Tek-Tips Forums

The IOS VPN how to!


Deepseadata

Technical User
Jul 10, 2008
Hi there,

I'm entering the world of VPN with my network and think it's best to ask the pros some questions while I dig through forums and read articles.

I have a Cisco 2801 with ADVENTERPRISE IOS that connects to a Cisco 3560 that does inter-VLAN routing. What I want to do is configure things to give two people from the internet access to their two (different) VLANs.

First off, do they NEED to use Cisco's VPN client?

I don't even know what questions to ask... that's what scares me.

Can anyone help me track down some articles to learn as quickly as possible?

Can anyone give me a general idea what is done so I can learn the details?

OK well I'm off to do some reading. I hope I hear back from someone soon.

Cheers.

Kelley

 
I answered someone's post with a good config for a remote access vpn and step-by-step on what the commands do...kind of like a tutorial, if I can find it...it's been probably almost a year...

Burt
 
Hi Burt,

Now I remember. I think I actually posted that in a different VPN cryout a few months back. I wish I could delete duplicate posts like that... I hate to add clutter.

I also remember shooting your commands into my router and having some questions for ya. I think I remember there being some NAT stuff that dropped my existing internet traffic.

I know how much everyone likes to see configs... here's mine with working voice action in there for your viewing delight.

sh run
Building configuration...

Current configuration : 5133 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BD2801
!
boot-start-marker
boot system flash c2801-adventerprisek9-mz.124-17.bin
boot-end-marker
!
logging buffered 51200 warnings
enable passwor
!
aaa new-model
!
!
! Lists referenced by "crypto map vpn_cmap_1" below: the xauth login list
! and the network authorization list used to look up the client group
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
!
aaa session-id common
ip cef
!
!
voice-card 0
!
!
voice call carrier capacity active
voice rtp send-recv
voice dsp release early
!
voice service voip
fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco
!
!
!
!
crypto pki trustpoint TP-self-signed-3884018817
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3884018817
revocation-check none
rsakeypair TP-self-signed-3884018817
!
!
crypto pki certificate chain TP-self-signed-3884018817
certificate self-signed 01
quit
fax interface-type fax-mail
username oceantech privilege 15 password 0 vancouver
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group madcow
key madcowkey
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description Starboard Stratos VSAT
ip address 10.20.46.20 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
ip address 192.168.49.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
crypto map vpn_cmap_1
!
router eigrp 1
network 192.168.49.0
auto-summary
!
ip local pool vpn_pool_1 192.168.50.150 192.168.50.151
ip default-gateway 10.20.46.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.20.46.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
!
control-plane
!
!
!
voice-port 0/2/0
echo-cancel coverage 32
no comfort-noise
cptone GB
timeouts interdigit 3
music-threshold -70
!
voice-port 0/2/1
echo-cancel coverage 32
no comfort-noise
cptone GB
timeouts interdigit 3
music-threshold -70
!
ccm-manager mgcp
!
mgcp
mgcp call-agent 10.129.48.11 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode nse
mgcp codec g729r8 packetization-period 60
mgcp playout adaptive 100 50 200
mgcp playout fax 500
no mgcp timer receive-rtcp
mgcp timer net-cont-test 1000
mgcp timer nse-response t38 1000
mgcp sdp simple
no mgcp fax t38 ecm
mgcp fax t38 nsf 000000
!
mgcp profile default
!
!
dial-peer cor custom
!
!
!
dial-peer voice 1 pots
service mgcpapp
!
dial-peer voice 2 pots
service mgcpapp
!
gateway
timer receive-rtp 1200
!
!
!
call-manager-fallback
max-conferences 4 gain -6
ip source-address 10.20.46.20 port 2000
max-ephones 24
max-dn 24
!
 
One other question for ya.

I've already got access to my router console over the internet.

What I'm trying to do is give a VPN client to some of the subcontractors so they can maintain their devices on certain vlans I've let them put their stuff on.

If I successfully configure a vpn client, is it possible to plop remote clients into selected vlans and give them access to the whole subnet like they were local?

All this without disturbing truly local users' LAN and internet access of course. :)

An answer to these questions would probably allow me to sleep tonight.
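As an added example (not code from the thread), here is how the VPN-related part of the posted config could be reworked to give two contractors their own client groups and address pools, and to keep NAT from translating the LAN-to-client traffic that was mentioned earlier as breaking things. Group names, group keys, user names, pool ranges and the second VLAN subnet 192.168.51.0/24 are assumptions.

```ios
! Added example (not from the thread): the VPN-related lines of the posted config
! reworked so two contractor groups get their own pools and a NAT exemption.
! Group names, keys, user names and the 192.168.51.0/24 VLAN are assumed.
aaa new-model
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
!
! One client group per contractor, each with its own address pool.
crypto isakmp client configuration group contractorA
 key REPLACE_WITH_GROUP_KEY_A
 pool pool_vlan49
 acl split_vlan49
 max-users 1
crypto isakmp client configuration group contractorB
 key REPLACE_WITH_GROUP_KEY_B
 pool pool_vlan51
 acl split_vlan51
 max-users 1
!
ip local pool pool_vlan49 192.168.50.150 192.168.50.151
ip local pool pool_vlan51 192.168.50.160 192.168.50.161
!
! Split-tunnel ACLs: the client sends only its own VLAN through the tunnel.
ip access-list extended split_vlan49
 permit ip 192.168.49.0 0.0.0.255 any
ip access-list extended split_vlan51
 permit ip 192.168.51.0 0.0.0.255 any
!
! NAT exemption: LAN replies to VPN clients must not be translated, otherwise
! they are source-NATed first, no longer match the IPsec SA and never reach
! the client. Replaces "ip nat inside source list 1 pool MADNATPOOL overload".
ip access-list extended NAT_INSIDE
 deny   ip 192.168.0.0 0.0.255.255 192.168.50.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
route-map NONAT permit 10
 match ip address NAT_INSIDE
ip nat inside source route-map NONAT pool MADNATPOOL overload
!
! Xauth users, stored as hashed secrets rather than "password 0 ...".
service password-encryption
username contractorA_user secret REPLACE_ME_A
username contractorB_user secret REPLACE_ME_B
!
! The crypto map goes on the interface that carries the Internet traffic
! (FastEthernet0/1 here), not on Dialer0, which has no IP address.
interface FastEthernet0/1
 crypto map vpn_cmap_1
```

Clients reach their VLAN through routed pool addresses (reverse-route injects the host routes); they do not become layer-2 members of the VLAN, so restricting a group on the router side still needs an ACL on the VLAN interfaces.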
 
You might have to go with separate ISAKMP policies...I'll think about that more...BUT!
MORE IMPORTANTLY!

Change the password...

username oceantech privilege 15 password 0 vancouver

Burt
 
Hi Burt,

Those aren't the correct username and passwords. Imagine if they were though.... there should be some sort of way to edit old posts.

Anyway Burt, my ISP has forwarded a public IP address that I can ping from anywhere on the net. I can telnet into my router with it, too. The problem is that it's not the same address as my internet interface.

I've NEVER setup any sort of vpn before. I was under the impression that my client PC would need to be pointed at my WAN interface... Do I just point it at the address the ISP gave me?

 