
VPN Configuration

ayokunles
Level 1

Hello all,

I need help to configure a VPN connection between remote users and the head office.

At the head office we have a Cisco 2901 ISR and we propose the use of client software to be installed on the users' computer systems at the remote end via the internet.

From the documentation, it seems the 2901 cannot terminate VPN connections; I need help on this.

Thanks

8 Replies

The 2901 is capable of terminating VPNs as you want, but you need the security license.

Your "show version" output should look like this:

rtr#sh ver | b Technology Package
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hello Karsten,

Thanks for your reply. I did this and I got this type of response

However, this link says that the 2900 cannot be a VPN server. I would appreciate your thoughts on this.

Also, there is no SDM on my router, so how do I configure the VPN server?

You didn't post the link, but whatever it says, the 2901 can be a VPN-server with that license.

You could use the Windows software CCP (Cisco Configuration Professional, the successor of the SDM) for the configuration. Or you just paste your config here and we help you set up the VPN in the CLI.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Apologies, Karsten, for not posting the links. The links only showed SDM configuration guides for both 1800 and 3800 ISRs, and I could not find one for the 2900 series, which led to my assumption.

Nevertheless, I have a challenge with this configuration, as the router that I want to use for the VPN server is also the Internet edge router, which also performs NAT functions.

Can I use that? Please see the NAT config below:

ip nat inside source list internet_traffic interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

This router is connected to the collapsed core/distribution; this is so due to cost considerations.



No problem with the (missing) link ... ;-)

Using one router for VPN and Internet is a very common setup. You need to make sure that the VPN-traffic is excluded from your NAT-definition. In your case the ACL "internet_traffic" needs deny-statements for the traffic from your internal network to the VPN-pool that your users will use.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

I intend to use this subnet for the VPN pool: 10.0.104.0/24

Can the ACL internet_traffic look like this?

ip access-list extended internet_traffic
  permit ip 10.0.110.0 0.0.0.3 any
  permit ip 10.0.100.0 0.0.0.255 any
  permit ip 10.0.101.0 0.0.0.255 any
  permit ip 10.0.102.0 0.0.0.255 any
  permit ip 10.0.103.0 0.0.0.255 any
  deny ip any 10.0.104.0 0.0.0.255

The VPN pool:

ip local pool VPN_POOL 10.0.104.1 10.0.104.254

The deny-statement has to be moved to the top:

ip access-list extended internet_traffic
  deny ip any 10.0.104.0 0.0.0.255
  permit ip 10.0.110.0 0.0.0.3 any
  ...

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
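
Added example (not part of the thread and not Cisco code): a small first-match evaluator for the `internet_traffic` ACL, showing why the position of the deny entry decides whether LAN traffic towards the VPN pool is translated. The function names and the sample hosts 10.0.100.25, 10.0.104.10 and 198.51.100.7 are constructed for illustration.

```python
import ipaddress

# The ACL as first posted in the thread (deny entry last).
AS_POSTED = """
ip access-list extended internet_traffic
 permit ip 10.0.110.0 0.0.0.3 any
 permit ip 10.0.100.0 0.0.0.255 any
 permit ip 10.0.101.0 0.0.0.255 any
 permit ip 10.0.102.0 0.0.0.255 any
 permit ip 10.0.103.0 0.0.0.255 any
 deny ip any 10.0.104.0 0.0.0.255
"""
# Same entries with the deny moved to the top, as the reply advises.
_lines = AS_POSTED.strip().splitlines()
CORRECTED = "\n".join([_lines[0], _lines[-1]] + _lines[1:-1])

def _spec(tokens):
    """Consume one 'any' or '<address> <wildcard>' spec; return (base, wildcard), rest."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0] in ("permit", "deny"):   # skips the 'ip access-list' header
            src, rest = _spec(tok[2:])              # tok[1] is the protocol, 'ip'
            dst, _ = _spec(rest)
            entries.append((tok[0], src, dst))
    return entries

def _match(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF                       # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def is_natted(acl_text, src, dst):
    """Top-down, first match wins; no match hits the implicit deny (no NAT)."""
    for action, s, d in parse_acl(acl_text):
        if _match(src, s) and _match(dst, d):
            return action == "permit"
    return False

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, "-> LAN to VPN client translated:",
              is_natted(acl, "10.0.100.25", "10.0.104.10"))
```

With the ACL as posted, the `permit ip 10.0.100.0 0.0.0.255 any` entry matches before the deny is ever reached, so replies to VPN clients would be translated; with the deny first they are exempted while Internet-bound traffic is still translated.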

Thanks, Karsten,

I will try and give feedback as soon as I can.