Site 2 Site VPN with VPN Clients

philcisco2
Level 1

Hello All,

I've been working on this for the last couple of days.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

I currently have:

crypto map clientmap 10 ipsec-isakmp
 set peer 10.123.123.102
 set transform-set site2siteset
 match address 110

I don't see anywhere to add the match address into this example?

I can get Site-2-Site working no problem with

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address <SPOKE PUBLIC IP ADDRESS>
crypto ipsec transform-set site2siteset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
 set peer <SPOKE PUBLIC IP ADDRESS>
 set transform-set myset
 match address 110

And I can get Client VPN working with

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ps790vpnclient
 key cisco123
 dns 8.8.8.8
 domain ps790
 pool ippool
 acl 100
crypto ipsec transform-set ps790set esp-3des esp-md5-hmac
crypto dynamic-map ps790map 10
 set transform-set ps790set
 reverse-route
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic ps790map

The example above shows how to combine the two. I see where all the information for the Client VPN goes, but I don't know where this:

crypto map clientmap 10 ipsec-isakmp
 set peer 10.123.123.102
 set transform-set site2siteset
 match address 110

is entered?

Any ideas or other example pages?

Thanks!

10 Replies

Julio Carvajal
VIP Alumni

Hello,

It needs to be set up on the router that will be both an L2L endpoint and an RA IPsec endpoint.

As you know, you can only have one crypto map per interface, so what you will need to do is use the same crypto map for both the static one-to-one L2L and the dynamic connections (remote access).

Regards,

Any other question...Sure... Just remember to rate all of my answers

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry, I guess I left out some details.

I understand I need to use one map.

In the Cisco example the RA IPsec part makes sense: it has the "acl 100" to match the VPN traffic. In the L2L example there is no match command. I am using NAT on the router and I only want certain traffic to a certain subnet to travel over the L2L link.

i.e.

crypto map clientmap 10 ipsec-isakmp
 set peer 10.123.123.102
 set transform-set site2siteset
 match address 110

In ACL 110 I would have the traffic I want to pass through. I'm just wondering where the match address 110 command fits in the Cisco example?

Hi,

The reason is that the example is for dynamic LAN-to-LAN and RA clients, so there is no need to add a match address statement.

If on the other hand, you are configuring a static LAN-to-LAN then the match address command needs to be defined under the crypto map settings.

Keep me posted.

Portu.

Hi Javier,

Do you have an example of where that would fit into the example config? Or does Cisco have an example of a static LAN-to-LAN with dynamic RAs?

I have tried googling this for quite some time. The example above is the best I could find.

Hi

Check this out:

Configuring LAN-to-LAN VPNs

Keep me posted.

Portu.

Please rate any posts you find helpful.

Hi Javier,

Let me put my config together and post it, then I can show you where I am getting stuck.

Thanks again for all the help

crypto keyring spokes
  pre-shared-key address 10.123.123.10 key cisco123
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group testgroup
 key cisco321
 dns 8.8.8.8
 domain mydomain
 pool ippool
 acl 100
!
crypto isakmp profile L2L
   description LAN-to-LAN for spoke router(s) connection
   keyring spokes
   match identity address 0.0.0.0
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group testgroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile L2L
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap

The question is where do I add in:

set peer 10.123.123.10
match address 110

?

Thanks,

Hi,

Did you have any chance to check the link that I provided in my previous post?

The configuration above is for dynamic-to-static LAN-to-LAN tunnels and RA IPsec clients.

The "match address" and "set peer" commands are not required.

Please check the link that I shared and let me know.

Thanks.

Portu.

Hi Javier,

What I want to accomplish is a combination of this:

Static Site-2-Site

http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/

And

Client VPN access via the Cisco VPN client

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml

Does that help at all?

I may have found the solution:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

The only thing missing is the acl 100 in the client VPN:

crypto isakmp client configuration group vpngroup
 key cisco123
 dns 10.2.1.10
 wins 10.2.1.20
 domain cisco.com
 pool ippool

** missing acl 100 **

Using the example in the link, is it safe to add the acl 100 in there and then create the ACL for the encrypted traffic to flow? The example above isn't using NAT on the HUB router.. I assume it's safe to add that in?

Thanks again for all your help.
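As an added illustration (not posted by anyone in this thread and not taken from the linked Cisco pages), the following shows how a static L2L entry and a dynamic RA entry share one crypto map on IOS: the static entry gets the low sequence number with `set peer` and `match address`, the dynamic entry goes last, and the L2L ISAKMP profile matches only the configured spoke instead of 0.0.0.0. Keyring, profile, group, pool and transform-set names reuse the config posted above; the LAN subnets, the client pool range, NAT ACL 101 and the interface name are assumptions.

```cisco
! Phase 1 pre-shared key for the one static spoke; match only that peer
crypto keyring spokes
 pre-shared-key address 10.123.123.10 key cisco123
crypto isakmp profile L2L
 keyring spokes
 match identity address 10.123.123.10 255.255.255.255
!
! RA clients are matched by group name, not by address
crypto isakmp client configuration group testgroup
 key cisco321
 pool ippool
 acl 100
crypto isakmp profile VPNclient
 match identity group testgroup
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
ip local pool ippool 10.10.10.1 10.10.10.50
!
! Dynamic template: no set peer / match address, both learned per client
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
!
! Static L2L entry: low sequence number, carries set peer and the crypto ACL
crypto map mymap 10 ipsec-isakmp
 set peer 10.123.123.10
 set transform-set myset
 set isakmp-profile L2L
 match address 110
! Dynamic entry at the highest sequence; IOS checks entries in ascending order
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
!
! 110: hub LAN <-> spoke LAN traffic to be encrypted (subnets assumed)
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! 100: split-tunnel list pushed to RA clients
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
! 101: NAT list; deny tunnel flows so they reach the crypto map untranslated
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 crypto map mymap
```

The NAT deny lines matter when NAT is enabled on the hub: if the L2L or client-pool traffic is translated first, it no longer matches ACL 110 or the client's learned proxy identities and is sent in the clear instead of through the tunnel.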