09-18-2012 01:18 PM
Hello All,
I've been working on this for the last couple of days:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
I currently have:
crypto map clientmap 10 ipsec-isakmp
set peer 10.123.123.102
set transform-set site2siteset
match address 110
I don't see anywhere to add the match address in this example.
I can get Site-2-Site working no problem with:
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address <SPOKE PUBLIC IP ADDRESS>
crypto ipsec transform-set site2siteset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
set peer <SPOKE PUBLIC IP ADDRESS>
set transform-set myset
match address 110
And I can get Client VPN working with:
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ps790vpnclient
key cisco123
dns 8.8.8.8
domain ps790
pool ippool
acl 100
crypto ipsec transform-set ps790set esp-3des esp-md5-hmac
crypto dynamic-map ps790map 10
set transform-set ps790set
reverse-route
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic ps790map
The example above shows how to combine the two. I see where all the information for the Client VPN goes, but I don't know where this:
crypto map clientmap 10 ipsec-isakmp
set peer 10.123.123.102
set transform-set site2siteset
match address 110
is entered.
Any ideas or other example pages?
Thanks!
09-18-2012 02:25 PM
Hello,
It needs to be set up on the router that will be both an L2L endpoint and an RA IPsec endpoint.
As you know, you can only have one crypto map per interface, so what you will need to do is use the same crypto map for both the static one-to-one L2L and the dynamic connections (remote access).
Regards,
Any other question... Sure... Just remember to rate all of my answers.
Julio
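The layout Julio describes, as an added example that is not from the original thread or Cisco's document: one crypto map name carries both the static L2L entry (which is where "set peer" and "match address" belong) and the dynamic RA entry, under different sequence numbers. Names come from the thread; subnets, the client pool range, the interface and the NAT ACL are constructed placeholders.

```text
! Added example: one crypto map with a static L2L entry and a dynamic RA entry.
! Names are from the thread; addresses, interface and NAT ACL are constructed.
!
! ACL 110: traffic to encrypt towards the static spoke (constructed subnets)
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! ACL 100: split-tunnel list referenced by "acl 100" in the client group
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! With NAT on the hub, exempt VPN-bound traffic from translation so the
! original addresses still match ACL 110 and reach the client pool.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
! Map-wide RA settings, unchanged from the thread's client-VPN config
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
!
! Static L2L entry: lower sequence number, so it is evaluated first
crypto map clientmap 10 ipsec-isakmp
 set peer 10.123.123.102
 set transform-set site2siteset
 match address 110
!
! Dynamic RA entry: highest sequence number, so it is tried last, only for
! peers that matched no static entry
crypto map clientmap 20 ipsec-isakmp dynamic ps790map
!
! Only one crypto map per interface: apply the combined map once
interface FastEthernet0/0
 crypto map clientmap
```

The two entries must not share a sequence number (the thread's fragments both use 10); the dynamic entry should take the highest number so a known static peer is never handled by the dynamic map.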
09-19-2012 04:43 AM
Sorry, I guess I left out some details.
I understand I need to use one map.
In the Cisco example the RA IPsec makes sense: it has the "acl 100" to match the VPN traffic. In the L2L example there is no match command. I am using NAT on the router and I only want certain traffic to a certain subnet to travel over the L2L link.
I.e.:
crypto map clientmap 10 ipsec-isakmp
set peer 10.123.123.102
set transform-set site2siteset
match address 110
In the 110 ACL I would have the traffic I want to pass through. Just wondering where, in the Cisco example, the match address 110 command fits in?
09-19-2012 06:13 AM
Hi,
The reason for that is that the example is for dynamic LAN-to-LAN and RA clients, so there is no need to add a match address statement.
If on the other hand, you are configuring a static LAN-to-LAN then the match address command needs to be defined under the crypto map settings.
Keep me posted.
Portu.
09-19-2012 07:02 AM
Hi Javier,
Do you have an example of where that would fit into the example config? Or does Cisco have an example of a static LAN-to-LAN with dynamic RAs?
I have tried googling this for quite some time. The example above is the best I could find.
09-19-2012 07:48 AM
Hi,
Check this out:
Keep me posted.
Portu.
Please rate any posts you find helpful.
09-19-2012 09:23 AM
Hi Javier,
Let me put my config together and post it; then I can show you where I am getting stuck.
Thanks again for all the help.
09-19-2012 09:36 AM
crypto keyring spokes
pre-shared-key address 10.123.123.10 key cisco123
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group testgroup
key cisco321
dns 8.8.8.8
domain mydomain
pool ippool
acl 100
!
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring spokes
match identity address 0.0.0.0
crypto isakmp profile VPNclient
description VPN clients profile
match identity group testgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile L2L
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
Question is, where do I add in:
set peer 10.123.123.10
match address 110
?
Thanks,
09-19-2012 09:49 AM
Hi,
Did you have any chance to check the link that I provided in my previous post?
The configuration above is for dynamic-to-static LAN-to-LAN tunnels and RA IPsec clients.
The "match address" and "set peer" commands are not required.
Please check the link that I shared and let me know.
Thanks.
Portu.
09-19-2012 10:14 AM
Hi Javier,
What I want to accomplish is a combination of this:
Static Site-2-Site
http://www.routergeek.net/general/how-to-configure-site-to-site-vpn-in-cisco-routers/
And
Client VPN access via the Cisco VPN client
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml
Does that help at all?
09-19-2012 10:21 AM
I may have found the solution:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml
The only thing missing is the acl 100 in the client VPN group:
crypto isakmp client configuration group vpngroup
 key cisco123
 dns 10.2.1.10
 wins 10.2.1.20
 domain cisco.com
 pool ippool
** missing acl 100 **
Using the example in the link, is it safe to add the acl 100 in there and then create the ACL for the encrypted traffic to flow? The example above isn't using NAT on the hub router. I assume it's safe to add that in?
Thanks again for all your help.