So I assume that you're simply trying to set up a site-to-site VPN tunnel, not a VPN dial scenario? If it's a tunnel situation, the config can be done via the CLI.
E.g.
Let's say that Site A is 192.168.0.0/24
and that site B is 192.168.1.0/24
So:
Site A
------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!The address below is the external IP of site B
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set VPN-SiteA esp-3des esp-md5-hmac
!
!The map name must match the one applied to Dialer1 below
crypto map VPN-SiteA 10 ipsec-isakmp
!The peer is the external IP of site B
set peer xxx.xxx.xxx.xxx
set transform-set VPN-SiteA
match address 150
!
!Mark which traffic is to be encrypted:
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!Apply the crypto map to the Dialer1 Interface and adjust the MSS
interface Dialer1
crypto map VPN-SiteA
ip tcp adjust-mss 1400
!Add a route to the remote subnet site B
ip route 192.168.1.0 255.255.255.0 Dialer1
You'll probably have a NAT statement like:
ip nat inside source list 102 interface Dialer1 overload
Modify access-list 102 to prevent NATing of the local-to-remote subnet traffic:
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
Site B
------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!The address below is the external IP of site A
crypto isakmp key xxxxxxxxxxx address xxx.xxx.xxx.xxx
!
!
crypto ipsec transform-set VPN-SiteB esp-3des esp-md5-hmac
!
!The map name must match the one applied to Dialer1 below
crypto map VPN-SiteB 10 ipsec-isakmp
!The peer is the external IP of site A
set peer xxx.xxx.xxx.xxx
set transform-set VPN-SiteB
match address 150
!
!Mark which traffic is to be encrypted (mirror image of the site A list):
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!Apply the crypto map to the Dialer1 Interface and adjust the MSS
interface Dialer1
crypto map VPN-SiteB
ip tcp adjust-mss 1400
!Add a route to the remote subnet site A
ip route 192.168.0.0 255.255.255.0 Dialer1
You'll probably have a NAT statement like:
ip nat inside source list 102 interface Dialer1 overload
Modify access-list 102 to prevent NATing of the local-to-remote subnet traffic:
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
Make sure that you have the relevant traffic allowed on the external interfaces:
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
(this is applied to dialer1)
int dialer1
ip access-group 111 in
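
A consistency check for a pair of configs like the two above, as an added example that is not part of the original post: it verifies that the crypto map applied to the interface is one that is defined, that each side's NAT ACL exempts the traffic its crypto ACL protects, and that the two crypto ACLs mirror each other. The `parse` and `check_pair` helpers, the template and the 203.0.113.1 peer address are constructed for illustration.

```python
import re

# Constructed sample config; 203.0.113.1 is a documentation-range placeholder peer.
TEMPLATE = """\
crypto map {defined} 10 ipsec-isakmp
 set peer 203.0.113.1
 match address 150
access-list 150 permit ip {src} 0.0.0.255 {dst} 0.0.0.255
ip nat inside source list 102 interface Dialer1 overload
access-list 102 deny ip {local} 0.0.0.255 {remote} 0.0.0.255
access-list 102 permit ip {local} 0.0.0.255 any
interface Dialer1
 crypto map {applied}
"""
A, B = "192.168.0.0", "192.168.1.0"
SITE_A = TEMPLATE.format(defined="VPN-SiteA", applied="VPN-SiteA", src=A, dst=B, local=A, remote=B)
SITE_B = TEMPLATE.format(defined="VPN-SiteB", applied="VPN-SiteB", src=B, dst=A, local=B, remote=A)
# Broken variant: map name typo and a crypto ACL copied unchanged from site A.
SITE_B_BAD = TEMPLATE.format(defined="VPN-Site-B", applied="VPN-SiteB", src=A, dst=B, local=B, remote=A)

ACE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)[ \t]*$", re.M)

def parse(cfg):
    """Extract the parts of one router's config that have to agree."""
    aces = [(n, act, (s, sw, d, dw)) for n, act, s, sw, d, dw in ACE.findall(cfg)]
    crypto_acl = re.search(r"^[ \t]*match address (\d+)", cfg, re.M).group(1)
    nat = re.search(r"^ip nat inside source list (\d+)", cfg, re.M)
    nat_acl = nat.group(1) if nat else None
    return {
        "defined": set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", cfg, re.M)),
        "applied": set(re.findall(r"^[ \t]*crypto map (\S+)[ \t]*$", cfg, re.M)),
        "protect": {f for n, act, f in aces if n == crypto_acl and act == "permit"},
        "no_nat": {f for n, act, f in aces if n == nat_acl and act == "deny"},
    }

def check_pair(cfg_a, cfg_b):
    """Return a list of mismatches that would stop the tunnel passing traffic."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    for name, site in (("A", a), ("B", b)):
        for m in sorted(site["applied"] - site["defined"]):
            problems.append(f"site {name}: interface applies undefined crypto map {m}")
        if site["protect"] - site["no_nat"]:
            problems.append(f"site {name}: protected traffic is not exempt from NAT")
    # Swap source and destination of B's entries; the result must equal A's entries.
    if a["protect"] != {(d, dw, s, sw) for s, sw, d, dw in b["protect"]}:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

`check_pair(SITE_A, SITE_B)` returns an empty list; with `SITE_B_BAD` it reports the undefined map, the missing NAT exemption and the non-mirrored ACLs.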