Linksys RV042 VPN To Cisco 871 Router with IOS 12.4

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by dschoolxlt, Mar 1, 2007.

  1. dschoolxlt

    dschoolxlt LI Guru Member

    I've read on here that it can be done. My router has the VPN feature set; I've found several configs, but most won't work. Anyone have any pointers? I'm almost a CCNA, so I'm fairly comfortable with the Cisco aspect. Any help is greatly appreciated.
     
  2. ifican

    ifican Network Guru Member

    What have you tried thus far? It can be a little tricky, but it's still pretty straightforward. If you post the Cisco config we'll have a look at it; just be sure to change any relevant info first.
     
  3. dschoolxlt

    dschoolxlt LI Guru Member

    Here is the config. The software version is flash:c870-advsecurityk9-mz.124-4.T7.bin.
    It's an 871W, by the way.

    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname catter
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    !
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.29.0.1
    !
    ip dhcp pool sdm-pool1
    import all
    network 10.29.0.0 255.255.255.0
    default-router 10.29.0.1
    dns-server 65.24.7.3 65.24.7.6
    !
    !
    !
    crypto isakmp policy 15
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key 6 linksys address REMOTE SITE
    crypto isakmp key 6 linksys address 10.1.1.1
    crypto isakmp key 6 linksys address 10.1.1.2
    !
    !
    crypto ipsec transform-set my-set esp-3des esp-md5-hmac
    !
    crypto map linksys 15 ipsec-isakmp
    ! Incomplete
    set peer REMOTE SITE
    set transform-set my-set
    set pfs group2
    match address 101
    !
    bridge irb
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    description $ES_WAN$$FW_OUTSIDE$
    ip address dhcp client-id FastEthernet4
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    crypto map linksys
    !
    interface Dot11Radio0
    no ip address
    !
    ssid Mike's Hard Wireless
    authentication open
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    bridge-group 1
    bridge-group 1 spanning-disabled
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    ip tcp adjust-mss 1452
    bridge-group 1
    !
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address 10.29.0.1 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1412
    !
    ip classless
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface FastEthernet4 overload
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.29.0.0 0.0.0.255
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    no cdp run
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    banner login Authorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!
    !
    line con 0
    login local
    no modem enable
    transport output telnet
    line aux 0
    login local
    transport output telnet
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    The local LAN on the Cisco is 10.29.0.x.

    The remote site on the Linksys is 10.29.1.x.

    Linksys Config:

    static external IP,

    Tunnel No: 1
    Tunnel Name:test
    Interface:WAN1
    Enable: tick

    Local Security Gateway Type: IP Only
    IP Address:localhost
    Local Security Group Type: Subnet
    IP Address: 10.29.1.0
    Subnet Mask: 255.255.255.0

    Remote Security Gateway Type: IP Only
    IP Address: remotehost
    Local Security Group Type: Subnet
    IP Address: 10.29.0.0
    Subnet Mask: 255.255.255.0

    Keying Mode: IKE with Preshared Key
    Phase 1 DH Group: Group 2
    Phase 1 Encryption: 3DES
    Phase 1 Authentication: MD5
    Phase 1 SA Lifetime: 28800

    Perfect Forward Secrecy: tick
    Phase 2 DH Group: Group 2
    Phase 2 Encryption: 3DES
    Phase 2 Authentication: MD5
    Phase 2 SA Lifetime: 28800
    Preshared Key: Linksys

    Aggressive Mode: Tick
    Keep Alive: Tick


    I tried this config based on http://www.linksysinfo.org/forums/showthread.php?t=34334

    Any help's greatly appreciated.
     
  4. ifican

    ifican Network Guru Member

    OK, I'll get this as close as I can, but there is not enough info here to complete it. I will put what I can in ( ) with notes. Make the following changes too:

    crypto isakmp policy 15
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key linksys address (wan ip of linksys)
    !
    !
    crypto ipsec transform-set my-set esp-3des esp-md5-hmac
    !
    !
    crypto map linksys 15 ipsec-isakmp
    set peer (wan ip of linksys)
    set transform-set my-set
    set pfs group2
    match address 101
    !
    !
    access-list 101 permit ip 10.29.0.0 0.0.0.255 10.29.1.0 0.0.0.255
    !
    !
    Now also remove the statement "ip access-group 101 in" from interface FE4.

    Now, I am not familiar with the RV series, but most VPNs are about the same. What it appears you are missing in the Linksys config is a setting for "Remote Secure Gateway", which is going to be the WAN IP of the Cisco router. Everything else looks OK; give it a try and let me know if you have any questions.
     
  5. kspare

    kspare Computer Guy Staff Member Member

    This should get you going.

    This took me a while to build and tweak, so I don't want to give away all my secrets, but this snap of my template config will give you an idea of how to do site-to-site VPN as well as client-to-site VPN via the Cisco VPN client. It also allows for RADIUS authentication and local authentication.

    Good luck!

    !
    aaa new-model
    !
    !
    aaa group server radius rad_eap
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authentication login client_vpn_xauth_ml_1 local group radius
    aaa authorization ipmobile default group rad_pmip
    aaa authorization network client_vpn_group_ml_1 local group radius
    aaa accounting network acct_methods start-stop group rad_acct
    !
    aaa session-id common
    !
    clock timezone PCTime -6
    !
    !
    !
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key "cryptokey" address "ip address" no-xauth
    !
    crypto isakmp client configuration group vpnclient
    key vpnpass
    dns 192.168.1.1
    domain your.domainname
    pool VPN_POOL_1
    acl 103
    include-local-lan
    netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set KSP esp-aes 256 esp-sha-hmac
    !
    crypto dynamic-map CLIENT_DYNMAP_1 1
    set security-association idle-time 3600
    set transform-set KSP
    reverse-route
    !
    !
    crypto map CLIENT_CMAP_1 client authentication list client_vpn_xauth_ml_1
    crypto map CLIENT_CMAP_1 isakmp authorization list client_vpn_group_ml_1
    crypto map CLIENT_CMAP_1 client configuration address respond
    crypto map CLIENT_CMAP_1 1 ipsec-isakmp
    description Tunnel to KSP
    set peer Peer-ip
    set transform-set KSP
    match address 102
    crypto map CLIENT_CMAP_1 65535 ipsec-isakmp dynamic CLIENT_DYNMAP_1
    !
    bridge irb
    !
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    ip address dhcp
    ip access-group 100 in
    ip access-group 100 out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map CLIENT_CMAP_1

    !
    access-list 100 remark ACL Category=16
    access-list 100 deny tcp any any eq telnet
    access-list 100 deny tcp any any range 135 139
    access-list 100 deny udp any any range 135 netbios-ss
    access-list 100 deny udp any any eq snmp
    access-list 100 permit ip any any
    access-list 101 remark ACL Category=4
    access-list 101 permit ip 10.0.100.0 0.0.0.255 any
    access-list 101 permit ip 10.0.120.0 0.0.0.255 any
    access-list 101 permit ip 10.0.121.0 0.0.0.255 any
    access-list 102 remark IPSec Rule
    access-list 102 remark ACL Category=4
    access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
    access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.120.0 0.0.0.255
    access-list 102 permit ip 192.168.0.0 0.0.0.255 10.0.121.0 0.0.0.255
    access-list 103 remark ACL Category=4
    access-list 103 permit ip 192.168.0.0 0.0.0.255 any
    access-list 110 remark ACL Category=18
    access-list 110 deny ip 192.168.0.0 0.0.0.255 10.10.0.0 0.0.0.255
    access-list 110 deny ip 10.0.121.0 0.0.0.255 10.10.0.0 0.0.0.255
    access-list 110 deny ip 10.0.120.0 0.0.0.255 10.10.0.0 0.0.0.255
    access-list 110 deny ip 10.0.100.0 0.0.0.255 10.10.0.0 0.0.0.255
    access-list 110 deny ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
    access-list 110 deny ip 192.168.0.0 0.0.0.255 10.0.120.0 0.0.0.255
    access-list 110 deny ip 192.168.0.0 0.0.0.255 10.0.121.0 0.0.0.255
    access-list 110 permit ip 192.168.0.0 0.0.0.255 any
    snmp-server community kspro RO
    route-map nonat permit 10
    match ip address 110
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server host radiusip auth-port 1645 acct-port 1646 key 0 radiuskey
    radius-server vsa send accounting
    !
     
  6. dschoolxlt

    dschoolxlt LI Guru Member

    ifican, thanks for the help. The changes you suggested work, and now the tunnel's established. Looks like I just had a couple of syntax errors. Now I just have to figure out why I can't ping across it; seems like I may have a bad access list somewhere.
     
  7. Toxic

    Toxic Administrator Staff Member

    ICMP blocked?
     
  8. dschoolxlt

    dschoolxlt LI Guru Member

    As far as I know ping isn't blocked, but it appears not to pass any traffic (HTTP, ping, Remote Desktop, etc.), even though the tunnel is established according to both the Cisco and the Linksys.
     
  9. dschoolxlt

    dschoolxlt LI Guru Member

    I got it working. Looks as though my ACLs were what was killing it. Did some googling and set up the private IPs to bypass the NAT, and it passes through fine.
     
  10. ifican

    ifican Network Guru Member

    Yes, that is correct. By default all of your outgoing traffic is being NATed, including the tunnel traffic. As you discovered, you have to deny the tunnel traffic on the same ACL that permits all other NATed traffic, making sure you put the deny first. I completely forgot to mention that, but good work figuring it out.
     
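The following is an added example (not part of the thread or either vendor's code) that models ifican's crypto ACL 101 from post 4 and the NAT exemption described in post 10. It evaluates IOS-style wildcard ACLs with first-match semantics and shows why the deny for 10.29.0.0/24 to 10.29.1.0/24 must sit above the permit in the NAT ACL: on IOS, inside-to-outside NAT runs before the crypto map check, so a packet translated to the WAN address no longer matches the crypto ACL. The WAN address 203.0.113.1 and the Internet host 198.51.100.20 are constructed values; the corrected NAT ACL would have to be an extended ACL in IOS, since standard ACL 1 cannot match on destination.

```python
import ipaddress
from typing import List, Tuple

# (action, src network, src wildcard, dst network, dst wildcard)
Rule = Tuple[str, str, str, str, str]

WAN_ADDRESS = "203.0.113.1"  # constructed stand-in for the Cisco's FE4 DHCP address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & mask) == (int(ipaddress.IPv4Address(network)) & mask)


def evaluate(acl: List[Rule], src: str, dst: str) -> str:
    """First matching entry wins; IOS appends an implicit deny at the end."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


# Crypto ACL 101 from post 4: traffic that belongs in the tunnel.
CRYPTO_ACL_101: List[Rule] = [("permit", "10.29.0.0", "0.0.0.255", "10.29.1.0", "0.0.0.255")]

# NAT ACL 1 as posted: a standard ACL, so any destination matches.
NAT_ACL_ORIGINAL: List[Rule] = [("permit", "10.29.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

# Corrected NAT ACL (as post 10 describes): deny tunnel traffic first, then permit the rest.
NAT_ACL_FIXED: List[Rule] = [
    ("deny", "10.29.0.0", "0.0.0.255", "10.29.1.0", "0.0.0.255"),
    ("permit", "10.29.0.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

# Same two entries in the wrong order: the permit shadows the deny.
NAT_ACL_WRONG_ORDER: List[Rule] = list(reversed(NAT_ACL_FIXED))


def classify(src: str, dst: str, nat_acl: List[Rule]) -> Tuple[bool, bool]:
    """Return (enters_tunnel, gets_natted) for an inside-to-outside packet.

    NAT is applied before the crypto map on IOS, so a NATed packet is checked
    against the crypto ACL with the WAN address as its source.
    """
    natted = evaluate(nat_acl, src, dst) == "permit"
    effective_src = WAN_ADDRESS if natted else src
    enters_tunnel = evaluate(CRYPTO_ACL_101, effective_src, dst) == "permit"
    return enters_tunnel, natted
```

Run `classify("10.29.0.5", "10.29.1.7", NAT_ACL_ORIGINAL)` to reproduce the thread's symptom (tunnel up, traffic NATed out instead of encrypted), and the same call with NAT_ACL_FIXED to see the exemption take effect.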