UC520 Dual ISP and VPN Server

Unanswered Question
Feb 19th, 2010

I have a client with dual ISPs - one via cable and one via PPPoE DSL.  I had to put the DSL link on the FastEthernet 0/0 since that was the only place to check the box in CCA for PPPoE.  Now he wants to set up VPN on the cable internet link.  I created another WAN interface (using another VLAN, adding one switchport to this VLAN and turning on DHCP on the VLAN interface) and am using reliable static routing with object tracking to determine if the link is up, essentially providing failover for the internet.  Problem is VPN server configuration won't allow me to select this virtual interface in CCA as the "outside" untrusted interface.  Is there any workaround or am I forced to do this via CLI only?  TIA

mh

John Platts Fri, 02/19/2010 - 12:42

You should specify the default WAN interface as the untrusted interface for the Easy VPN server. Easy VPN server configuration in CCA 1.9 and later uses the DVTI interface, and the Easy VPN configuration in CCA actually does not hardcode WAN IP addresses.

mhulliga Mon, 02/22/2010 - 07:33

John,

If I understand correctly then it doesn't matter which outside interface the actual IPsec traffic arrives over for the Easy VPN Server to function correctly? I'm unsure what DVTI refers to.   I apologize if I seem obtuse!

mh

John Platts Mon, 02/22/2010 - 07:47

Here is a sample Easy VPN server configuration on the UC520:

aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key ezvpnkey1
 pool EZVPN_POOL_1
 acl 106
 max-users 10
!
crypto isakmp profile sdm-ike-profile-1
 match identity group EZVPN_GROUP_1
 client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
 isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
interface Virtual-Template1 type tunnel
 ip unnumbered BVI1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool EZVPN_POOL_1 192.168.10.245 192.168.10.254
!
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
!

Note that this configuration will actually terminate Easy VPN traffic coming in on either WAN interface. Note that settings in the example configuration might not be the correct settings on your UC520. CCA 1.9 and later configure the Easy VPN server similar to the configuration shown above.
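One way to check a saved configuration for the property described above, as an added example that is not part of the original thread and not Cisco or CCA code: it follows the chain ISAKMP profile -> virtual-template -> tunnel interface -> IPsec profile and lists any interface that carries a `crypto map`, which would tie IPsec termination to that interface. The function names and the sample text are assumptions; the sample is abridged from the post and assumes sub-commands are indented as in `show running-config` output.

```python
import re

# Constructed sample, abridged from the configuration posted above.
SAMPLE = """\
crypto isakmp profile sdm-ike-profile-1
 virtual-template 1
!
crypto ipsec profile SDM_Profile1
 set isakmp-profile sdm-ike-profile-1
!
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface FastEthernet0/0
 no ip address
"""

def sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and current is not None:
            out[current].append(line.strip())
        else:
            current = line.strip()
            out[current] = []
    return out

def dvti_report(config):
    """Return (is_dvti, interfaces_with_crypto_map) for a saved IOS config."""
    sec = sections(config)
    is_dvti = False
    for head, body in sec.items():
        if not head.startswith("crypto isakmp profile "):
            continue
        ike = head.split()[-1]
        for num in re.findall(r"^virtual-template (\d+)$", "\n".join(body), re.M):
            # Find the tunnel interface the ISAKMP profile clones for each client.
            vt = next((b for h, b in sec.items() if re.match(rf"interface Virtual-Template{num}\b", h)), [])
            prof = [c.split()[-1] for c in vt if c.startswith("tunnel protection ipsec profile ")]
            ipsec = sec.get(f"crypto ipsec profile {prof[0]}", []) if prof else []
            if "tunnel mode ipsec ipv4" in vt and f"set isakmp-profile {ike}" in ipsec:
                is_dvti = True
    # A crypto map applied under an interface pins IPsec to that interface.
    pinned = [h.split()[1] for h, b in sec.items() if h.startswith("interface ") and any(c.startswith("crypto map ") for c in b)]
    return is_dvti, pinned
```

For the sample, `dvti_report(SAMPLE)` returns `(True, [])`: the server is template-based and no WAN interface is named anywhere in the VPN configuration.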
