Cisco 1841 to Vigor VPN

Guest

Cisco 1841 to Vigor VPN

Post by Guest » Mon Dec 20, 2010 12:43 am

Hi All,

I'm in desperate need of some help. I've spent the last 48 hrs trawling the internet trying to find how to set this up successfully.

I have ports 80 and 443 port forwarded for 78.25.xxx.xxx to our local mailserver 192.168.6.65. But all I'm presented with is "page cannot be displayed" when I try and connect to the external IP within the LAN. However, if I try and access this address outside the LAN then it works great?

My other problem is that I would like to set up 7 VPNs which all dial in to this router. They are set up to use IPsec with an IKE pre-shared key. The dial-in routers are Vigor 2600-2820 series and I was going to use the following config for the Cisco, but it hangs at crypto map cm-cryptomap.

If anyone can help me I would really, really appreciate it.

Network setup

               PRIVATE IP     PUBLIC IP
HUB SITE
CISCO 1841     192.168.6.0    78.XX.XXX.48
SPOKE SITE
(VIGOR 2600)   192.168.88.0   85.XX.XXX.85

################# attempted vpn config which didnt work #######

crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key 123 address 85.189.xxx.xxx   (spoke site)
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
crypto map cm-cryptomap local-address FastEthernet0/0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 85.189.155.85  (spoke site)
 set transform-set cm-transformset-1
 match address 100

interface FastEthernet0/0
 crypto map cm-cryptomap
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255

Below is the full config less VPN info, which works flawlessly with bonded ADSL.

################ FULL CONFIG ################

Current configuration : 3938 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-692553461
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-692553461
 revocation-check none
 rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
 certificate self-signed 01
  quit
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.6.40 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp reliable-link
 ppp authentication chap callin
 ppp chap hostname username@supplier.co.uk
 ppp chap password 0 xxxxxxxx
 ppp ipcp dns request
 ppp link reorders
 ppp multilink
 ppp multilink slippage mru 16
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink multiclass
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.6.65 25 interface Dialer0 25
ip nat inside source static tcp 192.168.6.45 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.6.65 80 78.XX.XXX.61 80 extendable
ip nat inside source static tcp 192.168.6.65 443 78.XX.XXX.61 443 extendable
ip nat inside source static tcp 192.168.6.30 80 78.XX.XXX.62 80 extendable
ip nat inside source static tcp 192.168.6.30 443 78.XX.XXX.62 443 extendable
!
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxxxxxx
 login
!
scheduler allocate 20000 1000
end

Guest

Re:Cisco 1841 to Vigor VPN

Post by Guest » Mon Dec 20, 2010 2:16 am

Please tell us more about the errors which you are getting. By the looks of it the configuration is fine.

################# attempted vpn config which didnt work #######

crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key 123 address 85.189.xxx.xxx   (spoke site)
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto map cm-cryptomap local-address FastEthernet0/0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 85.189.155.85  (spoke site)
 set transform-set cm-transformset-1
 match address 100

interface FastEthernet0/0
 crypto map cm-cryptomap
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255

Guest

Re:Cisco 1841 to Vigor VPN

Post by Guest » Mon Dec 20, 2010 3:49 am

First off, when I'm entering this config I get down to crypto map cm-cryptomap and then the router is uncontactable, so I can't even put the correct ACL in from then on.

I'm a complete novice at Ciscos to be honest. I managed to set up the bonded lines OK and some port forwarding, but really am struggling here. How can I debug the VPN connection or see the errors?

Thanks

Guest

Re:Cisco 1841 to Vigor VPN

Post by Guest » Mon Dec 20, 2010 4:46 am

I've turned some sort of debugging on:

Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor

Guest

Re:Cisco 1841 to Vigor VPN

Post by Guest » Mon Dec 20, 2010 5:11 am

Below is my latest attempt; will switch this over when I get to work tomorrow and see if it works.

Building configuration...

Current configuration : 4729 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nod
!
!
ip name-server 62.121.0.2
ip name-server 195.54.225.10
!
!
crypto pki trustpoint TP-self-signed-692553461
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-692553461
 revocation-check none
 rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
 certificate self-signed 01
  quit
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 77.xxx.xxx.176
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs
!
crypto map VPN-Map-1 10 ipsec-isakmp
 set peer 77.xxx.xxx.176
 set transform-set AES-SHA-compression
 set pfs group2
 match address Crypto-list
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.6.40 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN-Map-1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp reliable-link
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxx
 ppp ipcp dns request
 ppp link reorders
 ppp mult
 ppp multilink slippage mru 16
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink multiclass
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.6.45 1723 interface Dialer0 1723
ip nat inside source static tcp 192.168.6.65 25 interface Dialer0 25
ip nat inside source static tcp 192.168.6.65 80 78.xxx.xxx.61 80 extendable
ip nat inside source static tcp 192.168.6.65 443 78.xxx.xxx.61 443 extendable
ip nat inside source static tcp 192.168.6.30 80 78.xxx.xxx.62 80 extendable
ip nat inside source static tcp 192.168.6.30 443 78.xxx.xxx.62 443 extendable
!
ip access-list extended Crypto-list
 permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
 permit udp host 77.xxx.xxx.176 any eq isakmp
 permit esp host 77.xxx.xxx.176 any
!
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxxxxx
 login
!
scheduler allocate 20000 1000
end
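
Added example, not part of any post in this thread and not the posters' code: a short Python audit over IOS-style configuration text that flags points visible in the configurations above, namely MD5/DES in the IKE policy and transform set, a crypto ACL that is also the NAT overload ACL, and a crypto map bound to the `ip nat inside` (LAN) interface. The finding names and the `sections`/`audit` helpers are hypothetical, and the last check assumes the VPN peer is reached through the `ip nat outside` interface.

```python
import re
# Constructed sample: lines taken from the first configuration posted in this thread.
SAMPLE = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto map cm-cryptomap 1 ipsec-isakmp
 set transform-set cm-transformset-1
 match address 100
interface FastEthernet0/0
 ip nat inside
 crypto map cm-cryptomap
interface Dialer0
 ip nat outside
ip nat inside source list 100 interface Dialer0 overload
"""
WEAK = {"esp-des", "esp-md5-hmac", "ah-md5-hmac"}  # DES encryption, MD5 integrity

def sections(text):
    """Group config text into (top-level command, [indented sub-commands])."""
    out = []
    for line in text.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0] == " " and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(text):
    secs = sections(text)
    nat_acls = {m.group(1) for head, _ in secs
                if (m := re.match(r"ip nat inside source list (\S+) ", head))}
    findings = []
    for head, body in secs:
        words = head.split()
        if head.startswith("crypto isakmp policy") and "hash md5" in body:
            findings.append("weak-ike-hash: " + head)
        if words[:3] == ["crypto", "ipsec", "transform-set"] and WEAK & set(words[4:]):
            findings.append("weak-transform: " + ",".join(sorted(WEAK & set(words[4:]))))
        for cmd in body:  # crypto ACL that is also the NAT overload ACL
            if cmd.startswith("match address ") and cmd.split()[2] in nat_acls:
                findings.append("crypto-acl-shared-with-nat: " + cmd.split()[2])
        binds_map = any(c.startswith("crypto map ") for c in body)
        if words[0] == "interface" and "ip nat inside" in body and binds_map:
            findings.append("crypto-map-on-inside-interface: " + words[1])
    return findings
```

Calling `audit(SAMPLE)` returns the list of findings for the constructed sample; a configuration with AES/SHA transforms, a dedicated crypto ACL and the map on the outside interface returns an empty list.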
