
VPN Client Configuration on the server

Status
Not open for further replies.

ajtsystems

IS-IT--Management
Jan 15, 2009
80
GB
Hi there,

I have been asked to set up a VPN client for a user. I have set up a few Site to Site VPNs so far and this is relatively easy. I can't seem to find any information, however, on setting up a client VPN using the Cisco client. Does anyone have a link or any information on how to do this?

I know about the easy VPN wizard in the GUI but unfortunately only have command line access. The router is an 800 series....

Thanks in advance
 
Hi,

OK, the link in the post you supplied worked and I have got a connection to the router with the VPN client. I followed the split DNS guide, but as my router is test kit it doesn't have any ADSL; instead I put a static route to forward all traffic to my cable router on the same network.

The next step is to open my work firewall to accept VPN client requests.... there is obviously a difference between being on the internal LAN like the link sent and coming from the outside...
Any ideas?

James
 
Not quite clear on what you are asking. What is the setup? Can you post a scrubbed config and topology?

Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Hi, sorry for the delay.

Here is my tested and working config:

3640#show run
Building configuration...

Current configuration : 1884 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 3640
!

!--- Enable Authentication, Authorizing and Accounting (AAA)
!--- for user authentication and group authorization.

aaa new-model
!

!--- To enable X-Auth for user authentication,
!--- enable the aaa authentication commands.

aaa authentication login userauthen local


!--- To enable group authorization,
!--- enable the aaa authorization commands.

aaa authorization network groupauthor local
!

!--- For local authentication of the IPSec user,
!--- create the user with password.

username cisco password 0 cisco
!
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!

!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!

!--- Create a group that will be used to specify the
!--- Windows Internet Naming Service (WINS) and
!--- Domain Naming Service (DNS) server addresses to the client,
!--- along with the pre-shared key for authentication.

crypto isakmp client configuration group 3000client
key cisco123
dns 14.1.1.10
wins 14.1.1.20
domain cisco.com
pool ippool
!

!--- Create the Phase 2 Policy for actual data encryption.

crypto ipsec transform-set myset esp-3des esp-sha-hmac
!

!--- Create a dynamic map and
!--- apply the transform set that was created above.

crypto dynamic-map dynmap 10
set transform-set myset
!

!--- Create the actual crypto map,
!--- and apply the aaa lists that were created earlier.

crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!

!--- Apply the crypto map on the outside interface.

interface Ethernet0/0
ip address 172.18.124.159 255.255.255.0
half-duplex
crypto map clientmap
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
ip address 14.38.100.201 255.255.0.0
no keepalive
half-duplex
!
interface Serial1/0
no ip address
shutdown
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
interface Serial1/4
no ip address
shutdown
!
interface Serial1/5
no ip address
shutdown
!
interface Serial1/6
no ip address
shutdown
!
interface Serial1/7
no ip address
shutdown
!

!--- Create a pool of addresses to be assigned to the VPN Clients.

ip local pool ippool 14.1.1.100 14.1.1.200
ip classless
ip route 0.0.0.0 0.0.0.0 172.18.124.1
ip http server
ip pim bidir-enable
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end

3640#

All I am asking really is that in a real-world scenario my external IP address, which I added my crypto map clientmap to, probably wouldn't be an internal IP such as the one in my config - 172.18.124.159

!--- Apply the crypto map on the outside interface.

interface Ethernet0/0
ip address 172.18.124.159 255.255.255.0
half-duplex
crypto map clientmap

Can I simply add the crypto map to the dialer interface on the ADSL and then use the client over the internet, or will I need additional NAT or similar?

Thanks

James
 
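Before a test configuration like the one above is moved onto an Internet-facing interface, it is worth running it through a quick review. The script below is an added example, not code from the thread or from Cisco: it parses an IOS running-config into top-level commands and their indented sub-commands, then flags the settings in the posted config that a reviewer would raise (clear-text password storage, a type-0 local user, 3DES and DH group 2 in the ISAKMP policy, a shared group key, esp-3des in the transform set, the HTTP server) and checks that the crypto map is actually applied to an interface and that the pool the client group references exists. The SAMPLE_CONFIG string is an abridged copy of the config posted above; the finding codes (PWD-ENC, IKE-DH, MAP-UNAPPLIED, ...) are this script's own labels, not IOS terminology.

```python
"""Lint a Cisco IOS running-config for weak or missing settings on a
remote-access (Easy VPN) head end. Added example; not the thread's code."""

import re
from typing import List, Set, Tuple

Section = Tuple[str, List[str]]  # (top-level command, indented sub-commands)

LEGACY_ISAKMP_ENCR = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# Constructed sample: abridged copy of the 3640 config posted in this thread.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
hostname 3640
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username cisco password 0 cisco
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group 3000client
 key cisco123
 dns 14.1.1.10
 wins 14.1.1.20
 domain cisco.com
 pool ippool
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0/0
 ip address 172.18.124.159 255.255.255.0
 crypto map clientmap
interface Ethernet0/1
 ip address 14.38.100.201 255.255.0.0
ip local pool ippool 14.1.1.100 14.1.1.200
ip http server
line vty 0 4
"""


def parse_ios_config(text: str) -> List[Section]:
    """Split an IOS config into top-level commands with their indented children.
    Separator and comment lines ('!' and '!--- ...') are dropped."""
    sections: List[Section] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if sections:  # indented line belongs to the last top-level command
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def lint_vpn_config(text: str) -> List[str]:
    """Return findings as 'CODE: detail' strings; an empty list means nothing flagged."""
    findings: List[str] = []
    defined_maps: Set[str] = set()
    applied_maps: Set[str] = set()
    referenced_pools: Set[str] = set()
    defined_pools: Set[str] = set()

    for cmd, subs in parse_ios_config(text):
        if cmd == "no service password-encryption":
            findings.append("PWD-ENC: passwords are stored in clear text in the config")
        m = re.match(r"username (\S+) password (\d+) ", cmd)
        if m:
            findings.append(f"LOCAL-USER: user '{m.group(1)}' uses a type-{m.group(2)} "
                            "'password' instead of 'secret'")
        if cmd.startswith("crypto isakmp policy"):
            for s in subs:
                parts = s.split()
                if parts[0] == "encr" and parts[1] in LEGACY_ISAKMP_ENCR:
                    findings.append(f"IKE-ENCR: {cmd} uses legacy cipher {parts[1]}")
                if parts[0] == "group" and parts[1] in WEAK_DH_GROUPS:
                    findings.append(f"IKE-DH: {cmd} uses weak DH group {parts[1]}")
                if parts[0] == "hash" and parts[1] == "md5":
                    findings.append(f"IKE-HASH: {cmd} uses md5")
        if cmd.startswith("crypto isakmp client configuration group"):
            group = cmd.split()[-1]
            for s in subs:
                if s.startswith("key "):
                    findings.append(f"GROUP-PSK: group '{group}' relies on a shared group key")
                if s.startswith("pool "):
                    referenced_pools.add(s.split()[1])
        if cmd.startswith("crypto ipsec transform-set"):
            for alg in cmd.split()[4:]:  # tokens after the set name
                if alg in LEGACY_ESP:
                    findings.append(f"ESP-ALG: transform-set uses legacy {alg}")
        if cmd.startswith("crypto map "):
            defined_maps.add(cmd.split()[2])
        if cmd.startswith("interface "):
            for s in subs:
                if s.startswith("crypto map "):
                    applied_maps.add(s.split()[2])
        if cmd.startswith("ip local pool "):
            defined_pools.add(cmd.split()[3])
        if cmd == "ip http server":
            findings.append("HTTP-MGMT: clear-text HTTP management server is enabled")

    for name in sorted(defined_maps - applied_maps):
        findings.append(f"MAP-UNAPPLIED: crypto map '{name}' is not applied to any interface")
    for name in sorted(referenced_pools - defined_pools):
        findings.append(f"POOL-MISSING: client group references undefined pool '{name}'")
    return findings


if __name__ == "__main__":
    for line in lint_vpn_config(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, it reports seven findings and no MAP-UNAPPLIED, because the map is applied on Ethernet0/0; delete that sub-command (as would happen if the map were moved to a dialer interface and the line forgotten) and the MAP-UNAPPLIED finding appears. The parser relies on IOS's convention that sub-commands are indented by one space, so it works on any `show run` output, not only this one.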