[c-nsp] vpn configuration
Hello,

I have the need to create a vpn between two routers. R2 is behind R1 which is doing nat, and R3 has an interface with a public ip. R3 has to initiate the vpn connection because it has a dynamic public ip. I also need to be able to run ospf across the vpn and monitor the vpn traffic.

What would be the best way to do this? Does anyone have any configuration examples?

Thanks
Dan.
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] vpn configuration
DMVPN with GRE is your friend

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml

On Thu, Mar 26, 2009 at 10:54 AM, Dan Letkeman danletke...@gmail.com wrote:

> Hello,
>
> I have the need to create a vpn between two routers. R2 is behind R1
> which is doing nat, and R3 has an interface with a public ip. R3 has to
> initiate the vpn connection because it has a dynamic public ip. I also
> need to be able to run ospf across the vpn and monitor the vpn traffic.
>
> What would be the best way to do this? Does anyone have any
> configuration examples?
>
> Thanks
> Dan.
[c-nsp] VPN Configuration
Hi folks... if there is a better place to ask than here please let me know...;)

I have a Cisco 871 at a client site with a 2 meg connection. We built a site to site VPN (config below) which works perfectly... now the client would like 4-5 remote access VPN sessions to be possible.

I'm asking the list before I dive too much into docs on the easiest simple way to set up a remote access VPN when you already have a site to site configured. We'd like to adopt a cookie cutter approach for some other client sites in the near future. This particular customer has remote computers running Mac OS/X and PCs running XP/Vista, which I understand the Cisco VPN client runs on both?

Can someone tell me a good way to configure both on the same router?

Thanks in advance..
Paul

Config:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
crypto isakmp key XXX address xx.xx.xx.xxx
!
!
crypto ipsec transform-set ts1 ah-sha-hmac esp-aes 256
!
crypto ipsec profile VPN
 set transform-set ts1

interface Tunnel0
 description xxx
 ip address 172.16.1.1 255.255.255.252
 tunnel source FastEthernet4
 tunnel destination xx.xx.xx.xxx
 tunnel protection ipsec profile VPN

interface FastEthernet4
 description Nexicom Cable
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description Internal LAN
 ip address 10.241.41.193 255.255.255.192
 ip nat inside
 ip virtual-reassembly

ip route 10.241.175.64 255.255.255.192 Tunnel0

ip nat inside source list 102 interface FastEthernet4 overload

access-list 102 deny ip 10.241.41.192 0.0.0.63 10.241.175.64 0.0.0.63
access-list 102 permit ip 10.241.41.192 0.0.0.63 any
Re: [c-nsp] VPN Configuration
Hi,

I'm not sure how well Easy VPN and VTIs play together but in very general terms - with an old fashioned crypto map on your outside interface - you want to do something like the following; associate the dynamic map with your RA VPNs (vpn-users in this case) to the crypto map applied on the interface (map-outbound in this case).

- aaa lines as needed
- crypto isakmp policy as needed

crypto ipsec transform-set trans-default [something sane]
crypto ipsec transform-set trans-vpn-users [something sane]

crypto dynamic-map vpn-users 200
 set transform-set trans-vpn-users
 reverse-route

! assuming you have aaa in place
! the remote access entries go into the crypto map applied on the interface
crypto map map-outbound client authentication list vpn-users
crypto map map-outbound client accounting list vpn-users
crypto map map-outbound isakmp authorization list vpn-users
crypto map map-outbound client configuration address respond
crypto map map-outbound 200 ipsec-isakmp dynamic vpn-users

crypto map map-outbound 100 ipsec-isakmp
 description somewhere
 set peer 1.2.3.4
 set transform-set trans-default
 match address match-whatever

interface FastEthernet0/0
 crypto map map-outbound

The Cisco VPN Client (IPSec) does work on both OS X and XP/Vista (not 64 bit Vista, though) fine. It also works on Linux.

On Apr 22, 2008, at 15:21, Paul Stewart wrote:

> Hi folks... if there is a better place to ask than here please let me
> know...;)
>
> I have a Cisco 871 at a client site with a 2 meg connection. We built a
> site to site VPN (config below) which works perfectly... now the client
> would like 4-5 remote access VPN sessions to be possible.
>
> I'm asking the list before I dive too much into docs on the easiest
> simple way to set up a remote access VPN when you already have a site to
> site configured. We'd like to adopt a cookie cutter approach for some
> other client sites in the near future. This particular customer has
> remote computers running Mac OS/X and PCs running XP/Vista, which I
> understand the Cisco VPN client runs on both?
>
> Can someone tell me a good way to configure both on the same router?
>
> Thanks in advance..
> Paul
>
> Config:
>
> crypto isakmp policy 10
>  encr aes 256
>  authentication pre-share
> crypto isakmp key XXX address xx.xx.xx.xxx
> !
> !
> crypto ipsec transform-set ts1 ah-sha-hmac esp-aes 256
> !
> crypto ipsec profile VPN
>  set transform-set ts1
>
> interface Tunnel0
>  description xxx
>  ip address 172.16.1.1 255.255.255.252
>  tunnel source FastEthernet4
>  tunnel destination xx.xx.xx.xxx
>  tunnel protection ipsec profile VPN
>
> interface FastEthernet4
>  description Nexicom Cable
>  ip address dhcp
>  ip nat outside
>  ip virtual-reassembly
>  duplex auto
>  speed auto
>  no cdp enable
> !
> interface Vlan1
>  description Internal LAN
>  ip address 10.241.41.193 255.255.255.192
>  ip nat inside
>  ip virtual-reassembly
>
> ip route 10.241.175.64 255.255.255.192 Tunnel0
>
> ip nat inside source list 102 interface FastEthernet4 overload
>
> access-list 102 deny ip 10.241.41.192 0.0.0.63 10.241.175.64 0.0.0.63
> access-list 102 permit ip 10.241.41.192 0.0.0.63 any

HTH
Kaj
--
Kaj J. Niemi
[EMAIL PROTECTED]
+358 45 63 12000
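
The reply above relies on the remote access dynamic map being an entry in the same crypto map that is applied to the outside interface. As an added example (not code from the thread), this Python check reads IOS configuration text and reports crypto maps and dynamic maps that are defined but never reach an interface; the function name and the sample configuration are constructed for illustration.

```python
import re

def audit_crypto_maps(config):
    """Report crypto maps / dynamic maps that are never bound to an interface."""
    maps = {}        # crypto map name -> dynamic maps it references
    dynamic = set()  # names declared with 'crypto dynamic-map'
    applied = {}     # interface name -> crypto map applied to it
    iface = None
    for raw in config.splitlines():
        line, indented = raw.strip(), raw[:1].isspace()
        if not line or line.startswith("!"):
            continue
        if not indented:                       # top-level command
            iface = None
            if m := re.match(r"interface (\S+)", line):
                iface = m.group(1)
            elif m := re.match(r"crypto dynamic-map (\S+) \d+", line):
                dynamic.add(m.group(1))
            elif m := re.match(r"crypto map (\S+)", line):
                refs = maps.setdefault(m.group(1), set())
                if d := re.search(r"ipsec-isakmp dynamic (\S+)", line):
                    refs.add(d.group(1))
        elif iface and (m := re.match(r"crypto map (\S+)", line)):
            applied[iface] = m.group(1)        # sub-command under an interface
    in_use = set(applied.values())
    findings = [f"crypto map {n} is not applied to any interface"
                for n in sorted(set(maps) - in_use)]
    findings += [f"{i} applies undefined crypto map {n}"
                 for i, n in sorted(applied.items()) if n not in maps]
    reachable = set().union(*(maps[n] for n in in_use if n in maps))
    findings += [f"dynamic-map {n} is not referenced by an applied crypto map"
                 for n in sorted(dynamic - reachable)]
    return findings

# Constructed sample: RA entries in one map, a different map on the interface.
SPLIT = """\
crypto dynamic-map vpn-users 200
 set transform-set trans-vpn-users
crypto map map-inbound 200 ipsec-isakmp dynamic vpn-users
crypto map map-outbound 100 ipsec-isakmp
 set peer 1.2.3.4
interface FastEthernet0/0
 crypto map map-outbound
"""
# Same sample with every entry in the map that is applied to the interface.
MERGED = SPLIT.replace("map-inbound", "map-outbound")

if __name__ == "__main__":
    for name, cfg in (("split", SPLIT), ("merged", MERGED)):
        print(name, audit_crypto_maps(cfg))
```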