This sample configuration illustrates a router configured with a wild-card pre-shared key: every PC client shares one key, and the router accepts that key from any peer address (0.0.0.0 0.0.0.0). A remote user connects to the network keeping its own IP address (the router assigns none), and traffic between the remote user's PC and the router is encrypted. Because Phase 1 authenticates peers only by that shared key, compromise of any one client exposes the key for all of them; a wild-card key is a convenience for a lab, not a production design.
There are no specific prerequisites for this document.
The information in this document is based on the software and hardware versions below.
Cisco IOS® Software Release 12.2.8.T1
Cisco Secure VPN Client version 1.0 or 1.1—End-of-Life
Cisco router with DES or 3DES image
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
For more information on document conventions, refer to Cisco Technical Tips Conventions.
In this section, you are presented with the information to configure the features described in this document.
This document uses the network setup shown in the diagram below.
This document uses the configurations shown below.
Current configuration:
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RTCisco
!
enable password hjwwkj
!
!
ip subnet-zero
ip domain-name cisco.com
ip name-server 184.108.40.206
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key mysecretkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
!
crypto dynamic-map dyna 10
 set transform-set mypolicy
!
crypto map test 10 ipsec-isakmp dynamic dyna
!
!
interface Serial0
 ip address 220.127.116.11 255.255.255.252
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 crypto map test
!
interface Ethernet0
 ip address 18.104.22.168 255.255.255.0
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 22.214.171.124
!
!
line con 0
 transport input none
line aux 0
 transport input all
line vty 0 4
 password cscscs
 login
!
end
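The router configuration above carries several settings a reviewer would flag before deploying it outside a lab: the wild-card pre-shared key, single DES and MD5 in both phases, a clear-text enable password, and an AUX line that accepts every transport. The script below is an added example, not a Cisco tool or anything from the original page: it pattern-matches those commands in a running-config and reports each one. It generalizes beyond this page's config (it will audit any IOS config using the same command syntax), and the embedded input is a constructed copy of the RTCisco configuration above with the page's lab addresses. The recommended replacements in the finding text (esp-3des, esp-sha-hmac, hash sha, enable secret) are the example's own suggestions, chosen to stay within what the page says the image supports (DES or 3DES).

```python
from __future__ import annotations
import re

# Constructed input: the sample RTCisco running-config from this page, one
# command per line (the page prints it flattened).  Addresses and keys are
# the page's lab values, not real hosts.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
hostname RTCisco
enable password hjwwkj
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key mysecretkey address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set mypolicy esp-des esp-md5-hmac
crypto dynamic-map dyna 10
 set transform-set mypolicy
crypto map test 10 ipsec-isakmp dynamic dyna
!
interface Serial0
 ip address 220.127.116.11 255.255.255.252
 crypto map test
!
line aux 0
 transport input all
line vty 0 4
 password cscscs
 login
"""

KEY_RE = re.compile(r"^crypto isakmp key (\S+) address (\S+)(?: (\S+))?$")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")


def audit_ios_config(config: str) -> list[str]:
    """Return one finding per weak setting in an IOS running-config.

    Context tracking is minimal: a top-level command (no leading space)
    starts a new block, and indented lines belong to the last block seen.
    """
    findings: list[str] = []
    block = None  # 'crypto isakmp policy N' or 'line ...' we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            block = line if line.startswith(("crypto isakmp policy ", "line ")) else None

        if line == "no service password-encryption":
            findings.append("line/enable passwords stored in clear text "
                            "(no service password-encryption)")
        elif line.startswith("enable password "):
            findings.append("'enable password' is recoverable; use 'enable secret'")
        elif block and block.startswith("crypto isakmp policy") and line == "hash md5":
            findings.append(f"{block}: MD5 integrity for Phase 1; use 'hash sha'")
        elif (m := KEY_RE.match(line)):
            key, addr, mask = m.groups()
            # IOS writes the wildcard as 'address 0.0.0.0 0.0.0.0'; a bare
            # 0.0.0.0 is treated the same way here (assumption of this example).
            if addr == "0.0.0.0" and mask in (None, "0.0.0.0"):
                findings.append(
                    f"wildcard pre-shared key '{key}' is accepted from any peer; "
                    "one compromised client exposes the key for all")
        elif (m := TS_RE.match(line)):
            name, transforms = m.group(1), m.group(2).split()
            if "esp-des" in transforms:
                findings.append(f"transform-set {name}: single DES; use esp-3des")
            if "esp-md5-hmac" in transforms:
                findings.append(f"transform-set {name}: MD5 HMAC; use esp-sha-hmac")
        elif block and block.startswith("line ") and line == "transport input all":
            findings.append(f"{block}: 'transport input all' permits every access protocol")
    return findings


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print("WEAK:", f)
```

Run against the sample it reports seven findings; feed it a config with a per-peer key (`address <peer-ip>`) and `esp-3des esp-sha-hmac` and it reports none. The block-tracking is deliberately simple (one level of indentation, as IOS prints it), which is enough for `show running-config` output but not for configs that have been re-indented by hand.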
VPN Client Configuration

Network Security policy:
1- Myconn
   My Identity
      Connection security: Secure
      Remote Party Identity and addressing
         ID Type: IP subnet
         126.96.36.199
         255.255.255.0
         Port all Protocol all
      Connect using secure tunnel
         ID Type: IP address
         188.8.131.52
      Authentication (Phase 1)
      Proposal 1
         Authentication method: Preshared key
         Encryp Alg: DES
         Hash Alg: MD5
         SA life: Unspecified
         Key Group: DH 1
      Key exchange (Phase 2)
      Proposal 1
         Encapsulation ESP
         Encrypt Alg: DES
         Hash Alg: MD5
         Encap: tunnel
         SA life: Unspecified
         no AH
2- Other Connections
      Connection security: Non-secure
      Local Network Interface
         Name: Any
         IP Addr: Any
         Port: All
This section provides information you can use to confirm your configuration is working properly.
show crypto isakmp sa —Shows Phase 1 security associations.
show crypto ipsec sa —Shows Phase 2 security associations and proxy, encapsulation, encryption, decapsulation, and decryption information.
show crypto engine connections active —Shows current connections and information regarding encrypted and decrypted packets.
This section provides information you can use to troubleshoot your configuration.
Note: Before issuing debug commands, refer to Important Information on Debug Commands.
Note: You must clear security associations on both peers. The clear crypto commands are privileged EXEC (enable mode) commands on the router.
Note: You must run these debugs on both IPSec peers.
debug crypto isakmp —Displays errors during Phase 1.
debug crypto ipsec —Displays errors during Phase 2.
debug crypto engine —Displays information from the crypto engine.
clear crypto isakmp —Clears the Phase 1 security associations.
clear crypto sa —Clears the Phase 2 security associations.