
Configuring a Cisco Router to Accept VPN Connections

This post has been a long time coming: someone asked me quite some time ago to post the simplest way to accomplish this (for a home environment). I hate to admit this, but my home PC (where I get all my email) was hacked because I had exposed Microsoft's Remote Desktop Protocol (RDP) and VNC to anywhere on the Internet (a very bad idea). That was the end of that: now a VPN connection is required to get to my home PC. The simplest way to configure a VPN on a router is to use the Cisco SDM...but Real Cisco Techs™ use the command line :). So here we go:

First, you need to specify an authentication method. Since I'm assuming this is for a home environment, using the local router database is just fine:
Router(config)# aaa new-model (enables AAA; the named method list on the next line is not accepted without it)
Router(config)# aaa authentication login LOCAL_DB local (defines a login method list called LOCAL_DB that uses the local DB)
Router(config)# username Jeremy password cisco (creates a user account in the local DB)
Second, you need to define a local pool of addresses for your VPN clients. This is the range they will be assigned when they connect, so it should be a range not already in use on your LAN:
Router(config)# ip local pool CLIENT_ADDRESSES 172.30.50.10 172.30.50.20
Next, you have to create an ISAKMP policy. This policy secures Phase 1 of the VPN negotiation. Phase 1 is there to let the two ends securely agree on the encryption keys you'll be using for the VPN; without it, someone could sniff your encryption keys and compromise the VPN's security:
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encr aes (my preferred encryption: 128-bit AES; fast and secure)
Router(config-isakmp)# authentication pre-share (says that I'll need to type the same secret key on the router and in the VPN client)
Router(config-isakmp)# group 2 (Diffie-Hellman group 2: strong keys to lock down Phase 1)
Now, I need to configure a client configuration group. This is what hands the clients their settings (DNS server, IP address, and so on).
Router(config)# crypto isakmp client configuration group HOME
Router(config-isakmp-group)# key s3cr3t (the client has to provide this group key to connect to the VPN)
Router(config-isakmp-group)# dns 172.30.100.11 (assigns a DNS server to the client)
Router(config-isakmp-group)# domain ciscoblog.com (assigns a DNS suffix to the client)
Router(config-isakmp-group)# pool CLIENT_ADDRESSES (says that clients in this group get an IP address from the CLIENT_ADDRESSES pool)
There is MUCH more you can put under the above config to define things like split tunneling and access control...but that discussion is for another day :)
Next up, we configure the settings for the IPsec tunnel itself (everything until now has been Phase 1, pre-tunnel information). First we set up a transform set. This defines what level of encryption (scrambling data so people can't read it) and hashing (checking that the data hasn't been altered in transit) we'd like to use:
Router(config)# crypto ipsec transform-set JEREMYS_SET esp-aes esp-sha-hmac
As a fly-by description, the line above sets the VPN encryption to 128-bit AES and uses SHA-1 (160-bit) HMAC for integrity. This is what I'd recommend, but you can choose whatever levels you'd like (just hit the ? key to see all your options).
Now we can create a crypto map. A crypto map takes all these settings and gathers them into something we can apply to an interface:
Router(config)# crypto dynamic-map CLIENT_MAP 1 (creates a dynamic map, which is what remote-access clients use since their addresses aren't known in advance)
Router(config-crypto-map)# set transform-set JEREMYS_SET (says that this will be the transform set used for clients)
Router(config-crypto-map)# reverse-route (injects a route to the client's assigned IP into the routing table when the client connects)
Router(config)# crypto map JEREMY_VPN client authentication list LOCAL_DB (links the authentication method to the VPN; this is the username/password prompt the client sees)
Router(config)# aaa authorization network LOCAL_DB local (defines the authorization list the next line references; without it the router cannot look up the HOME group for the client)
Router(config)# crypto map JEREMY_VPN isakmp authorization list LOCAL_DB (links authorization settings - what a user can do - to the VPN)
Router(config)# crypto map JEREMY_VPN client configuration address respond (allows the router to respond to clients' requests for an IP address from the pool)
Router(config)# crypto map JEREMY_VPN 100 ipsec-isakmp dynamic CLIENT_MAP (binds the dynamic map to the real crypto map as entry 100)
FINALLY, we can apply the crypto map to the interface facing the Internet:
Router(config)# interface fa0/1 (my DSL connection interface)
Router(config-if)# crypto map JEREMY_VPN (applies the crypto map from above)
The router is now ready to accept VPN connections. Now that I look back over this, I'm sure it's generated many more questions than it answered...ask away :).
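Every step above references something defined in an earlier step: the crypto map names the AAA lists, the client group names the pool, the dynamic map names the transform set, the crypto map names the dynamic map, and the interface names the crypto map. A typo in any of those names produces a router that accepts the commands but never completes a connection. As an added example (not code from the post or from Cisco), the Python below reads a configuration in the 'show running-config' layout and checks each of those cross-references, confirms 'aaa new-model' is present and the crypto map is applied somewhere, and flags DES/3DES/MD5 and DH group 2 or lower. Both sample configurations are constructed for the example: the first is this post's server, the second is the same server with four typical slips.

```python
from collections import defaultdict

# Constructed sample 1: the post's commands as 'show running-config' prints them,
# including the 'aaa new-model' and 'aaa authorization network' lines the named lists need.
BLOG_CONFIG = """\
aaa new-model
aaa authentication login LOCAL_DB local
aaa authorization network LOCAL_DB local
ip local pool CLIENT_ADDRESSES 172.30.50.10 172.30.50.20
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration group HOME
 pool CLIENT_ADDRESSES
crypto ipsec transform-set JEREMYS_SET esp-aes esp-sha-hmac
crypto dynamic-map CLIENT_MAP 1
 set transform-set JEREMYS_SET
 reverse-route
crypto map JEREMY_VPN client authentication list LOCAL_DB
crypto map JEREMY_VPN isakmp authorization list LOCAL_DB
crypto map JEREMY_VPN client configuration address respond
crypto map JEREMY_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
interface FastEthernet0/1
 crypto map JEREMY_VPN
"""
# Constructed sample 2: the same server with four typical slips.
BROKEN_CONFIG = (BLOG_CONFIG
    .replace("aaa authorization network LOCAL_DB local\n", "")          # list referenced, never defined
    .replace("\n pool CLIENT_ADDRESSES\n", "\n pool CLIENT_ADDRESS\n")  # misspelled pool name
    .replace("esp-aes esp-sha-hmac", "esp-des esp-md5-hmac")            # DES/MD5 transform set
    .replace(" crypto map JEREMY_VPN\n", ""))                            # map applied to no interface
WEAK_ALGS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_blocks(text):
    """Group IOS config text into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a list of findings for an Easy VPN server config (empty = consistent)."""
    blocks = parse_blocks(text)
    defined = defaultdict(set)  # object kind -> names actually defined
    refs = []                   # (kind, name, where referenced), checked at the end
    cmaps, applied, weak = {}, set(), []
    for top, subs in blocks:
        w = top.split()
        if top.startswith("aaa authentication login "):
            defined["aaa authentication login"].add(w[3])
        elif top.startswith("aaa authorization network "):
            defined["aaa authorization network"].add(w[3])
        elif top.startswith("ip local pool "):
            defined["ip local pool"].add(w[3])
        elif top.startswith("crypto isakmp policy "):
            for s in subs:
                sw = s.split()
                if sw[0] in ("encr", "encryption", "hash") and sw[1] in WEAK_ALGS:
                    weak.append(f"isakmp policy {w[3]}: {s}")
                elif sw[0] == "group" and int(sw[1]) <= 2:  # 1024-bit DH or weaker
                    weak.append(f"isakmp policy {w[3]}: {s} (informational: the legacy Cisco VPN client negotiates group 2)")
        elif top.startswith("crypto isakmp client configuration group "):
            refs += [("ip local pool", s.split()[1], f"client group {w[5]}") for s in subs if s.startswith("pool ")]
        elif top.startswith("crypto ipsec transform-set "):
            defined["transform-set"].add(w[3])
            weak += [f"transform-set {w[3]}: {a}" for a in w[4:] if a in WEAK_ALGS]
        elif top.startswith("crypto dynamic-map "):
            defined["dynamic-map"].add(w[2])
            refs += [("transform-set", s.split()[2], f"dynamic-map {w[2]}") for s in subs if s.startswith("set transform-set ")]
        elif top.startswith("crypto map "):
            entry = cmaps.setdefault(w[2], {})
            if w[3:6] == ["client", "authentication", "list"]:
                entry["login"] = w[6]
            elif w[3:6] == ["isakmp", "authorization", "list"]:
                entry["network"] = w[6]
            elif "dynamic" in w:
                refs.append(("dynamic-map", w[w.index("dynamic") + 1], f"crypto map {w[2]}"))
        elif top.startswith("interface "):
            applied.update(s.split()[2] for s in subs if s.startswith("crypto map "))
    findings = []
    if "aaa new-model" not in {t for t, _ in blocks}:
        findings.append("'aaa new-model' missing: named AAA method lists are never consulted")
    for name, entry in cmaps.items():
        for key, kind in (("login", "aaa authentication login"), ("network", "aaa authorization network")):
            if key in entry:  # the bound list must exist as an AAA method list
                refs.append((kind, entry[key], f"crypto map {name}"))
            else:
                findings.append(f"crypto map {name}: no {key} list bound (needs '{kind} <list> local')")
        if name not in applied:
            findings.append(f"crypto map {name} is not applied to any interface")
    findings += [f"{where} references undefined {kind} {name}" for kind, name, where in refs if name not in defined[kind]]
    return findings + [f"weak algorithm: {x}" for x in weak]
```

Calling audit(BLOG_CONFIG) yields only the informational note about DH group 2, while audit(BROKEN_CONFIG) reports the unapplied map, the undefined pool and authorization list, and the two weak ESP algorithms; the same function can be run over a pasted 'show running-config' from a real router, since that output uses the same one-space indentation for sub-commands.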


Comments


Jeremy,
Nice post. I am curious if your CVOICE nuggets include some Call Manager review? Big picture? I recently was contracted into a WAN support position with one of the larger telcos and they plan to start support for true voice solutions, i.e. Cisco. I lack knowledge of voice in a bad way outside of QoS, which is not voice but is needed to support it, for which once again I'll give you a plug for a "SWEET!" 642-642. I just want to make sure I purchase the right nugget. 642-432 CVOICE should be a good start?
Thanks,
A satisfied disciple :)


Hi Jeremy,
Nice post! I was wondering if you know how your PC was hacked, via RDP or VNC? I have the idea that RDP is pretty secure since there are no real vulnerabilities reported. Do you have more info regarding this?
Thanks
Ruben


David - Thanks for the kind words :). CVOICE contains very little CallManager material; that'll be part of CIPT, which is due out as soon as I can finish CCNP updates.
Ruben - My PC was hacked via VNC. I was using RealVNC, which contained a known vulnerability (not known at the time, of course) that allowed an intruder in without authentication. Yikes! VPN took care of that...
More information on the hack: http://secunia.com/advisories/20107/


Is there any way to do something like this with some low-end Linksys (Cisco) WRT54G routers? I'm looking to connect the router at my girlfriend's house to the router at my home so that I can be connected to my home network when I am on her wireless.


Hello JC,
I did everything as you posted here, but I am still unable to connect with the VPN client.
This is the debug message from IOS:
ISAKMP (0:13): Checking ISAKMP transform 12 against priority 21 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:13): Preshared authentication offered but does not match policy!
I have configured aaa new model:
aaa new-model
!
!
aaa authentication login userlist local
Please could you help me?
Tomas
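The debug excerpt above records, attribute by attribute, one transform the client proposed and the policy entry it was tested against; IOS walks the configured policies in priority order and only reports the final "does not match policy" line, which says nothing about which attribute failed. As an added example (not code from the post or from Cisco), the Python below parses such debug lines, decodes the lifetime bytes, and reports exactly which attributes differ from each configured policy. The policy table is constructed for the example: policy 1 is the post's, and policy 21 is a hypothetical entry whose author forgot the 'group 2' line, so the IOS default of group 1 applies.

```python
import re

# Constructed sample: the 'debug crypto isakmp' excerpt from the comment above,
# reproduced as a string (IOS prints the attribute lines indented).
DEBUG_OUTPUT = """\
ISAKMP (0:13): Checking ISAKMP transform 12 against priority 21 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP (0:13): Preshared authentication offered but does not match policy!
"""

# Hypothetical policies (constructed for the example). Policy 1 is what the post
# configures. IOS fills in defaults for anything not typed: a policy without a
# 'hash' line uses SHA, and one without a 'group' line uses DH group 1.
POLICIES = {
    1: {"encryption": "aes", "hash": "sha", "group": 2, "auth": "pre-share"},
    21: {"encryption": "3des", "hash": "md5", "group": 1, "auth": "pre-share"},  # forgot 'group 2'
}


def parse_offers(debug_text):
    """Extract each proposed transform (and the policy it was checked against) from debug output."""
    offers, current = [], None
    for line in debug_text.splitlines():
        m = re.search(r"Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            current = {"transform": int(m.group(1)), "policy": int(m.group(2))}
            offers.append(current)
            continue
        if current is None or not line.startswith("ISAKMP:"):
            continue
        body = line[len("ISAKMP:"):].strip()
        words = body.split()
        if body.startswith("encryption "):
            current["encryption"] = re.sub(r"-cbc$", "", words[1].lower())  # 3DES-CBC -> 3des
        elif body.startswith("keylength of "):
            current["keylength"] = int(words[-1])  # printed for AES proposals only
        elif body.startswith("hash "):
            current["hash"] = words[1].lower()
        elif len(words) >= 2 and words[-2] == "group":  # 'default group 2' or 'group 2'
            current["group"] = int(words[-1])
        elif body.startswith("auth "):
            current["auth"] = words[1]
        elif body.startswith("life duration"):
            # IOS prints the lifetime as raw big-endian attribute bytes, e.g. 0x0 0x20 0xC4 0x9B
            raw = bytes(int(h, 16) for h in re.findall(r"0x([0-9A-Fa-f]+)", body))
            current["lifetime"] = int.from_bytes(raw, "big")
    return offers


def explain_mismatch(offer, policy):
    """List the attributes on which an offered transform fails to match a policy.

    Lifetime is deliberately not compared: when the initiator offers a longer
    lifetime than the policy, IOS negotiates the shorter one rather than rejecting.
    """
    return [f"{attr}: offered {offer.get(attr)}, policy {policy.get(attr)}"
            for attr in ("encryption", "hash", "group", "auth")
            if offer.get(attr) != policy.get(attr)]


def first_matching_policy(offer, policies):
    """Return the lowest-numbered policy the offer matches, or None (IOS tries them in priority order)."""
    for prio in sorted(policies):
        if not explain_mismatch(offer, policies[prio]):
            return prio
    return None


if __name__ == "__main__":
    for offer in parse_offers(DEBUG_OUTPUT):
        print(f"transform {offer['transform']} offered lifetime {offer['lifetime']} s")
        for prio, pol in POLICIES.items():
            print(f"  policy {prio}: " + "; ".join(explain_mismatch(offer, pol) or ["match"]))
```

For the excerpt above, the transform offers 3DES, MD5, group 2 and pre-shared keys with a lifetime of 2147483 seconds; it fails policy 1 on encryption and hash, and fails the hypothetical policy 21 only on the DH group, which is the classic symptom of a policy that lacks 'group 2'. Paste a longer debug capture and the function returns one entry per transform checked.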


I like your article. I have something similar to this setup. Do you know if there is a way to log VPN connections like this to a syslog server? All I can find info on is how to do this with RADIUS.
-Dustin


Post was great! I have the Cisco PIX configuration file and am trying to get a VPN client to work, to no avail. Is it possible to reverse engineer it? Also, what does the show or wr t output look like?


Hi Jeremy,
Thanks for a nice article.
I have one question:
if I want to restrict one interface of my router to accept ONLY VPN connections and deny all other connections, how can I do that?


How will the clients know how to route to the internal network?


Hi
My config is very similar to yours, but I am trying to connect with an XP PC to the router and it does not get connected at all; it comes up with "SA not offered". Can you help?
Marius


Hi Jeremy,
I love your stuff and the videos that you do with CBT. I'm kind of stuck with my configuration for an Easy VPN server. I have a 2821 router attached to my SBC DSL modem with a static IP (69.x.x.x). On the other interface (10.x.x.3) I have a switch connected, just doing switching. Off this switch there's a Call Manager and a PC hanging (both within the 10.x.x.x IP address range).
I am successfully able to VPN to the 69.x.x.x interface from my PC using the Cisco VPN client (my VPN'ed IP becomes 1.1.1.10). But for some reason, I'm not able to ping either the Call Manager or the 10.x.x.3 interface on the router. My final objective is to attach the CIPC on my laptop to the CCM. Any pointers on where I could be wrong will be MUCCCCCH appreciated.
thanks,
Kamran


Jeremy,
sorry for spamming, but are you sure this config is correct in your article above:
Router(config)# crypto dynamic-map CLIENT_MAP 1
Router(config-crypto-map)# set transform-set JEREMYS_SET
Router(config-crypto-map)# reverse-route
Router(config)# crypto map JEREMY_VPN client
shouldn't the crypto map name be "CLIENT_MAP" instead of "JEREMY_VPN"?
thx,
Kamran


Jeremy,
I love your blog.
Please advise me: why, if we configure aaa new-model on the Cisco AS5400/5300, does the password via vty/telnet change?
My aaa configuration:
no aaa new-model
aaa authentication login local line
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection h323 stop-only group radius
aaa nas port voip
radius-server host 203.x.x.x auth-port 1645 acct-port 1646
radius-server host 203.x.x.x auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server key 7 13060E100E1E517C
Regards,
Bayu-
Jakarta-Indonesia


I want to know one thing about Cisco routers. Please explain to me how I can block ICMP traffic on a Cisco router; if you know, then email me.


Hi guys,
I need help configuring this VPN on my Cisco router. I am not managing to understand it and configure it correctly.
Please help me.
Paulo Célio


Hello sir,
I want to configure the router but I don't know the configuration. If you can help me in this regard it will be very helpful for me.
Thank you
Bilal Ahmadi


I need the configuration for making a VPN with a Cisco router as the client side.
Regards
Hadi


I need to connect a CVPN v4.8 client to a Cisco 2621XM router, but I'm experiencing a lot of problems. My router config is as follows. Please help; I still cannot connect via the VPN client.
username cisco password 0 class
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login LOCAL_DB local
aaa session-id common
ip subnet-zero
ip cef
!
crypto isakmp policy 1
encr des
authentication pre-share
group 2
!
crypto isakmp client configuration group HOME
key secret
dns 192.168.99.1
domain cisco.com
pool CLIENT_ADDRESSES
!
crypto ipsec transform-set VPN_TRANSFORM esp-des esp-md5-hmac
!
!
crypto dynamic-map CLIENT_MAP 1
set transform-set VPN_TRANSFORM
reverse-route
!
!
crypto map REMOTE_VPN client authentication list LOCAL_DB
crypto map REMOTE_VPN isakmp authorization list LOCAL_DB
crypto map REMOTE_VPN client configuration address respond
crypto map REMOTE_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map REMOTE_VPN
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
ip address 192.168.110.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
router rip
network 192.168.1.0
network 192.168.110.0
!
ip local pool CLIENT_ADDRESSES 192.168.99.10 192.168.99.20


Thanks for the above knowledge.
I want to know what crypto is and why we have used the crypto command in Cisco. Please send me a reply as early as possible on my mail ID.


I am trying the same exact config on my 2621 but my IOS doesn't seem to have a group command for "crypto isakmp client configuration..." All I have is crypto isakmp client configuration ?
address-pool Set network address for client
Any ideas? I am running this version:
IOS (tm) C2600 Software (C2600-JK9S-M), Version 12.2(46), RELEASE SOFTWARE (fc1)
and I have a feeling it is my IOS version. Please help. Thanks.
-Jay


Are you able to make GRE Tunnel on this IOS?


It is good to connect the PC to the modem first before connecting to the router.


Hi, I'm Pradeep.


Great post!!!
How can I show a summary of all addresses handed out to VPN clients from the pool through CLI?


Quote: How can I show a summary of all addresses handed out to VPN clients from the pool through CLI?
...and compare to the account who authenticated the request.


To Hadi Nazari:
You've probably spotted your issue already. This line is missing:
aaa authorization network LOCAL_DB local


Dear sir,
I am Shofiur Rahman from Bangladesh. I am working as a Network Engineer in one of the top private banks in Bangladesh. Recently our management took the decision to expand their business through online services. But this online service will not be centralized; it will be distributed, meaning Any Branch Banking (ABB) through WAN connectivity. I want to configure the Cisco router for VPN.
I would like to request that you please give a design diagram as an example (e.g. a bank) and then show the configuration.
Please please answer my query. It's very urgent.
Thanks
Engr. Shofiur Rahman

"Dear sir I am shofiur Rahman

"Dear sir
I am Shofiur Rahman from Bangladesh. I am working as a Network Engineer in one of the top private banks in Bangladesh. Recently our management took the decision to expand their business through online services. But this online service will not be centralized; it will be distributed, meaning Any Branch Banking (ABB) through WAN connectivity. I want to configure the Cisco router for VPN.
I would like to request that you please give a design diagram as an example (e.g. a bank) and then show the configuration.
Please please answer my query. It's very urgent.
Thanks
Engr. Shofiur Rahman
"
You'd think if you were a network engineer, this is something you'd know, not do haphazardly from Googling results.


Your lab is helpful for my work and study.


Hi all,
I am trying to establish a VPN connection and need some help. The scenario is simple.
Router "RTA" acts as the VPN server, which accepts remote VPN connections from a remote user with a laptop using Cisco VPN client v5.0. The remote user never has a static IP address since he is always around on different sites which have dynamically assigned IP addresses on DSL connections.
Searching here and there I created the following configuration:
RTA#sh run
Building configuration...
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 7
logging buffered 4096 critical
!
enable secret xxxxxxxxx
!
memory-size iomem 5
clock timezone EET 2
clock summer-time EEDST recurring last Sun Mar 3:00 last Sun Oct 4:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.130.1 192.168.130.250
!
ip dhcp pool LOCAL_DHCP
network 192.168.130.0 255.255.255.0
default-router 192.168.130.100
domain-name vpn.local
dns-server 192.168.130.100 62.169.194.17
lease infinite
!
!
no ip cef
!
!
ip domain name vpn.local
ip host SW 192.168.130.101
ip name-server 62.169.194.17
ip name-server 62.169.194.18
!
no ip bootp server
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username cisco privilege 15 password xxxxx
archive
log config
hidekeys
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh maxstartups 2
ip ssh logging events
ip ssh version 2
!
aaa new-model
!
aaa session-id common
!
aaa authentication login default local
aaa authentication login XAUTH_for_VPNs local
aaa authorization exec default local
aaa authorization network VPN_GROUP local
!
aaa local authentication attempts max-fail 10
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 43200
!
crypto isakmp client configuration group VPN
key xxxxx
dns 192.168.130.100 62.169.194.17
domain vpn.local
pool VPN_POOL
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-AES-SHA
reverse-route
!
!
crypto map dynmap client authentication list XAUTH_for_VPNs
crypto map dynmap isakmp authorization list VPN_GROUP
crypto map dynmap client configuration address respond
crypto map dynmap 65535 ipsec-isakmp dynamic dynmap
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/0.1 point-to-point
description ADSL_INTERFACE
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet0/0
description INSIDE_INTERFACE
ip address 192.168.130.100 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1460
speed auto
full-duplex
!
interface Dialer0
description OUTSIDE_INTERFACE
ip address negotiated
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxx@xxxxx
ppp chap password xxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map dynmap
!
ip local pool VPN_POOL 192.168.130.50 192.168.130.60
!
no ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
!
ip dns server
!
!
access-list 1 permit 192.168.130.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
password xxxxx
logging synchronous
transport output telnet
line vty 0 4
password xxxxx
transport preferred ssh
transport input ssh
transport output telnet ssh
line vty 5 15
password xxxxx
transport preferred ssh
transport input ssh
transport output telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180087
ntp server 193.93.167.241
end
The configuration works fine and the client connects to the Cisco VPN server (1751 router).
Here is the problem:
Before attempting to establish the VPN connection the laptop does have an active Internet connection, and its physical NIC (which connects it to the Internet) has the following settings assigned by the DHCP server on the local subnet of 192.168.0.1/24:
IP Address: 192.168.0.76
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.1
DHCP Server: 192.168.0.1
DNS Servers: 192.168.0.1
When the Cisco VPN client runs and successfully establishes a connection to the VPN, the Cisco VPN adapter (virtual NIC) gets the following configuration from the VPN server (router):
IP Address: 192.168.130.51
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.130.51 (always the same as the IP address it gets assigned from the VPN router at the tunnel end)
DNS Servers: 192.168.130.100, 62.169.194.17
and at the same time the physical NIC loses the default gateway 192.168.0.1 it had, thus losing the connection to the Internet. So the physical NIC now has these settings:
IP Address: 192.168.0.76
Subnet Mask: 255.255.255.0
Default Gateway:
DHCP Server: 192.168.0.1
DNS Servers: 192.168.0.1
So what is wrong in this scenario and how should it work?
Second question:
In the above example Site A (remote user's site) and Site B (VPN server's site) are configured with different subnets.
Site A: 192.168.0.0 / 24
Site B: 192.168.130.0 / 24
What if both LANs on both sides of the tunnel overlap, for example the Site A/LAN1 (behind the VPN server/router) subnet is 192.168.1.0/24 and the Site B/LAN2 (where the remote user may be at any time) subnet is also 192.168.1.0/24? What would then happen?
I mean, what if the remote user sitting on Site B is on subnet 192.168.1.0/24 and has an IP address of 192.168.1.10/24, and wants to remote desktop to a PC sitting on Site A at the other side of the tunnel that also has local subnet 192.168.1.0/24? How would the remote user's laptop know on which local subnet, Site A or Site B, this PC is located and reach it?
Hope I didn't confuse you.
Please reply here or mail me at ksylvios@gmail.com
Thanks a lot in advance!
Cheers, Sylvios


Jeremy, it worked like a charm. Thanks so much.
You are the God of Cisco. The only thing missing here is split tunneling. Love your work. I've grown up with your Cisco Nuggets. Keep up the good work.


Hello,
I need some help. Does anyone have an example of a TCL script for a Cisco 1800 series running IOS 12.4 that can switch between interfaces if one fails?
To be more specific, I have 2 ISPs configured on 2 Fast Ethernet ports.
If one fails I want the IP route to switch to the other interface.
I don't want to manually switch ip route 0.0.0.0 0.0.0.0 fast ethernet...
Thanks in advance!


you don't need TCL for that. I think you can do it with IP SLA.


I need to set up a Cisco 2821 router from a remote office back to corporate. This remote site only has U-verse access and I have 2 separate connections coming into the location. I would like to put the voice traffic on one circuit (connected to G0/1) and the data on the other (G0/0). I have a 16-port switch blade installed for user access.
I need to configure VPN connectivity to our MPLS firewall and I would like to provide "failover" so that if one side goes out all the traffic will go out the other side.
Any assistance in how to configure the 2821 router would be greatly appreciated. I have loaded advanced security 12.4-25c code on the router for this purpose.


