markysharkey
Premium
join:2012-12-20
united kingd

[HELP] Small VPN conundrum!

Morning all,
I have a 2901 router that I want to set up for both Cisco VPN Client access and a site to site tunnel to carry VoIP and internal traffic. I'm all good with the configs, it's applying the crypto map xxxx that's the issue. I have 2 crypto maps (obviously) but I can only apply one at a time to an interface. How do I get both VPN types to work simultaneously? Do I need loopbacks or sub-if's or something?
--
Binary is as easy as 01 10 11


kamikatze

join:2007-11-02
kudos:2

2 edits
Use sequence numbers, and make sure the dynamic map comes last.
crypto map YourCryptoMap 2000 ipsec-isakmp
 description site-to-site
 set peer x.x.x.x
 set transform-set AESset
 match address peer_addr
 reverse-route static
crypto map YourCryptoMap 3000 ipsec-isakmp dynamic vpn_client
 

Or you could use a Virtual-Template and VTI tunnels, and not use crypto maps at all:
interface Virtual-Template2 type tunnel
 description Classic Cisco VPN Client
 ip unnumbered YourLANinterface0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1

interface Tunnel1
 description site-to-site
 ip address 1.1.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination Z.Z.Z.Z
 tunnel mode ipsec ipv4
 tunnel checksum
 tunnel protection ipsec profile VTI-Set

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to markysharkey
Second the idea of using xVTI interfaces... just got done doing a remote access VTI config between two client software installs. VTI let me specify two different sets of phase 1 / phase 2, though I haven't had a chance to test if both clients can access simultaneously yet.

Regards

markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey
Thanks guys. I'll lab those and see how I get on.


kamikatze

join:2007-11-02
kudos:2
»www.cisco.com/en/US/docs/ios-xml···nnl.html

Referenced by HELLFIRE in a similar thread. Solid Cisco documentation in there on VTIs.

markysharkey
Premium
join:2012-12-20
united kingd
Looooooong document and I get lost after a few lines... nothing new there but I will persevere. BUT... Could I use the VTI interfaces for the site to site tunnel whilst keeping the "standard" crypto map config for VPN client connectivity? I appreciate that may over complicate things a bit, but I do at least understand how that would work.
I can't get my head around the crypto map sequence number option at all. If I could see the complete config for the sequence number option I'm sure that would help.
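A complete crypto-map build of the setup asked about at the top of the thread, added here as an editor's example rather than anything kamikatze or markysharkey posted: one crypto map on the outside interface carrying a static site-to-site entry at a low sequence number and a dynamic entry for the VPN Client at the highest one. Interface names, the S2S-* / RA-* object names, the 203.0.113.2 peer, the 198.51.100.1 outside address and the 192.168.x.0 ranges are placeholders; `group 14` assumes an IOS 15.x image on the 2901 (fall back to `group 5` if the far-end image lacks it).

```cisco
! Editor's example, not from the thread. All names and addresses are placeholders.
!
! Phase 1. Site-to-site peer first, VPN Client second. IOS tries policies in
! ascending order; the client policy keeps group 2 because the classic VPN Client
! only offers a stronger group when certificates are in play.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Pre-shared key for the remote router. no-xauth is what stops IOS from pushing an
! XAUTH username/password challenge at the peer once the crypto map below enables
! client authentication; without it the site-to-site phase 1 stalls.
crypto isakmp key S2S-SECRET address 203.0.113.2 no-xauth
!
! Remote-access users and the mode-config attributes pushed to the VPN Client.
aaa new-model
aaa authentication login RA-AUTHEN local
aaa authorization network RA-AUTHOR local
username vpnuser secret ChangeMe
ip local pool RA-POOL 192.168.33.1 192.168.33.254
! Split tunnel: standard ACL, one protected network per line.
access-list 33 permit 192.168.1.0 0.0.0.255
access-list 33 permit 192.168.3.0 0.0.0.255
crypto isakmp client configuration group VPNClientGroup
 key RA-GROUP-SECRET
 pool RA-POOL
 acl 33
 dns 8.8.8.8
 domain example.local
!
! Phase 2 (tunnel mode is the default and is what a crypto map needs).
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha-hmac
crypto ipsec transform-set RA-TS esp-aes 256 esp-sha-hmac
!
! Traffic that belongs in the static tunnel.
ip access-list extended S2S-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Dynamic template: no peer and no match address, both come from the client at
! connect time. reverse-route installs a host route per connected client.
crypto dynamic-map RA-DYN 10
 set transform-set RA-TS
 reverse-route
!
! One crypto map, two entries. Static entry at a low sequence number, dynamic entry
! at the highest: entries are walked in ascending order and a dynamic entry claims
! whatever is left, so it must come last or it swallows the site-to-site peer.
crypto map OUTSIDE-MAP client authentication list RA-AUTHEN
crypto map OUTSIDE-MAP isakmp authorization list RA-AUTHOR
crypto map OUTSIDE-MAP client configuration address respond
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 description site-to-site
 set peer 203.0.113.2
 set transform-set S2S-TS
 match address S2S-ACL
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
!
! Only one crypto map per interface, which is the whole point of the two entries.
interface GigabitEthernet0/0
 description outside
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 crypto map OUTSIDE-MAP
!
! NAT runs before the crypto map on egress: exempt both protected flows or the
! translated packets never match S2S-ACL or reach the clients.
ip access-list extended NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
```

Check the result with `show crypto map` (both entries listed under OUTSIDE-MAP, the dynamic one last), `show crypto isakmp sa` (QM_IDLE for the remote router and for each connected client) and `show crypto ipsec sa` for the phase 2 counters.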


kamikatze

join:2007-11-02
kudos:2

1 edit
said by markysharkey:

Could I use the VTI interfaces for the site to site tunnel whilst keeping the "standard" crypto map config for VPN client connectivity?

Sure thing. You'll also need a transform set and a very brief profile.

!
crypto isakmp key 0 For_I_say_fortunately_I_always_carry_a_spare_set_of_feathers address Z.Z.Z.Z no-xauth
!
crypto ipsec transform-set VTI-Set esp-aes esp-md5-hmac
 mode transport
crypto ipsec profile VTI-Profile
 set transform-set VTI-Set
!
interface Tunnel1
 description site-to-site
 ip address 1.1.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination Z.Z.Z.Z
 tunnel mode ipsec ipv4
 tunnel checksum
 tunnel protection ipsec profile VTI-Profile
!
!
ip route 10.11.12.0 255.255.255.0 Tunnel1
 

markysharkey
Premium
join:2012-12-20
united kingd

2 edits
I don't see a crypto map entry that I would place under an interface for the VPN client. Clearly I'm missing something. How does the above config get me both a site to site tunnel as well as grant access to VPN clients? I see the tunnel1 interface for the tunnel. I have questions about that too, but where does the VPN client connection come in?

But from the above config...

no-xauth - what's that for?
tunnel destination Z.Z.Z.Z - would that be 1.1.1.2 255.255.255.252? or 10.11.12.x ?
I take it I can use any RFC1918 or other "non routable" address for the tunnel interfaces?
tunnel checksum - what's this for?
tunnel protection ipsec profile VTI-Profile - ditto

ip route 10.11.12.0 255.255.255.0 Tunnel1 - I think it would help if I could see the other end of the tunnel config. I assume this is the path to the far end destination. There would be a reciprocal entry far end pointing back to this router?

I think I get the crypto ipsec profile. It's used to define the transform set on the interface... isn't it?


kamikatze

join:2007-11-02
kudos:2

1 edit
said by markysharkey:

I don't see a crypto map entry that I would place under an interface for the VPN client. Clearly I'm missing something. How does the above config get me both a site to site tunnel as well as grant access to VPN clients? I see the tunnel1 interface for the tunnel. I have questions about that too, but where does the VPN client connection come in?

Ah, that's just the VTI tunnel config; you need to append it to your regular crypto map setup. Of course, the crypto map will only need to take in statements for the dynamic clients now.

quote:
no-xauth - what's that for?

If you have site-to-site and dynamic crypto on the same device, "no-xauth" will not prompt the end device for authentication (i.e. "Hey, I'm not a Cisco VPN Client, I'm trying to do site-to-site with you, I don't care about credentials").

quote:
tunnel destination Z.Z.Z.Z - would that be 1.1.1.2 255.255.255.252? or 10.11.12.x ?

None. That would be the public IP address of the remote router.
Your crypto peer.

quote:
I take it I can use any RFC1918 or other "non routable" address for the tunnel interfaces?

Yes. IPv6 too

quote:
tunnel checksum - what's this for?
tunnel protection ipsec profile VTI-Profile - ditto

Configuring End-to-End Checksumming

Some passenger protocols rely on media checksums to provide data integrity. By default, the tunnel does not guarantee packet integrity. By enabling end-to-end checksums, the Cisco IOS software drops corrupted packets.

quote:
ip route 10.11.12.0 255.255.255.0 Tunnel1 - I think it would help if I could see the other end of the tunnel config. I assume this is the path to the far end destination. There would be a reciprocal entry far end pointing back to this router?

No. It's a simple static route statement so that packets sent to 10.11.12.0/24 will be sent via Tunnel1, encrypted as per tunnel protection statement.

quote:
I think I get the crypto ipsec profile. It's used to define the transform set on the interface... isn't it?

In this case, yes. It can do much more though.
Post your running-config after you apply the changes you see best fit. We can work with that.
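The hybrid markysharkey asks about above (VTI for the site-to-site, a "standard" crypto map for the VPN Client), as an added editor's example that is not kamikatze's or markysharkey's config: the Tunnel1 half has the same shape as the snippet kamikatze posted, and the crypto map shrinks to a single dynamic entry. Object names, the 203.0.113.2 peer, the 198.51.100.1 outside address and the address ranges are placeholders.

```cisco
! Editor's example, not from the thread. All names and addresses are placeholders.
!
! Phase 1, shared by both VPN types here (the VPN Client needs pre-share + group 2).
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! Site-to-site peer keyed by address. no-xauth keeps the XAUTH challenge that the
! client crypto map enables from being sent to the remote router.
crypto isakmp key S2S-SECRET address 203.0.113.2 no-xauth
!
! Site-to-site half: static VTI protected by an IPsec profile, no crypto map involved.
crypto ipsec transform-set VTI-Set esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI-Profile
 set transform-set VTI-Set
interface Tunnel1
 description site-to-site
 ip address 172.16.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-Profile
! Routing, not a crypto ACL, decides what gets encrypted on a VTI.
ip route 192.168.3.0 255.255.255.0 Tunnel1
!
! Remote-access half: the crypto map now carries only a dynamic entry.
aaa new-model
aaa authentication login RA-AUTHEN local
aaa authorization network RA-AUTHOR local
username vpnuser secret ChangeMe
ip local pool RA-POOL 192.168.33.1 192.168.33.254
! Split tunnel: standard ACL, one protected network per line.
access-list 33 permit 192.168.1.0 0.0.0.255
access-list 33 permit 192.168.3.0 0.0.0.255
crypto isakmp client configuration group VPNClientGroup
 key RA-GROUP-SECRET
 pool RA-POOL
 acl 33
crypto ipsec transform-set RA-TS esp-aes 256 esp-sha-hmac
crypto dynamic-map RA-DYN 10
 set transform-set RA-TS
 reverse-route
crypto map CLIENT-MAP client authentication list RA-AUTHEN
crypto map CLIENT-MAP isakmp authorization list RA-AUTHOR
crypto map CLIENT-MAP client configuration address respond
crypto map CLIENT-MAP 10 ipsec-isakmp dynamic RA-DYN
!
! Both VPN types hang off the same physical interface: Tunnel1 sources its ESP here
! and the crypto map answers the clients. They do not collide because the map has
! no static entry that could claim the site-to-site traffic.
interface GigabitEthernet0/0
 description outside
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
 crypto map CLIENT-MAP
!
! NAT: LAN traffic bound for the remote site leaves via Tunnel1 (no "ip nat" there)
! and is never translated. LAN traffic to the client pool does egress Gi0/0 and
! hits NAT before the crypto map, so it has to be exempted.
ip access-list extended NAT-ACL
 deny   ip 192.168.1.0 0.0.0.255 192.168.33.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
```

`show crypto session brief` lists both kinds of session side by side: the Tunnel1 peer shows against the tunnel interface, the clients against the crypto map on GigabitEthernet0/0.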

markysharkey
Premium
join:2012-12-20
united kingd
Thanks, I will do. Just reading that document again as I go through my current "basic" site to site with crypto and "migrate" the config to the VTI options. I'll come back to this in due course.
Thanks for the help and explanations so far.

markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey
OK, here's my config and a diagram...
Routers are all 1841's. R_1 and R_3 are the endpoints. R_2 is "the internet" with EIGRP as the dynamic protocol. The 192.168.x.0 networks are NOT being advertised by EIGRP, natch.

R_1
R_1#sho run
Building configuration...
!
hostname R_1
!
enable password cisco
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool Internet
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8 8.8.4.4
   lease 3
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
username xxxxxxx privilege 15 password xxxxxxxxxx
!
!
crypto isakmp key password address 20.1.1.2 no-xauth
no crypto isakmp ccm
!
!
crypto ipsec transform-set VTI esp-aes esp-md5-hmac
!
crypto ipsec profile VTI_Profile
 set transform-set VTI
!
!
interface Tunnel1
 description site-to-site
 ip address 172.16.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 tunnel source FastEthernet0/0
 tunnel destination 20.1.1.2
 tunnel mode ipsec ipv4
 tunnel checksum
 tunnel protection ipsec profile VTI_Profile
!
! simulating a LAN host
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
router eigrp 1
 network 10.1.1.0 0.0.0.255
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.2
ip route 192.168.3.0 255.255.255.0 Tunnel1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 no login
 transport input all
!
end
 

And R_3
R_3#sho run
Building configuration...
 
Current configuration : 1986 bytes
!
hostname R_3
!
enable password cisco
!
no aaa new-model
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.3.1 192.168.3.100
!
ip dhcp pool STS
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 8.8.8.8 8.8.4.4
   lease 3
!
!
ip cef
no ip domain lookup
!
multilink bundle-name authenticated
!
!
username xxxxxxxx privilege 15 password xxxxxxxx
archive
 log config
  hidekeys
!
crypto isakmp key password address 10.1.1.1 no-xauth
!
!
crypto ipsec transform-set VTI esp-aes esp-md5-hmac
!
crypto ipsec profile VTI_Profile
 set transform-set VTI
!
!
! simulates a LAN host
interface Loopback1
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Tunnel1
 description site-to-site
 ip address 172.16.1.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 tunnel source FastEthernet0/1
 tunnel destination 10.1.1.1
 tunnel mode ipsec ipv4
 tunnel checksum
 tunnel protection ipsec profile VTI_Profile
!
!
interface FastEthernet0/1
 ip address 20.1.1.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
router eigrp 1
 network 20.1.1.0 0.0.0.255
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 20.1.1.1
ip route 192.168.1.0 255.255.255.0 Tunnel1
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.3.0 0.0.0.255
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 15 0
 logging synchronous
 no login
 transport input all
!
scheduler allocate 20000 1000
end
 

Pings from either side are as follows:
From R_1
ping 192.168.3.1 source 192.168.1.1 fails U.U.U
ping 20.1.1.1 succeeds !!!!!
ping 20.1.1.1 source 192.168.1.1 succeeds !!!!!

The reverse pings from R_3 give the same results. At this point I don't even know what to look for to diagnose it!



kamikatze

join:2007-11-02
kudos:2

3 edits
Ah, put in `mode transport` under your transform-set. You need to be in transport mode, not L2L tunnel. You only encrypt traffic between your two public IP addresses, not forming any tunnel on the fly. I missed that in my snippet. My bad.

crypto ipsec transform-set VTI esp-aes esp-md5-hmac
 mode transport
 

1. Check if your crypto phase 1 & 2 is formed.
#show crypto isakmp sa
#show crypto session brief
 

2. Remove ip nat inside from Tunnel1 on both ends. You don't need it, it doesn't make sense, you're only trying to talk to another subnet at the other end.

3. show int Tunnel1 (check if it comes up)

4. Debug with Traceroute

markysharkey
Premium
join:2012-12-20
united kingd
Tunnel doesn't come up. Pings and traceroute...

R_1#ping 192.168.3.1 source 192.168.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
U.U.U
Success rate is 0 percent (0/5)
R_1#tracer
R_1#traceroute 192.168.3.1
 
Type escape sequence to abort.
Tracing the route to 192.168.3.1
 
  1 10.1.1.2 0 msec 4 msec 0 msec
  2 10.1.1.2 !H  *  !H
 

And for reference a ping to the outside interface of R_3 from the loopback on R_1

R_1#ping 20.1.1.2 source 192.168.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
 

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to markysharkey
show crypto isakmp sa -- for phase 1

show crypto ipsec sa -- for phase 2

debug crypto ? -- is also recommended as well.

Question : in site to site, aren't you supposed to have a phase 1 proposal as well? Typically with a

crypto isakmp policy
 

statement? Or am I out to lunch on that?

Regards


kamikatze

join:2007-11-02
kudos:2
oh that too! Yes, phase1 is always nice to have

markysharkey
Premium
join:2012-12-20
united kingd
Pretend I don't know anything!

crypto isakmp policy 2
 authentication pre-share
 group 2
 encryption 3des
 hash sha
 lifetime 86400
 

Assuming that's right and that I need to do the same to both ends, then what?


HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to markysharkey
...so what's "show crypto isakmp sa" show then, markysharkey?

ANY sort of output at all?

Regards


kamikatze

join:2007-11-02
kudos:2
reply to markysharkey
Sorry mate, haven't done this crypto thingy in a while now, bear with me here.
Somehow I assumed you already had a working config and you only wanted to convert it to VTI, but let's start over. Get the phase 1 policy in place, then give us some output. ANY output, but crypto, not ICMP.

markysharkey
Premium
join:2012-12-20
united kingd
reply to HELLFIRE
No, nothing...

!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 20.1.1.2 no-xauth
no crypto isakmp ccm
!
!
crypto ipsec transform-set VTI esp-aes esp-md5-hmac
 mode transport
!
crypto ipsec profile VTI_Profile
 set transform-set VTI
!
!
interface Tunnel1
 description site-to-site
 ip address 172.16.1.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 20.1.1.2
 tunnel mode ipsec ipv4
 tunnel checksum
 tunnel protection ipsec profile VTI_Profile
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 

R_1#sho crypto isakmp sa
dst             src             state          conn-id slot status
 
R_1#
 


kamikatze

join:2007-11-02
kudos:2
You need to generate some traffic first so ipsec gets triggered. Try to ping the other side (192.168.x.x), then show cry isakmp sa

markysharkey
Premium
join:2012-12-20
united kingd
R_1#ping 192.168.3.1 source 192.168.1.1
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
U.U.U
Success rate is 0 percent (0/5)
R_1#
R_1#sho crypto isa
R_1#sho crypto isakmp sa
dst             src             state          conn-id slot status
 
R_1#
 


kamikatze

join:2007-11-02
kudos:2
#sh int tu1
#debug crypto isakmp
#terminal monitor

markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey
Spotted a mistake with R_3 now corrected.
Sorry guys. My bad. It works!!!

markysharkey
Premium
join:2012-12-20
united kingd
reply to markysharkey
Next task is to add a "normal" VPN client set up to R_3. I'd appreciate the pointers for that now, if you can bear it!


kamikatze

join:2007-11-02
kudos:2
First you need another phase1 proposal for the "vintage" VPN Client. A more laid back one.
Something like:
! A policy left at IOS defaults (des, sha, rsa-sig, group 1) cannot match the
! VPN Client, which offers a pre-shared group key with DH group 2, so the
! "laid back" client policy still has to spell out pre-share and group 2.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
 

Set your aaa (i'm assuming your VPN client credentials are verified against the local IOS database)

aaa new-model
!
aaa authentication login vpn local
aaa authorization network vpn local
 

Then sprinkle in some more stuff:
!
! This should be in a subnet of its own
ip local pool VPN-Pool 192.168.33.1 192.168.33.254
!
! Also your split tunnel traffic matching
! Numbered 1-99 means a standard ACL: one network per line, no protocol or destination field
access-list 33 permit 192.168.0.0 0.0.255.255
!
crypto isakmp client configuration group VPNClientGroup
 key SomeSecret
 dns 8.8.8.8 8.8.4.4
 domain breakfastLabs.local
 pool VPN-Pool
 acl 33
 
crypto isakmp profile VPNClientProfileP1
   match identity group VPNClientGroup
   client authentication list vpn
   isakmp authorization list vpn
   client configuration address respond
   keepalive 60 retry 15
   virtual-template 2
 

Now a new transform-set for VPN Client (tunnel mode). Phase 2.

!
crypto ipsec transform-set VPNClientSet esp-3des esp-md5-hmac
 mode tunnel
!
crypto ipsec profile VPNClientProfileP2
 set transform-set VPNClientSet
!
 

And finally the Virtual-Template. Because traffic has to flow through some sort of... tube.
interface Virtual-Template2 type tunnel
 description Cisco Vintage VPN Client
! This is your LAN interface
 ip unnumbered fa0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPNClientProfileP2
 

Hey! No crypto-maps!
But Jesus Christ you avoid one thing and use 20 more config lines. Well.. how do i put this.. JunOS is nicer to read! :)

markysharkey
Premium
join:2012-12-20
united kingd
I'm gonna lab that tomorrow 'cos here in the UK, it's bed time. I'll let you know how I get on. But if there's a better way, now's the time.

BIG MASSIVE thank-yous to Kamikatze and Hellfire for sticking with me.

Never even seen a Junos device... We're a Cisco house. Say it loud, say it proud!!!


Paulg
Displaced Yooper
Premium
join:2004-03-15
Neenah, WI
kudos:1
reply to kamikatze
Why 3DES for the client? The Cisco VPN Client is capable of AES-256; I can't see any reason to configure it with a weaker cipher. Additionally, the Mac client will flat out refuse to connect to certain weaker ciphers.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to markysharkey
said by markysharkey:

Next task is to add a "normal" VPN client set up to R_3. I'd appreciate the pointers for that now

Was going to say you can pretty much crib Network Guy's and my learning experience from this thread.
Crypto configs all confirmed to be working without issue... just watch out if you plan any ACL / firewall configs.

Here's another config freebie for you markysharkey, which offers SVTI, DVTI, SSL VPN and L2TP over IPSec in one.

said by Paulg:

Why 3des for the client? the Cisco VPN client is capable of AES-256;

Seconded Paulg, though seriously the limitations of the old 5.x client make me rather hesitant, especially if
you are doing this with "secure" in mind. From my most recent learning experiences:

- what hash algorithms it doesn't support is unknown
- DH Group 5 (which is "deprecated" per Suite B), and also needs certificates to be installed
- PFS support / behavior is whacky as heck...

said by kamikatze:

Well.. how do i put this.. JunOS is nicer to read!

_IF_ you're a programmer, which I'm not, kamikatze...

Regards


Paulg
Displaced Yooper
Premium
join:2004-03-15
Neenah, WI
kudos:1
For the most part, I have ceased building IPSec RA tunnels into my configs for routers I deploy to customers. Sell them an SSL cert and AnyConnect and away we go. A much easier platform for the user to use, and a much more robust set of ciphers, not to mention the fact that the IPSec client is EOS and EOL and doesn't work on Windows 8.

markysharkey
Premium
join:2012-12-20
united kingd
reply to HELLFIRE
Yes I've been visiting the thread you had going with Network Guy. There's a LOT of config in there that I need to pick apart.

PaulG.. Mac client? Over my dead body!

I seem to have read somewhere that AES-256 *requires* DH Group 5 and that in turn requires certificates or some other "extra" configuration that just makes life more complicated.

This VPN stuff is a journey for me. 1st is to get it going with VTI tunnels (or Site-to-Site VPN with crypto maps if I must...) whilst allowing Cisco VPN 5.0.44.xxx client software to connect. Once I have that config understood I'll move on to QuickVPN and from there to SSL VPN, so I have a way to go yet!

With regard to VTI + Cisco VPN Client, I need to revisit Kamikatze's first post as I fear I may not have understood his offering there for tunnels + VPN Client connectivity. More lab work, which will no doubt lead to more questions!

Edited to add, PaulG yes I know the VPN Client is going EOL, but it will be with us for a while yet. But I *want* to move on to SSL VPN and the IOS configuration requirements thereof. I also need to know which SSLVPN .exe I need to download from Cisco 'cos they don't exactly make it clear.
