walkthrough on setting one up? I just want to be able to set up a connection in Windows that I can "connect" to from my home cable internet using a username/password that will allow me to access the network from home as if my computer was there at the office.
Do I need special software on the remote computer? I've seen people connect to VPNs just using Windows VPN connection setup, I assume via IPsec?
10-14-2010 12:41 PM
Hi,
You can connect using the VPN client software from Cisco using IPsec.
Or you can connect using the Windows native VPN client (PPTP or L2TP).
Which protocol are you trying and we can send you a link.
Federico.
10-14-2010 02:01 PM
I can't get any method to work, but I don't have any software from Cisco for the VPN, so let's assume Windows native VPN connection.
10-14-2010 02:18 PM
Trying to find a nice clean document but I don't see one.
Take a look at this discussion:
https://supportforums.cisco.com/message/273122#273122
Federico.
10-14-2010 05:34 PM
I don't really see any answer at all. What I really need is to know what I need to set up on the router to allow for the connection to work.
I already know how to use the Windows native VPN client, I just need to get the router to accept VPN connections.
10-14-2010 05:51 PM
This is more or less how the configuration on the router goes:
hostname fifi
!
username l2tp-w2k password 0 ww
!--- This is the password for the Windows 2000 client.
!--- With AAA, the username and password can be offloaded to the external
!--- AAA server.
!
vpdn enable
!--- Activates VPDN.
!
vpdn-group l2tp-w2k
!--- This is the default L2TP VPDN group.
accept-dialin
protocol l2tp
!--- This allows L2TP on this VPDN group.
virtual-template 1
!--- Use virtual-template 1 for the virtual-interface configuration.
no l2tp tunnel authentication
!--- The L2TP tunnel is not authenticated.
!--- Tunnel authentication is not needed because the client will be
!--- authenticated using PPP CHAP/PAP. Keep in mind that the client is the
!--- only user of the tunnel, so client authentication is sufficient.
!
interface loopback 0
ip address 1.1.1.1 255.255.255.255
!
interface Ethernet1/0
ip address 200.0.0.14 255.255.255.0
ip router isis
duplex half
tag-switching ip
!
interface Virtual-Template1
!--- Virtual-Template interface specified in the vpdn-group configuration.
ip unnumbered Loopback0
peer default ip address pool pptp
!--- IP address for the client obtained from IP pool named pptp (defined below).
ppp authentication chap
!
ip local pool pptp 1.100.0.1 1.100.0.10
!--- This defines the "Internal" IP address pool (named pptp) for the client.
ip route 199.0.0.0 255.255.255.0 200.0.0.45
Federico.
10-14-2010 07:40 PM
I tried what you gave me and nothing works. Can you explain your IP schemes? They don't make sense. My IP pools as it stands for the VLANs I have are 10.10.10.1 and 10.10.20.1. And for example's sake my outside IP is 192.168.1.1
10-15-2010 03:16 PM
This link explains how to configure the router to accept IPsec VPN connections from a client:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html#wp1192045
The feature is called EzVPN server and you need the IPsec client installed on the client machine.
If you use the GUI, you should be able to configure the other VPN type (L2TP), I just don't seem to find a good link on the web for it.
Federico.
11-10-2010 02:22 PM
The following assumes that FastEthernet 0/1 is NAT outside and 0/0 is NAT inside.
From global config mode: (just add these lines to the ACL you already have on outside)
!--- Access list to permit IPsec/ISAKMP packets.
ip access-list ex outside-interface-in
permit udp any host 192.168.1.1 eq isakmp
permit udp any host 192.168.1.1 eq non500-isakmp
permit ahp any host 192.168.1.1
permit esp any host 192.168.1.1
exit
!--- Access list for split tunneling so that you can still access internet from your remote client while tunneled to work.
ip access-list ex SPLIT_TUNNEL
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.20.20.0 0.0.0.255 any
exit
!--- Addresses assigned to remote access VPN clients.
ip local pool VPNPOOL 10.40.40.1 10.40.40.20
!--- If you already have login authentication and network authorization configured, just stick with what you have.
aaa authentication login LOCAL_AUTHEN local
aaa authorization network GROUP_AUTHOR local
username myvpnuser secret MYSECRETPASSWORD
int fa 0/1
ip access-group outside-interface-in in
exit
crypto isakmp enable
crypto isakmp policy 10
hash sha
auth pre
group 5
lifetime 86400
encryption aes 256
exit
crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
crypto isakmp client configuration group MYVPNGROUP
dns 10.10.10.5
wins 10.10.10.6
!--- whatever they are.
key
acl SPLIT_TUNNEL
pool VPNPOOL
exit
crypto dynamic-map MYDYNMAP 1
set transform-set MYSET
reverse-route
exit
crypto map MYMAP client authentication list LOCAL_AUTHEN
crypto map MYMAP isakmp authorization list GROUP_AUTHOR
crypto map MYMAP client configuration address respond
crypto map MYMAP 10 ipsec-isakmp dynamic MYDYNMAP
interface fa0/1
crypto map MYMAP
exit
I think that's pretty much it.
To set up the client, you need the group name (MYVPNGROUP), the outside address of your router, the key from the "crypto isakmp client" section, and your username and password. I highly recommend getting hold of the Cisco Easy VPN client, but this should work with the Windows client.
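Added example, not part of any post in this thread: a Python check that a split-tunnel ACL such as SPLIT_TUNNEL above covers the internal subnets and that the VPN address pool does not overlap them. The embedded config is a constructed copy of the posted lines, and the /24 masks for the two VLANs mentioned earlier in the thread are an assumption.

```python
import ipaddress
import re

# Constructed sample: the SPLIT_TUNNEL ACL and VPNPOOL lines as posted above.
CONFIG = """\
ip access-list ex SPLIT_TUNNEL
permit ip 10.10.10.0 0.0.0.255 any
permit ip 10.20.20.0 0.0.0.255 any
exit
ip local pool VPNPOOL 10.40.40.1 10.40.40.20
"""
# Assumption: the two VLANs named earlier in the thread are /24 networks.
INTERNAL = ["10.10.10.0/24", "10.10.20.0/24"]

ACE = re.compile(r"^\s*permit ip (\S+) (\S+) any\s*$")
POOL = re.compile(r"^\s*ip local pool \S+ (\S+) (\S+)\s*$")

def acl_networks(config, acl_name):
    """Networks permitted by a named ACL (contiguous wildcard masks only)."""
    nets, inside = [], False
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["ip", "access-list"]:
            inside = words[-1] == acl_name
        elif words == ["exit"]:
            inside = False
        elif inside and (m := ACE.match(line)):
            # ip_network() accepts a wildcard (host mask) after the slash.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return nets

def uncovered(config, acl_name, internal):
    """Internal subnets the split-tunnel ACL would NOT route through the tunnel."""
    permitted = acl_networks(config, acl_name)
    return [n for n in internal
            if not any(ipaddress.ip_network(n).subnet_of(p) for p in permitted)]

def pool_overlaps(config, internal):
    """Internal subnets that contain addresses handed out from a local pool."""
    hits = set()
    for m in filter(None, map(POOL.match, config.splitlines())):
        lo, hi = (ipaddress.ip_address(a) for a in m.groups())
        for block in ipaddress.summarize_address_range(lo, hi):
            hits |= {n for n in internal if block.overlaps(ipaddress.ip_network(n))}
    return sorted(hits)

if __name__ == "__main__":
    print("not in split tunnel:", uncovered(CONFIG, "SPLIT_TUNNEL", INTERNAL))
    print("pool overlaps:", pool_overlaps(CONFIG, INTERNAL))
```

A subnet reported as not in the split tunnel is one whose traffic the client would send out its local internet connection instead of through the VPN.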