
Cisco 897VA - Easy VPN Server

Storm Trooper
Level 1

Hi,

I'm trying to configure a 897VA as a VPN Server, for 3 remote users to connect to. 

I can't for the life of me seem to get this configured, despite going through the setup guide. I have all the aaa authentication in place and the remaining relevant config is as follows:

crypto isakmp profile vpn-profile-1
 match identity group test1
 match identity group test2
 client authentication list test_vpn_xauth_ml_7
 isakmp authorization list test_vpn_group_ml_7
 client configuration address respond
 keepalive 3000 retry 20
 virtual-template 5

crypto ipsec profile VPN_Profile1
 set transform-set ESP-3DES-SHA13
 set isakmp-profile vpn-profile-1

crypto ipsec transform-set ESP-3DES-SHA13 esp-3des esp-sha-hmac
 mode tunnel

interface Virtual-Template5 type tunnel
 ip unnumbered Dialer0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Test_Profile1

If I do a show crypto map I get the following for the Virtual-Template5 interface:

Crypto Map IPv4 "Virtual-Template5-head-0" 65536 ipsec-isakmp
        ISAKMP Profile: vpn-profile-1
        Profile name: VPN_Profile1
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Mixed-mode : Disabled
        Transform sets={
                ESP-3DES-SHA13:  { esp-3des esp-sha-hmac  } ,
        }
        Interfaces using crypto map Virtual-Template5-head-0:

So, Virtual-Template5 crypto map has no interface associated with it, which I think is the issue. However, I am unable to assign this manually as it has been dynamically created.

Any help or advice gratefully appreciated.

Thanks.
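
An added example, not written by anyone in this thread: a small Python check that cross-references crypto object names in a configuration like the one posted above, where the excerpt defines `crypto ipsec profile VPN_Profile1` while the Virtual-Template's `tunnel protection` line names `Test_Profile1`. The function name `check_references` and the trimmed sample are assumptions made for the example, and the sample assumes sub-commands are indented one space as IOS prints them.

```python
import re

# Constructed sample: a trimmed copy of the commands posted above, with
# sub-commands indented one space the way IOS prints a running config.
POSTED_CONFIG = """\
crypto isakmp profile vpn-profile-1
 match identity group test1
 virtual-template 5
crypto ipsec profile VPN_Profile1
 set transform-set ESP-3DES-SHA13
 set isakmp-profile vpn-profile-1
crypto ipsec transform-set ESP-3DES-SHA13 esp-3des esp-sha-hmac
 mode tunnel
interface Virtual-Template5 type tunnel
 ip unnumbered Dialer0
 tunnel protection ipsec profile Test_Profile1
"""

# kind -> pattern for the top-level line that defines an object of that kind
DEFINES = {
    "isakmp-profile": r"crypto isakmp profile (\S+)",
    "ipsec-profile": r"crypto ipsec profile (\S+)",
    "transform-set": r"crypto ipsec transform-set (\S+)",
    "virtual-template": r"interface Virtual-Template(\d+)",
}
# kind -> pattern for the sub-command that refers to an object of that kind
REFERS = {
    "isakmp-profile": r"set isakmp-profile (\S+)",
    "ipsec-profile": r"tunnel protection ipsec profile (\S+)",
    "transform-set": r"set transform-set (.+)",  # may name several sets
    "virtual-template": r"virtual-template (\d+)",
}

def check_references(config):
    """Return (dangling, unused) as sets of (kind, name): names that are
    referenced but never defined, and names defined but never referenced."""
    defined, referenced = set(), set()
    for line in config.splitlines():
        is_sub = line[:1].isspace()  # indented line = sub-command
        for kind, pattern in (REFERS if is_sub else DEFINES).items():
            m = re.match(pattern, line.strip())
            if m:
                for name in m.group(1).split():
                    (referenced if is_sub else defined).add((kind, name))
    return referenced - defined, defined - referenced

if __name__ == "__main__":
    dangling, unused = check_references(POSTED_CONFIG)
    for kind, name in sorted(dangling):
        print(f"referenced but not defined: {kind} {name}")
    for kind, name in sorted(unused):
        print(f"defined but never referenced: {kind} {name}")
```

The check only compares names inside the text it is given, so it should be run against the full output of `show running-config` rather than an edited excerpt.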

6 Replies

Philip D'Ath
VIP Alumni

Try using my Cisco 897 config wizard.

http://www.ifm.net.nz/cookbooks/890-isr-wizard.html

Tick the box for "Enable client to site IPSec VPN", and then extract out the bits of the config that are relevant.

Thanks for this Philip, looks a really useful tool that I will be able to utilise moving forward.

I've copied out the relevant parts, but still get the same if I do a show crypto map, in that there are no interfaces assigned to the Virtual-Template crypto map.

What software version are you using on your 897?  I would personally recommend you run:

c800-universalk9-mz.SPA.154-3.M7.bin

Hmmm.  I'll give this a go.  At present it's running c800-universalk9-mz.SPA.156-2.T1.bin

We use that particular ConfigWizard at least once a week, so I am very confident on what it produces.

You could also try wiping your router, and letting the wizard generate the whole config for you.

Everything else seems ok on the router. I've set up Site-Site VPN without any issues. Just the Client-Site that is playing up. Thanks Philip, if the software downgrade doesn't help I'll give it a go.