
Dynamic VTI IPSEC TUNNEL

tanyatamir53355
Level 1

I am trying to create a simple VPN server for my home lab using a Cisco router, 1941 or 3945 (I have access to both).

When you design a Dynamic VTI hub-and-spoke configuration, does the spoke have to be a Cisco router? Can it be any VPN client, such as the Windows native VPN, or does it have to be AnyConnect?

I want to be able to tunnel in from multiple VPN clients (spokes), such as Windows/ios clients etc., to the home lab router (hub).

Or is something like Easy VPN dynamic VTI more applicable to my need?

Any help would be much appreciated.

Many thanks.

23 Replies

tanyatamir53355
Level 1


@Rob Ingram 

 

Here is a pic of the router port forwarding/static address.

This is for one of the ports (UDP 500 VPN/IPsec).

Do I place the ISP public IP address in the source and my internal Cisco address (int gig0/0 192.168.0.254) in the destination address field?

Please have a look.

Slightly confused.

 

No, the source is 0.0.0.0 and yes, the destination is the Cisco router.

The screenshot shows "Firewall Rules Outbound Services". I'm not familiar with this ISP router, but this traffic to the Cisco router is obviously inbound.

Sorry, I sent the wrong bound, should have been inbound.

Only problem is the source IP field cannot be 0.0.0.0, it has to be an IP. Can I use the ISP router's private IP 192.168.0.1 in the source field?

However, thank you so much!

Just one final note: I have a brand new CISCO1941/K9 Cisco 1941 Integrated Services Router and used version, how can I know if it has the security pak? Show version cmd?

I have been searching everywhere for security licences for one 1900 series router. How much are they roughly?

It looks like you have a drop-down box which was currently set to single address; see what options you have there.

The 1941 is long EOL, doubt you can get licensing for it. Try eBay, you can probably get a router with the security license cheap.

Use the command "show version"; it will tell you the license.

 

You've a Sky router, read the following:

https://portforward.com/sky/er115/

https://helpforum.sky.com/t5/Broadband-Talk/How-to-set-up-port-forwarding/ba-p/2662260

 

Yes, I was confused by your terminology earlier. I basically call this inbound port forwarding on the ISP router... it's no issue. When you said NAT inbound I thought you were referring to something else.

I found a cheap 2921 and 2951 with the security k9 license. Is there any fundamental difference? Both have a single SFP and 3 WAN ports.

No, it'll work fine. You have onboard ethernet interfaces, so you don't need to use the SFP ports.

I have some SFP transceivers laying around and 2 media converters, also a few MM LC fibre cables, might as well make use of them lol

@tanyatamir53355 

Ok then, so I assume your 1941 or 3945 routers do not have the security license.

Create a new post once you receive your new hardware and have actual issues when configuring. Mark this post as solved/helpful.

I have the router 2921! (noisy compared to the 1941) with a perm securityk9 license.

I have managed to set up the VPN server with the config (see previous post); however, this configuration seems to be only working when the spoke is a router. How do I modify the code so that Windows 10 or AnyConnect VPN clients can become spokes?