Easy VPN Remote (Client) for IPSec VTIs on Cisco 1841

neyromantt1
Level 1

Router1(Cisco 1841, f0/1 - WAN, IP 172.16.1.7/24, VPN_Server) <==========Switch1========>Router1(Cisco 1841, f0/1 - WAN, IP 172.16.1.8/24, VPN_Client)

Router1: Cisco 1841 128MB/64M, IOS: c1841-advipservicesk9-mz.124-19b.bin

Router2: Cisco 1841 128MB/64M, IOS: c1841-advipservicesk9-mz.124-19b.bin

sh running-config

!======================================VPN_Server===================================

version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname rserver
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$15oL$.3L8AgLxEJyH7DFgNpoiN0
!
aaa new-model
!
aaa authentication login user local
aaa authorization network group local
!
aaa session-id common
clock timezone Moscow 3
ip cef
!
no ip domain lookup
ip domain name hvnp.loc
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username cisco password 0 cisco123
!
ip ssh authentication-retries 2
ip ssh version 2
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key cisco123
 pool vpnpool
 save-password
crypto isakmp profile easy_vpn
   match identity group vpngroup
   client authentication list user
   isakmp authorization list group
   client configuration address respond
   virtual-template 1
!
crypto ipsec transform-set vpn-vti esp-3des esp-sha-hmac
!
crypto ipsec profile easy_profile
 set transform-set vpn-vti
 set isakmp-profile easy_vpn
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback1
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.1.7 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile easy_profile
!
ip local pool vpnpool 192.168.1.2 192.168.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.254
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input none
 transport output none
!
scheduler allocate 20000 1000
ntp clock-period 17178550
ntp server 172.16.1.254
end

!===================================================================

!======================================VPN_Client===================================

version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname rclient
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$j71U$minhcQ97/lovDuurN9SS3/
!
aaa new-model
!
aaa session-id common
clock timezone Moscow 3
ip cef
!
no ip domain lookup
ip domain name hvnp.loc
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username cisco password 0 cisco123
!
ip ssh authentication-retries 2
ip ssh version 2
!
crypto ipsec client ezvpn test_easy
 connect auto
 group vpngroup key cisco123
 mode client
 peer 172.16.1.7
 username cisco password cisco123
 xauth userid mode local
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
!
interface Loopback1
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.1.8 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.16.1.254
!
!
no ip http server
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input none
 transport output none
!
scheduler allocate 20000 1000
ntp clock-period 17179093
ntp server 172.16.1.254
end

!===================================================================

When I try to specify the virtual interface in the EZVPN settings, this error appears:

rserver(config)# crypto ipsec client ezvpn test_easy
rserver(config-crypto-ezvpn)# virtual-interface 1
                              ^
% Invalid input detected at '^' marker.

How do I bind it to the VTI?

3 Replies

JP Miranda Z
Cisco Employee

Hi,

The VTI should not be specified on the crypto isakmp client in the server config; it should be specified on the client side. You can take a look at the following guide; make sure you only consider the enhanced EzVPN config on the Hub and Spoke 1.

Hope this info helps!!

Rate if it helps you!!

-JP-

Excerpts from the official documentation at the following link:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ezvpn/118240-config-ezvpn-00.html

Hub Configuration

hostname Hub
!
........
crypto isakmp client configuration group En-Ezvpn
 key test-En-Ezvpn
crypto isakmp profile En-EzVpn-Isakmp-Profile
   match identity group En-Ezvpn
   isakmp authorization list default
   client configuration address respond
   virtual-template 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile En-EzVpn-Ipsec-Profile
!
...................

Spoke 1 (Enhanced EzVPN) Configuration

............................
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
!
crypto ipsec client ezvpn En-EzVpn
 connect auto
 group En-Ezvpn key test-En-Ezvpn
 mode network-extension
 peer 172.16.0.1
 virtual-interface 1
!
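To make the binding rule from the reply above checkable, here is a small consistency check, added here as an example and not part of the thread or of Cisco's documentation: it parses an IOS running-config as text and verifies that the server's isakmp profile names a Virtual-Template that exists and carries an existing IPsec profile, and that the client's ezvpn block has a virtual-interface that names an existing Virtual-Template. The sample configs are constructed, trimmed versions modelled on the thread; the function and variable names are my own.

```python
# Constructed samples modelled on the thread's configs (trimmed; not the posted configs verbatim).
CLIENT_CFG = """crypto ipsec client ezvpn test_easy
 group vpngroup key cisco123
 peer 172.16.1.7
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
"""
SERVER_CFG = """crypto isakmp profile easy_vpn
   virtual-template 1
crypto ipsec profile easy_profile
interface Virtual-Template1 type tunnel
 tunnel protection ipsec profile easy_profile
"""

def parse_ios(text):  # -> [(top-level command, [indented subcommands])]
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith('!'):
            continue                                  # blank lines and '!' separators
        if raw.startswith(' ') and blocks:
            blocks[-1][1].append(raw.strip())         # subcommand of the current block
        elif not raw.startswith(' '):
            blocks.append((raw.rstrip(), []))         # new top-level command
    return blocks

def sub_arg(body, prefix):  # argument of the first subcommand starting with `prefix`, or None
    return next((line[len(prefix) + 1:] for line in body if line.startswith(prefix + ' ')), None)

def check_dvti_bindings(text):
    """Return findings; an empty list means the EzVPN-to-VTI bindings are consistent."""
    blocks = parse_ios(text)
    vts = {h.split()[1].removeprefix('Virtual-Template'): b for h, b in blocks
           if h.startswith('interface Virtual-Template')}
    profiles = {h.split()[-1] for h, _ in blocks if h.startswith('crypto ipsec profile ')}
    findings = []
    for hdr, body in blocks:
        # the server binds the VT under the isakmp profile, the client under the ezvpn client
        side = ('virtual-template' if hdr.startswith('crypto isakmp profile ') else
                'virtual-interface' if hdr.startswith('crypto ipsec client ezvpn ') else None)
        if side is None:
            continue
        vt = sub_arg(body, side)
        if vt is None:
            findings.append(f'{hdr}: no {side} binding to a Virtual-Template')
        elif vt not in vts:
            findings.append(f'{hdr}: Virtual-Template{vt} is not defined')
        elif side == 'virtual-template':              # server VT must also carry an existing IPsec profile
            prof = sub_arg(vts[vt], 'tunnel protection ipsec profile')
            if prof not in profiles:
                findings.append(f'Virtual-Template{vt}: ipsec profile {prof or "(none)"} is not defined')
    return findings
```

Run against the constructed client sample it reports the missing virtual-interface line, which is the same gap as in the original client config above; adding `virtual-interface 1` under the ezvpn block clears it.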

I did this:

========================================
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname rclient
!
crypto ipsec client ezvpn test_easy
 connect auto
 group vpngroup key cisco123
 mode client
 peer 172.16.1.7
 username cisco password cisco123
 xauth userid mode local
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
 crypto ipsec client ezvpn test_easy inside
!
interface Loopback1
 ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 172.16.1.8 255.255.255.192
 duplex auto
 speed auto
 crypto ipsec client ezvpn test_easy
!

.......................

=====================================
But then there is an additional loopback interface, which is stored in the running-config. And if I run
#copy run start
the created interface is saved in the startup-config.

Hi neyromantt1,

Can you be more specific about the issue here? is this DVTI not working?

Hope this info helps!!

Rate if it helps you!!

-JP-