Confused in setting up VPN

This is harder than I ever imagined, partly because the messages are no good to me, and the documentation starts at second base. I am a novice in setting up VPN and have just gone from a lousy Belkin router/firewall etc to a Cisco 857W. Christ what a difference!

I have set up an Easy VPN Server on the router using nearly all the defaults. Only change was using AES and updating every 20mins. I am trying to connect using VPN Client.

Am I right in thinking the VPN tunnel needs to go to the inside part of the router and not the dialer (external)?

I guess the IP I use to connect to is the NAT'd one?

If I remember correctly I got a message in the client that said "smaller SPI packet than expected" or something like that and also the fact that the router had failed to respond.

There must be so much to configure I'm not sure how much more you need to know...

Thanks for taking me on!

James

I found this hard, not helped by having a router-router VPN too.

I have stripped this out so that only the Client VPN is included. I had 4.1 IIRC.

If you edit the interface names and IP addresses you should be able to paste this into a router and go.

You will have NO firewall though and no NAT either.

NAT and firewall are OK as long as the VPN traffic is not blocked.

Anything after ! is a comment. Anything after !! is crypto related but not needed for this config.

###############
! On the client call your group - 3000client
! with the key/password/secret - VPNclientsecretkey

! Still on the client - Log in with
! USER VPNClient
! password cisco

! I have stripped this out and don't think that I have made errors but?
! Change this for your interfaces and IP addresses.

! When the remote PC connects it gets the virtual address of
! 10.10.166.x

! Split tunnel allows the PC to still access the Internet directly
! and not via the central site.

hostname router
!
!
username VPNClient password cisco
aaa new-model
!
!
aaa authentication login userauthenticate local
aaa authorization network groupauthorise local
aaa session-id common

ip domain name global.com

! Try this policy first - one of these is NOT needed no harm though?
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! Then have a go here - one of these is NOT needed no harm though?
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share

! don't think this is needed since it is for permanent router-router VPN
!!crypto isakmp key cisco88 address other.vpn.endpoint.addr no-xauth
!
crypto isakmp client configuration group 3000client
 key VPNclientsecretkey
 ! DNS SERVER and DOMAIN FOR THE CLIENT
 dns 192.168.168.1
 domain local.PCs.global.com
 pool ippool
 acl split-tunnel
!
!
crypto ipsec transform-set ciscofw2 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 5
 set transform-set ciscofw2
!
!
crypto map fw1 client authentication list userauthenticate
crypto map fw1 isakmp authorization list groupauthorise
crypto map fw1 client configuration address respond

! Here again - Try this one first - Fixed VPN
!! Removed since it's for a fixed VPN and you don't need that
!!crypto map fw1 10 ipsec-isakmp
!! set peer 6.223.40.110
!! set security-association lifetime seconds 86400
!! set transform-set ciscofw2
!! match address 110

! Then this one - Client VPN
crypto map fw1 15 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 description $FW_INSIDE$ London LAN ###
 ip address 192.168.166.254 255.255.255.0
!
interface Ethernet1
 description $FW_OUTSIDE$ ISP
 ip address 6.7.8.130 255.255.255.240
 crypto map fw1
!
!
ip local pool ippool 10.10.166.1 10.10.166.254

ip route 0.0.0.0 0.0.0.0 NEXT.HOP.IP.ADDRESS
! or external interface e.g. dialer1
!

ip access-list extended split-tunnel
 permit ip 192.168.166.0 0.0.0.255 any
 ! Attached Internal LAN
 permit ip 192.168.58.0 0.0.0.255 any
 ! Other internal LAN

access-list 105 remark ### Client VPN Crypto Map ####
access-list 105 permit ip host 192.168.166.1 any
access-list 105 deny ip any any log

! For permanent router-router VPN
!!access-list 110 remark crypto map TheCo
!!access-list 110 permit ip 192.168.166.0 0.0.0.255 192.168.58.0 0.0.0.255
!!access-list 110 permit ip 10.10.166.0 0.0.0.255 192.168.58.0 0.0.0.255
!!access-list 110 permit ip 10.1.166.0 0.0.0.255 192.168.58.0 0.0.0.255

line vty 0 4
 exec-timeout 120 0
 privilege level 15
 password cisco

anybody43
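As an added sanity check (my own script, not part of the thread or any Cisco tool), this reads an Easy VPN server config in the shape of the one above and verifies the wiring the questions are really about: the crypto map has to be applied on the outside interface (Ethernet1 here, the dialer on an 857W), the client group's pool and split-tunnel ACL must actually exist, and the client pool must be a range separate from every interface subnet. The config text is a constructed cut-down sample, not the poster's full config.

```python
import ipaddress
# Constructed sample in the shape of the posted config (not the poster's full text).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group 3000client
 pool ippool
 acl split-tunnel
crypto map fw1 15 ipsec-isakmp dynamic dynmap
interface Ethernet0
 ip address 192.168.166.254 255.255.255.0
interface Ethernet1
 ip address 6.7.8.130 255.255.255.240
 crypto map fw1
ip local pool ippool 10.10.166.1 10.10.166.254
ip access-list extended split-tunnel
 permit ip 192.168.166.0 0.0.0.255 any
"""

def parse_blocks(text):
    # Group IOS lines into (top-level command, [sub-commands]); '!' lines are comments.
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def check_easy_vpn(text):
    """Return findings as strings; an empty list means the wiring checks pass."""
    blocks, findings = parse_blocks(text), []
    pools = {t.split()[3]: (t.split()[4], t.split()[-1]) for t, _ in blocks if t.startswith("ip local pool ")}
    acls = {t.split()[-1] for t, _ in blocks if t.startswith("ip access-list ")}
    subs_all = [s for _, subs in blocks for s in subs]
    bound = {s.split()[2] for s in subs_all if s.startswith("crypto map ")}  # maps on interfaces
    nets = [ipaddress.IPv4Interface("/".join(s.split()[2:4])).network
            for s in subs_all if s.startswith("ip address ")]
    for top, subs in blocks:
        if top.startswith("crypto isakmp client configuration group "):
            for sub in subs:  # the pool and split-tunnel ACL the group names must exist
                kind, _, name = sub.partition(" ")
                if (kind == "pool" and name not in pools) or (kind == "acl" and name not in acls):
                    findings.append(f"group {top.split()[-1]} references missing {kind} {name}")
        elif top.startswith("crypto map ") and top.split()[2] not in bound:  # never applied
            findings.append(f"crypto map {top.split()[2]} is not applied to any interface")
    for name, (first, last) in pools.items():  # client pool must be a separate range
        findings += [f"pool {name} overlaps interface subnet {n}" for n in nets
                     if ipaddress.IPv4Address(first) in n or ipaddress.IPv4Address(last) in n]
    return findings
```

Paste your own running config into SAMPLE_CONFIG (or read it from a file) and any non-empty result points at the line to fix before looking at client-side errors.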

Thanks for this but I need my NAT and firewall rules up, and prefer to operate the router using SDM as I have no idea about these commands and what they do. Someone else suggested it may be conflicting passwords, so I will look into that too.

Do you have an equivalent of your code but in a GUI layout?

James
