Sample network configuration
So I've been tinkering with IPsec tunneling and VPN remote access. After googling and playing with my little lab, I finally got a configuration working that some may find useful at one point or another.
I've learned a lot in this place, so I'm giving this in return. Enjoy :)
-- Some disclaimers in this configuration --
• I enabled RIPv2 on the Linksys router; NAT is enabled.
• The 2960 has two trunk links, FA0/1 and FA0/23. One is connected to the 1841, the other to the 1721.
• Each trunk carries separate VLAN traffic.
• The tunnel between the 1841 and the 1721 is for traffic between 20.17.12.0 and 29.18.12.0 only.
• The 1841 acts as a remote access VPN gateway for Cisco VPN clients.

Cisco 1841
router1#sh run
Building configuration...
Current configuration : 2465 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$JA62$iR6pa7GlBMgQ3HcbngSAB.
!
aaa new-model
!
!
aaa authentication login default enable
aaa authentication login VPNClientuser local
aaa authorization network VPNClientuser local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 20.17.12.0 20.17.12.24
ip dhcp excluded-address 20.18.12.0 20.18.12.24
!
ip dhcp pool VLAN_20-17-12-0
network 20.17.12.0 255.255.255.0
dns-server 4.2.2.1
domain-name localnet.local
default-router 20.17.12.1
!
ip dhcp pool VLAN_20-18-12-0
network 20.18.12.0 255.255.255.0
dns-server 4.2.2.1
domain-name localnet.local
default-router 20.18.12.1
!
!
!
!
!
username vpn password 0 client
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 6 letstunnel address 20.18.12.2 no-xauth
!
crypto isakmp client configuration group RemoteAccess
key iwantin
dns 4.2.2.1
domain vpnclient.local
pool VPNClients
!
!
crypto ipsec transform-set Tset1 esp-3des esp-md5-hmac
!
crypto dynamic-map DynMap1 10
set transform-set Tset1
!
!
crypto map ClientMap1 client authentication list VPNClientuser
crypto map ClientMap1 isakmp authorization list VPNClientuser
crypto map ClientMap1 client configuration address respond
crypto map ClientMap1 10 ipsec-isakmp dynamic DynMap1
!
crypto map Map1 10 ipsec-isakmp
set peer 20.18.12.2
set transform-set Tset1
match address 150
!
!
!
interface FastEthernet0/0
ip address 10.17.12.25 255.255.255.0
duplex auto
speed auto
crypto map ClientMap1
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 20.17.12.1 255.255.255.0
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 20.18.12.1 255.255.255.0
crypto map Map1
!
interface Serial0/0/0
no ip address
shutdown
!
router rip
version 2
network 10.0.0.0
network 20.0.0.0
!
ip local pool VPNClients 32.17.12.25 32.17.12.100
!
!
no ip http server
no ip http secure-server
!
access-list 150 permit ip 20.17.12.0 0.0.0.255 29.18.12.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
password cisco
line vty 5 15
password cisco
!
scheduler allocate 20000 1000
end

Cisco 1721
router2#sh run
Building configuration...
Current configuration : 1820 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$l0Yx$SOArw7wT8I.vRQCOZkPwz/
!
aaa new-model
!
!
aaa authentication login default enable
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 29.18.12.0 29.18.12.24
ip dhcp excluded-address 29.17.12.0 29.17.12.24
!
ip dhcp pool VLAN_29-17-12-0
network 29.17.12.0 255.255.255.0
default-router 29.17.12.1
dns-server 4.2.2.1
domain-name localnet.local
!
ip dhcp pool VLAN_29-18-12-0
network 29.18.12.0 255.255.255.0
default-router 29.18.12.1
dns-server 4.2.2.1
domain-name localnet.local
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key 6 letstunnel address 20.18.12.1 no-xauth
!
!
crypto ipsec transform-set Tset1 esp-3des esp-md5-hmac
!
crypto map Map1 10 ipsec-isakmp
set peer 20.18.12.1
set transform-set Tset1
match address 150
!
!
!
interface Ethernet0
ip address 20.18.12.2 255.255.255.0
half-duplex
crypto map Map1
!
interface FastEthernet0
no ip address
speed auto
!
interface FastEthernet0.1
encapsulation dot1Q 3
ip address 29.17.12.1 255.255.255.0
no snmp trap link-status
!
interface FastEthernet0.2
encapsulation dot1Q 4
ip address 29.18.12.1 255.255.255.0
no snmp trap link-status
!
router rip
version 2
network 20.0.0.0
network 29.0.0.0
!
ip classless
!
no ip http server
no ip http secure-server
!
access-list 150 permit ip 29.18.12.0 0.0.0.255 20.17.12.0 0.0.0.255
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password cisco
line vty 5 15
password cisco
!
end

Cisco 2960
sw1#sh run
Building configuration...
Current configuration : 2493 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname sw1
!
enable secret 5 $1$Z42v$m9A5Es7odyqdLYLUI8dMO1
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
switchport trunk allowed vlan 1,2
switchport mode trunk
!
interface FastEthernet0/2
spanning-tree portfast
!
interface FastEthernet0/3
spanning-tree portfast
!
interface FastEthernet0/4
spanning-tree portfast
!
interface FastEthernet0/5
spanning-tree portfast
!
interface FastEthernet0/6
spanning-tree portfast
!
interface FastEthernet0/7
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/8
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/9
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/10
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/11
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/12
switchport access vlan 2
spanning-tree portfast
!
interface FastEthernet0/13
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/14
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/15
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/16
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/17
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/18
switchport access vlan 3
spanning-tree portfast
!
interface FastEthernet0/19
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet0/20
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet0/21
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet0/22
switchport access vlan 4
spanning-tree portfast
!
interface FastEthernet0/23
switchport trunk allowed vlan 3,4
switchport mode trunk
!
interface FastEthernet0/24
switchport access vlan 4
spanning-tree portfast
!
interface GigabitEthernet0/1
switchport access vlan 10
!
interface GigabitEthernet0/2
switchport access vlan 10
!
interface Vlan1
ip address 20.17.12.3 255.255.255.0
no ip route-cache
!
ip default-gateway 20.17.12.1
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
end
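Added here as a worked check, not code from the post or from Cisco: a small Python script that reads the crypto-relevant lines of the two router configs above and verifies what the disclaimers promise, that the 1841/1721 tunnel covers exactly 20.17.12.0 to 29.18.12.0 (crypto ACL 150 on each side must be the mirror image of the other), that each side's `set peer` is the address the other side applies its crypto map on, and that the pre-shared keys and transform sets agree. It also lists the settings a reviewer would flag today: 3DES and MD5 in the transform set, the default DES/SHA/group 1 ISAKMP policy, and keys and passwords stored in the clear. The helper names parse_ios, check_tunnel_pair and audit_legacy are this example's own, and the two sample configs are the relevant lines copied from router1 and router2.

```python
# Added example (not the post's code): audit a site-to-site IPsec pair from IOS running-configs.
import re
from ipaddress import IPv4Network
# Sample input: the crypto-relevant lines copied from router1 (1841) and router2 (1721) above.
ROUTER1 = """hostname router1
no service password-encryption
crypto isakmp policy 3
encr 3des
group 2
crypto isakmp key 6 letstunnel address 20.18.12.2 no-xauth
crypto ipsec transform-set Tset1 esp-3des esp-md5-hmac
crypto map Map1 10 ipsec-isakmp
set peer 20.18.12.2
set transform-set Tset1
match address 150
interface FastEthernet0/1.2
ip address 20.18.12.1 255.255.255.0
crypto map Map1
access-list 150 permit ip 20.17.12.0 0.0.0.255 29.18.12.0 0.0.0.255
"""
ROUTER2 = """hostname router2
crypto isakmp policy 10
crypto isakmp key 6 letstunnel address 20.18.12.1 no-xauth
crypto ipsec transform-set Tset1 esp-3des esp-md5-hmac
crypto map Map1 10 ipsec-isakmp
set peer 20.18.12.1
set transform-set Tset1
match address 150
interface Ethernet0
ip address 20.18.12.2 255.255.255.0
crypto map Map1
access-list 150 permit ip 29.18.12.0 0.0.0.255 20.17.12.0 0.0.0.255
"""

def parse_ios(text):
    # Sections are tracked by order (IOS output has no reliable indentation); unknown lines are ignored.
    cfg = {"hostname": None, "acls": {}, "maps": {}, "keys": {}, "tsets": {},
           "policies": {}, "map_ifaces": {}, "flags": set()}
    kind = block = ip = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"hostname (\S+)$", line):
            cfg["hostname"] = m[1]
        elif line == "no service password-encryption":
            cfg["flags"].add("service password-encryption is off")
        elif m := re.match(r"crypto isakmp policy (\d+)$", line):
            kind, block = "policy", m[1]
            cfg["policies"][block] = {"encr": "des", "hash": "sha", "group": "1"}  # IOS defaults
        elif m := re.match(r"crypto isakmp key (?:[06] )?(\S+) address (\S+)", line):
            cfg["keys"][m[2]] = m[1]
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["tsets"][m[1]] = m[2].split()
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", line):
            kind, block = "map", m[1]
            cfg["maps"][block] = {}
        elif m := re.match(r"interface (\S+)$", line):
            kind, block, ip = "iface", m[1], None
        elif m := re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            # ipaddress reads an IOS wildcard such as 0.0.0.255 as a host mask
            cfg["acls"].setdefault(m[1], []).append(
                (IPv4Network(f"{m[2]}/{m[3]}"), IPv4Network(f"{m[4]}/{m[5]}")))
        elif kind == "policy" and (m := re.match(r"(encr|hash|group) (\S+)$", line)):
            cfg["policies"][block][m[1]] = m[2]
        elif kind == "map" and (m := re.match(r"(?:set|match) (\S+) (\S+)$", line)):
            cfg["maps"][block][m[1]] = m[2]  # keys: peer, transform-set, address
        elif kind == "iface" and (m := re.match(r"ip address (\S+) \S+$", line)):
            ip = m[1]
        elif kind == "iface" and (m := re.match(r"crypto map (\S+)$", line)):
            cfg["map_ifaces"][m[1]] = ip
    return cfg

def check_tunnel_pair(a, b):
    """Return problems found comparing a's site-to-site crypto maps with b's; [] means consistent."""
    problems = []
    for name, cm in a["maps"].items():
        local, peer = a["map_ifaces"].get(name), cm.get("peer")
        other = next((m for m in b["maps"].values() if m.get("peer") == local), None)
        if other is None or peer not in b["map_ifaces"].values():
            problems.append(f"{a['hostname']} {name}: no matching crypto map on {b['hostname']}")
            continue
        if a["keys"].get(peer) != b["keys"].get(local):
            problems.append(f"{name}: pre-shared keys differ")
        if a["tsets"].get(cm.get("transform-set")) != b["tsets"].get(other.get("transform-set")):
            problems.append(f"{name}: transform sets differ")
        mine = set(a["acls"].get(cm.get("address"), []))
        theirs = {(d, s) for s, d in b["acls"].get(other.get("address"), [])}  # swapped
        if mine != theirs:
            problems.append(f"{name}: crypto ACLs are not mirror images ({len(mine ^ theirs)} entries differ)")
    return problems

def audit_legacy(cfg):
    """Settings a reviewer would flag today: DES/3DES, MD5, DH group 1/2, keys and passwords in the clear."""
    findings = sorted(cfg["flags"])
    for num, p in cfg["policies"].items():
        if p["encr"] in ("des", "3des") or p["hash"] == "md5" or p["group"] in ("1", "2"):
            findings.append(f"isakmp policy {num}: {p['encr']}/{p['hash']}/group {p['group']}")
    for name, algs in cfg["tsets"].items():
        if weak := [x for x in algs if x in ("esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac")]:
            findings.append(f"transform-set {name}: {' '.join(weak)}")
    if cfg["keys"]:
        findings.append(f"{len(cfg['keys'])} pre-shared key(s) stored readable in the config")
    return findings
```

Call `check_tunnel_pair(parse_ios(ROUTER1), parse_ios(ROUTER2))`; an empty list means the two ends agree, and swapping the arguments checks the other direction. Because the parser skips lines it does not recognise, it can be pointed at a full `show run` dump; a dynamic crypto map such as ClientMap1 has no static peer and is simply not compared. The mirror-image test is the one worth keeping around: a crypto ACL that is off by one subnet on one side is exactly the kind of mistake that leaves a tunnel half-working.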
Thanks for the information NetworkGuy. One small request -- instead of Router 1 and Router 2, could you specify which config is the 1841 and which config is the 1721? I think I know which is which, I just want to be sure.
Regards

Oops, sorry about that. Makes sense. Edited now.

reply to Network Guy: Ahh, that helps. Thanks Network Guy.
Regards

aryoba: The next experiment is probably having NAT take place in the Cisco routers so it no longer depends on the Linksys or any other devices. In other words, the Cisco routers terminate the IPsec VPN and GRE tunnels, and NAT the traffic to go through the tunnels.