remote client configuration for Cisco VPN
Dana J. Dawson
dana at INTERPRISE.COM
Wed Mar 15 16:28:28 EST 2000
Rob Ang wrote:
>
> Anyone have a sample configuration or documentation I can look at in
> implementing both pre-shared and certificate based VPNs for remote clients
> on a Cisco 2600 or 3600 series router? Specifically, when using dynamic
> maps what would the ACL look like since the client's IP address is unknown?
> I'm using Secure Net's IRE client. Also if anyone is interested my company
> is looking for someone with VPN/Certificate Authority experience, just email
> me. Sorry if this is not the proper list to post this --
>
> thanks!
> Rob
I don't have an example for using a CA, but below is a copy of a config from a
2612 that supports both single and triple DES connections from the Cisco client
software. It also doesn't include the authentication proxy feature for doing
user authentication, but that's only a few extra commands. When using the
client, you don't need an access-list at all (see below).
Hope this helps.
Dana
--
Dana J. Dawson dana at interprise.com
Distinguished Principal Engineer CCIE #1937
!NTERPRISE Networking Services (612) 664-3364
U S WEST (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620
"Hard is where the money is."
> C2612A#sho conf
> Using 2322 out of 29688 bytes
> !
> ! Last configuration change at 18:42:34 cst Fri Jan 28 2000
> ! NVRAM config last updated at 18:47:00 cst Fri Jan 28 2000
> !
> version 12.0
> service timestamps debug datetime msec localtime
> service timestamps log datetime localtime
> !
> hostname C2612A
> !
> logging buffered 20000 debugging
> enable password *
> !
> !
> clock timezone cst -6
> clock summer-time cdt recurring
> ip subnet-zero
> no ip domain-lookup
> !
> crypto isakmp policy 10
> authentication pre-share
> lifetime 3600
> !
> crypto isakmp policy 20
> encr 3des
> authentication pre-share
> lifetime 3600
> crypto isakmp key cisco1234 address 0.0.0.0
> crypto isakmp client configuration address-pool local TEST-MODE
> !
> !
> crypto ipsec transform-set TEST esp-des esp-sha-hmac
> crypto ipsec transform-set TEST3 esp-3des esp-sha-hmac
> !
> crypto dynamic-map TEST-MODE 10
> set transform-set TEST TEST3
> !
> crypto map TEST-MODE client configuration address initiate
> crypto map TEST-MODE client configuration address respond
> crypto map TEST-MODE 10 ipsec-isakmp dynamic TEST-MODE
> !
> !
> interface Ethernet0/0
> ip address 172.28.64.60 255.255.255.192
> no ip directed-broadcast
> crypto map TEST-MODE
> !
> !
> router eigrp 1
> network 172.28.0.0
> no auto-summary
> !
> ip local pool TEST-MODE 10.10.10.1 10.10.10.254
> ip classless
> !
> !
> line con 0
> transport input none
> line aux 0
> line vty 0
> exec-timeout 0 0
> password *
> login
> line vty 1 4
> exec-timeout 60 0
> password *
> login
> !
> no scheduler allocate
> end
>
> C2612A#
> C2612A#
> C2612A#
> C2612A#
> C2612A#sho hard
> Cisco Internetwork Operating System Software
> IOS (tm) C2600 Software (C2600-IK2O3S-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
> Copyright (c) 1986-1999 by cisco Systems, Inc.
> Compiled Tue 07-Dec-99 09:25 by phanguye
> Image text-base: 0x80008088, data-base: 0x80DB93B4
>
> ROM: System Bootstrap, Version 11.3(2)XA4, RELEASE SOFTWARE (fc1)
>
> C2612A uptime is 5 hours, 51 minutes
> System returned to ROM by reload at 12:54:10 cst Fri Jan 28 2000
> System restarted at 12:56:04 cst Fri Jan 28 2000
> System image file is "flash:c2600-ik2o3s-mz.120-7.T.bin"
>
> cisco 2612 (MPC860) processor (revision 0x101) with 53248K/12288K bytes of memory.
> Processor board ID JAB032705L5 (3897372102)
> M860 processor: part number 0, mask 49
> Bridging software.
> X.25 software, Version 3.0.0.
> Basic Rate ISDN software, Version 1.1.
> 1 Ethernet/IEEE 802.3 interface(s)
> 1 Token Ring/IEEE 802.5 interface(s)
> 1 ISDN Basic Rate interface(s)
> 2 Voice FXO interface(s)
> 2 Voice E & M interface(s)
> 32K bytes of non-volatile configuration memory.
> 16384K bytes of processor board System flash (Read/Write)
>
> Configuration register is 0x2102
>
> C2612A#
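The config above shows the two things that make a remote-client dynamic map work without an access-list: a pre-shared key bound to the wildcard address 0.0.0.0 (so any peer address can negotiate IKE) and a dynamic crypto map with no match address (so the proxy identities come from the client). Those same two settings, plus the single-DES policy and transform set, are what a reviewer of an inherited config would want to flag. The following Python script is an added example, not part of Dana's post or any Cisco tool: it strips the mail-quote prefix, parses the crypto section of the 2612 config (reproduced as a constructed sample), and reports the weak or permissive settings. It assumes the IOS defaults of that era, in particular that an ISAKMP policy with no encr line falls back to DES.

```python
"""Audit the IKE/IPsec settings of a Cisco IOS remote-client VPN config (example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the crypto section of the quoted 2612 config, kept with
# its '> ' mail-quote prefix to show that the parser strips it.
SAMPLE_CONFIG = """\
> crypto isakmp policy 10
> authentication pre-share
> lifetime 3600
> !
> crypto isakmp policy 20
> encr 3des
> authentication pre-share
> lifetime 3600
> crypto isakmp key cisco1234 address 0.0.0.0
> crypto isakmp client configuration address-pool local TEST-MODE
> !
> crypto ipsec transform-set TEST esp-des esp-sha-hmac
> crypto ipsec transform-set TEST3 esp-3des esp-sha-hmac
> !
> crypto dynamic-map TEST-MODE 10
> set transform-set TEST TEST3
> !
> crypto map TEST-MODE 10 ipsec-isakmp dynamic TEST-MODE
"""

# Sub-commands that may follow 'crypto isakmp policy' and 'crypto dynamic-map'.
POLICY_SUBCMDS = ("encr", "encryption", "hash", "authentication", "group", "lifetime")
DYNMAP_SUBCMDS = ("set ", "match address")


@dataclass
class CryptoConfig:
    policies: dict = field(default_factory=dict)        # seq -> {subcmd: value}
    transform_sets: dict = field(default_factory=dict)  # name -> [transforms]
    psk_peers: list = field(default_factory=list)       # peer addresses given a PSK
    dynamic_maps: dict = field(default_factory=dict)    # (name, seq) -> {subcmd: value}


def clean_lines(text):
    """Strip mail-quote prefixes, indentation and IOS '!' comment lines."""
    out = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if line and not line.startswith("!"):
            out.append(line)
    return out


def parse_crypto(text):
    """Collect ISAKMP policies, transform sets, PSK peers and dynamic-map entries."""
    cfg = CryptoConfig()
    current = None  # section whose sub-commands are being collected, if any
    for line in clean_lines(text):
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = cfg.policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+)$", line)
        if m:
            current = cfg.dynamic_maps.setdefault((m.group(1), int(m.group(2))), {})
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            cfg.transform_sets[m.group(1)] = m.group(2).split()
            current = None
            continue
        m = re.match(r"crypto isakmp key \S+ address (\S+)", line)
        if m:
            cfg.psk_peers.append(m.group(1))
            current = None
            continue
        if current is not None and line.startswith(POLICY_SUBCMDS + DYNMAP_SUBCMDS):
            key, _, value = line.partition(" ")
            current["encr" if key == "encryption" else key] = value
        else:
            current = None  # any other top-level command ends the section
    return cfg


def audit(cfg):
    """Return (severity, message) findings for weak or permissive crypto settings."""
    findings = []
    for seq, p in sorted(cfg.policies.items()):
        # Assumption: with no 'encr' line the policy uses the IOS default, DES.
        if p.get("encr", "des") == "des":
            how = "defaults to" if "encr" not in p else "uses"
            findings.append(("high", f"isakmp policy {seq} {how} single DES"))
    for name, transforms in cfg.transform_sets.items():
        if "esp-des" in transforms:
            findings.append(("high", f"transform-set {name}: single DES (esp-des)"))
    for peer in cfg.psk_peers:
        if peer == "0.0.0.0":
            findings.append(("medium", "wildcard pre-shared key: one secret for every peer address"))
    for (name, seq), entry in cfg.dynamic_maps.items():
        if "match" not in entry:
            findings.append(("info", f"dynamic-map {name} {seq}: no match address, proxy identities come from the client"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_crypto(SAMPLE_CONFIG)):
        print(f"[{severity}] {message}")
```

Run against the sample it reports policy 10 and transform set TEST for single DES, the wildcard key, and the open dynamic map; TEST3 and policy 20 pass. The dynamic-map finding is informational on purpose, because, as Dana notes, no access-list is needed for the client case; it is listed so that a reviewer sees where the identity of the remote network is being trusted to the client rather than pinned by the router.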
VPN is sponsored by SecurityFocus.COM