Lan to Lan Connection Using IPSec

Discussion in 'Routing & Switching' started by Robt800, Apr 27, 2011.

  1. Robt800

    Robt800 Bit Poster

    View attachment spoke_configv2.doc View attachment SysGate_Router_Config110420v2.doc

    Hi,

    I'm trying to create a secure tunnel between our office & my home. The aim being that if I ping a 192.168.100.x number (the office), then it works, even if I'm sat on my 192.168.3.x number at home.

    I've followed a Cisco document on how to create this and have come up against a slight issue. If I apply this to my interface (BVI1) I can't get on the internet on the same interface. The BVI is the bridge between the LAN ports & the wireless. I would like the wireless to be able to access the internet or the office router. I am quite a novice so any help would be appreciated.

    I've attached my configs for anyone to check against & make sure I haven't done other bits wrong.

    Thanks for looking

    Rob
     
  2. jonny7_2002

    jonny7_2002 Byte Poster

    If you take a look at the attached config then you should be able to figure out where you are going wrong......

    The document has a quick draw-up of the config for one router that I currently use, with a few bits omitted (not needed). The VPN works a treat and so does the internet.

    Take a look and see if it helps; if not then let me know what routers you have and I will try to create a config for you......this will be a last resort as I'm a firm believer in trying first! :D

    Good luck!
    Jon
     

    Attached Files:

    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  3. keconnect sparky

    keconnect sparky Nibble Poster

    Basically what jonny7_2002 has said...

    So it looks to me like you're trying to implement a Site-2-Site VPN. I have this set up to my brother's router so I can VNC/remote desktop from my private subnet 10.14.0.x to his private subnet 192.168.1.x without having to worry about security or public IPs and port forwarding, poking holes in firewalls etc. etc.

    So basically what you need to bring up the IPSEC tunnel (IKE Phase 2) is the following information;
    # Remote IP or Hostname (most commonly IP)
    # Key distribution method (level of Diffie-Hellman)
    # Authentication method (pre-shared keys or certificates)
    # Encryption Algorithm (what size and strength of symmetric encryption to use for IKE Phase 1 tunnel)
    # Hash Algorithm (MD5 or SHA-1 - hashing is making sure that the data within the packet does not change/is tampered with from start to finish)
    # Lifetime (How long does the tunnel live for)

    In order for the tunnel to work, the key is symmetry: everything has to match on either side, so router A has to have the same policy as router B. For the VPN below I have used;

    Encryption: AES-128bit
    Hashing: SHA-1
    Authentication: Pre-Shared
    DH level: 2
    Lifetime: 86,400 (24 hours, but the config takes it in seconds)

    So this is the information I have used in a policy on both sides of the router. You can have multiple policies... because the router will work its way down the list of policies until it finds a match. If it does not find a match the tunnel will not be brought up (hence the bit about matching above is CRUCIAL).

    Now we know what we want to use, we need to map out how we want to secure the IPSEC tunnel (IKE Phase 2). It is a bit like FTP, in how there is a port for the connection plane (TCP Port 20), then one for the data (TCP Port 21), anyway...

    This is done with the following;
    # Transform Set (Level of encryption and hashing - AES and DES etc)
    # Peer Information (Remote IP)
    # Interesting traffic designation (What needs to be encrypted)

    I have used the following Encryption and Hashing (which is pretty secure, better than the default policy, and is a good compromise between speed and security):

    Encryption: ESP-AES
    Hashing: ESP-SHA-HMAC

    So bearing in mind the above, these are the parts of my config of interest:

    !
    !
    crypto isakmp policy 10
     encr aes
     ! I'm using pre-shared keys, not certificates
     authentication pre-share
     group 2
    ! 92.29.1x6.xx is the public IP of the remote router; "example" is the pre-shared key you would use for authentication. This needs to match on both sides, so "example" could be "cisco" or whatever you like
    crypto isakmp key example address 92.29.1x6.xx
    !
    !
    ! My transform set is called BRUVVPN, so I know what the hell it is in the config
    crypto ipsec transform-set BRUVVPN esp-aes esp-sha-hmac
    !
    ! Try and name the map something meaningful; this is short for Site-2-Site
    crypto map S2S-VPN 100 ipsec-isakmp
     ! Public IP of remote router
     description Tunnel to 92.29.116.xx
     set peer 92.29.1x6.xx
     ! Name of the transform set as defined above
     set transform-set BRUVVPN
     ! Interesting traffic designation
     match address S2S-VPN-TRAFFIC
    !
    !
    !

    We then need to place the crypto map on an interface;

    interface Dialer0
     description ==-WAN-==
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     no ip route-cache cef
     ip route-cache flow
     no ip mroute-cache
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap pap callin
     ppp chap hostname MYADSL USERNAME
     ppp chap password 7 MY ADSL PASSWORD
     ppp pap sent-username MYADSL USERNAME password 7 MY ADSL PASSWORD
     ! HERE IT IS, this name is the name of the crypto map
     crypto map S2S-VPN


    Now we need to set up NAT as you normally would, but instead of an access-list we use a route map;

    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

    The route map above used for NAT is below;
    !
    !
    route-map SDM_RMAP_1 permit 1
     ! So I have an access list that is called NAT, as shown below
     match ip address NAT
    !
    !

    Here are the access-lists needed for the route map/NAT;

    ip access-list extended NAT
     ! This is my local subnet (source) going to a destination of my brother's local subnet; don't want this NAT'ed
     deny ip 10.14.0.0 0.0.0.255 192.168.1.0 0.0.0.255
     ! Now I need to NAT the rest of my local subnet so I can access the internet!
     permit ip 10.14.0.0 0.0.255.255 any


    This is the "interesting traffic" I mentioned earlier, in an access list, so it is allowing my local subnet to my brother's.

    ip access-list extended S2S-VPN-TRAFFIC
     permit ip 10.14.0.0 0.0.0.255 192.168.1.0 0.0.0.255


    Now the config on the other router needs to match this, but you need to swap a few bits over, such as the source and destination parts on the access-lists.

    So you should end up with something like;

    2621XM-A#show crypto map
    Crypto Map "S2S-VPN" 100 ipsec-isakmp
    Description: Tunnel to 92.29.1x6.xx
    Peer = 92.29.1x6.xx
    Extended IP access list S2S-VPN-TRAFFIC
    access-list S2S-VPN-TRAFFIC permit ip 10.14.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    Current peer: 92.29.1x6.xx
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    BRUVVPN,
    }
    Interfaces using crypto map S2S-VPN:
    Virtual-Access2
    Dialer0


    Now you need to bring the VPN up as it is currently down, so send a ping across from your local subnet to your office, but remember to change the ping source to your local subnet (otherwise it will be NAT'ed and won't come from a source of your local network, but will be the public IP and the tunnel won't come up). See below;

    2621XM-A#ping 192.168.1.1 source fa0/0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    Packet sent with a source address of 10.14.0.1 (the packet is NOT NAT'ed)
    .!!!!
    Success rate is 80 percent (4/5) (remember you need to allow for ARP, hence the one lost packet), round-trip min/avg/max = 88/92/104 ms

    So now the tunnel is up, check it with;

    2621XM-A#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst src state conn-id slot status
    92.29.1x6.xx 109.170.1x7.xx QM_IDLE 1004 0 ACTIVE

    IPv6 Crypto ISAKMP SA

    Woolia, all good in the hood! hope that makes sense
     
    Certifications: MCP, CCENT, CCNA, CCNA-S
    WIP: CCNP (ROUTE)
  4. Robt800

    Robt800 Bit Poster

    Thanks a lot for the responses

    Worked my way through keconnect sparky's example & couldn't get it quite right (but at least I could still get on the net!) - so I wondered what's the easiest way to troubleshoot this?

    Also once I get this going - my home IP isn't static & I would like to alter the config on the work one to be more dynamic

    Thanks a lot for the help - I really do appreciate it

    Rob
     
  5. keconnect sparky

    keconnect sparky Nibble Poster

    Glad you're getting somewhere Robt800,

    Could you show me the output of these commands on both the home and office routers;
    show crypto map
    show ip access-lists
    show run | s crypto

    That's how I would troubleshoot it; it mainly comes down to making sure the configs are identical (well, to some degree...all it takes is a wrong wildcard mask in an access-list or an interface not assigned to a crypto map...)
     
    Certifications: MCP, CCENT, CCNA, CCNA-S
    WIP: CCNP (ROUTE)
  6. Robt800

    Robt800 Bit Poster

    View attachment spoke110504.doc View attachment SysGate110504.doc

    Hi,

    I've had a look through the outputs & corrected some minor probs - but still having some issues pinging the office (& remembering to put the source address on).

    If you wouldn't mind having a look for me

    Thanks a lot

    Rob

    edit: just noticed an old crypto cisco123 - could the router be scanning & trying to use this one first?
     
    Last edited: May 4, 2011
  7. keconnect sparky

    keconnect sparky Nibble Poster

    The only way the router would use an old policy is if the policy number was lower (lower the better). I presume we are talking about ISAKMP policies, i.e.;

    crypto isakmp policy 10 would be used to bring up the first part of the isakmp tunnel with the other router first over say crypto isakmp policy 50, but if the router could not find a match on the other router it would then try using policy 50 .....

    Are you sure the host(s) you are pinging on the other side are set to reply to icmp? i.e the local firewall is not blocking it?

    if you run

    #show crypto isakmp sa

    this will show you if the tunnel is up (but you will need to send traffic to the other side first, to trigger the VPN...)
     
    Certifications: MCP, CCENT, CCNA, CCNA-S
    WIP: CCNP (ROUTE)
  8. jonny7_2002

    jonny7_2002 Byte Poster

    post both your configs again......
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  9. Robt800

    Robt800 Bit Poster

    Hi guys,

    Sorry for the delay in coming back (hate being slow to reply when people are taking the time to help me out) - just been really busy at work with a new client.

    Can't get to my router at the min - but will check a few things tomorrow (I think the office one does block icmp - as I'm sure I can't ping servers from the outside, but can rdc onto them)

    I'll also post the full configs as now

    Thanks

    Rob
     
  10. Robt800

    Robt800 Bit Poster

  11. keconnect sparky

    keconnect sparky Nibble Poster

    Okay, so the VPN tunnel is still not up, looks like you got a few issues in the two configs, only small minor errors, see below;

    remove these lines from sysgate110507.doc config

    crypto keyring spokes
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123

    ip nat source list 1 interface FastEthernet0/1

    add this line (which is the PSK for the two routers, this needs to be the same on the other side, except the peer address)
    crypto isakmp key (a key of your choice) address (IP of the other router)


    This part of the config needs to change from:

    ip nat inside source route-map RMP_1 interface Dialer0 overload

    to

    ip nat inside source route-map RMAP_1 interface Dialer0 overload


    Now the other router. On the router in config doc spoke110507, remove the line;

    ip nat inside source list 1 interface Dialer0 overload


    now add the PSK line as you did on the other router;
    crypto isakmp key (the same key you choose on the other router) address (IP of the other router)


    That should do it. The ping in my example was just some traffic to fire the VPN connection up, that's all (as it's quick/simple and I know my hosts respond to ICMP); in your case it could be an RDP session or anything you like......
     
    Certifications: MCP, CCENT, CCNA, CCNA-S
    WIP: CCNP (ROUTE)
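
An added example, not part of any poster's reply: a small Python check for the mismatches this thread keeps running into (no matching ISAKMP policy or transform set, a wrong wildcard mask in the crypto ACL, a crypto map not applied to an interface, a NAT statement naming a route-map that does not exist). The two configs are constructed samples that reuse the subnets and names from the posts above; the peer addresses are documentation placeholders, `summarize` and `check_pair` are hypothetical helper names, and sub-commands are assumed to be indented as in a real `show run`.

```python
# Constructed configs, trimmed to VPN-relevant lines; peer IPs are placeholders.
# HOME misspells its NAT route-map; OFFICE has a wrong wildcard and an unapplied map.
import re

HOME = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set BRUVVPN esp-aes esp-sha-hmac
crypto map S2S-VPN 100 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set BRUVVPN
 match address S2S-VPN-TRAFFIC
interface Dialer0
 crypto map S2S-VPN
ip nat inside source route-map RMP_1 interface Dialer0 overload
route-map RMAP_1 permit 1
 match ip address NAT
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 10.14.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
OFFICE = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec transform-set BRUVVPN esp-aes esp-sha-hmac
crypto map S2S-VPN 100 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set BRUVVPN
 match address S2S-VPN-TRAFFIC
interface Dialer0
 ip nat outside
ip access-list extended S2S-VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.255.255 10.14.0.0 0.0.0.255
"""

def summarize(cfg):
    """Collect the VPN-relevant facts from an indented running-config."""
    s = {"isakmp policy": set(), "transform set": set(), "maps": {}, "acls": {},
         "applied": set(), "nat_rmaps": set(), "rmaps": set()}
    for head, raw in re.findall(r"^(\S.*)\n((?:[ \t].*\n)*)", cfg + "\n", re.M):
        w, body = head.split(), [b.strip() for b in raw.splitlines() if b.strip() != "!"]
        if w[:3] == ["crypto", "isakmp", "policy"]:
            s["isakmp policy"].add(frozenset(body))
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            s["transform set"].add(frozenset(w[4:]))
        elif w[:2] == ["crypto", "map"]:
            s["maps"][w[2]] = dict(b.split()[1:3] for b in body
                                   if b.startswith(("set ", "match ")))
        elif w[:3] == ["ip", "access-list", "extended"]:
            s["acls"][w[3]] = [tuple(b.split()) for b in body]
        elif w[0] == "interface":
            s["applied"] |= {b.split()[2] for b in body if b.startswith("crypto map ")}
        elif w[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            s["nat_rmaps"].add(w[5])
        elif w[0] == "route-map":
            s["rmaps"].add(w[1])
    return s

def check_pair(a_cfg, b_cfg):
    """Return the mismatches between two routers that would keep the tunnel down."""
    a, b = summarize(a_cfg), summarize(b_cfg)
    out = [f"no {k} common to both routers"
           for k in ("isakmp policy", "transform set") if not a[k] & b[k]]
    for name, r in (("A", a), ("B", b)):
        out += [f"{name}: crypto map {m} not applied to any interface"
                for m in r["maps"] if m not in r["applied"]]
        out += [f"{name}: NAT uses undefined route-map {n}"
                for n in sorted(r["nat_rmaps"] - r["rmaps"])]
    # Assumes one crypto map per router and 'permit ip <src> <wc> <dst> <wc>' ACL lines.
    acl_a, acl_b = (r["acls"][next(iter(r["maps"].values()))["address"]] for r in (a, b))
    if [(e[0], e[1], *e[4:6], *e[2:4]) for e in acl_a] != acl_b:
        out.append("crypto ACLs are not mirror images")
    return out

for problem in check_pair(HOME, OFFICE):
    print(problem)
```
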
  12. Robt800

    Robt800 Bit Poster

    Well thanks to all the help I seem to be making progress!

    I think the tunnel is working, because when I run the:
    show crypto isakmp sa

    I get details of the tunnel & the fact that it is active. (but interestingly shows deleted in brackets next to the active column?)

    However I still can't rdp onto any of the usual servers. I presume this is a firewall as port 3389 is defined as user protocol 2. I've tried changing some of the policy maps that include the user protocol 2 from inspect to allow, but this hasn't sorted it yet.

    I plan on having another look at this tomorrow night with a clear head!

    Thanks

    Rob
     
  13. craigie

    craigie Terabyte Poster

    Post your config mate and when I get 5 minutes I will tell you where the problem is.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  14. Robt800

    Robt800 Bit Poster

    Config is attached

    Cheers

    Rob
    View attachment sysgate110511.doc
     
  15. craigie

    craigie Terabyte Poster

    OK mate, first of all let's strip your config back to basics. Don't use the SDM Firewall as it can play havoc with traffic passing across a VPN tunnel and in this instance, let's get it working then apply firewall rules afterwards.

    Config is below. I have changed your encryption to 3DES SHA, so you will need to do the same the other end. You had dynamic VPN policies being applied as well and no access lists on the outside interface. I have tidied this up; it should all make sense.

    Edit: The NAT Policies and the ACL outside-in allow you to access the RDP and other services behind this router.

    Current configuration : 4354 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SysGate
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 $1$y9A/$zxuPun550Xm2d8cYTxbpH.
    !
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-1700639775
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1700639775
    revocation-check none
    rsakeypair TP-self-signed-1700639775
    !
    !
    crypto pki certificate chain TP-self-signed-1700639775
    certificate self-signed 01
    quit
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    !

    !
    !
    no ip domain lookup
    ip domain name SysServers.local
    !
    !
    !
    username admin privilege 15 secret 5 $1$uOuY$w7wuCGXV9Saio7xLLEhbc1
    !
    !
    crypto isakmp policy 10
    hash sha
    authentication pre-share
    group 2
    crypto isakmp key password address IPAddress no-xauth
    !
    !
    crypto ipsec transform-set Myset esp-3des esp-sha-hmac
    !
    crypto map s2s-vpn 10 ipsec-isakmp
    set peer IP Address
    set transform-set Myset
    match address s2svpn
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    description LAN
    ip address 192.168.100.1
    ip access-group lantraffic in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Dialer1
    ip address negotiated
    ip access-group outside-in in
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap chap callin
    ppp chap hostname [email protected]
    ppp chap password 7 ISP Password
    crypto map s2s-vpn
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list nat interface Dialer1 overload
    ip nat inside source static tcp 192.168.100.234 3389 IP Address 3389 extendable
    ip nat inside source static tcp 192.168.100.242 10783 IP Address 10783 extendable
    ip nat inside source static tcp 192.168.100.242 12373 IP Address 12373 extendable
    ip nat inside source static tcp 192.168.100.244 21 IP Address 21 extendable
    ip nat inside source static tcp 192.168.100.243 21 IP Address 21 extendable
    !
    ip access-list extended lantraffic
    permit ip any any
    ip access-list extended nat
    deny ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.100.0 0.0.0.255 any
    ip access-list extended s2svpn
    permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
    ip access-list extended outside-in
    permit icmp any any
    permit tcp any eq 3389 host 192.168.100.234 eq 3389
    permit tcp any eq 10783 host 192.168.100.232 eq 10783
    permit tcp any eq 12373 host 192.168.100.242 eq 12373
    permit tcp any eq 21 host 192.168.100.244 eq 21
    permit tcp any eq 21 host 192.168.100.243 eq 21
    permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
    !
    no cdp run
    !
    !
    !
    control-plane
    !
    banner motd ^C ##### No Unauthorised Access ##### ^C
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    password 7 Password
    transport input ssh
    !
    scheduler max-task-time 5000
    end
     
    Last edited: May 12, 2011
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  16. jonny7_2002

    jonny7_2002 Byte Poster

    On another note, you could just use tunnel interfaces......? I find using these is easier and more logical in my head :rolleyes:

    Attached a 2 minute design diagram... sysgatespoke.jpg

    On the SysGate router.......

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set T1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile P1
    set transform-set T1
    !
    interface Tunnel0
    description VPN_TO_SPOKE
    ip address 192.168.0.1 255.255.255.252
    tunnel source Dialer1
    tunnel destination <SPOKE PUBLIC IP>
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile P1
    !
    ip route 192.168.1.0 255.255.255.0 Tunnel0

    On the Spoke router.......

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set T1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile P1
    set transform-set T1
    !
    interface Tunnel0
    description VPN_TO_SYSGATE
    ip address 192.168.0.2 255.255.255.252
    tunnel source Dialer1
    tunnel destination <SYSGATE PUBLIC IP>
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile P1
    ip route 192.168.100.0 255.255.255.0 Tunnel0

    If you want a basic firewall .......
    You could put this on both routers and amend it to any specific needs of the site.....

    ip access-list extended BLOCK_ALL
    permit ip host <REMOTE ROUTER PUBLIC IP> any
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any unreachable
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any

    ip inspect name DIALER_OUT cuseeme
    ip inspect name DIALER_OUT ftp
    ip inspect name DIALER_OUT h323
    ip inspect name DIALER_OUT icmp
    ip inspect name DIALER_OUT netshow
    ip inspect name DIALER_OUT rcmd
    ip inspect name DIALER_OUT realaudio
    ip inspect name DIALER_OUT rtsp
    ip inspect name DIALER_OUT esmtp
    ip inspect name DIALER_OUT sqlnet
    ip inspect name DIALER_OUT streamworks
    ip inspect name DIALER_OUT tftp
    ip inspect name DIALER_OUT tcp router-traffic
    ip inspect name DIALER_OUT udp router-traffic timeout 300
    ip inspect name DIALER_OUT vdolive
    ip inspect name DIALER_OUT dns

    interface Dialer1
    ip access-group BLOCK_ALL in
    ip inspect DIALER_OUT out

    Hope this doesn't confuse matters too much! :biggrin

    Cheers
    Jon
     
    Last edited: May 13, 2011
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  17. Robt800

    Robt800 Bit Poster

    Well thanks a lot for all the help.

    Spoke to the boss & he wasn't too keen on me stripping out the firewall. So he gave me an 1800 series router to configure as the new replacement that we can test with & get spot on before replacing the existing one.

    Doddle I thought! Trying to get the existing config onto the new test router, but there is no ATM interface. Searched the internet, but can't find any answers?

    Would somebody mind explaining it to me? All this is spot on learning & I do appreciate all the help

    Rob
     
  18. jonny7_2002

    jonny7_2002 Byte Poster

    Is there a physical DSL interface??
    if you type "show ip int brie" or "show int" what does it show?
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  19. craigie

    craigie Terabyte Poster

    Yep, as Jonny7 mentions it might not have the HWIC ADSL Card.

    One of my colleagues recently implemented a Site to Site VPN using a Cisco 877 and using the SDM to put in place the Firewall on the low setting, it blocked AD replication!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  20. Robt800

    Robt800 Bit Poster

    View attachment interface.doc
    Attached is the show ip interface brief.

    If this won't work with ADSL, would somebody mind explaining why - just to help further my understanding

    Thanks a lot
     
