Remote Access VPN with 877

Discussion in 'Routing & Switching' started by k.r.o.g., Apr 17, 2011.

  1. k.r.o.g.

    k.r.o.g. Bit Poster

    Hi.

    I'm looking at setting up a remote access VPN to our 877w i.e. using the Windows client to connect to the 877. I'm pretty sure this is possible and I've done a fair bit of homework but I'm not getting anywhere fast.

    Has anyone set up an 877 or similar with this type of config that could share their configs / thoughts on how to go about this?

    Any pointers to setup guides would be great also.

    Cheers
    K
     
    Certifications: Bsc Hons-Comp Networking. MCP-270,291
    WIP: MCSA-284,290
  2. keconnect sparky

    keconnect sparky Nibble Poster

    Not sure if this is what you're after, but I did set up a basic PPTP (where the router was the RADIUS server and auth'd clients connecting), although my goal was to get this to auth with a Windows server box on AD but never got around to it :0(

    Anyway, this config is from an old Cisco lab:

    !
    version 12.3
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname 2691-Bonded
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    logging console critical
    enable secret 5
    !
    clock timezone GB 0
    clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa session-id common
    ip subnet-zero
    !
    !
    ip cef
    ip domain name sparky.com
    ip name-server 62.121.10.2
    ip name-server 62.121.0.2
    ip dhcp excluded-address 192.168.1.1 192.168.1.19
    ip dhcp excluded-address 192.168.1.101 192.168.1.254
    !
    ip dhcp pool homelan
    import all
    network 192.168.1.0 255.255.255.0
    dns-server 62.121.10.2 62.121.0.2
    default-router 192.168.1.1
    lease 3
    !
    ip multicast-routing
    vpdn enable
    !
    vpdn-group PPTP
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 2
    source-ip 77.76.97.xx
    local name sparkys
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    username sparky privilege 15 secret 5 xxxxx
    username sparkyvpn password 7 xxxx
    !
    !
    !
    !
    !
    !
    !
    interface Loopback1
    ip address 1.1.1.1 255.255.255.255
    !
    interface Loopback217
    description +++ PPTP/IPSec virtual interface +++
    ip address 77.76.97.xx 255.255.255.248
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    ip route-cache flow
    no ip mroute-cache
    !
    interface ATM0/0
    description xxxxxxxxxxxxxxx
    no ip address
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0/0
    description Connection to C2924M
    ip address 192.168.1.1 255.255.255.0
    no ip proxy-arp
    ip nat inside
    ip flow ingress
    ip pim dense-mode
    speed 100
    full-duplex
    hold-queue 100 out
    !
    interface Serial0/0
    no ip address
    shutdown
    clock rate 2000000
    !
    interface ATM0/1
    description xxxxxxxxxxxxxx
    no ip address
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface Serial0/1
    no ip address
    shutdown
    clock rate 2000000
    !
    interface Virtual-Template1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip route-cache flow
    !
    interface Virtual-Template2
    description +++ PPTP Template +++
    ip unnumbered FastEthernet0/0
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip flow ingress
    ip nbar protocol-discovery
    ip route-cache flow
    peer default ip address pool PPTP
    no keepalive
    ppp encrypt mppe auto
    ppp authentication pap chap ms-chap ms-chap-v2
    ppp ipcp dns 192.168.1.1
    !
    interface Dialer0
    description +++ Connection to ISP +++
    ip address negotiated
    no ip proxy-arp
    ip accounting output-packets
    ip nat outside
    ip flow ingress
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer idle-timeout 0
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname xxxxxxxxxxxxxxxxxx
    ppp chap password 7 xxxxxxxxxxxxxxxxxxx
    ppp link reorders
    ppp multilink
    ppp multilink slippage mru 16
    ppp multilink fragment delay 20
    ppp multilink interleave
    !
    router ospf 1
    router-id 1.1.1.1
    log-adjacency-changes
    network 192.168.1.0 0.0.0.255 area 0
    network 0.0.0.0 255.255.255.255 area 0
    default-information originate
    !
    ip local pool PPTP 192.168.1.200 192.168.1.254
    ip nat inside source list NatPool interface Dialer0 overload
    ip nat inside source static tcp 192.168.1.5 5060 interface Dialer0 5060
    ip nat inside source static tcp 192.168.1.4 22 interface Dialer0 22
    ip nat inside source static tcp 192.168.1.4 5900 interface Dialer0 5900
    no ip http server
    ip http access-class 23
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip dns server
    !
    !
    ip access-list standard NatPool
    permit 192.168.0.0 0.0.255.255
    permit 10.10.12.0 0.0.0.255
    access-list 98 permit 62.121.1.22
    access-list 98 permit 62.121.19.202 log
    access-list 98 permit 62.121.18.149
    access-list 98 permit 77.76.97.216 0.0.0.7
    access-list 98 remark allowed telnet hosts
    access-list 98 permit 192.168.1.0 0.0.0.255
    dialer-list 1 protocol ip permit
    !
     
    Certifications: MCP, CCENT, CCNA, CCNA-S
    WIP: CCNP (ROUTE)
  3. k.r.o.g.

    k.r.o.g. Bit Poster

    Nice One Sparky.

    That is pretty much what I'm after. I spent all day looking at this kind of stuff:

    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group VPN
    key XXXXXX
    dns 208.67.222.222
    pool VPN-Pool
    acl 100
    crypto isakmp profile ISAKMP-VPN-Profile
    match identity group VPN
    client authentication list VPN
    isakmp authorization list VPN
    client configuration address respond
    virtual-template 1
    !
    !
    crypto ipsec transform-set Transform-VPN esp-3des esp-sha-hmac
    !
    !
    crypto dynamic-map dynmap 1
    set transform-set Transform-VPN
    set isakmp-profile ISAKMP-VPN-Profile
    !
    !
    crypto map mymap 65535 ipsec-isakmp dynamic dynmap
    !
    !
    interface Virtual-Template1 type tunnel
    description ***VPN***
    no ip address
    tunnel source Dialer0

    but I guess I was way off? I am now thinking that the above setup is for use with the Cisco VPN client?

    Anyway, I had started looking at the VPDN commands around when my head fried and I went for plan B and posted here. I have now applied the appropriate lines from your config and have a tunnel up, but all I can get to is the VLAN interface of the 877. Do you know if I need to add any routes?

    I have to admit, I don't understand all of the config in your post; for example, I'm not sure what's happening here:

    interface Loopback217
    description +++ PPTP/IPSec virtual interface +++
    ip address 77.76.97.xx 255.255.255.248
    no ip redirects
    no ip proxy-arp
    ip flow ingress
    ip route-cache flow
    no ip mroute-cache

    and also I'm not too sure about the ip unnumbered FastEthernet0/0 command in the virtual interface (I set this to my VLAN interface).

    Anyway, glad to have at least got the PPTP up, just need to suss out why I'm not getting on to the remote LAN. But that's for another day now.. :eek:

    Cheers
    K
     
    Certifications: Bsc Hons-Comp Networking. MCP-270,291
    WIP: MCSA-284,290
  4. k.r.o.g.

    k.r.o.g. Bit Poster

    All sorted!

    I was using the same subnet in the ip local pool PPTP command as the subnet that I am trying to VPN to. Changed this and it works like a charm.

    I will post the config I used shortly in case anyone else is trying something similar.

    Thanks again Sparky.

    K.
     
    Certifications: Bsc Hons-Comp Networking. MCP-270,291
    WIP: MCSA-284,290
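The two things this thread turns on, the PPTP virtual-template config Sparky posted and the overlapping-pool mistake k.r.o.g. found in the last post, can both be caught mechanically. Below is an added example, not code from either poster: a small Python audit that parses an IOS-style config, flags an ip local pool that falls inside a directly connected subnet (the fault fixed above), and flags the weak points a defender would review in a PPTP template (PAP/CHAP/MS-CHAPv1 still allowed alongside MS-CHAPv2, MPPE negotiated but not marked required, type 7 reversible passwords). The SAMPLE_CONFIG is a constructed excerpt modelled on the posted config; its addresses and username are illustrative, and the line-based parser assumes blocks end at a bare "!" because forum pastes lose the indentation.

```python
import ipaddress
import re

# Constructed excerpt modelled on the PPTP config posted in this thread.
# Addresses and the username are illustrative, not copied from a live router.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/0
 peer default ip address pool PPTP
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap ms-chap-v2
!
ip local pool PPTP 192.168.1.200 192.168.1.254
username sparkyvpn password 7 xxxx
"""

# PPP methods that send the password in the clear (PAP) or use a challenge
# scheme that is cheaply brute-forced offline (CHAP, MS-CHAPv1).
WEAK_PPP_METHODS = {"pap", "chap", "ms-chap"}


def parse_config(text):
    """Split an IOS config into interface blocks, local pools and type-7 users.

    Sub-commands may or may not be indented (forum pastes usually lose the
    leading space), so a block ends at a bare '!' or at the next top-level
    command we recognise, not at a change of indentation."""
    parsed = {"interfaces": {}, "pools": {}, "type7_users": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            parsed["interfaces"][current] = []
            continue
        pool = re.match(r"ip local pool (\S+) (\S+) (\S+)$", line)
        if pool:
            current = None
            parsed["pools"][pool.group(1)] = (ipaddress.ip_address(pool.group(2)),
                                              ipaddress.ip_address(pool.group(3)))
            continue
        user = re.match(r"username (\S+) .*\bpassword 7\b", line)
        if user:
            current = None
            parsed["type7_users"].append(user.group(1))
            continue
        if current is not None:
            parsed["interfaces"][current].append(line)
    return parsed


def interface_network(lines):
    """Return the connected subnet of an interface, or None if it has none
    ('no ip address', 'ip address negotiated' and 'ip unnumbered' give None)."""
    for line in lines:
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return None


def check_pool_overlap(parsed):
    """Flag client pools whose range lies inside a directly connected subnet,
    the situation k.r.o.g. fixed by moving the pool to its own range."""
    findings = []
    for pool, (start, end) in parsed["pools"].items():
        for name, lines in parsed["interfaces"].items():
            net = interface_network(lines)
            if net is not None and (start in net or end in net):
                findings.append(f"pool {pool} ({start}-{end}) overlaps connected "
                                f"subnet {net} on {name}; give clients their own range")
    return findings


def check_pptp_hardening(parsed):
    """Review every dial-in template (one with a peer address pool) for
    weak authentication, optional encryption and reversible passwords."""
    findings = []
    for name, lines in parsed["interfaces"].items():
        if not any(l.startswith("peer default ip address pool") for l in lines):
            continue  # not a dial-in template
        for l in lines:
            if l.startswith("ppp authentication"):
                weak = sorted(WEAK_PPP_METHODS & set(l.split()[2:]))
                if weak:
                    findings.append(f"{name}: weak PPP auth methods allowed: "
                                    f"{', '.join(weak)}")
            if l.startswith("ppp encrypt mppe") and "required" not in l.split():
                findings.append(f"{name}: MPPE not marked 'required', a peer that "
                                "declines encryption is still accepted")
    for user in parsed["type7_users"]:
        findings.append(f"username {user}: type 7 password is reversible; use 'secret'")
    return findings


def audit(text):
    """Run both checks over a config and return the list of findings."""
    parsed = parse_config(text)
    return check_pool_overlap(parsed) + check_pptp_hardening(parsed)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the pool overlap plus three hardening findings; re-run after moving the pool to a range outside 192.168.1.0/24 and only the hardening findings remain, which matches the fix described in the last post. The hardening findings are a review list, not a verdict: PPTP with MS-CHAPv2 is itself a legacy protocol, so where the router supports it the longer-term answer is the IPsec remote-access setup k.r.o.g. was looking at.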
