I found this hard, not helped by having a router-router VPN too.
I have stripped this out so that only the Client VPN is included. I had 4.1 IIRC.
If you edit the interface names and IP addresses you should be able to paste this in to a router and go.
You will have NO firewall though and no NAT either.
NAT and firewall are OK as long as the VPN traffic is not blocked.
Anything after ! is a comment. Anything after !! is crypto related but not needed for this config.
###############
! On the client call your group - 3000client
! with the key/password/secret - VPNclientsecretkey
! Still on the client - log in with
! USER VPNClient
! password cisco
! I have stripped this out and don't think that I have made errors but?
! Change this for your interfaces and IP addresses.
! When the remote PC connects it gets the virtual address of
! 10.10.166.x
! Split tunnel allows the PC to still access the Internet directly
! and not via the central site.
hostname router
!
username VPNClient password cisco
aaa new-model
!
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
aaa session-id common
ip domain name global.com
!
! Try this policy first - one of these is NOT needed no harm though?
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! Then have a go here - one of these is NOT needed no harm though?
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
!
! don't think this is needed since it is for permanent router-router VPN
!!crypto isakmp key cisco88 address other.vpn.endpoint.addr no-xauth
!
crypto isakmp client configuration group 3000client
 key VPNclientsecretkey
 ! DNS SERVER and DOMAIN FOR THE CLIENT
 dns 192.168.168.1
 domain local.PCs.global.com
 pool ippool
 acl split-tunnel
!
crypto ipsec transform-set ciscofw2 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 5
 set transform-set ciscofw2
!
crypto map fw1 client authentication list userauthenticate
crypto map fw1 isakmp authorization list groupauthorise
crypto map fw1 client configuration address respond
! Here again - Try this one first - Fixed VPN
!! Removed since it's for a fixed VPN and you don't need that
!!crypto map fw1 10 ipsec-isakmp
!! set peer 6.223.40.110
!! set security-association lifetime seconds 86400
!! set transform-set ciscofw2
!! match address 110
! Then this one - Client VPN
crypto map fw1 15 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 description $FW_INSIDE$ London LAN ###
 ip address 192.168.166.254 255.255.255.0
!
interface Ethernet1
 description $FW_OUTSIDE$ ISP
 ip address 6.7.8.130 255.255.255.240
 crypto map fw1
!
ip local pool ippool 10.10.166.1 10.10.166.254
ip route 0.0.0.0 0.0.0.0 NEXT.HOP.IP.ADDRESS
! or external interface e.g. dialer1
!
ip access-list extended split-tunnel
 permit ip 192.168.166.0 0.0.0.255 any
 ! Attached Internal LAN
 permit ip 192.168.58.0 0.0.0.255 any
 ! Other internal LAN
!
access-list 105 remark ### Client VPN Crypto Map ####
! (access-list 105 is not referenced by the crypto map or any interface in this config)
access-list 105 permit ip host 192.168.166.1 any
access-list 105 deny ip any any log
!
! For permanent router-router VPN
!!access-list 110 remark crypto map TheCo
!!access-list 110 permit ip 192.168.166.0 0.0.0.255 192.168.58.0 0.0.0.255
!!access-list 110 permit ip 10.10.166.0 0.0.0.255 192.168.58.0 0.0.0.255
!!access-list 110 permit ip 10.1.166.0 0.0.0.255 192.168.58.0 0.0.0.255
!
line vty 0 4
 exec-timeout 120 0
 privilege level 15
 password cisco
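Most of what goes wrong with a config like the one above is a dangling reference: the group names a pool or ACL that was never defined, the crypto map names an AAA list or dynamic map that does not exist, or the map is never applied to the outside interface. The checker below is an added example (not part of the original post and not a Cisco tool) that walks an IOS config and verifies those links, then flags the weak settings the post uses (3DES, MD5, a reversible `username ... password`) and any numbered ACL nothing points at, such as ACL 105. The embedded config is a constructed copy of the Client VPN parts of the post's config, keeping only isakmp policy 3 and dropping the `!!` router-to-router lines; the requirement that the legacy Cisco VPN Client needs a pre-shared-key policy with DH group 2 is the one assumption about the client baked in.

```python
import re

# Constructed sample: the Client VPN parts of the config above, minus lines
# that do not affect the VPN (hostname, descriptions, vty, the "!!" lines).
SAMPLE_CONFIG = """\
username VPNClient password cisco
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group 3000client
 key VPNclientsecretkey
 dns 192.168.168.1
 domain local.PCs.global.com
 pool ippool
 acl split-tunnel
crypto ipsec transform-set ciscofw2 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 5
 set transform-set ciscofw2
crypto map fw1 client authentication list userauthenticate
crypto map fw1 isakmp authorization list groupauthorise
crypto map fw1 client configuration address respond
crypto map fw1 15 ipsec-isakmp dynamic dynmap
interface Ethernet1
 ip address 6.7.8.130 255.255.255.240
 crypto map fw1
ip local pool ippool 10.10.166.1 10.10.166.254
ip access-list extended split-tunnel
 permit ip 192.168.166.0 0.0.0.255 any
 permit ip 192.168.58.0 0.0.0.255 any
access-list 105 permit ip host 192.168.166.1 any
access-list 105 deny ip any any log
"""


def parse_sections(text):
    """Split an IOS config into (top-level line, [indented sub-lines]); '!' lines are comments."""
    sections = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def check_easyvpn(text):
    """Return (severity, message) pairs: 'error' = VPN will not come up, 'warning' = weak or unused."""
    sections = parse_sections(text)
    headers = [h for h, _ in sections]
    out = []

    def starts(prefix):
        return [s for s in sections if s[0].startswith(prefix)]

    def defined(prefix):
        return any(h == prefix or h.startswith(prefix + " ") for h in headers)

    # IKE phase 1: the legacy Cisco VPN Client needs a pre-shared-key policy using DH group 2 (assumption).
    if not any("authentication pre-share" in c and "group 2" in c for _, c in starts("crypto isakmp policy ")):
        out.append(("error", "no isakmp policy with 'authentication pre-share' and 'group 2'"))

    # Group config: the pool and split-tunnel ACL it names must actually be defined.
    for h, children in starts("crypto isakmp client configuration group "):
        g, kv = h.split()[-1], dict(c.split(None, 1) for c in children if " " in c)
        if "pool" in kv and not defined(f"ip local pool {kv['pool']}"):
            out.append(("error", f"group {g}: pool {kv['pool']} not defined"))
        if "acl" in kv and not (defined(f"ip access-list extended {kv['acl']}") or defined(f"access-list {kv['acl']}")):
            out.append(("error", f"group {g}: split-tunnel acl {kv['acl']} not defined"))

    # Crypto map: AAA lists and dynamic map must exist, and the map must be applied to an interface.
    refs = {
        "client authentication list": {h.split()[3] for h in headers if h.startswith("aaa authentication login ")},
        "isakmp authorization list": {h.split()[3] for h in headers if h.startswith("aaa authorization network ")},
        "ipsec-isakmp dynamic": {h.split()[2] for h in headers if h.startswith("crypto dynamic-map ")},
    }
    applied = {c.split()[2] for _, cs in starts("interface ") for c in cs if c.startswith("crypto map ")}
    maps = set()
    for h in [x for x in headers if x.startswith("crypto map ")]:
        maps.add(h.split()[2])
        for phrase, names in refs.items():
            if phrase in h and h.split()[-1] not in names:
                out.append(("error", f"{h}: '{h.split()[-1]}' is not defined"))
    out += [("error", f"crypto map {m} is not applied to any interface") for m in sorted(maps - applied)]

    # Weak algorithms and reversible credentials, reported per line so the fix is obvious.
    for ln in [ln for h, cs in sections for ln in [h] + cs]:
        out += [("warning", f"{ln}: {why}") for needle, why in (("3des", "3DES, use AES"), ("md5", "MD5, use SHA")) if needle in ln]
        if re.fullmatch(r"username \S+ password \S+", ln):
            out.append(("warning", f"{ln}: plaintext password, use 'username ... secret'"))
    # Numbered ACLs that nothing ('match address', 'acl', 'access-group') points at.
    flat = " ".join(h + " " + " ".join(cs) for h, cs in sections)
    for num in sorted({h.split()[1] for h in headers if h.startswith("access-list ")}):
        if not re.search(rf"(match address|acl|access-group) {num}\b", flat):
            out.append(("warning", f"access-list {num} is defined but never referenced"))
    return out


if __name__ == "__main__":
    for sev, msg in check_easyvpn(SAMPLE_CONFIG):
        print(f"{sev.upper():7} {msg}")
```

Run against the sample it reports no errors, only warnings (3DES and MD5 in the policy and transform set, the plaintext `username` password, and the unreferenced ACL 105); delete the `crypto map fw1` line under Ethernet1 or the `group 2` line from the policy and it turns into an error, which is the kind of mistake that is invisible in `show running-config` but leaves the client stuck at phase 1.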