Thursday, 18 June 2009

Router to Cisco VPN Client

Fairly similar to the Router to Router configuration, but with some key differences: the peer addresses are unknown in advance, so the crypto map is dynamic; users are authenticated individually (Xauth) against ACS over RADIUS on top of the shared group key; and the router pushes the client its address, DNS settings and split-tunnel policy after authentication.


1) As we are using ACS for user authentication, AAA and the RADIUS server need to be set up first. USERAUTH is the login list the crypto map will use for Xauth (each user's name and password are checked against ACS over RADIUS); GROUPAUTH is the network authorization list used to look up the VPN group, which is defined locally on the router in step 3. The key on the radius-server line is the shared secret that protects the user passwords between the router and ACS, so treat cisco123 as a lab value only:


aaa new-model
!
!
aaa authentication login USERAUTH group radius
aaa authorization network GROUPAUTH local
!
!
radius-server host 192.168.0.45 auth-port 1645 acct-port 1646 key cisco123
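As an added example (not part of the original post), here is what happens on the wire between the router and ACS once a user answers the Xauth prompt: the router sends a RADIUS Access-Request in which the User-Password attribute is hidden by XORing it with MD5(secret + Request Authenticator) per RFC 2865 section 5.2, and ACS reverses the same steps with the shared key from the radius-server line. Both sides are shown in Python; the user name, password and NAS address are constructed for the example.

```python
# Added example, not from the original post: the RADIUS exchange behind Xauth.
# The router (NAS) sends the user's name and password to ACS in an Access-Request;
# User-Password is obfuscated with MD5(secret + authenticator) as in RFC 2865 5.2.
# The user name, password and NAS address below are constructed for this example.
import hashlib
import os
import struct

RADIUS_SECRET = b"cisco123"      # the 'key' from the radius-server host line on the page

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side. Pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password may not exceed 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                      # an empty password is still one zero block
        padded = b"\x00" * 16
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same key stream, XOR it back, strip zero padding."""
    if not encoded or len(encoded) % 16:
        raise ValueError("encoded User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encoded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, nas_ip, secret, authenticator=None):
    """What the router puts on the wire to UDP/1645 after the Xauth prompt is answered."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_radius(packet: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def server_recover_credentials(packet: bytes, secret: bytes):
    """ACS side: pull the user name and cleartext password out of an Access-Request."""
    code, _, authenticator, attrs = parse_radius(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    password = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return attrs[ATTR_USER_NAME], password


if __name__ == "__main__":
    req = build_access_request(7, b"alice", b"Str0ngPassw0rd!", "192.168.0.1", RADIUS_SECRET)
    print(server_recover_credentials(req, RADIUS_SECRET))
```

The point to take from it: the only thing protecting the Xauth password on the router-to-ACS hop is the RADIUS key, and because the key stream is plain MD5 of secret plus authenticator, a weak key like cisco123 is a dictionary attack away for anyone who can capture traffic to 192.168.0.45.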


2) Define the ISAKMP policy. Diffie-Hellman group 2 is required by the Cisco VPN Client; 3DES with the default SHA-1 hash is what it negotiates here:

crypto isakmp policy 110
encr 3des
authentication pre-share
group 2


3) Set up the client group. The key is the pre-shared key every client in VPNGROUP uses; it authenticates the group in IKE, and the individual user is then authenticated by Xauth against ACS. The dns, domain, pool and acl settings are pushed down to the client once it has authenticated:

crypto isakmp client configuration group VPNGROUP
key letmeinvpngroup
dns 192.168.0.3
domain cisco.local
pool IPPOOL
acl SPLIT_TUNNEL


4) Define IPPOOL, the range clients are assigned addresses from:

ip local pool IPPOOL 10.8.0.2 10.8.0.20


5) Define SPLIT_TUNNEL. The ACL is written from the router's side: the source of each entry is a network behind the router, the destination is the client pool. Only traffic to those sources goes through the tunnel; everything else the client sends leaves its local interface unencrypted, so keep the list to what is actually needed:

ip access-list extended SPLIT_TUNNEL
permit ip 192.168.15.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip 16.0.0.0 3.255.255.255 10.8.0.0 0.0.0.255
permit ip 192.168.23.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip 192.168.34.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip 192.168.12.0 0.0.0.255 10.8.0.0 0.0.0.255
permit ip host 1.1.1.1 10.8.0.0 0.0.0.255
permit ip host 2.2.2.2 10.8.0.0 0.0.0.255
permit ip host 3.3.3.3 10.8.0.0 0.0.0.255
permit ip host 4.4.4.4 10.8.0.0 0.0.0.255
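As an added example (not part of the original post), the following Python evaluates the SPLIT_TUNNEL ACL the way the client applies it once the router has pushed it down: it parses the IOS wildcard masks into prefixes, then decides for a given client address and destination whether the packet is tunnelled or sent in the clear. The client address 10.8.0.5 and the destinations in the main block are assumed for the example; the ACL text is the one above, pasted verbatim.

```python
# Added example, not from the original post: evaluate the split-tunnel ACL as the
# client does. Traffic to a matching network goes into the tunnel; anything else
# leaves the client's own interface in the clear.
import ipaddress

# The ACL exactly as it appears in the post, pasted as text.
SPLIT_TUNNEL_ACL = """
ip access-list extended SPLIT_TUNNEL
 permit ip 192.168.15.0 0.0.0.255 10.8.0.0 0.0.0.255
 permit ip 192.168.13.0 0.0.0.255 10.8.0.0 0.0.0.255
 permit ip 16.0.0.0 3.255.255.255 10.8.0.0 0.0.0.255
 permit ip 192.168.23.0 0.0.0.255 10.8.0.0 0.0.0.255
 permit ip 192.168.34.0 0.0.0.255 10.8.0.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 10.8.0.0 0.0.0.255
 permit ip host 1.1.1.1 10.8.0.0 0.0.0.255
 permit ip host 2.2.2.2 10.8.0.0 0.0.0.255
 permit ip host 3.3.3.3 10.8.0.0 0.0.0.255
 permit ip host 4.4.4.4 10.8.0.0 0.0.0.255
"""


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care. Only contiguous
    low-order wildcards translate to a CIDR prefix; anything else is rejected."""
    wc = int(ipaddress.IPv4Address(wildcard))
    host_bits = wc.bit_length()
    if wc != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} is not a prefix")
    return ipaddress.ip_network(f"{address}/{32 - host_bits}", strict=False)


def parse_address(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, tokens used)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), 2
    return wildcard_to_network(tokens[0], tokens[1]), 2


def parse_acl(text: str):
    """Parse 'permit|deny ip SRC DST' lines into (action, src_net, dst_net) tuples, in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("ip access-list") or line.startswith("!"):
            continue
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            raise ValueError(f"unsupported ACE: {line}")
        src, used = parse_address(tok[2:])
        dst, _ = parse_address(tok[2 + used:])
        entries.append((tok[0], src, dst))
    return entries


def is_tunnelled(entries, client_ip: str, destination: str) -> bool:
    """The ACL is written from the router's point of view: SRC is the protected network
    behind the router, DST is the client pool. A packet the client sends to `destination`
    matches an ACE when destination is in SRC and the client's pool address is in DST.
    First match wins; no match means the packet is sent in the clear."""
    client = ipaddress.ip_address(client_ip)
    dest = ipaddress.ip_address(destination)
    for action, src, dst in entries:
        if dest in src and client in dst:
            return action == "permit"
    return False


def protected_networks(entries):
    """The prefixes the client will route into the tunnel, in CIDR form."""
    return [str(src) for action, src, _ in entries if action == "permit"]


if __name__ == "__main__":
    acl = parse_acl(SPLIT_TUNNEL_ACL)
    print(protected_networks(acl))
    for dest in ("192.168.15.10", "18.20.30.40", "8.8.8.8"):   # assumed destinations
        print(dest, "tunnel" if is_tunnelled(acl, "10.8.0.5", dest) else "clear")
```

Running it makes one thing visible that is easy to miss when reading the ACL: the wildcard 3.255.255.255 on the 16.0.0.0 line is a /6, so every address from 16.0.0.0 to 19.255.255.255 is routed into the tunnel. Check that this is what was intended, and that nothing sensitive is left outside the list and therefore sent unencrypted.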


6) Set up the transform set:

crypto ipsec transform-set USER_TRANSFORM esp-3des esp-sha-hmac


7) Set up the dynamic map:

crypto dynamic-map DYNAMAP 10
set transform-set USER_TRANSFORM


8) Bring it all together with a crypto map. The first line ties Xauth to the USERAUTH list, the second ties group authorization to GROUPAUTH, the third makes the router respond to the client's address request with an address from the pool, and the last attaches the dynamic map:

crypto map CLIENTMAP client authentication list USERAUTH
crypto map CLIENTMAP isakmp authorization list GROUPAUTH
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMAP


9) Finally, apply it to the outside interface. If this router also does NAT (note ip nat outside), traffic between the inside networks and the client pool has to be excluded from translation, which is not shown here:

interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CLIENTMAP


10) Set up the VPN client. In the client's connection entry, the group name is VPNGROUP, from this line above:
crypto isakmp client configuration group VPNGROUP
and the group password is letmeinvpngroup, from this line:
key letmeinvpngroup
The user's own name and password are prompted for when connecting and are checked against ACS.



11) Set up ACS:


12) Adding a user to ACS is too easy for a picture; you will have to work that one out yourself :)

2 comments:

Bradley White said...

Great article. Thank you.
top10-bestvpn.com

Richard B. McCall said...

Thanks a lot. Nice post about a solution for the VPN client.
Cool configuration for Cisco router.
10webhostingservice