Prestige to Cisco Tunneling
Note: Not all ZyXEL Prestige models provide VPN functionality. Please check the User's Manual on the packaged CD-ROM.
This page explains how to set up a VPN connection between a Prestige and a Cisco router. As shown in the figure below, the tunnel between the Prestige and the Cisco router ensures that the packets flowing between them are secured. The settings required on the Prestige and on the Cisco router to set up this VPN tunnel are explained in the following sections.
The IP addresses we use in this example are as shown below.
PC 1         | Prestige                               | Cisco                                  | PC 2
192.168.1.33 | LAN: 192.168.1.1 / WAN: 172.21.10.50   | LAN: 192.168.2.1 / WAN: 140.113.10.50  | 192.168.2.2
Note:
1. When using a Cisco router to establish the VPN, a back-to-back connection is not applicable. In other words, the WAN IP addresses of the Prestige and of the Cisco router can't be in the same subnet.
2. The following configurations assume that both VPN gateways have fixed IP addresses. If one of the VPN gateways uses a dynamic IP address, enter 0.0.0.0 as the secure gateway IP address on the fixed side. In this case the VPN connection can only be initiated from the dynamic side to the fixed side, so that the dynamic side's current IP is delivered to the fixed side: the source IP of that connection is obtained and written into the field that previously held 0.0.0.0. If both gateways use dynamic IP addresses, there is no way to establish the VPN connection at all.
If the WAN IP of the Prestige is also dynamic, enter 0.0.0.0 as its My IP Address. When the ISP assigns the IP, this field is updated with it.
2 Setup Cisco
There are two ways to configure the Cisco VPN: use commands from the console, or use Cisco ConfigMaker. Cisco ConfigMaker is an easy-to-use Windows 98/Me/NT/2000 application that configures Cisco routers, switches, hubs, and other devices. Section 2.1 guides you through setting up IPSec with Cisco ConfigMaker. If you prefer to use commands from the console, please go to section 2.2.
2.1 Setup Cisco by ConfigMaker
You can download Cisco ConfigMaker from http://www.cisco.com/warp/public/cc/pd/nemnsw/cm/index.shtml.
See the ConfigMaker screen shots.
2.2 Setup Cisco by commands
Note that, in order to set up the Cisco by commands, you have to connect your PC to the Cisco router with a console cable. Enter the following commands, one per line.
Cisco1720#config
Cisco1720#<start typing the commands below>
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco1720
!
logging rate-limit console 10 except errors
enable password 7 1543595F50
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip domain-lookup
!
ip dhcp pool 1
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key 12345678 address 172.21.10.50
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 172.21.10.50
 set transform-set cm-transformset-1
 match address 100
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address 140.113.10.50 255.255.0.0
 half-duplex
 crypto map cm-cryptomap
!
interface FastEthernet0
 description connected to EthernetLAN_1
 ip address 192.168.2.1 255.255.255.0
 speed auto
!
router rip
 version 1
 passive-interface Ethernet0
 network 140.113.0.0
 network 192.168.2.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
no ip http server
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
!
snmp-server community public RO
!
line con 0
 exec-timeout 0 0
 password 7 06575D7218
 login
line aux 0
line vty 0 4
 password 7 11584B5643
 login
line vty 5 15
 login
!
no scheduler allocate
end
After all of these settings, if PC1 and PC2 can reach each other, the IPSec VPN has been established successfully. A useful command for debugging the IPSec VPN is "debug crypto ipsec".
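To verify that the two ends of the tunnel agree before testing reachability, the following Python script, added here as an example and not part of this application note or of ZyXEL's or Cisco's own tooling, parses the IPsec-related lines of the Cisco configuration above (a constructed excerpt is embedded inline), checks them against the Prestige-side values from the address table (the PRESTIGE_SIDE key names are assumptions, not Prestige menu labels), enforces Note 1 (the two WAN addresses must not share a subnet) and flags proposal choices in this configuration, single DES, MD5 and a short pre-shared key, that a current deployment should not keep.

```python
import ipaddress

# Constructed excerpt of the Cisco configuration on this page (IPsec-related lines only).
CISCO_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key 12345678 address 172.21.10.50
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 172.21.10.50
 set transform-set cm-transformset-1
 match address 100
interface Ethernet0
 ip address 140.113.10.50 255.255.0.0
 crypto map cm-cryptomap
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Prestige-side values from the address table; key names are assumptions, not menu labels.
PRESTIGE_SIDE = {
    "my_ip": "172.21.10.50",
    "secure_gateway": "140.113.10.50",
    "local_subnet": "192.168.1.0/24",
    "remote_subnet": "192.168.2.0/24",
}

def to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (192.168.2.0 0.0.0.255) into a network."""
    prefix = 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_cisco_ipsec(config):
    """Extract ISAKMP policies, the pre-shared key, transform-sets, crypto maps, interfaces and ACLs."""
    out = {"isakmp": {}, "transform_sets": {}, "crypto_maps": {}, "interfaces": {}, "acls": {}}
    entry = None  # dict of the indented block currently being read
    for line in config.splitlines():
        w = line.split()
        if not w or w[0].startswith("!"):
            continue
        if line.startswith(" ") and entry is not None:  # sub-command of the current block
            if w[:2] == ["ip", "address"]:
                entry["network"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            elif w[0] in ("set", "match", "crypto"):  # set peer / set transform-set / match address / crypto map
                entry[w[1]] = w[2]
            elif len(w) == 2:  # hash / authentication / lifetime / encryption / group
                entry[w[0]] = w[1]
            continue
        entry = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            entry = out["isakmp"].setdefault(w[3], {})
        elif w[:3] == ["crypto", "isakmp", "key"]:
            out["isakmp_key"] = {"key": w[3], "peer": w[5]}
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            out["transform_sets"][w[3]] = w[4:]
        elif w[:2] == ["crypto", "map"] and w[-1] == "ipsec-isakmp":
            entry = out["crypto_maps"].setdefault(w[2], {})
        elif w[0] == "interface":
            entry = out["interfaces"].setdefault(w[1], {})
        elif w[0] == "access-list" and w[2:4] == ["permit", "ip"]:
            out["acls"].setdefault(w[1], []).append((to_network(w[4], w[5]), to_network(w[6], w[7])))
    return out

def check_tunnel(cisco, prestige):
    """Compare the Cisco side with the Prestige side; an empty list means they agree."""
    findings = []
    cmap = next(iter(cisco["crypto_maps"].values()), {})
    if cmap.get("peer") != prestige["my_ip"]:
        findings.append("crypto map peer differs from the Prestige My IP Address")
    if cisco.get("isakmp_key", {}).get("peer") != prestige["my_ip"]:
        findings.append("isakmp pre-shared key is bound to a different peer address")
    wan = next((i for i in cisco["interfaces"].values() if "map" in i), None)
    if wan is None:
        findings.append("crypto map is not applied to any interface")
    elif str(wan["network"].ip) != prestige["secure_gateway"]:
        findings.append("Prestige Secure Gateway IP differs from the Cisco WAN address")
    elif ipaddress.ip_address(prestige["my_ip"]) in wan["network"].network:
        findings.append("both WAN addresses lie in one subnet (back-to-back is not supported)")
    # The Cisco crypto ACL must be the mirror image of the Prestige local/remote subnets.
    mirror = (ipaddress.ip_network(prestige["remote_subnet"]), ipaddress.ip_network(prestige["local_subnet"]))
    if mirror not in cisco["acls"].get(cmap.get("address"), []):
        findings.append("crypto ACL does not mirror the Prestige local/remote subnets")
    return findings

def weak_settings(cisco):
    """Flag proposal choices in this configuration that are no longer acceptable."""
    flags = []
    for name, policy in cisco["isakmp"].items():
        if policy.get("hash") == "md5":
            flags.append(f"isakmp policy {name}: MD5 hash")
        if "encryption" not in policy:
            flags.append(f"isakmp policy {name}: no encryption keyword, IOS 12.2 defaults to DES")
    for name, algs in cisco["transform_sets"].items():
        flags += [f"transform-set {name}: {alg}" for alg in algs if alg in ("esp-des", "esp-md5-hmac")]
    if len(cisco.get("isakmp_key", {}).get("key", "")) < 16:
        flags.append("isakmp pre-shared key shorter than 16 characters")
    return flags
```

Calling check_tunnel(parse_cisco_ipsec(CISCO_CONFIG), PRESTIGE_SIDE) returns an empty list for the values on this page, meaning the Cisco side is consistent with the Prestige side; weak_settings on the same parse lists the DES, MD5 and short-key choices. If the lists are clean and the tunnel still does not come up, "debug crypto ipsec" on the router is the place to watch the negotiation.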