Cisco 837 ADSL VPN Help 1

[NettableWalker]

Hi,

I've been trying to create a VPN from home to my office but can't get any IPSEC action to happen at all. The office has a Cisco 1721 with several other site to site shared key VPN's currently working ok, but i just can't get the 837 to work. Can you check out this config and see if there is just anything missing or are there any specific things to watch out for when dealing with ADSL and VPN?

cheers,
Hellbabe


!
hostname Ray837
!

logging buffered 51200 debugging
no logging console

enable secret xxxxxxxxxxxxxxxxxxx

ip cef
no ip domain lookup
ip domain name local
ip name-server xxxxxxxxxxx
ip name-server xxxxxxxxxxx
no ip bootp server

ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 icmp

username xxxxxx privilege 15 password xxxxxxxxxxxxxxxxxx
!
crypto isakmp policy 2
authentication pre-share
group 1
hash md5
lifetime 7200
crypto isakmp key testkey address xxxxxxxxxxx
!
crypto ipsec security-association lifetime kilobytes 5242880
crypto ipsec security-association lifetime seconds 1800
!
crypto ipsec transform-set ray esp-des ah-md5-hmac
!
crypto map testvpn 15 ipsec-isakmp
set transform-set ray
set peer xxxxxxxxxxxxxxx
set pfs group1
match address 125
!
interface Null0
no ip unreachables
!
interface Ethernet0
description Connected to Local Network
ip address 10.5.0.203 255.255.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
crypto map testvpn
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Dialer1
ip address negotiated
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 in
crypto map testvpn
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxx
ppp chap password xxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxx password xxxxxxxxxxxxxxx2
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface Dialer1 overload
!
access-list 10 remark Telnet Access
access-list 10 permit 10.0.0.0 0.255.255.255

access-list 100 remark ----- Inbound ACL -----
access-list 100 deny ip any any log

access-list 102 permit ip 10.0.0.0 0.255.255.255 any

access-list 125 remark VPN Access
access-list 125 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.0.255.255

dialer-list 1 protocol ip permit
!
!
control-plane
!
banner login ^Authorised users only, all access is logged.^C
!
line con 0
exec-timeout 300 0
login local
no modem enable
transport output telnet
stopbits 1
line aux 0
login local
transport output telnet
stopbits 1
line vty 0 4
session-timeout 15 output
access-class 10 in
exec-timeout 300 0
password 7 xxxxxxxxxxx
login local
transport input telnet ssh
!
no scheduler max-task-time
scheduler interval 500
end

Ray837#

 

[JOAMON]

Do you have a static IP on your home ADSL internet connection? The following link might be helpful.

http://www.cisco.com/en/US/netsol/n...g_solutions_white_paper09186a00801890f6.shtml

 

[NettableWalker]

Hi Joamon,

Thanks for that link. I'm trying to do it as a straightforward site to site VPN. I've got 3 already working across serial connections at work but this ADSL one to the 837 is going nowhere.

I do have a static IP address...

 

[JOAMON]

Okay...static IP should be easy. Why are you using IP address negotiated in your dialer...should you not specify the static address? Also look at your dialer access-list 100 in. It will not let the VPN in. Need to modify list to allow VPN traffic from office router. I think you have a problem in your access-list 102 as well. Need to deny NAT to office router.

access-list 102 deny ip 10.5.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 102 permit ip 10.0.0.0 0.255.255.255 any

Remember that access-lists are order specific and the deny needs to come before the permit so you will have to remove the list with the no access-list command before entering the new lines.

 

[mkarneman]

Hi
On all the 387's I set up with pppoe an an Dialer int
I put the crypto map on the dialer1 interface.

hope it works

 

[NettableWalker]

Hi again,

Sorry, i had given you a previous version, the current access-list 100 did allow for access from the remote subnet. I've added that new line to ACL 102 and still no luck.

suspiciously I get no output whatsoever from debug crypto ipsec, or isakmp commands. It's almost as if i need to switch ipsec on or something like that.

 

[JOAMON]

Couple of items:
mkarneman has a good point about the crypto-map needing to be on the dialer interface and not the atm. You say that access-list 100 allows the remote subnet. Access-list 100 should only have the remote and local WAN addresses as that is what the VPN traffic will arrive on. Access-list 100 and 125 are were the remote lan information needs to be.

Example:
1.1.1.1 = remote WAN Address 2.2.2.2 = 837 WAN Address
Same address used for the set peer statements.

access-list 100 remark ----- Inbound ACL -----
access-list 100 permit ahp host 1.1.1.1 host 2.2.2.2
access-list 100 permit esp host 1.1.1.1 host 2.2.2.2
access-list 100 permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-list 100 permit udp host 1.1.1.1 host 2.2.2.2 eq non500-isakmp
access-list 100 deny ip any any log

 

[NettableWalker]

Thanks for all the help, but despite arseing about with this until about midnight last night i still could not get it to work.

I'm going to have to do some reading about this from the ground up to see exactly what is happening with this.
I am still confused why i get no debug info ?

Cheers for now, and thanks again.

Ray

 

[JOAMON]

Might need the following to initiate crypto...make sure crypto map is applied to dialer interface

crypto map testvpn local-address Dialer1

Take a look at the following link...towards the end is a good example of a VPN config

http://vpn.shmoo.com/vpn/vpn-ipsec.html

 

[NettableWalker]

It works!!!
Your last config did the trick Joamon, i had got the SHA/MD5 isakmp bits mixed up and as soon as that was sorted the whole thing worked.

Thanks again for all the help.

Very useful VPN link as well.

Cheers