PP tunnel plus Windows VPN clients plus iPhone VPN clients (aka no virtual-template with Apple devices)

Hi all,

My goal is to make these three things live together:

1: Tunnel between Cisco 877 named “A” (company router with a static WAN address) and Cisco 877 named “B” (home router with a dynamic WAN address)

2: Configure the “A” router as a VPN server for a Windows notebook with the Cisco VPN Client installed

3: Configure the “A” router as a VPN server for an iPhone 4S with the native Cisco VPN client

The starting (and currently working) environment is point 1.

It is built with a GRE over IPsec tunnel using NHRP (dynamic multipoint), over which the traffic between the LANs is routed (this is because router “B”'s WAN address changes continuously):

ROUTER “A”

! IKE phase 1: 3DES, SHA-1 (the default hash), DH group 2, pre-shared key
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Wildcard pre-shared key: accepted from any peer address, needed because
! router "B" has a dynamic WAN address (any host that knows MyKey can start IKE)
crypto isakmp key MyKey address 0.0.0.0 0.0.0.0
!
! IPsec phase 2 in transport mode, since GRE already encapsulates the payload
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile Myprofile
 set transform-set MySet
!
! DMVPN hub: mGRE tunnel, NHRP server, IPsec applied with tunnel protection
interface Tunnel0
 ip address 192.168.200.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp server-only
 ip tcp adjust-mss 1360
 cdp enable
 tunnel source MY_WAN_STATIC_IP_ADDRESS
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile Myprofile

ROUTER “B”

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! The spoke's key is scoped to the hub's static address
crypto isakmp key MyKey address “router_A_wan_address”
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
 mode transport
crypto ipsec profile Myprofile
 set transform-set MySet
!
! DMVPN spoke: point-to-point GRE to the hub, registers with the NHS 192.168.200.1
interface Tunnel0
 ip address 192.168.200.2 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication test
 ip nhrp map multicast “router_A_wan_address”
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 192.168.200.1
 ip nhrp registration no-unique
 no ip mroute-cache
 delay 1000
 cdp enable
 tunnel source Dialer1
 tunnel destination “router_A_wan_address”
 tunnel key 100000
 tunnel protection ipsec profile Myprofile

The “A” and “B” LANs communicate perfectly.

Now, my first attempt to use crypto maps to configure router “A” as a VPN server made the existing tunnel crash whenever the crypto map was applied to the outside NAT interface.

So I opted for the new-style virtual-template / split-tunneling method on router “A”:

aaa new-model
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
aaa session-id common
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Remote-access group: group key, DNS, address pool, split-tunnel ACL, user limit
crypto isakmp client configuration group CCLIENT-VPN
 key xxxxxxxx
 dns 192.168.0.1
 pool VPN-Pool
 acl 120
 max-users 5
! access-list 120 (the split-tunnel ACL) is not shown in the post
ip local pool VPN-Pool 192.168.0.20 192.168.0.25
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
! One Virtual-Access interface is cloned from this template for each client
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
! Peers identifying as group CCLIENT-VPN get XAUTH, mode-config and the template
crypto isakmp profile vpn-ike-profile-1
 match identity group CCLIENT-VPN
 client authentication list vpn_xauth_ml_1
 isakmp authorization list vpn_group_ml_1
 client configuration address respond
 virtual-template 2

This works great with Windows machines running the Cisco VPN Client, satisfying point 2.

Unfortunately, the virtual template seems useless for the native Cisco IPsec VPN client built into the iPhone 4S (also on the latest firmware).

So, to satisfy point 3, I have to revert to some method that honestly I don't know / am not able to implement.

I've read enough of this forum to see that there are many solved issues with crypto-map based VPNs, as well as with iPhone IPsec VPN connectivity and point-to-point connectivity.

I'm just searching for help in making these three realities live together…

I hope someone can give me the right input…

Thank you very much!
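The configurations posted above can be checked mechanically for the weak IKEv1 settings they contain (3DES, MD5, DH group 2, a wildcard pre-shared key) and for the combination the poster reports breaking the DMVPN tunnel: a crypto map applied on the same interface that a tunnel-protected tunnel uses as its source. The script below is an added example, not Cisco tooling and not the original poster's configuration; the sample config is constructed from the posted snippets, and the WAN interface name Dialer0, its address 203.0.113.10 and the crypto map name REMOTE-ACCESS are assumptions.

```python
"""Audit a Cisco IOS config for the weak IKEv1/IPsec settings in the posted
snippets and for a crypto map on the interface that a tunnel-protected tunnel
uses as its source. Added example, not Cisco tooling or the poster's config."""
import re

# IOS defaults for lines omitted from an ISAKMP policy: encr des, hash sha, group 1
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
# DES/3DES, MD5 and DH groups below 2048 bits are weak by current standards
WEAK_POLICY = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_sections(config):
    """Split an IOS config into (header, [sub-commands]) pairs: indented lines
    belong to the preceding column-0 line; '!' comments and blanks are dropped."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def audit(config):
    """Return a list of findings (strings) for the given running-config."""
    findings, ifaces = [], {}
    for header, body in parse_sections(config):
        w = header.split()
        if header.startswith("crypto isakmp key") and "address" in w:
            i = w.index("address")
            if w[i + 1:i + 3] == ["0.0.0.0", "0.0.0.0"]:
                findings.append("wildcard PSK: any peer address may use this key")
        elif header.startswith("crypto isakmp policy"):
            chosen = dict(POLICY_DEFAULTS)
            for cmd in body:                      # explicit lines override defaults
                kw, *rest = cmd.split()
                if kw in chosen and rest:
                    chosen[kw] = rest[0]
            for kw, val in chosen.items():
                if val in WEAK_POLICY[kw]:
                    findings.append(f"isakmp policy {w[-1]}: weak {kw} {val}")
        elif header.startswith("crypto ipsec transform-set"):
            for t in sorted(set(w[4:]) & WEAK_TRANSFORMS):
                findings.append(f"transform-set {w[3]}: weak transform {t}")
        elif header.startswith("interface "):
            info = {"ip": None, "source": None, "protected": False, "cryptomap": False}
            for cmd in body:
                c = cmd.split()
                if c[:2] == ["ip", "address"] and len(c) > 2:
                    info["ip"] = c[2]
                elif c[:2] == ["tunnel", "source"]:
                    info["source"] = "".join(c[2:]).lower()   # "dialer 1" -> "dialer1"
                elif c[:3] == ["tunnel", "protection", "ipsec"]:
                    info["protected"] = True
                elif c[:2] == ["crypto", "map"]:
                    info["cryptomap"] = True
            ifaces[w[1].lower()] = info
    # Resolve each protected tunnel's source (interface name or address) to the
    # underlying interface and report a crypto map that is applied there too.
    by_ip = {v["ip"]: n for n, v in ifaces.items() if v["ip"]}
    for tun, info in ifaces.items():
        if info["protected"] and info["source"]:
            phys = info["source"] if info["source"] in ifaces else by_ip.get(info["source"])
            if phys and ifaces[phys]["cryptomap"]:
                findings.append(f"{tun}: tunnel protection and crypto map share {phys}")
    return findings


# Constructed sample: the router "A" DMVPN hub lines plus the remote-access
# ISAKMP policies; Dialer0, 203.0.113.10 and the map name REMOTE-ACCESS are assumptions.
SAMPLE = """\
crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp policy 2
 encr 3des
 hash md5
 group 2
crypto isakmp key MyKey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
 mode transport
interface Dialer0
 ip address 203.0.113.10 255.255.255.255
 crypto map REMOTE-ACCESS
interface Tunnel0
 ip address 192.168.200.1 255.255.255.0
 tunnel source 203.0.113.10
 tunnel mode gre multipoint
 tunnel protection ipsec profile Myprofile
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

Run it against a saved `show running-config` instead of SAMPLE to list the same findings for a real router; the wildcard-key finding is expected for a DMVPN hub whose spokes have dynamic addresses, so it is a caveat to note rather than a defect to remove, while the crypto map finding only disappears once the remote-access clients are moved off that interface (for instance onto a virtual template, as the post does for the Windows clients).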