[c-nsp] VPN Configuration

Kaj Niemi kajtzu at basen.net
Tue Apr 22 08:41:59 EDT 2008


Hi,


I'm not sure how well Easy VPN and VTIs play together, but in very general
terms - with an old-fashioned crypto map on your "outside" interface - you
want to do something like the following: associate the dynamic map for your
RA VPNs (vpn-users in this case) with the crypto map applied on the
interface (map-outbound in this case).

- aaa lines as needed

- crypto isakmp policy as needed

crypto ipsec transform-set trans-default [something sane]
crypto ipsec transform-set trans-vpn-users [something sane]

crypto dynamic-map vpn-users 200
  set transform-set trans-vpn-users
  reverse-route

! assuming you have aaa in place
! the dynamic map has to hang off the same crypto map that is applied
! on the interface (only one crypto map can be applied per interface)
crypto map map-outbound client authentication list vpn-users
crypto map map-outbound client accounting list vpn-users
crypto map map-outbound isakmp authorization list vpn-users
crypto map map-outbound client configuration address respond
crypto map map-outbound 200 ipsec-isakmp dynamic vpn-users

crypto map map-outbound 100 ipsec-isakmp
  description somewhere
  set peer 1.2.3.4
  set transform-set trans-default
  match address match-whatever

interface FastEthernet0/0
  crypto map map-outbound

The Cisco VPN Client (IPSec) does work fine on both OS X and XP/Vista (not
64-bit Vista, though). It also works on Linux.


On Apr 22, 2008, at 15:21, Paul Stewart wrote:

> Hi folks... if there is a better place to ask than here please let me
> know...;)
>
> I have a Cisco 871 at a client site with a 2 meg connection.  We built a
> site to site VPN (config below) which works perfectly... now the client
> would like 4-5 remote access VPN sessions to be possible.  I'm asking the
> list before I dive too much into docs on the easiest simple way to setup a
> remote access VPN when you already have a site to site configured.... we'd
> like to adopt a "cookie cutter" approach for some other client sites in the
> near future....  this particular customer has remote computers running Mac
> OS/X and PC's running XP/Vista which I understand the Cisco VPN client runs
> on both....?
>
> Can someone tell me a good way to configure both on the same router?
> Thanks in advance..
>
> Paul
>
> Config:
>
> crypto isakmp policy 10
> encr aes 256
> authentication pre-share
> crypto isakmp key XXXXXXXXXXX address xx.xx.xx.xxx
> !
> !
> crypto ipsec transform-set ts1 ah-sha-hmac esp-aes 256
> !
> crypto ipsec profile VPN
> set transform-set ts1
>
> interface Tunnel0
> description xxxxxxxxxxx
> ip address 172.16.1.1 255.255.255.252
> tunnel source FastEthernet4
> tunnel destination xx.xx.xx.xxx
> tunnel protection ipsec profile VPN
>
> interface FastEthernet4
> description Nexicom Cable
> ip address dhcp
> ip nat outside
> ip virtual-reassembly
> duplex auto
> speed auto
> no cdp enable
> !
> interface Vlan1
> description Internal LAN
> ip address 10.241.41.193 255.255.255.192
> ip nat inside
> ip virtual-reassembly
>
> ip route 10.241.175.64 255.255.255.192 Tunnel0
>
> ip nat inside source list 102 interface FastEthernet4 overload
>
> access-list 102 deny   ip 10.241.41.192 0.0.0.63 10.241.175.64 0.0.0.63
> access-list 102 permit ip 10.241.41.192 0.0.0.63 any
>
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

HTH

Kaj
-- 
Kaj J. Niemi
<kajtzu at basen.net>
+358 45 63 12000
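The reply above hinges on one wiring detail: the dynamic map for the remote access clients must be attached to the crypto map that is actually applied on the outside interface. As an added example (not code from the thread or from Cisco), here is a small Python check that parses the subset of IOS syntax used in the reply and reports that kind of mismatch, plus a few related dangling references. It assumes child lines are indented, as `show running-config` prints them; the map, ACL and peer names and the transform-set contents below are constructed for the demo.

```python
"""Consistency check for IOS crypto-map wiring (added example, not from the
thread).  Parses transform sets, dynamic maps, crypto map entries and the
'crypto map' line on each interface, then reports dynamic maps that hang off
a crypto map no interface uses, missing transform sets, and incomplete
static entries.  Child lines must be indented, as 'show running-config'
prints them.  All names and addresses here are constructed for the demo."""
from collections import defaultdict


def parse_ios(text):
    """Return the crypto-relevant pieces of a flat IOS config as a dict."""
    cfg = {"maps": defaultdict(dict), "dyn": {}, "ts": set(), "iface_map": {}}
    block = None  # section the current child lines belong to
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        toks = line.split()
        if not raw.startswith(" "):  # top-level statement opens a new block
            block = None
            if toks[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["ts"].add(toks[3])
            elif toks[:2] == ["crypto", "dynamic-map"]:
                cfg["dyn"][toks[2]] = {"transform-set": None, "rri": False}
                block = ("dyn", toks[2])
            elif toks[:2] == ["crypto", "map"] and len(toks) > 3 and toks[3].isdigit():
                # crypto map NAME SEQ ipsec-isakmp [dynamic DYN-NAME]
                dyn = toks[toks.index("dynamic") + 1] if "dynamic" in toks else None
                entry = {"dynamic": dyn, "peer": None, "transform-set": None, "acl": None}
                cfg["maps"][toks[2]][int(toks[3])] = entry
                block = ("map", toks[2], int(toks[3]))
            elif toks[:2] == ["crypto", "map"]:
                # per-map client/isakmp settings: only note that the map exists
                cfg["maps"].setdefault(toks[2], {})
            elif toks[0] == "interface":
                block = ("iface", toks[1])
            continue
        if block is None:
            continue
        if block[0] == "dyn":
            d = cfg["dyn"][block[1]]
            if toks[:2] == ["set", "transform-set"]:
                d["transform-set"] = toks[2]
            elif toks[0] == "reverse-route":
                d["rri"] = True
        elif block[0] == "map":
            e = cfg["maps"][block[1]][block[2]]
            if toks[:2] == ["set", "peer"]:
                e["peer"] = toks[2]
            elif toks[:2] == ["set", "transform-set"]:
                e["transform-set"] = toks[2]
            elif toks[:2] == ["match", "address"]:
                e["acl"] = toks[2]
        elif block[0] == "iface" and toks[:2] == ["crypto", "map"]:
            cfg["iface_map"][block[1]] = toks[2]
    return cfg


def lint(cfg):
    """Return findings as strings; an empty list means the wiring is consistent."""
    findings = []
    applied = set(cfg["iface_map"].values())
    for iface, name in cfg["iface_map"].items():
        if not cfg["maps"].get(name):
            findings.append(f"{iface}: crypto map {name} has no entries")
    for name, entries in cfg["maps"].items():
        for seq, e in sorted(entries.items()):
            tag = f"crypto map {name} {seq}"
            if e["dynamic"]:
                if e["dynamic"] not in cfg["dyn"]:
                    findings.append(f"{tag}: dynamic map {e['dynamic']} is not defined")
                if name not in applied:
                    findings.append(f"{tag}: dynamic map {e['dynamic']} hangs off {name}, "
                                    "which is not applied to any interface")
            else:
                for field in ("peer", "transform-set", "acl"):
                    if not e[field]:
                        findings.append(f"{tag}: static entry has no {field}")
                if e["transform-set"] and e["transform-set"] not in cfg["ts"]:
                    findings.append(f"{tag}: transform-set {e['transform-set']} is not defined")
    for name, d in cfg["dyn"].items():
        if d["transform-set"] and d["transform-set"] not in cfg["ts"]:
            findings.append(f"dynamic-map {name}: transform-set {d['transform-set']} is not defined")
        if not d["rri"]:
            findings.append(f"dynamic-map {name}: no reverse-route, client routes will not be injected")
    return findings


# Constructed config: the dynamic map sits on map-inbound, the interface carries map-outbound.
AS_POSTED = """\
crypto ipsec transform-set trans-default esp-aes 256 esp-sha-hmac
crypto ipsec transform-set trans-vpn-users esp-aes 256 esp-sha-hmac
crypto dynamic-map vpn-users 200
 set transform-set trans-vpn-users
 reverse-route
crypto map map-inbound client authentication list vpn-users
crypto map map-inbound client configuration address respond
crypto map map-inbound 200 ipsec-isakmp dynamic vpn-users
crypto map map-outbound 100 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set trans-default
 match address site-to-site-acl
interface FastEthernet0/0
 crypto map map-outbound
"""
# Corrected variant: everything hangs off the one map applied on the interface.
FIXED = AS_POSTED.replace("map-inbound", "map-outbound")

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, "->", lint(parse_ios(text)) or "no findings")
```

Run it on a saved `show running-config`; the check is deliberately narrow (it knows nothing about ISAKMP policies or the AAA lists), so an empty result means only that the map references line up, not that the VPN is correct.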