04-25-2008 07:42 PM - edited 02-21-2020 03:41 PM
Hi,
I'm trying to create a VPN Tunnel to be able to access my network remotely from a dynamic IP address.
Currently I have a few machines and a server on IP subnet 192.168.1.0/0.0.0.255
and would like to use them as though I was inside the intranet!
I have started the config already but didn't understand a lot from the Cisco documentation. I would be grateful for any assistance.
My running-config is attached.
Thanks in advance!
04-28-2008 08:10 AM
The Cisco VPN client asks for either a certificate or authorized group of users. How can I implement this into my config?
Also how do I tell the router what is accessible within the network?
11-30-2010 04:26 PM
Hi Kayasaman,
I ran into the same problem. I have a 857W at home and I would like to set up a VPN
Are you able to share a working config for it?
Cheers,
Fabio
12-01-2010 11:46 PM
Hi Fabio,
sorry for the late reply!
My ISP did something strange to my network at home meaning I can't access the forums from there and hence have to write in from work now.
I have got some config for you:
Router1 = 200.1.1.1
Router2 = 200.2.2.2
------------------------------------------------------Router1----------------------------
[...]
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 200.2.2.2
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 200.2.2.2
set transform-set myset
match address 101
[...]
interface Dialer0
description To DSLAM
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
no ip route-cache
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname chapuname
ppp chap password 7 chappasswd
ppp ipcp dns 200.1.1.2 200.1.1.3
crypto map myvpn
[...]
ip nat inside source route-map NO-NAT interface Dialer0 overload
[...]
access-list 101 permit ip 172.16.0.0 0.0.0.63 192.168.0.0 0.0.1.255
access-list 101 permit ip 172.16.0.64 0.0.0.63 192.168.0.0 0.0.1.255
access-list 101 permit ip 172.16.0.192 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 deny ip 172.16.0.0 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 deny ip 172.16.0.64 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 deny ip 172.16.0.192 0.0.0.63 192.168.0.0 0.0.1.255
access-list 110 permit ip 172.16.0.0 0.0.0.255 any
access-list 110 permit ip 172.16.1.0 0.0.0.63 any
[...]
dialer-list 1 protocol ip permit
route-map NO-NAT permit 10
match ip address 110
------------------------------------------------------Router2----------------------------
[...]
crypto isakmp policy 10
authentication pre-share
crypto isakmp key ciscokey address 200.1.1.1
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
set peer 200.1.1.1
set transform-set myset
match address 101
[...]
interface Dialer0
description To DSLAM
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
no ip route-cache
dialer pool 1
no cdp enable
ppp authentication chap callin
ppp chap hostname chapuname
ppp chap password 7 chappasswd
ppp ipcp dns 200.2.2.2 200.2.2.3
crypto map myvpn
[...]
ip nat inside source route-map NO-NAT interface Dialer0 overload
[...]
access-list 101 permit ip 192.168.0.0 0.0.1.255 172.16.0.0 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.1.255 172.16.0.64 0.0.0.63
access-list 101 permit ip 192.168.0.0 0.0.1.255 172.16.0.192 0.0.0.63
access-list 110 deny ip 192.168.0.0 0.0.1.255 172.16.0.0 0.0.0.63
access-list 110 deny ip 192.168.0.0 0.0.1.255 172.16.0.64 0.0.0.63
access-list 110 deny ip 192.168.0.0 0.0.1.255 172.16.0.192 0.0.0.63
access-list 110 permit ip 192.168.0.0 0.0.1.255 any
[...]
dialer-list 1 protocol ip permit
route-map NO-NAT permit 10
match ip address 110
12-01-2010 11:49 PM
If you add this in addition to the full router config the VPN will work!!
You can also use these tools to debug:
show crypto isakmp sa
show crypto ipsec sa
more tools can be found if you run the:
show crypto isakmp ?
or
show crypto ipsec ?
commands.
debug commands can also be run!
Regards,
Kaya
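"show crypto isakmp sa" and "show crypto ipsec sa" tell you whether the tunnel negotiated, not whether what it negotiated is strong. In the config posted above the ISAKMP policy sets only "authentication pre-share", so IOS fills the rest from its documented defaults (DES encryption, SHA hash, DH group 1), the transform set is 3DES with MD5, and the crypto map has no "set pfs". The script below is an added example, not from the thread or from Cisco: it parses those crypto lines (copied here as constructed input), applies the IOS defaults for unset ISAKMP parameters, and lists the weak settings. The hardened counterpart is also constructed; the 20-character pre-shared-key floor is this example's own threshold, and whether an 857W accepts "hash sha256", "group 14" or "esp-sha256-hmac" depends on its IOS release, so check each with "?" on the router.

```python
"""Weak-setting audit for an IOS crypto-map IPsec configuration.

Added example, not from the thread. Unset 'crypto isakmp policy' parameters are
filled with the documented IOS defaults before being judged.
"""
import re

# Constructed from the Router1 snippet posted in the thread (Router2 is identical).
POSTED_CRYPTO = """
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ciscokey address 200.2.2.2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.2.2.2
 set transform-set myset
 match address 101
"""

# Constructed hardened counterpart (assumes an IOS release that accepts these keywords).
HARDENED_CRYPTO = """
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key replace-with-a-long-random-secret address 200.2.2.2
!
crypto ipsec transform-set myset esp-aes 256 esp-sha256-hmac
!
crypto map myvpn 10 ipsec-isakmp
 set peer 200.2.2.2
 set transform-set myset
 set pfs group14
 match address 101
"""

# IOS defaults applied when a policy does not set the parameter.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
# DES/3DES, MD5 and MODP groups below 2048 bits are flagged.
WEAK_ISAKMP = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
MIN_PSK_LEN = 20  # this example's own floor, not an IOS rule


def _blocks(text, header):
    """Return [(header_match, [sub-line tokens])] for each block opened by `header`.

    A block ends at the next top-level 'crypto ...' line or a '!' separator."""
    blocks, current = [], None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        m = re.match(header, s)
        if m:
            current = (m, [])
            blocks.append(current)
        elif s == "!" or s.startswith("crypto "):
            current = None
        elif current is not None:
            current[1].append(s.split())
    return blocks


def audit(text):
    findings = []
    for m, body in _blocks(text, r"crypto isakmp policy (\d+)$"):
        explicit = {p[0]: " ".join(p[1:]) for p in body}
        for k in ("encryption", "hash", "group"):
            v = explicit.get(k, ISAKMP_DEFAULTS[k])
            if v in WEAK_ISAKMP[k]:
                src = "configured" if k in explicit else "implicit default"
                findings.append(f"isakmp policy {m.group(1)}: {k} {v} ({src})")
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["crypto", "isakmp", "key"] and len(p[3]) < MIN_PSK_LEN:
            peer = p[p.index("address") + 1] if "address" in p else "?"
            findings.append(f"isakmp key for {peer}: {len(p[3])} characters, shorter than {MIN_PSK_LEN}")
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = [t for t in p[4:] if t in WEAK_ESP]
            if weak:
                findings.append(f"transform-set {p[3]}: {' '.join(weak)}")
    for m, body in _blocks(text, r"crypto map (\S+) (\d+) ipsec-isakmp$"):
        if not any(p[:2] == ["set", "pfs"] for p in body):
            findings.append(f"crypto map {m.group(1)} {m.group(2)}: no 'set pfs'")
    return findings


if __name__ == "__main__":
    for f in audit(POSTED_CRYPTO):
        print(f)
```

Without PFS, an attacker who later learns the pre-shared key and has captured the IKE exchange can recover the phase 2 keys from that capture; "set pfs" forces a fresh Diffie-Hellman exchange per IPsec SA. The transform-set and ISAKMP settings must be changed on both routers at once, or phase 1 and 2 will stop negotiating.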
12-02-2010 12:00 AM
Hi Kaya,
Thank you very much for getting back to me.
I'll give that a shot.
Cheers,
Fabio
12-02-2010 12:09 AM
No problem :-)
If you experience any problems at all, try rebooting the router, or taking out the VPN config to reinitialize the crypto module inside the system. Sometimes the system can become erroneous and not connect properly.
If you find yourself connected but unable to ping between systems, you might have an MTU or other unseen issue which you will need to contact your ISP about - provided they are happy to help, unlike mine!
Good luck.
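The "connected but can't ping" case is worth quantifying before calling the ISP, because with a crypto map there is no tunnel interface on which to set an MTU: ESP in tunnel mode adds a fixed overhead to every packet, and a full-size inner packet no longer fits the DSL link. The block below is an added example, not from the thread; it follows the RFC 4303 ESP framing (outer IPv4 header, SPI + sequence number, IV, padding to the cipher block, pad-length and next-header bytes, ICV) to work out the largest clear-text packet that fits and the TCP MSS to clamp to. The link MTU is an assumption to plug in: the "ip mtu" of Dialer0, typically 1500 on PPPoA or 1492 on PPPoE. AES-GCM transforms are not covered.

```python
"""ESP tunnel-mode overhead and TCP MSS for an IPsec crypto-map tunnel.

Added example, not from the thread. Sizes follow RFC 4303 ESP framing.
"""

# (cipher block size, IV length) per ESP cipher; labels are this example's own.
CIPHER = {
    "esp-des": (8, 8),
    "esp-3des": (8, 8),
    "esp-aes": (16, 16),
    "esp-aes 256": (16, 16),
    "esp-null": (4, 0),   # ESP still requires 4-byte alignment with NULL encryption
}
# ICV length per ESP authenticator (truncated HMACs per RFC 2403/2404/4868).
AUTH = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, "esp-sha256-hmac": 16, "esp-sha512-hmac": 32}

OUTER_IP = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8     # SPI (4) + sequence number (4)
TRAILER = 2     # pad length (1) + next header (1)
IP_TCP = 40     # inner IPv4 (20) + TCP (20) headers, no options


def esp_packet_len(inner_len, cipher, auth):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    block, iv = CIPHER[cipher]
    # Padding makes (inner + pad + trailer) a multiple of the cipher block.
    pad = (-(inner_len + TRAILER)) % block
    return OUTER_IP + ESP_HDR + iv + inner_len + pad + TRAILER + AUTH[auth]


def largest_inner_packet(link_mtu, cipher, auth):
    """Largest clear-text IP packet that still fits link_mtu after encapsulation.

    The size is not monotonic in inner_len because of padding, so scan rather
    than solve; link-MTU-sized ranges are tiny."""
    best = 0
    for inner in range(link_mtu + 1):
        if esp_packet_len(inner, cipher, auth) <= link_mtu:
            best = inner
    return best


def tcp_mss(link_mtu, cipher, auth):
    """Value for 'ip tcp adjust-mss' on the inside interface so TCP segments never
    need fragmenting after encryption."""
    return largest_inner_packet(link_mtu, cipher, auth) - IP_TCP


if __name__ == "__main__":
    for mtu, c, a in ((1500, "esp-3des", "esp-md5-hmac"), (1492, "esp-aes 256", "esp-sha256-hmac")):
        print(mtu, c, a, largest_inner_packet(mtu, c, a), tcp_mss(mtu, c, a))
```

For the posted esp-3des/esp-md5-hmac transform set on a 1500-byte dialer MTU this gives an inner limit of 1446 bytes and an MSS of 1406. You can confirm the limit from the router with an IOS extended ping across the tunnel, for example "ping <remote host> size 1446 df-bit source <inside address>": 1446 should answer and 1447 should not; if a much smaller size is the cutoff, something on the ISP path has a lower MTU. Apply "ip tcp adjust-mss <value>" on the inside interface on both routers so TCP sessions never send a segment that needs fragmenting after encryption.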