
Setup VPN Client on Router

Status
Not open for further replies.

lagcat

Technical User
May 18, 2007
52
GB
Hello all,

I have never tried setting this up, so I am looking for some help.

How do I set up a dial-in for a Cisco router using the Cisco VPN Client?

I have a router now with a setup on it that is working, but it is not making too much sense.

Is there a template somewhere that I can look at, or a guide I can follow, to see about doing it myself? I have the information but can't understand what exactly is pointing where so that it makes sense.

It would be dialing in through an ADSL connection...

This is the area I am staring at on my router:

interface Group-Async1
description Dial In PPP Group
ip unnumbered FastEthernet0/0.3
encapsulation ppp
peer default ip address pool RAS
compress mppc <<what is this
ppp authentication ms-chap ms-chap-v2 chap
group-range 0/2/0 0/3/1 <<whats is this

interface FastEthernet0/0.3
description RAS Network
encapsulation dot1Q 3
ip address **.**.0.50 255.255.255.0
no snmp trap link-status

radius-server host **.**.1.50 auth-port 1645 acct-port 1646 key 7 01*000F1F755*04

I am wondering how I set up the designated IP pool from which it will gain its virtual IP address?

Also, this one is using a RAS connection to authenticate via Active Directory.

How would I do this without this authentication? Could I just use usernames and passwords on the router?

Also, it has the authentication... what about allowing entry into the router with an ACL? I cannot see any group which matches this.

Any help would be great, cheers.

CCENT, CCNA
MCP, MCSA
Comptia: Network Essentials, Security +, A+
 
Hello,
I may be wrong, but your setup doesn't look like it can support the Cisco VPN Client. If you have an FTP server I can upload you some docs.
Regards
 
Building configuration...

Current configuration : 8710 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****_2801_1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$.TiW$******fJU8T2catrhyh1c1
!
aaa new-model
!
!
aaa group server radius vpn
server 172.16.1.50 auth-port 1645 acct-port 1646
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login RADIUS group radius local
aaa authentication login sdm_vpn_xauth_ml_2 group radius local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 group radius
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 172.19.0.50
!
ip dhcp pool DMZ-LAN
network 172.19.0.0 255.255.0.0
default-router 172.19.0.50
dns-server ***.43.***.1
!
!
no ip ips deny-action ips-interface
ip domain name ukcss
ip name-server 172.16.1.50
!
!
!
crypto pki trustpoint TP-self-signed-67853557
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-67853557
revocation-check none
rsakeypair TP-self-signed-67853557
!
!
crypto pki certificate chain TP-self-signed-67853557
certificate self-signed 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
2F312D30 2B060355 04031324 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36373835 33353537 301E170D 30383034 32323038 31363431
5A170D32 30303130 31303030 3030305A 302F312D 302B0603 55040313 24494F53
2D53656C 662D5369 676E6564 2D436572 74696669 63617465 2D363738 35333535
3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100B67B
626B7CAE 6E55DA7F 650F013C EC27BC50 A5BB78FF ABADE1D8 0685244D FF9E4EED
972A465F 9BED4771 8C681966 D3607A24 B61BE70D EFE39608 32FC66E2 456435C8
93EB8DF3 34EEA96B ******** 49755350 9027231C B4B2D16B 8A2B5FDB 5EBA53B1
9FFFBCF9 209C2938 59D5AFE3 31B2E1C3 65E9D51E 94ED45B6 E0F59798 72210203
010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603 551D1104
17301582 13544841 ******** 32383031 5F312E75 6B637373 301F0603 551D2304
18301680 141C265C CA727632 E87F7015 A78BC8A7 99DFCF9E BD301D06 03551D0E
04160414 1C265CCA 727632E8 7F7015A7 8BC8A799 DFCF9EBD 300D0609 2A864886
F70D0101 04050003 81810031 DD2F5CCA 5FA012D1 491F44B4 FB9215C0 2BF141D8
C3B1DE3F 298FB18F 351FCFC7 35F6FA78 AD6920CF 3A84C101 C23289CB B75E165E
AD032152 7667C9BD 24C1F0CB 21F7E1C7 6CAD2FC2 8FEAED41 2E943A36 135D861C
BC85C0E7 D4566EEC 797B7211 ******** CCDD5F51 FEA99C90 206BA063 C426FC15
2C3CEA34 EFF49CAF 833C0C
quit
username sup*****24 privilege 15 secret 5 $1$u*N8$a1U6sXjklL*******ITyFo.
username ****** password 7 02050D48******245859060B0E
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key ****** address ****.***.***.*** no-xauth
!
crypto isakmp client configuration group VPN
key **a**s <<<<is this for the VPN client?
pool RAS
acl 110
!
!
crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
crypto ipsec transform-set SET2 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set SET1
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list RADIUS
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 100 ipsec-isakmp
set peer ***.35.85.***
set transform-set SET2
match address TEST
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.1
description Private LAN
encapsulation dot1Q 1 native
ip address 172.16.7.5 255.255.0.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
no snmp trap link-status
!
interface FastEthernet0/0.2
description Public Network
encapsulation dot1Q 2
ip address 172.17.0.50 255.255.0.0
ip access-group 103 in
ip verify unicast reverse-path
no snmp trap link-status
!
interface FastEthernet0/0.3
description RAS Network
encapsulation dot1Q 3
ip address 172.18.0.50 255.255.0.0
no snmp trap link-status
!
interface FastEthernet0/0.4
description DMZ Lan
encapsulation dot1Q 4
ip address 172.19.0.50 255.255.0.0
ip access-group 104 in
ip verify unicast reverse-path
no snmp trap link-status
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface ATM0/1/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Dialer0 <<this is the outgoing line
ip address negotiated
ip access-group 106 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ***01@adsl.***.co.uk
ppp chap password 7 1**E4F0***258
crypto map SDM_CMAP_1
!
interface Group-Async1 <<<what is all this part for?
description Dial In PPP Group
ip unnumbered FastEthernet0/0.3
encapsulation ppp
peer default ip address pool RAS
compress mppc
ppp authentication ms-chap ms-chap-v2 chap
group-range 0/2/0 0/3/1
!
ip local pool DIAL-IN 192.168.1.0 192.168.1.254
ip local pool RAS 172.18.0.1 172.18.0.20
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.0.0 255.0.0.0 172.16.20.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map NAT interface Dialer0 overload
!
ip access-list extended NAT
deny ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended TEST
permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 172.16.1.50 eq 1645 host 172.16.7.5
access-list 102 permit udp host 172.16.1.50 eq 1646 host 172.16.7.5
access-list 102 deny ip 172.19.0.0 0.0.255.255 any
access-list 102 deny ip 172.17.0.0 0.0.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 106 remark SDM_ACL Category=1
access-list 106 remark IPSec Rule
access-list 106 permit ip 172.16.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 106 permit ahp any any
access-list 106 permit esp any any
access-list 106 permit udp any any eq isakmp
access-list 106 permit udp any any eq non500-isakmp
access-list 106 permit ip host 172.18.0.20 any
access-list 106 permit ip host 172.18.0.19 any
access-list 106 permit ip host 172.18.0.18 any
access-list 106 permit ip host 172.18.0.17 any
access-list 106 permit ip host 172.18.0.16 any
access-list 106 permit ip host 172.18.0.15 any
access-list 106 permit ip host 172.18.0.14 any
access-list 106 permit ip host 172.18.0.13 any
access-list 106 permit ip host 172.18.0.12 any
access-list 106 permit ip host 172.18.0.11 any
access-list 106 permit ip host 172.18.0.10 any
access-list 106 permit ip host 172.18.0.9 any
access-list 106 permit ip host 172.18.0.8 any
access-list 106 permit ip host 172.18.0.7 any
access-list 106 permit ip host 172.18.0.6 any
access-list 106 permit ip host 172.18.0.5 any
access-list 106 permit ip host 172.18.0.4 any
access-list 106 permit ip host 172.18.0.3 any
access-list 106 permit ip host 172.18.0.2 any
access-list 106 permit ip host 172.18.0.1 any
access-list 106 deny ip 172.19.0.0 0.0.255.255 any
access-list 106 deny ip 172.17.0.0 0.0.255.255 any
access-list 106 deny ip 172.16.0.0 0.0.255.255 any
access-list 106 deny ip host 255.255.255.255 any
access-list 106 deny ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
access-list 107 remark vpn
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 109 remark SDM_ACL Category=4
access-list 109 remark IPSec Rule
access-list 109 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 110 permit ip 172.16.0.0 0.0.255.255 172.18.0.0 0.0.255.255
route-map nonat permit 10
match ip address NAT
!
!
radius-server host 172.16.1.50 auth-port 1645 acct-port 1646 key 7 01100F175804
!
control-plane
!
!
line con 0
line aux 0
line 0/2/0 0/2/1
stopbits 1
speed 115200
flowcontrol hardware
line 0/3/0 0/3/1
stopbits 1
speed 115200
flowcontrol hardware
line vty 0 4
!
end

-------------------------------------------------------

Sorry, I do not have an FTP site that you could upload to. Is there any online documentation somewhere on setting up a basic remote dial-in using the Cisco VPN Client?

That is the full config (obviously stars added).

It just looks like there is a lot of extra rubbish on this config that does nothing, so it is not helping me much when it comes to learning about a fresh install.

I have done site-to-site VPNs, just not a client access one, which is my problem.

Cheers

CCENT, CCNA
MCP, MCSA
Comptia: Network Essentials, Security +, A+
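The pieces of the posted config that matter for the Cisco VPN Client are the `crypto isakmp client configuration group VPN` block (its `key` line is the group pre-shared key that the client's Group Authentication tab asks for), the `pool RAS` it references, the dynamic crypto map `SDM_DYNMAP_1` with `reverse-route`, and the `client authentication list` / `isakmp authorization list` lines on `SDM_CMAP_1`. The `interface Group-Async1` block is unrelated to the VPN: `group-range 0/2/0 0/3/1` bundles the async modem lines listed at the bottom of the config (`line 0/2/0 0/2/1`, `line 0/3/0 0/3/1`) into one PPP dial-in interface, and `compress mppc` is Microsoft Point-to-Point Compression for that PPP link. Note that the posted config hands the same `RAS` pool to both the PPP dial-in users and the VPN clients. The following is a stripped-down Easy VPN server configuration that answers the pool, local-authentication and ACL questions. It is an added example written for this page, not the poster's config and not a Cisco document; the names (RA-MAP, VPNUSERS, the alice account, the 192.168.100.0/24 pool, both keys) are assumed placeholders, while 172.16.0.0/16, 172.16.1.50 and the domain ukcss are taken from the posted config.

```cisco
! Added example (not the poster's config): minimal Easy VPN server for the
! Cisco VPN Client on IOS 12.4, local usernames only. Names, the pool and
! both keys are assumed placeholders.
!
! --- AAA: XAUTH user login and group policy lookup, both on the router ---
! RADIUS variant: replace "local" with "group radius local" on both lines
! (that is what the posted "aaa authentication login RADIUS" line does).
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP local
!
! Per-user XAUTH credentials. "secret" stores an MD5 hash; "password 7"
! (service password-encryption) is reversible and protects nothing.
username alice secret Xauth-Passphrase-Change-Me
!
! --- Phase 1 proposal the VPN Client accepts (AES / SHA / pre-share / DH 2) ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! --- Group policy pushed to the client by mode config ---
! "key" is the group pre-shared key typed into the client's Group
! Authentication tab; "pool" hands out the virtual IP; "acl" is the
! split-tunnel list (what goes through the tunnel).
crypto isakmp client configuration group VPNUSERS
 key Long-Random-Group-PSK-Change-Me
 dns 172.16.1.50
 domain ukcss
 pool RAS
 acl 110
 max-users 20
!
! Virtual addresses for clients. A block that is not on any router
! interface keeps routing simple: reverse-route injects a /32 per client.
ip local pool RAS 192.168.100.1 192.168.100.20
!
! Split tunnel: only traffic to the private LAN is tunnelled.
access-list 110 permit ip 172.16.0.0 0.0.255.255 any
!
! --- Phase 2 and the dynamic map that matches any client ---
crypto ipsec transform-set RA-SET esp-aes 256 esp-sha-hmac
!
crypto dynamic-map RA-DYNMAP 10
 set transform-set RA-SET
 reverse-route
!
! XAUTH and group authorization hang off the crypto map, not the interface.
! Any site-to-site peer sharing this map needs "no-xauth" on its isakmp key,
! exactly as the posted "crypto isakmp key ... address ... no-xauth" line does.
crypto map RA-MAP client authentication list VPN-XAUTH
crypto map RA-MAP isakmp authorization list VPN-GROUP
crypto map RA-MAP client configuration address respond
crypto map RA-MAP 65535 ipsec-isakmp dynamic RA-DYNMAP
!
! --- NAT exemption: LAN-to-client traffic must not be translated ---
ip access-list extended NAT-EXEMPT
 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
 permit ip 172.16.0.0 0.0.255.255 any
!
route-map NONAT permit 10
 match ip address NAT-EXEMPT
!
ip nat inside source route-map NONAT interface Dialer0 overload
!
! --- Inbound filter on the ADSL side: only IKE, NAT-T and ESP need holes ---
! The last line permits decrypted client traffic; it is what SDM's twenty
! "permit ip host 172.18.0.x any" lines in the posted ACL 106 do, one per
! pool address. Append the rest of the existing inbound policy below it.
ip access-list extended OUTSIDE-IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit ahp any any
 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
!
interface Dialer0
 ip access-group OUTSIDE-IN in
 crypto map RA-MAP
```

To check it, connect with the client and look at `show crypto isakmp sa` (phase 1 should show QM_IDLE), `show crypto ipsec sa` (encaps/decaps counters climbing), `show crypto session` and `show ip local pool RAS` (an address leased to the client); `debug crypto isakmp` shows where a failed negotiation stops. Two cautions: the Cisco VPN Client's group pre-shared key is exchanged with IKE aggressive mode, so a captured exchange can be attacked offline and the group key should be long and random, with XAUTH providing the per-user factor; and anything stored as `key 7` or `password 7` (the RADIUS key and one username in the posted config) is recoverable by anyone who reads the config, so those strings are not safe to post even with the addresses starred out.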
 
Hello,
Sorry, but I can't point you to a good link. If you find a way for me to give you those files, let me know.
Regards
 
I wrote sort of a tutorial here in Tek-Tips... I'll look tonight...

Burt
 
Your IOS version needs to support it, but here is the link I think Burt was looking for -

Here is another one to take a look at - his fix was to make sure the whole subnet pool was available -

Have fun.

Burt - wasn't there a thread where you were adding an RA VPN to an L2L? Did you get it working?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
No---never did...
It goofed up the SSH logins---had to rebuild keys 3 different times. That problem stopped when I removed the site-to-site config. I stopped trying after that---had another confusing issue with an ACL, then I forgot. Thanks for looking up the link!

Burt
 
Thank you,

I will take a read through these...

Which Cisco course will go through these VPNs?

Site-to-site VPNs were covered for me in the CCNA, but I was told for remote access just to use the HTTP GUI to create an EZVPN for clients?

Would the CCNP or the next stage cover VPNs a lot better?

Cheers

CCENT, CCNA
MCP, MCSA
Comptia: Network Essentials, Security +, A+
 