Wednesday, April 21, 2010

Cisco IOS VPN Server and Client config

Allow IPsec VPN clients to connect while keeping their normal Internet access, using a split-tunneling configuration.

This configuration assumes the following:

VPN Client Username: myusername
VPN Client Password: mypassword
VPN Group authentication name: mygroupname
VPN Group authentication password: mygroupkey
Your internal DNS: 192.168.1.100
Your domain: mydomain
IPs to be assigned to VPN clients: 192.168.1.5 to 192.168.1.10/24
FastEthernet0/0 is the router's outside interface

Router configuration:
Router(config)#aaa new-model
Router(config)#aaa authentication login userauth local-case
Router(config)#aaa authorization network groupauth local
Router(config)#username myusername password 0 mypassword
Router(config)#crypto isakmp policy 3
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp client configuration group mygroupname
Router(config-isakmp-group)#key mygroupkey
Router(config-isakmp-group)#dns 192.168.1.100
Router(config-isakmp-group)#domain mydomain
Router(config-isakmp-group)#pool myvpnpool
Router(config-isakmp-group)#acl 101
Router(config-isakmp-group)#exit
Router(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
Router(cfg-crypto-trans)#exit
Router(config)#crypto dynamic-map dynmap 10
Router(config-crypto-map)#set transform-set myset
Router(config-crypto-map)#reverse-route
Router(config-crypto-map)#exit
Router(config)#crypto map clientmap client authentication list userauth
Router(config)#crypto map clientmap isakmp authorization list groupauth
Router(config)#crypto map clientmap client configuration address respond
Router(config)#crypto map clientmap 10 ipsec-isakmp dynamic dynmap
Router(config)#int fa0/0
Router(config-if)#ip address <outside_IP_address> <subnet_mask>
Router(config-if)#no shut
Router(config-if)#ip nat outside
Router(config-if)#crypto map clientmap
Router(config-if)#exit
Router(config)#ip local pool myvpnpool 192.168.1.5 192.168.1.10
Router(config)#ip nat inside source list 111 interface FastEthernet0/0 overload
Router(config)#access-list 111 deny ip <local_network_IP> <inverted mask> 192.168.1.0 0.0.0.255
Router(config)#access-list 111 permit ip any any
Router(config)#access-list 101 permit ip <local_network_IP> <inverted mask> 192.168.1.0 0.0.0.255
Remember to save your config!
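Two things are easy to get wrong in the configuration above: the NAT-exemption ACL (111) and the split-tunnel ACL (101) have to name exactly the same source/destination pair, and the addresses in the client pool have to sit inside the network that ACL 101 lists. The script below is an added example, not part of the original post or of Cisco's documentation. It generates both ACLs from CIDR notation (converting the subnet mask to the inverted "wildcard" mask IOS expects), checks that the two ACLs mirror each other and that the pool lies inside the split network, and flags the algorithms the post uses (3DES, MD5-HMAC, DH group 2) that are considered weak today. The LAN 10.0.0.0/24 is a constructed stand-in for the page's <local_network_IP> <inverted mask>.

```python
import ipaddress
import re

# Constructed placeholder for the page's <local_network_IP> <inverted mask>.
LOCAL_LAN = "10.0.0.0/24"
# Values taken from the post: client pool and the network it is carved from.
VPN_POOL = ("192.168.1.5", "192.168.1.10")
VPN_NET = "192.168.1.0/24"

# The crypto-relevant lines of the post's configuration, pasted with prompts.
PAGE_CONFIG = """\
Router(config)#crypto isakmp policy 3
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config-isakmp)#exit
Router(config)#crypto ipsec transform-set myset esp-3des esp-md5-hmac
"""


def wildcard(net):
    """Return 'network wildcard' as IOS ACLs expect; the wildcard is the inverted subnet mask."""
    n = ipaddress.ip_network(net, strict=False)
    return f"{n.network_address} {n.hostmask}"


def split_tunnel_acls(local_lan, vpn_net, split_acl=101, nat_acl=111):
    """Generate the NAT-exemption ACL and the split-tunnel ACL used by the post.

    They must mirror each other: traffic the split ACL pushes into the tunnel is
    exactly the traffic the NAT ACL must exempt from overload, otherwise those
    packets are translated to the WAN address and never match the crypto map.
    """
    pair = f"{wildcard(local_lan)} {wildcard(vpn_net)}"
    return [
        f"access-list {nat_acl} deny ip {pair}",
        f"access-list {nat_acl} permit ip any any",
        f"access-list {split_acl} permit ip {pair}",
    ]


def nat_exemption_matches_split(acl_lines, split_acl="101", nat_acl="111"):
    """True when the NAT ACL's deny entry names the same pair as the split ACL's permit entry."""
    pairs = {}
    for line in acl_lines:
        # 'permit ip any any' has only two address tokens and is skipped on purpose.
        m = re.match(r"access-list (\d+) (deny|permit) ip (\S+ \S+ \S+ \S+)$", line)
        if m:
            pairs.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    deny = pairs.get(nat_acl, {}).get("deny")
    permit = pairs.get(split_acl, {}).get("permit")
    return deny is not None and deny == permit


def pool_inside_split_network(pool, vpn_net):
    """Every address handed out by 'ip local pool' must fall inside the split network."""
    n = ipaddress.ip_network(vpn_net)
    lo, hi = (ipaddress.ip_address(a) for a in pool)
    return lo in n and hi in n and lo <= hi


# Settings from the post that modern IOS can replace with AES, SHA-2 and DH group 14+.
WEAK = {
    re.compile(r"^\s*encryption 3des"): "ISAKMP 3DES (64-bit block cipher)",
    re.compile(r"^\s*group (1|2|5)\b"): "ISAKMP DH group below 14 (small modulus)",
    re.compile(r"^\s*hash md5"): "ISAKMP MD5 hash",
    re.compile(r"\besp-3des\b"): "ESP 3DES transform",
    re.compile(r"\besp-md5-hmac\b"): "ESP MD5-HMAC integrity",
}


def audit_crypto(config_text):
    """Return (line number, line, reason) for every weak crypto setting found."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = re.sub(r"^Router\([^)]*\)#", "", raw)  # strip the pasted CLI prompt
        for pattern, why in WEAK.items():
            if pattern.search(line):
                findings.append((lineno, line.strip(), why))
    return findings


if __name__ == "__main__":
    acls = split_tunnel_acls(LOCAL_LAN, VPN_NET)
    print("\n".join(acls))
    print("ACLs mirror each other:", nat_exemption_matches_split(acls))
    print("pool inside split network:", pool_inside_split_network(VPN_POOL, VPN_NET))
    for lineno, line, why in audit_crypto(PAGE_CONFIG):
        print(f"line {lineno}: {line!r}: {why}")
```

Run against the post's own lines the audit reports four findings (3DES and group 2 in the ISAKMP policy, esp-3des and esp-md5-hmac in the transform set); the ACL and pool checks pass for the values the post uses.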

Install the Cisco VPN client. Restart your computer. Open the VPN client and click "New", then fill out the connection entry with the details you just configured on your router.

NOTE: Still getting Error 2738 with Windows 7 install?
Bring up an administrative terminal:
Start --> Run --> type "cmd", then hold Ctrl+Shift and press Enter (this opens the prompt with administrator rights).
Re-register VBScript engine:
reg delete "HKCU\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}" /f
%systemroot%\system32\regsvr32 vbscript.dll

Click "Save". Double click your new Connection entry and supply your configured Username and Password.

Check that all is working:
Router#show crypto isakmp sa
Shows all current IKE Security Associations (SAs) at a peer.
Router#show crypto ipsec sa
Shows the settings used by current SAs.
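When checking the ISAKMP SAs, the state column is what matters: QM_IDLE means Phase 1 completed and the SA is usable, while states such as MM_NO_STATE mean the negotiation failed or is still in progress (a wrong group key or a policy mismatch are the usual causes). The parser below is an added example, not from the original post or from Cisco; the sample output is constructed in the column layout of the IOS 12.4-era command and uses documentation addresses, not captured router output.

```python
import ipaddress

# Constructed sample of 'show crypto isakmp sa' output (not a real capture).
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.7    QM_IDLE           1001 ACTIVE
203.0.113.1     198.51.100.9    MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_isakmp_sa(text):
    """Turn the table into a list of dicts; only rows starting with two addresses are SAs."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and _is_ip(parts[0]) and _is_ip(parts[1]):
            sas.append({
                "dst": parts[0],
                "src": parts[1],
                "state": parts[2],
                "conn_id": int(parts[3]),
                "status": " ".join(parts[4:]),  # 'ACTIVE' or 'ACTIVE (deleted)'
            })
    return sas


def established_peers(sas):
    """Peers whose Phase 1 SA is fully negotiated (QM_IDLE)."""
    return [sa["src"] for sa in sas if sa["state"] == "QM_IDLE"]


def stuck_peers(sas):
    """Peers in any other state, with the state so you know where negotiation stopped."""
    return [(sa["src"], sa["state"]) for sa in sas if sa["state"] != "QM_IDLE"]


if __name__ == "__main__":
    sas = parse_isakmp_sa(SAMPLE_ISAKMP_SA)
    print("established:", established_peers(sas))
    print("not established:", stuck_peers(sas))
```

Feed it the real command output (for example saved from a terminal session) and a client that shows up only under stuck_peers has not got past Phase 1, so the group name and key on the client are the first things to re-check.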

Reference: http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml#vpn405