 hel27n
join:2007-11-14
| Do I need a VPN, if so how do I setup???
Can someone please advise me on how I can ping an IP address sitting behind a Netgear DG843 from another site?
I take it I will need to setup a VPN but am unsure on how to approach this, please help
Current setup:
Site 1:
Netgear Router DS843 Static IP: 81.130.211.x
Netgear Router LAN: 192.168.0.1
PC (I want to ping): 192.168.0.50
Site 2:
Cisco Router 1841 Static IP: 217.46.156.x
Cisco Router 1841 LAN: 192.168.1.1 (can ping 81.130.211.x but not 192.168.0.50) |
|
 DocLarge Premium join:2004-09-08
2 edits | The good news is that it can be done. I run vpn connections from SOHO devices to an IOS router all of the time.
Here's the link to the Netgear site demonstrating how to setup your Netgear side:
»kbserver.netgear.com/kb_web_file···1569.asp
------------------------------------------------------------
Next, here's what you'll need for your 1841. NOTE: I can't advise you on how to use the GUI interface because I'm more of a command line person. If you can't figure it out via command line, use the GUI:
Enter router global configuration mode
router> enable
router# config t
router(config)# (You're now in config mode when the prompt looks like this.)
Once you get here, configure the following commands:
Phase I - Create Crypto Policy
crypto isakmp enable
crypto isakmp policy 10 (random sequence number)
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
crypto isakmp identity address
crypto isakmp key 1234 address 81.130.211.x no-xauth (DG834G's WAN Address)
crypto isakmp keepalive 3600
crypto ipsec df-bit clear (permits fragmentation)
Phase II - Create Security Translations
crypto ipsec transform-set netgear esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
Phase III - Create Crypto Maps
crypto map netgear 110 ipsec-isakmp (110 is random number)
 set peer 81.130.211.x
 match address 110 (based on access-list 110 permit statement)
 set pfs group2
 set transform-set netgear
 set security-association lifetime seconds 28800
Phase IV - Define traffic not to be inspected
route-map nonat permit 10
 match ip address 111
Phase V - Apply "IP NAT" command to interface
ip nat inside source route-map nonat interface e0/0 overload
Phase VI - Apply crypto map to interface
router(config)#int e0/0
router(config-if)#crypto map netgear
Checking your configuration
Once you get your tunnel up, use this command to check for NAT traffic:
router# sh ip nat translations
and
router#sh ip nat statistics
To see if your tunnel is active, use the following:
router#sh crypto ipsec sa (Look for the word "Active")
or
router#sh crypto isakmp sa
And this is a simple cisco ios vpn config in a nutshell!
Yet, an additional way to confirm your tunnel is up and running between the two sites is to do a simple ping...
Open up a command prompt on the Netgear side and ping the 1841 side:
ping 192.168.1.1 ---- router's ip address
If you get a reply, the tunnel is up!
Jay |
|
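A small consistency checker for the kind of IOS configuration shown in the post above. This is an added example, not code from Cisco or from the poster; it assumes the syntax used in the thread (numbered ACLs, a crypto map with "match address", a route-map based NAT exemption) and the sample configs embedded at the bottom are constructed from that snippet. It reports the mistakes that most often leave a tunnel down or push traffic out unencrypted: a crypto map whose "match address" points at an ACL that was never defined, encrypted traffic that is not excluded from NAT, a missing transform-set or pre-shared key, and a pre-shared key shorter than an assumed local minimum.

```python
"""Consistency checks for a Cisco IOS site-to-site IPsec config (added example,
not Cisco's or the poster's code). Assumes numbered ACLs, a crypto map using
"match address", and a route-map NAT exemption, as in the thread."""
from __future__ import annotations

import re
from collections import defaultdict

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)$")
CRYPTO_MAP_RE = re.compile(r"crypto map (\S+) \d+ ipsec-isakmp$")
TRANSFORM_RE = re.compile(r"crypto ipsec transform-set (\S+) ")
PSK_RE = re.compile(r"crypto isakmp key (?:[06] )?(\S+) address (\S+)")
ROUTE_MAP_RE = re.compile(r"route-map (\S+)")
MATCH_ACL_RE = re.compile(r"match ip address (\d+)")
NAT_RE = re.compile(r"ip nat inside source route-map (\S+) ")
MIN_PSK_LEN = 16  # assumed local policy, not an IOS limit


def parse_ios(config: str) -> dict:
    """Extract only the objects the checks need; tolerates a one-line route-map."""
    c = dict(acls=defaultdict(list), crypto_maps={}, transform_sets=set(),
             psks={}, route_maps={}, nat_route_maps=set(), unparsed=[])
    current_map = current_rm = None
    for raw in config.splitlines():
        line = raw.split("(")[0].strip()        # drop forum-style "(...)" annotations
        if not line or line.startswith("!"):
            continue
        if m := ACL_RE.match(line):
            c["acls"][m[1]].append((m[2], m[3], m[4]))
        elif line.startswith("access-list"):
            c["unparsed"].append(line)           # e.g. a missing "ip" keyword
        elif m := CRYPTO_MAP_RE.match(line):
            current_map, current_rm = c["crypto_maps"].setdefault(m[1], {}), None
        elif m := TRANSFORM_RE.match(line):
            c["transform_sets"].add(m[1])
        elif m := PSK_RE.match(line):
            c["psks"][m[2]] = m[1]               # peer address -> key
        elif m := NAT_RE.match(line):
            c["nat_route_maps"].add(m[1])
        elif m := ROUTE_MAP_RE.match(line):
            current_rm, current_map = m[1], None
            inline = MATCH_ACL_RE.search(line)   # "route-map X match ip address N" on one line
            c["route_maps"][current_rm] = inline[1] if inline else None
        elif current_map is not None:            # crypto map sub-commands
            if m := re.match(r"set peer (\S+)", line):
                current_map["peer"] = m[1]
            elif m := re.match(r"match address (\d+)", line):
                current_map["acl"] = m[1]
            elif m := re.match(r"set transform-set (\S+)", line):
                current_map["transform"] = m[1]
        elif current_rm is not None and (m := MATCH_ACL_RE.match(line)):
            c["route_maps"][current_rm] = m[1]   # route-map sub-command
    return c


def check_vpn_config(config: str) -> list[str]:
    """Return human-readable findings; an empty list means every check passed."""
    c = parse_ios(config)
    findings = [f"could not parse: {line}" for line in c["unparsed"]]
    nat_exempt = set()                           # (src, dst) pairs kept out of NAT
    for rm in c["nat_route_maps"]:
        acl = c["route_maps"].get(rm)
        if acl not in c["acls"]:
            findings.append(f"NAT route-map {rm} references missing ACL {acl}")
            continue
        nat_exempt |= {(s, d) for action, s, d in c["acls"][acl] if action == "deny"}
    for name, cm in c["crypto_maps"].items():
        acl = cm.get("acl")
        if acl not in c["acls"]:
            findings.append(f"crypto map {name}: match address {acl} but no access-list {acl} exists")
        else:
            for action, src, dst in c["acls"][acl]:
                if action == "permit" and (src, dst) not in nat_exempt:
                    findings.append(f"crypto map {name}: {src} -> {dst} would be NATed before encryption")
        if cm.get("transform") not in c["transform_sets"]:
            findings.append(f"crypto map {name}: transform-set {cm.get('transform')} is not defined")
        if cm.get("peer") not in c["psks"]:
            findings.append(f"crypto map {name}: no pre-shared key for peer {cm.get('peer')}")
    for peer, key in c["psks"].items():
        if len(key) < MIN_PSK_LEN:
            findings.append(f"pre-shared key for {peer} is only {len(key)} characters")
    return findings


# Constructed from the thread's snippet: the crypto map says "match address 110"
# but the ACL was numbered 100, the 111 permit line lacks "ip", and the key is "1234".
POSTED_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key 1234 address 81.130.211.x no-xauth
crypto ipsec transform-set netgear esp-3des esp-sha-hmac
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit 192.168.1.0 0.0.0.255 any
crypto map netgear 110 ipsec-isakmp
 set peer 81.130.211.x
 match address 110
 set transform-set netgear
route-map nonat match ip address 111
ip nat inside source route-map nonat interface e0/0 overload
"""

# Same design with the ACL number, the missing keyword and a placeholder key fixed.
FIXED_CONFIG = (POSTED_CONFIG.replace("access-list 100", "access-list 110")
                .replace("permit 192.168.1.0", "permit ip 192.168.1.0")
                .replace("key 1234", "key REPLACE-WITH-LONG-RANDOM-PSK"))

if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check_vpn_config(cfg) or ['ok']}")
```

Run it against a saved `show running-config` section to get the same three classes of finding the posted snippet produces (an unparsed ACL line, a crypto map pointing at a nonexistent ACL, a four-character key); the fixed variant returns no findings. The NAT check is the one worth keeping in a change pipeline: a permit entry in the crypto ACL with no matching deny in the NAT-exemption ACL means the "interesting" traffic is translated before the crypto map sees it and never enters the tunnel.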
 DocLarge Premium join:2004-09-08
| reply to hel27n Okay, hel27n,
I'll do you one better. I put my FSV114 on-line and have set up a tunnel between it and my Cisco 871w. The tunnel structure of the FSV114 is "similar" to the Netgear DG834G (I just realized you had the numbers switched because I have one of these also).
I'll put together a video tutorial if you're interested so it makes things easier...
Jay |
|
 hel27n
join:2007-11-14 | Hi Jay,
Thanks for your posts, the video would be great if you don't mind.
Helen. |
|
 DocLarge Premium join:2004-09-08
1 edit | Okay,
here's the video for setting up the netgear side. Additionally, you will have to download this codec to view both videos:
»www.techsmith.com/download/codecs.asp
Jay |
|
 DocLarge Premium join:2004-09-08
1 edit | reply to hel27n Here's the video for configuring your Cisco 1841.
By the way, when I was talking about using "any" in the access list, I meant to say that using "any" was the same as 0.0.0.0 (for the ip address) 0.0.0.0 (subnet mask)
Jay |
|
 hel27n
join:2007-11-14
| Hello Jay,
Thank you so much for the time & effort you spent putting the videos together. Sorry I took so long I was sick for a few days.
I have now completed all commands on both the Netgear & Cisco Router & now have a further question. Should I be able to ping 192.168.0.50 (PC behind Netgear) from the Router 192.168.1.1 or a PC behind the Cisco 192.168.1.5?
I cannot do this at present.
Thanks,
Helen |
|
 DocLarge Premium join:2004-09-08
1 edit | reply to hel27n You should be able to ping "any" machine from behind "either" router. Once the tunnel is up, any machine behind the netgear router should be able to ping any computer behind your cisco router.
Are you still having problems?
jay
By the way, if you see a little blinking "yellow" envelope in the upper left hand corner, that's a PM from me... |
|
 hel27n
join:2007-11-14
| Yes, I have tested the tunnel (via Config Console) and 2 problems relating to routing were reported. See attached |
|
 DocLarge Premium join:2004-09-08 | Just a second... |
|
 DocLarge Premium join:2004-09-08
| reply to hel27n Ahhh,
you're using the PDM. I'm not a big pdm user, however, if the tunnel is running, the pdm will verify it.
Unfortunately, I'm not running the PDM on my ISR because I need the memory (space). Are you any good at command line?
Jay |
|
 hel27n
join:2007-11-14 | I was able to follow your video as anyone would. I am only familiar with the basics on Cisco Routers, sorry |
|
 hel27n
join:2007-11-14 | The status of the tunnel is 'Down' |
|
 DocLarge Premium join:2004-09-08 | Okay,
take a look at the upper left hand corner of your screen and look for a yellow flashing envelope. I'm going to send you another pm...
Jay |
|
 hel27n
join:2007-11-14 | Can you let me know when you have sent the file as I can't see it yet? |
|
 hel27n
join:2007-11-14 | Hi Ray,
Just wondering if you had a chance to put the new instructions together? |
|
 DocLarge Premium join:2004-09-08
| Mawnin' Helen...
There were no new instructions; I was just letting you know I was going to "send" you a pm...
That being said, is there any way you can provide a screen shot of your Netgear and CISCO configurations so we can get a look? Be sure to cover up/omit your WAN addresses if you do 
Jay |
|
 hel27n
join:2007-11-14
| Please see attached file for config |
|