
Cisco VPN 5000 Series Concentrators

Configuring Two Cisco VPN 5000 Series Concentrators to Establish a GRE Tunnel

Document ID: 4176



Cisco has announced the end of sales for the Cisco VPN 5000 Series Concentrators. For more information, please see the End-of-Sales Announcement.


Contents

Introduction
Prerequisites
      Requirements
      Components Used
      Conventions
Configure
      Network Diagram
      Configurations
Verify
Troubleshoot
      Troubleshooting Commands

Introduction

This document gives an overview of the configuration required to establish a Generic Routing Encapsulation (GRE) tunnel between two Cisco VPN 5000 Series Concentrators. For information about how to establish basic connectivity, or reference on configuration syntax, refer to the VPN 5000 Concentrator documentation.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco VPN 5000 Concentrator software version 5.2.19US

  • VPN 5001 Concentrator

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

For more information on document conventions, refer to Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in this diagram.

[Figure: network diagram, vpn5k_congre_01.gif]

Configurations

This document uses the configurations shown here.

VPN Concentrator 5001A

[ IP Ethernet 0 ]
Mode                     = Routed
SubnetMask               = 255.255.255.0
IPAddress                = 10.1.1.1

[ IP Ethernet 1 ]
Mode                     = Routed
SubnetMask               = 255.255.255.0
IPAddress                = 100.1.1.1

[ IP Static ]
0.0.0.0 0.0.0.0 100.1.1.2 1 redist=none
20.0.0.0 255.0.0.0 vpn 1 1 redist=none

[ Logging ]
Level                    = 7
Enabled                  = On

[ General ]
VPNGateway               = 100.1.1.2
EnablePassword           =
Password                 =
DeviceName               = "VPN5001A"
EthernetAddress          = 00:00:a5:f0:c9:00
DeviceType               = VPN 5001 Concentrator
ConfiguredOn             = Timeserver not configured
ConfiguredFrom           = Command Line, from Console

[ Tunnel Partner VPN 1 ]
Peer                     = "20.0.0.0/8"
BindTo                   = "ethernet1"
LocalAccess              = "10.0.0.0/8"
Partner                  = 200.1.1.1
Mode                     = Main
KeyManage                = Manual
Authentication           = Off
Encryption               = Off
EncryptMethod            = None

[ IP VPN 1 ]
Numbered                 = Off
Mode                     = Routed

VPN Concentrator 5001B

[ General ]
EthernetAddress          = 00:02:4b:9c:ba:80
IPSecGateway             = 200.1.1.2
DeviceType               = VPN 5001 Concentrator
ConfiguredOn             = Timeserver not configured
ConfiguredFrom           = Command Line, from Console
Password                 =
DeviceName               = "VPN5001B"

[ IP Ethernet 1 ]
Mode                     = Routed
SubnetMask               = 255.255.255.0
IPAddress                = 200.1.1.1

[ IP Ethernet 0 ]
Mode                     = Routed
SubnetMask               = 255.255.255.0
IPAddress                = 20.1.1.1

[ IP Static ]
0.0.0.0 0.0.0.0 200.1.1.2 1 redist=none
10.0.0.0 255.0.0.0 vpn 1 1 redist=none


[ Tunnel Partner VPN 1 ]
Peer                     = "10.0.0.0/8"
BindTo                   = "ethernet1"
LocalAccess              = "20.0.0.0/8"
Partner                  = 100.1.1.1
Mode                     = Main
KeyManage                = Manual
Authentication           = Off
Encryption               = Off
EncryptMethod            = None

[ IP VPN 1 ]
Numbered                 = Off
Mode                     = Routed
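
In the two listings above, each side's Peer is the other side's LocalAccess, each Partner is the address of the interface the other side binds the tunnel to, and both sides leave Authentication and Encryption Off. The following is an added example, not Cisco code or part of the original document: it parses trimmed, constructed copies of the listings and cross-checks those relationships. The parser, the finding names, and the mapping of BindTo "ethernet1" to the [ IP Ethernet 1 ] section are assumptions made for the example.

```python
import ipaddress
import re

# Constructed input: the two listings above, trimmed to the lines the check reads.
TEMPLATE = """[ IP Ethernet 1 ]
IPAddress = {wan}
[ IP Static ]
{far} 255.0.0.0 vpn 1 1 redist=none
[ Tunnel Partner VPN 1 ]
Peer = "{far}/8"
BindTo = "ethernet1"
LocalAccess = "{near}/8"
Partner = {partner}
Authentication = Off
Encryption = Off
"""
CFG_A = TEMPLATE.format(wan="100.1.1.1", far="20.0.0.0", near="10.0.0.0", partner="200.1.1.1")
CFG_B = TEMPLATE.format(wan="200.1.1.1", far="10.0.0.0", near="20.0.0.0", partner="100.1.1.1")

def parse(text):
    """Return {section: {key: value}}; keyless lines (routes) go in '_lines'."""
    cfg, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        sec = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        kv = re.match(r"([A-Za-z]\w*)\s*=\s*(.*)", line)
        if sec:
            cur = cfg.setdefault(sec.group(1).lower(), {"_lines": []})
        elif kv and cur is not None:
            cur[kv.group(1).lower()] = kv.group(2).strip().strip('"')
        elif line and cur is not None:
            cur["_lines"].append(line.split())
    return cfg

def audit(local, remote, n="1"):
    """Findings for tunnel n on `local`, cross-checked against its peer `remote`."""
    t, rt = (c[f"tunnel partner vpn {n}"] for c in (local, remote))
    out = []
    # Assumption: BindTo "ethernet1" names the [ IP Ethernet 1 ] section.
    far_if = rt["bindto"].replace("ethernet", "ip ethernet ")
    if t["partner"] != remote[far_if]["ipaddress"]:
        out.append("partner-mismatch")
    peer = ipaddress.ip_network(t["peer"])
    if peer != ipaddress.ip_network(rt["localaccess"]):
        out.append("peer-localaccess-mismatch")
    want = [str(peer.network_address), str(peer.netmask), "vpn", n]
    if not any(r[:4] == want for r in local["ip static"]["_lines"]):
        out.append("no-route-via-vpn")
    # Both Off means the tunnelled traffic is neither authenticated nor encrypted.
    out += [f"{k}-off" for k in ("authentication", "encryption")
            if t.get(k, "").lower() == "off"]
    return out
```

Run against the two listings, `audit` returns only the authentication-off and encryption-off findings in either direction, which matches a plain GRE tunnel: the addressing is consistent, and the tunnelled traffic between 100.1.1.1 and 200.1.1.1 is unprotected.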

Verify

This section provides information you can use to confirm your configuration is working properly.

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

  • show vpn partners—Shows this information:

    • VPN port number to which the peer is connected.

    • The tunnel peer's IP address.

    • The UDP port for the connection.

    • Whether the tunnel peer is connected to this VPN Concentrator's Tunnel Partner Default section instead of a specific Tunnel Partner section.

    • The IP address used as the local endpoint of the tunnel.

    • The duration of time that the partners have been connected.

  • show vpn statistics verbose—Shows this information for users and Partners and the total for both:

    • Current active connections.

    • Currently negotiating connections.

    • The highest number of concurrent active connections since the last reboot.

    • The total number of successful connections since the last reboot.

    • The number of tunnel starts.

    • The number of tunnels for which there were no errors.

    • The number of tunnels with errors.

This is sample command output of the show vpn partners command.

VPN5001C#show vpn partners

Port     Partner      Partner   Default   Bindto       Connect
Number   Address      Port      Partner   Address      Time
-------------------------------------------------------------------------
VPN 1    100.1.1.1    0         No        200.1.1.1    00:00:02:57

This is sample command output of the show vpn statistics verbose command.

VPN5001C>show vpn statistics verbose

            Current  In     High   Running  Tunnel  Tunnel  Tunnel
            Active   Negot  Water  Total    Starts  OK      Error
--------------------------------------------------------------
Users       0        0      0      0        0       0       0
Partners    1        0      1      1        0       0       0
Total       1        0      1      1        0       0       0

Stats VPN1
Wrapped 3334
Unwrapped 3336
BadEncap 0
BadAuth 0
BadEncrypt 0
rx IP 3359
rx IPX 0
rx Apple 0
rx Other 0
tx IP 3381
tx IPX 0
tx Apple 0
tx Other 0
IKE rekey 0

Input VPN pkts dropped due to no SA: 0

Input VPN pkts dropped due to no free queue entries: 0

ISAKMP Negotiation stats
Admin packets in 0
Fastswitch packets in 0
No cookie found 0
Can't insert cookie 0
Inserted cookie(L) 0
Inserted cookie(R) 0
Cookie not inserted(L) 0
Cookie not inserted(R) 0
Cookie conn changed 0
Cookie already inserted 0
Deleted cookie(L) 0
Deleted cookie(R) 0
Cookie not deleted(L) 0
Cookie not deleted(R) 0
Forwarded to RP 0
Forwarded to IOP 0
Bad UDP checksum 0
Not fastswitched 0
Bad Initiator cookie 0
Bad Responder cookie 0
Has Responder cookie 0
No Responder cookie 0
No SA 0
Bad find conn 0
Admin queue full 0
Priority queue full 0
Bad IKE packet 0
No memory 0
Bad Admin Put 0
IKE pkt dropped 0
No UDP PBuf 0
No Manager 0
Mgr w/ no cookie 0
Cookie Scavenge Add 0
Cookie Scavenge Rem 0
Cookie Scavenged 0
Cookie has mgr err 0
New conn limited 0

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Note: Before issuing debug commands, please see Important Information on Debug Commands.

  • show syslog buffer—Allows you to view previously buffered events.

  • vpn trace dump all—Shows information about all matching VPN connections. This includes information about:

    • The time.

    • The VPN number.

    • The real IP address of the peer.

    • The scripts that have been run.

    • In the case of an error, the routine and line number of the software code where the error occurred.

Updated: May 02, 2008