06-01-2013 03:53 PM
Here is a copy of my Cisco 881 Easy VPN config. Can someone please let me know what I need to modify so this will work on a Cisco 1921?
Thanks in advance
hostname BTLvpn
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-11.T3.bin
boot-end-marker
no logging buffered
enable secret 5 XXXXXX
no aaa new-model
clock timezone EASTERN -5
crypto pki trustpoint TP-self-signed-733417695
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-733417695
revocation-check none
rsakeypair TP-self-signed-733417695
crypto pki certificate chain TP-self-signed-733417695
certificate self-signed 01
30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37333334 31373639 35301E17 0D303230 33303130 30313130
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3733 33343137
36393530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
DB8C973C EA391850 0A1FC496 CD6DFAA8 36F72E3B 51542A05 DF0B3BD0 6080C367
CE76E4AD 24EFD4D6 1562B1B8 63C27FED 2810B02A 18D5B8AF 349BDB51 9D735584
C46B5844 A1B46B23 9C9C449C 8C61E97F 4585FB64 BA5359AC 981DFDCA 6E87B423
B9F3269D EA9EF97E 74B0AC75 3906ED58 E87F317E 1D8CE583 2DDFFCAB 84278123
02030100 01A36E30 6C300F06 03551D13 0101FF04 05300301 01FF3019 0603551D
11041230 10820E45 41467670 6E2E7375 6E2E696E 73301F06 03551D23 04183016
8014638B 4C4459E4 18E06ADD 8A145115 1BE39596 9834301D 0603551D 0E041604
14638B4C 4459E418 E06ADD8A 1451151B E3959698 34300D06 092A8648 86F70D01
01040500 03818100 8180553B 6FCFDB9F 0307DE6C F9758A0C 775D22DA B084AAEA
8FD8C674 DC13A65D 97A76CB7 41D62861 6513E641 AA348740 2108A58F 68DE29A8
9A2161FE 0B37D8C5 1FD7B9C9 540AC637 64DBC58B 3D89E8E1 C391FBDE 54ACFC4D
7FCAE855 978ED9CA 75AED32B 19D516FB FAC6769B F9DA9892 F27EA1E9 2AF3B757
58F84AF8 FCDB2D8E
quit
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec client ezvpn VPN3000
connect auto
group Community key XXXXX
mode network-extension
peer X.X.X.X default
acl 100
username BTLuser password XXXXX
xauth userid mode local
no ip dhcp use vrf connected
ip dhcp excluded-address 172.30.86.1
ip dhcp excluded-address 172.30.86.2
ip dhcp excluded-address 172.30.86.31 172.30.86.255
ip dhcp excluded-address 172.31.86.1
ip dhcp excluded-address 172.31.86.2
ip dhcp excluded-address 172.31.86.31 172.31.86.255
ip dhcp excluded-address 172.31.86.3
ip dhcp pool DHCP-Voice
import all
network 172.30.86.0 255.255.255.0
default-router 172.30.86.1
dns-server 10.10.10.45
option 150 ip 192.168.64.4 192.168.64.3
ip dhcp pool DHCP-Data
import all
network 172.31.86.0 255.255.255.0
default-router 172.31.86.1
dns-server 10.10.10.45
no ip domain lookup
ip domain name XXXX
username admin privilege 15 password XXXXX
archive
log config
hidekeys
ip tftp source-interface Vlan10
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
policy-map Parent
class class-default
shape average 768000
service-policy AutoQoS-Policy-Trust
interface FastEthernet0
switchport access vlan 10
switchport mode access
switchport voice vlan 1
no shut
interface FastEthernet1
switchport access vlan 10
switchport mode access
switchport voice vlan 1
no shut
interface FastEthernet2
switchport access vlan 10
switchport mode access
switchport voice vlan 1
no shut
interface FastEthernet3
switchport access vlan 10
switchport mode access
switchport voice vlan 1
no shut
interface FastEthernet4
description Connection-to-Internet$ES_WAN$
ip address dhcp client-id FastEthernet4
ip access-group 124 out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
cdp enable
crypto ipsec client ezvpn VPN3000
service-policy output Parent
no shut
interface Vlan1
description Voice-VLAN
ip address 172.30.86.1 255.255.255.0
ip access-group 123 in
crypto ipsec client ezvpn VPN3000 inside
interface Vlan10
description Data-VLAN
ip address 172.31.86.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn VPN3000 inside
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
access-list 100 permit ip 172.30.86.0 0.0.0.255 any
access-list 100 permit ip 172.31.86.0 0.0.0.255 any
access-list 123 permit ip any any dscp ef
access-list 123 permit ip any any
access-list 124 permit ip any any dscp ef
access-list 124 permit esp any any
access-list 124 permit ip any any
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
line con 0
password 7 XXXXX
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
password 7 XXXXX
logging synchronous
login local
length 0
scheduler max-task-time 5000
webvpn cef
end
06-02-2013 12:24 AM
The 1921 will have different interface identifiers. So you need to change the config from "interface FastEthernet4" to "interface Gig0/0", for example. The inside interface has to be a trunk, which is implemented as subinterfaces on the 1921 as you use two VLANs for data and voice. Or you add a switch module into the 1921; then you have a similar config as on the 800 router, but again there will be different identifiers.
After setting up the 1921 you use a new trustpoint and certificate for accessing the device with CCP, so you don't need to copy the "crypto pki ..." commands.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
06-02-2013 06:53 AM
I think I understand how to set up the WAN interface under interface gig 0/0. I am just not sure how to set up the LAN interface. If I use interface gig 0/1, how do I go about setting up the subinterfaces? How would interface gig 0/1 look and what would the subinterfaces look like? I feel I am close, just need this last bit of info.
Thanks again for any help
06-02-2013 08:22 AM
Instead of the VLANs you have subinterfaces:
interface Gig0/1
! here you only have speed and duplex
interface Gig0/1.1
encapsulation dot1Q 1
ip address ...
! other commands
interface Gig0/1.10
encapsulation dot1Q 10
ip address ...
! other commands
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
06-02-2013 12:29 PM
Does this look correct?
hostname BTLvpn
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-11.T3.bin
boot-end-marker
no logging buffered
enable secret 5 XXXXXX
no aaa new-model
clock timezone EASTERN -5
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec client ezvpn VPN3000
connect auto
group Community key XXXXX
mode network-extension
peer X.X.X.X default
acl 100
username BTLuser password XXXXX
xauth userid mode local
no ip dhcp use vrf connected
ip dhcp excluded-address 172.30.86.1
ip dhcp excluded-address 172.30.86.2
ip dhcp excluded-address 172.30.86.31 172.30.86.255
ip dhcp excluded-address 172.31.86.1
ip dhcp excluded-address 172.31.86.2
ip dhcp excluded-address 172.31.86.31 172.31.86.255
ip dhcp excluded-address 172.31.86.3
ip dhcp pool DHCP-Voice
import all
network 172.30.86.0 255.255.255.0
default-router 172.30.86.1
dns-server 10.10.10.45
option 150 ip 192.168.64.4 192.168.64.3
ip dhcp pool DHCP-Data
import all
network 172.31.86.0 255.255.255.0
default-router 172.31.86.1
dns-server 10.10.10.45
no ip domain lookup
ip domain name XXXX
username admin privilege 15 password XXXXX
archive
log config
hidekeys
ip tftp source-interface Vlan10
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
policy-map Parent
class class-default
shape average 768000
service-policy AutoQoS-Policy-Trust
interface GigabitEthernet0/1
speed auto
duplex auto
no shut
interface GigabitEthernet0/0
description Connection-to-Internet$ES_WAN$
ip address dhcp client-id GigabitEthernet0/0
ip access-group 124 out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
cdp enable
crypto ipsec client ezvpn VPN3000
service-policy output Parent
no shut
interface GigabitEthernet0/1.1
encapsulation dot1q 1
description Voice-VLAN
ip address 172.30.86.1 255.255.255.0
ip access-group 123 in
crypto ipsec client ezvpn VPN3000 inside
interface GigabitEthernet0/1.10
encapsulation dot1q 10 native
description Data-VLAN
ip address 172.31.86.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn VPN3000 inside
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
access-list 100 permit ip 172.30.86.0 0.0.0.255 any
access-list 100 permit ip 172.31.86.0 0.0.0.255 any
access-list 123 permit ip any any dscp ef
access-list 123 permit ip any any
access-list 124 permit ip any any dscp ef
access-list 124 permit esp any any
access-list 124 permit ip any any
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
line con 0
password 7 XXXXX
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
password 7 XXXXX
logging synchronous
login local
length 0
scheduler max-task-time 5000
webvpn cef
end
06-02-2013 02:04 PM
All in all it looks correct, only some small corrections:
The boot system command is not needed as it loads an image for the old router.
ip tftp source-interface Vlan10
has to be changed to
ip tftp source-interface GigabitEthernet0/1.10
In ACLs 123 and 124 there is no need to allow traffic in the first ACEs if you later have "permit ip any any" unless you want to see the hitcounts.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
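As an added example (not part of this thread and not Cisco tooling), the script below applies the migration rules given in the replies above to a trimmed copy of the posted 881 config: Vlan SVIs become dot1Q subinterfaces under a Gi0/1 trunk, FastEthernet4 becomes Gi0/0, the 881 switch ports and the old boot/PKI lines are dropped, and the tftp source interface is renamed. It then checks the result for the two points the accepted answer raises: a command that still refers to an interface the new config does not define, and permit ACEs shadowed by a later "permit ip any any" (earlier deny ACEs are left alone, since those still change behaviour). The sample config, the Gi0/0 / Gi0/1 mapping and VLAN 10 as the native VLAN are assumptions taken from this thread, not Cisco rules.

```python
import re

# Constructed sample: a trimmed version of the 881 config posted in the thread
# (one-space indentation for sub-commands, as IOS prints it).
SAMPLE_881 = """\
boot system flash:c870-advipservicesk9-mz.124-11.T3.bin
crypto pki trustpoint TP-self-signed-733417695
 enrollment selfsigned
ip tftp source-interface Vlan10
interface FastEthernet0
 switchport access vlan 10
 switchport voice vlan 1
interface FastEthernet4
 description Connection-to-Internet
 ip address dhcp client-id FastEthernet4
 crypto ipsec client ezvpn VPN3000
interface Vlan1
 description Voice-VLAN
 ip address 172.30.86.1 255.255.255.0
 crypto ipsec client ezvpn VPN3000 inside
interface Vlan10
 description Data-VLAN
 ip address 172.31.86.1 255.255.255.0
 crypto ipsec client ezvpn VPN3000 inside
access-list 123 permit ip any any dscp ef
access-list 123 permit ip any any
access-list 124 permit esp any any
access-list 124 permit ip any any
"""

# Assumed 1921 layout, taken from the replies in this thread: WAN on Gi0/0,
# inside trunk on Gi0/1 with one subinterface per VLAN, VLAN 10 as native.
WAN_MAP = {"FastEthernet4": "GigabitEthernet0/0"}
LAN_TRUNK = "GigabitEthernet0/1"
NATIVE_VLAN = 10


def parse_blocks(text):
    """Split an IOS config into (top-level command, [sub-commands]) blocks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())   # indented line belongs to the previous block
        else:
            blocks.append((line.strip(), []))
    return blocks


def translate(blocks):
    """Rewrite 881-specific blocks into the 1921 router-on-a-stick layout."""
    out, trunk_added = [], False
    for header, subs in blocks:
        if header.startswith(("boot system", "crypto pki")):
            continue   # old image and self-signed cert are regenerated on the new box
        if re.fullmatch(r"interface FastEthernet[0-3]", header):
            continue   # 881 switch ports; the 1921 has no built-in switch
        m = re.fullmatch(r"interface Vlan(\d+)", header)
        if m:
            if not trunk_added:   # the physical trunk only carries speed/duplex
                out.append((f"interface {LAN_TRUNK}", ["speed auto", "duplex auto", "no shutdown"]))
                trunk_added = True
            vid = int(m.group(1))
            encap = f"encapsulation dot1Q {vid}" + (" native" if vid == NATIVE_VLAN else "")
            out.append((f"interface {LAN_TRUNK}.{vid}", [encap] + subs))
            continue
        m = re.fullmatch(r"ip tftp source-interface Vlan(\d+)", header)
        if m:
            header = f"ip tftp source-interface {LAN_TRUNK}.{m.group(1)}"
        for old, new in WAN_MAP.items():   # rename the WAN port wherever it is referenced
            pat = rf"\b{re.escape(old)}\b"
            header = re.sub(pat, new, header)
            subs = [re.sub(pat, new, s) for s in subs]
        out.append((header, subs))
    return out


def redundant_aces(blocks):
    """Permit ACEs that precede 'permit ip any any' in the same numbered ACL."""
    by_acl = {}
    for header, _ in blocks:
        m = re.fullmatch(r"access-list (\d+) (.+)", header)
        if m:
            by_acl.setdefault(m.group(1), []).append(m.group(2))
    findings = []
    for acl, aces in by_acl.items():
        if "permit ip any any" in aces:
            cut = aces.index("permit ip any any")
            findings += [(acl, a) for a in aces[:cut] if a.startswith("permit")]
    return findings


def dangling_interface_refs(blocks):
    """Interface names used in commands that no 'interface' block defines."""
    defined = {h.split(" ", 1)[1] for h, _ in blocks if h.startswith("interface ")}
    refs = set()
    for header, subs in blocks:
        for cmd in [header] + subs:
            if not cmd.startswith("interface "):
                refs.update(re.findall(r"\b((?:GigabitEthernet|FastEthernet|Vlan)[\d/.]+)", cmd))
    return sorted(refs - defined)


def render(blocks):
    return "\n".join(h + "".join("\n " + s for s in subs) for h, subs in blocks)


if __name__ == "__main__":
    new = translate(parse_blocks(SAMPLE_881))
    print(render(new))
    for acl, ace in redundant_aces(new):
        print(f"ACL {acl}: '{ace}' only adds a hit counter; 'permit ip any any' already matches it")
    for name in dangling_interface_refs(new):
        print(f"command refers to undefined interface {name}")
```

Running the same `dangling_interface_refs` check over the 12:29 PM config above would flag `Vlan10` in `ip tftp source-interface Vlan10`, which is exactly the line the accepted answer asks to change.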
06-02-2013 04:11 PM
Thanks. Here is my final config that I will try out tomorrow when I get into work. Thanks again for all your help!
hostname BTLvpn
no logging buffered
enable secret 5 XXXXXX
no aaa new-model
clock timezone EASTERN -5
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec client ezvpn VPN3000
connect auto
group Community key XXXXX
mode network-extension
peer X.X.X.X default
acl 100
username BTLuser password XXXXX
xauth userid mode local
no ip dhcp use vrf connected
ip dhcp excluded-address 172.30.86.1
ip dhcp excluded-address 172.30.86.2
ip dhcp excluded-address 172.30.86.31 172.30.86.255
ip dhcp excluded-address 172.31.86.1
ip dhcp excluded-address 172.31.86.2
ip dhcp excluded-address 172.31.86.31 172.31.86.255
ip dhcp excluded-address 172.31.86.3
ip dhcp pool DHCP-Voice
import all
network 172.30.86.0 255.255.255.0
default-router 172.30.86.1
dns-server 10.10.10.45
option 150 ip 192.168.64.4 192.168.64.3
ip dhcp pool DHCP-Data
import all
network 172.31.86.0 255.255.255.0
default-router 172.31.86.1
dns-server 10.10.10.45
no ip domain lookup
ip domain name XXXX
username admin privilege 15 password XXXXX
archive
log config
hidekeys
ip tftp source-interface GigabitEthernet0/1.10
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
policy-map Parent
class class-default
shape average 768000
service-policy AutoQoS-Policy-Trust
interface GigabitEthernet0/1
speed auto
duplex auto
no shut
interface GigabitEthernet0/0
description Connection-to-Internet$ES_WAN$
ip address dhcp client-id GigabitEthernet0/0
ip access-group 124 out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
cdp enable
crypto ipsec client ezvpn VPN3000
service-policy output Parent
no shut
interface GigabitEthernet0/1.1
encapsulation dot1q 1
description Voice-VLAN
ip address 172.30.86.1 255.255.255.0
ip access-group 123 in
crypto ipsec client ezvpn VPN3000 inside
interface GigabitEthernet0/1.10
encapsulation dot1q 10 native
description Data-VLAN
ip address 172.31.86.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn VPN3000 inside
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
access-list 100 permit ip 172.30.86.0 0.0.0.255 any
access-list 100 permit ip 172.31.86.0 0.0.0.255 any
access-list 123 permit ip any any dscp ef
access-list 123 permit ip any any
access-list 124 permit ip any any dscp ef
access-list 124 permit esp any any
access-list 124 permit ip any any
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
line con 0
password 7 XXXXX
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
password 7 XXXXX
logging synchronous
login local
length 0
scheduler max-task-time 5000
webvpn cef
end
06-03-2013 09:03 AM
Thanks for your help. The 1921 is up and working. It drops my bandwidth from 10mb download to about 3mb download. Is that normal when tunnelling all traffic?
06-03-2013 03:02 PM
No, that's not normal. The 1921 is capable of handling a much higher speed. What's your actual config from the 1921?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
06-03-2013 04:35 PM
Here is my actual config:
hostname PCKvpn
no logging buffered
enable secret 5 XXXX
no aaa new-model
clock timezone EASTERN -5
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec client ezvpn VPN3000
connect auto
group Community key XXXX
mode network-extension
peer X.X.X.X default
acl 100
username PCKuser password XXXX
xauth userid mode local
no ip dhcp use vrf connected
ip dhcp excluded-address 172.30.200.1
ip dhcp excluded-address 172.30.200.2
ip dhcp excluded-address 172.30.200.31 172.30.200.255
ip dhcp excluded-address 172.31.200.1
ip dhcp excluded-address 172.31.200.2
ip dhcp excluded-address 172.31.200.31 172.31.200.255
ip dhcp excluded-address 172.31.200.3
ip dhcp pool DHCP-Voice
import all
network 172.30.200.0 255.255.255.0
default-router 172.30.200.1
dns-server 10.10.10.45
option 150 ip 192.168.64.4 192.168.64.3
ip dhcp pool DHCP-Data
import all
network 172.31.200.0 255.255.255.0
default-router 172.31.200.1
dns-server 10.10.10.45
no ip domain lookup
ip domain name XXX
username admin privilege 15 password XXXX
archive
log config
hidekeys
ip tftp source-interface GigabitEthernet 0/1.10
class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31
policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
policy-map Parent
class class-default
shape average 768000
service-policy AutoQoS-Policy-Trust
interface GigabitEthernet0/1
speed auto
duplex auto
no shut
interface GigabitEthernet0/0
description Connection-to-Internet$ES_WAN$
ip address dhcp client-id GigabitEthernet0/0
ip access-group 124 out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
cdp enable
crypto ipsec client ezvpn VPN3000
service-policy output Parent
no shut
interface GigabitEthernet0/1.1
encapsulation dot1q 1
description Voice-VLAN
ip address 172.30.200.1 255.255.255.0
ip access-group 123 in
crypto ipsec client ezvpn VPN3000 inside
interface GigabitEthernet0/1.10
encapsulation dot1q 10 native
description Data-VLAN
ip address 172.31.200.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn VPN3000 inside
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
access-list 100 permit ip 172.30.200.0 0.0.0.255 any
access-list 100 permit ip 172.31.200.0 0.0.0.255 any
access-list 123 permit ip any any dscp ef
access-list 123 permit ip any any
access-list 124 permit ip any any dscp ef
access-list 124 permit esp any any
access-list 124 permit ip any any
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
line con 0
password 7 XXXXX
logging synchronous
login local
line aux 0
line vty 0 4
password 7 XXXXX
logging synchronous
login local
length 0
scheduler max-task-time 5000
webvpn cef
end