No ezvpn please!

31 Oct 2007 23:44

Had a nice piece of homework cut out for me getting site-to-site IPsec working between a relative's Netgear and my Cisco 877. UniverCD once again proved crucial to my understanding and to working out what should go where. Thanks to Ilya for reminding me to browse that site rather than just search it.

Well, my working config turned out to be:

! Pre-shared key for the remote peer (1.2.3.4 is the Netgear's public address)
crypto keyring Daniel
 pre-shared-key address 1.2.3.4 key s3cr3t
!
! IKE phase 1 policy; the Netgear end must be set to match
! (3DES, SHA-1 by default, DH group 2, pre-shared key, 8 hour lifetime)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
! Only needed for ezvpn client access (the earlier attempt);
! the site-to-site tunnel does not use it
crypto isakmp client configuration group Daniel-grp
 key s3cr3t
!
! Bind the keyring to the peer by its address
crypto isakmp profile Daniel
 keyring Daniel
 match identity address 1.2.3.4 255.255.255.255
!
! Also only relevant to ezvpn clients
crypto isakmp profile Daniel-ez
 match identity group Daniel-grp
!
! IKE phase 2 (IPsec) proposal
crypto ipsec transform-set tset1 esp-3des esp-sha-hmac
!
! Static crypto map; interesting traffic is defined by ACL 102
crypto map Daniel 10 ipsec-isakmp
 set peer 1.2.3.4
 set transform-set tset1
 set isakmp-profile Daniel
 match address 102
!
! Apply the crypto map to the ADSL dialer interface
interface Dialer1
 crypto map Daniel
!
! Interesting traffic: local LAN to remote LAN
access-list 102 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! Static route for the remote LAN via the peer (resolved through the default route out Dialer1)
ip route 192.168.1.0 255.255.255.0 1.2.3.4 name Daniel

I also had to stop traffic destined for the IPsec tunnel being NATted; this meant adding a simple deny line, ahead of the permit, in the NAT ACL. 1.2.3.4 is the remote site's public IP address, 192.168.100.0/24 my local LAN and 192.168.1.0/24 the remote LAN. Unlike the ezvpn tunnel I tried earlier, this tunnel is brought up on demand by interesting traffic and a static route to the remote LAN is required, rather than routes being added dynamically when the tunnel comes up. Personally I think ezvpn can be quite cool for remote access (read client access), but I have SSL VPN working fine for that, which was much easier to set up to boot.
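The NAT exemption described above, as an added example that is not part of the original post: the post only says a deny line was added to the NAT ACL, so the ACL number (101), the NAT statement and the LAN interface name (Vlan1) are assumed here. The deny mirrors the crypto ACL 102 and has to sit before the permit, otherwise LAN-to-LAN packets leave with the Dialer1 public address as source, never match ACL 102 and are sent in the clear instead of through the tunnel.

```cisco
! Added example (assumed ACL number 101 and NAT statement; not from the post)
!
! Exempt tunnel traffic from NAT: the deny comes first and matches the same
! source/destination pair as crypto ACL 102
access-list 101 deny   ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
!
! Overload everything else onto the dialer's public address
ip nat inside source list 101 interface Dialer1 overload
!
! ip nat inside / ip nat outside are assumed to already be on the
! LAN (Vlan1) and Dialer1 interfaces, since NAT was working before
```

To check the result, generate interesting traffic from the LAN side (for example `ping 192.168.1.1 source Vlan1`), then `show crypto isakmp sa` should list peer 1.2.3.4 in state QM_IDLE, `show crypto ipsec sa` should show the encaps/decaps counters climbing, and `show ip nat translations` should contain no entries for 192.168.1.0/24 destinations. Note that 3DES, SHA-1 and DH group 2 were the lowest common denominator with the Netgear in 2007; if the remote end supports AES and a larger DH group, use those in the ISAKMP policy and transform set instead.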
