Remote access VPN to Cisco 871 ISR

Mar 2nd, 2010

Hi All

I want to change an existing Cisco 871 config, so it will support VPN client access.

I had several tries but without luck. It seems I am doing something wrong. I hope to get a good course on this subject in the near future, but for the short term perhaps someone can look this over and leave a comment.

Below is first the original config, and after that the things that - IMHO - should be added.

I tried to use CCP and SDM but they leave all kinds of rubbish, enormous access-lists and so on.

Thanks in advance,

Erik

==

- IOS version = c870-advipservicesk9-mz.124-24.T2.bin

- local radius authentication

- NAT

!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16348 informational
enable secret 5 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.128.7.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods
 action-type start-stop
 group rad_acct
!
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-127833653
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-127833653
 revocation-check none
 rsakeypair TP-self-signed-127833653
!
!
crypto pki certificate chain TP-self-signed-127833653
 certificate self-signed 01
  quit
dot11 syslog
!
dot11 ssid xxxxxxxxxxx
 vlan 10
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 xxxxxxxxxxxxxxx
!
ip source-route
!
!
ip dhcp excluded-address 10.128.7.0 10.128.7.100
ip dhcp excluded-address 10.128.7.250 10.128.7.254
!
ip dhcp pool VLAN10-STAFF-SERVERS
 import all
 network 10.128.7.0 255.255.255.0
 default-router 10.128.7.254
 dns-server 10.128.7.5 10.128.7.15
 netbios-name-server 10.128.7.5
 domain-name xxxx.xx
 lease 4
!
!
ip cef
no ip domain lookup
ip domain name xxxxxxxx.xx
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
!
!
username cisco privilege 15 secret 5 cisco
!
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 description Connection to ISP
 no ip address
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 10 mode ciphers aes-ccm
 !
 ssid xxxxxxxxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
 bridge-group 10 subscriber-loop-control
 bridge-group 10 spanning-disabled
 bridge-group 10 block-unknown-source
 no bridge-group 10 source-learning
 no bridge-group 10 unicast-flooding
!
interface Vlan1
 ip address aaa.bbb.140.177 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip nat outside
 no ip virtual-reassembly
 no autostate
 hold-queue 100 out
!
interface Vlan10
 description STAFF wired
 no ip address
 ip nat inside
 no ip virtual-reassembly
 no autostate
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface Dialer1
 mtu 1492
 ip unnumbered Vlan1
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip inspect MYFW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username [email protected] password 7 xxxxxxxxxxx
!
interface BVI10
 description Bridge to Staff server network
 ip address 10.128.7.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http secure-client-auth
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface Vlan1 overload
ip nat inside source static tcp 10.128.7.1 25 aaa.bbb.140.178 25 extendable
ip nat inside source static tcp 10.128.7.1 80 aaa.bbb.140.178 80 extendable
ip nat inside source static tcp 10.128.7.1 443 aaa.bbb.140.178 443 extendable
ip nat inside source static tcp 10.128.7.2 25 aaa.bbb.140.179 25 extendable
ip nat inside source static tcp 10.128.7.2 80 aaa.bbb.140.179 80 extendable
ip nat inside source static tcp 10.128.7.2 443 aaa.bbb.140.179 443 extendable
ip nat inside source static tcp 10.128.7.3 25 aaa.bbb.140.180 25 extendable
ip nat inside source static tcp 10.128.7.3 80 aaa.bbb.140.180 80 extendable
ip nat inside source static tcp 10.128.7.3 443 aaa.bbb.140.180 443 extendable
ip nat inside source static tcp 10.128.7.4 25 aaa.bbb.140.181 25 extendable
ip nat inside source static tcp 10.128.7.4 80 aaa.bbb.140.181 80 extendable
ip nat inside source static tcp 10.128.7.4 443 aaa.bbb.140.181 443 extendable
ip nat inside source static tcp 10.128.7.5 25 aaa.bbb.140.182 25 extendable
ip nat inside source static tcp 10.128.7.5 80 aaa.bbb.140.182 80 extendable
ip nat inside source static tcp 10.128.7.5 443 aaa.bbb.140.182 443 extendable
ip nat inside source static tcp 10.128.7.6 25 aaa.bbb.140.183 25 extendable
ip nat inside source static tcp 10.128.7.6 80 aaa.bbb.140.183 80 extendable
ip nat inside source static tcp 10.128.7.6 443 aaa.bbb.140.183 443 extendable
ip nat inside source static tcp 10.128.7.7 25 aaa.bbb.140.184 25 extendable
ip nat inside source static tcp 10.128.7.7 80 aaa.bbb.140.184 80 extendable
ip nat inside source static tcp 10.128.7.7 443 aaa.bbb.140.184 443 extendable
ip nat inside source static tcp 10.128.7.8 25 aaa.bbb.140.185 25 extendable
ip nat inside source static tcp 10.128.7.8 80 aaa.bbb.140.185 80 extendable
ip nat inside source static tcp 10.128.7.8 443 aaa.bbb.140.185 443 extendable
ip nat inside source static tcp 10.128.7.9 25 aaa.bbb.140.186 25 extendable
ip nat inside source static tcp 10.128.7.9 80 aaa.bbb.140.186 80 extendable
ip nat inside source static tcp 10.128.7.9 443 aaa.bbb.140.186 443 extendable
ip nat inside source static tcp 10.128.7.10 25 aaa.bbb.140.187 25 extendable
ip nat inside source static tcp 10.128.7.10 80 aaa.bbb.140.187 80 extendable
ip nat inside source static tcp 10.128.7.10 110 aaa.bbb.140.187 110 extendable
ip nat inside source static tcp 10.128.7.10 143 aaa.bbb.140.187 143 extendable
ip nat inside source static tcp 10.128.7.10 443 aaa.bbb.140.187 443 extendable
ip nat inside source static tcp 10.128.7.10 110 aaa.bbb.140.187 993 extendable
ip nat inside source static tcp 10.128.7.10 110 aaa.bbb.140.187 995 extendable
ip nat inside source static tcp 10.128.7.11 25 aaa.bbb.140.188 25 extendable
ip nat inside source static tcp 10.128.7.11 80 aaa.bbb.140.188 80 extendable
ip nat inside source static tcp 10.128.7.11 443 aaa.bbb.140.188 443 extendable
ip nat inside source static tcp 10.128.7.12 25 aaa.bbb.140.189 25 extendable
ip nat inside source static tcp 10.128.7.12 80 aaa.bbb.140.189 80 extendable
ip nat inside source static tcp 10.128.7.12 443 aaa.bbb.140.189 443 extendable
!
ip access-list extended Guest-ACL
 deny   ip any 10.128.7.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
!
access-list 1 permit 10.128.7.0 0.0.0.255
access-list 101 permit ip 10.128.7.0 0.0.0.255 any
dialer-list 1 protocol ip list 1
!
!
!
!
radius-server vsa send accounting
!
control-plane
!
bridge 10 route ip
banner motd ^
******************** Unauthorized access forbidden ****************
^
!
line con 0
 password 7 xxxxxxxxxxxxxxxx
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 111.222.111.222
end

To be added - crypto/local radius/isakmp/local ip pool/ACLs:

!
!--- configure local radius server
!
radius-server local
 nas 10.128.7.254 key local-radius
 user user1 password password1 group radius
!
!--- Enable authentication, authorization and accounting (AAA)
!--- for user authentication and group authorization.
!
aaa new-model
!
!--- In order to enable extended authentication (Xauth) for user authentication,
!--- enable the aaa authentication commands.
!--- "Group radius local" specifies RADIUS user authentication
!--- to be used by default and to use local database if RADIUS server is not reachable.
!
aaa authentication login userauthen group radius local
!
!--- In order to enable group authorization,
!--- enable the aaa authorization commands.
!
aaa authorization network groupauthor group radius local
!
aaa group server radius radius
 server 10.128.7.254 auth-port 1812 acct-port 1813
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
!
ip local pool ippool 10.16.20.1 10.16.20.200
!
!--- Create a group that will be used to specify the
!--- Windows Internet Naming Service (WINS) and Domain Naming Service (DNS) server
!--- addresses to the client, along with the pre-shared key for authentication.
!
crypto isakmp client configuration group crypto-client
 key cisco123
 dns 10.128.7.5
 wins 10.128.7.5
 domain xxxx.xx
 pool ippool
!
!--- Create the Phase 2 policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Create a dynamic map and
!--- apply the transform set that was created.
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!--- Apply the crypto map on the outside interface.
!
interface vlan1
 crypto map clientmap
!
!--- Specify the IP address of the RADIUS server,
!--- along with the RADIUS shared secret key.
!
radius-server host 10.128.7.254 auth-port 1812 acct-port 1813 key local-radius
radius-server retransmit 3
ip radius source-interface BVI10
!
!--- NAT exemption rule
!--- exempt traffic destined for VPN tunnel from NAT process
!
!Do i need this??
!Do i need this??
!
!--- NAT Split tunnel ACL to define what traffic to encrypt
!
access-list 20 permit 10.128.7.0 0.0.0.255
crypto isakmp client configuration group crypto-client
 acl 20
!
end

erikisme1 Wed, 03/03/2010 - 05:29

Thanks for your valuable input. This gives me a new perspective on the matter. It leaves me with just the following questions:

- do I need a NAT exemption ACL rule in order to exempt traffic destined for the VPN tunnel from the NAT process?

- do I need a split tunnelling ACL?

Erik

Lei Tian Wed, 03/03/2010 - 07:45

Hi Erik,

erikisme1 wrote:

Thanks for your valuable input. This gives me a new perspective on the matter. It leaves me with just the following questions:

- do I need a NAT exemption ACL rule in order to exempt traffic destined for the VPN tunnel from the NAT process?

- do I need a split tunnelling ACL?

Erik

Yes, you need to change your NAT statements.

For dynamic NAT or PAT, exclude traffic from the LAN subnet to the VPN pool network range; for static NAT, use conditional NAT to exclude traffic from the LAN subnet to the VPN pool network range. Conditional NAT means using a route-map at the end of the static NAT statement. Here is the configuration guide:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html

If you want the VPN remote/client to route only VPN traffic to the VPN server and route Internet traffic to the Internet, then you need to use a split tunneling ACL.

HTH,

Lei Tian
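Added example (not from this thread and not Cisco documentation): Lei Tian's three points written out against Erik's own addresses, so the two "Do i need this??" placeholders can be filled. Assumed: the pool 10.16.20.1-200 is covered by the wildcard 10.16.20.0 0.0.0.255, the names NAT-INSIDE, NOT-TO-VPN-POOL and NONAT-VPN are hypothetical, and the static-NAT route-map keyword order is the one from the guide linked above.

```cisco
! --- Added example, not from the original post. Assumed: wildcard
! --- 10.16.20.0 0.0.0.255 covers the pool 10.16.20.1-200; the names
! --- NAT-INSIDE, NOT-TO-VPN-POOL and NONAT-VPN are hypothetical.
!
! --- 1. Dynamic PAT: deny LAN -> VPN pool ahead of the permit, so LAN replies
! ---    to connected clients are never translated before entering the tunnel.
! ---    (clear ip nat translation * is exec mode; existing translations block
! ---    removal of the old statement.)
clear ip nat translation *
no ip nat inside source list 101 interface Vlan1 overload
ip access-list extended NAT-INSIDE
 deny   ip 10.128.7.0 0.0.0.255 10.16.20.0 0.0.0.255
 permit ip 10.128.7.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Vlan1 overload
!
! --- 2. Static NAT: each port forward becomes conditional on a route-map whose
! ---    ACL denies the VPN pool, so the server keeps its inside address towards
! ---    clients while inbound connections to the public ports still translate.
ip access-list extended NOT-TO-VPN-POOL
 deny   ip any 10.16.20.0 0.0.0.255
 permit ip any any
route-map NONAT-VPN permit 10
 match ip address NOT-TO-VPN-POOL
no ip nat inside source static tcp 10.128.7.1 25 aaa.bbb.140.178 25 extendable
ip nat inside source static tcp 10.128.7.1 25 aaa.bbb.140.178 25 route-map NONAT-VPN extendable
! --- repeat the remove/re-add pair for every other static entry
!
! --- 3. Split tunnelling: only 10.128.7.0/24 is sent through the tunnel; the
! ---    client's other traffic bypasses the router and its MYFW inspection.
access-list 20 permit 10.128.7.0 0.0.0.255
crypto isakmp client configuration group crypto-client
 acl 20
!
! --- Check (exec mode): a LAN host talking to a client must not show up as
! --- translated, and the client's SA counters should rise for LAN traffic only.
show ip nat translations | include 10.16.20.
show crypto ipsec sa
```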

erikisme1 Fri, 03/05/2010 - 03:55

Thanks,

The "CONFIGURING CISCO VPN CLIENT AND EASY VPN SERVER WITH XAUTH" did the trick. Now I only need to enable routing on the 871 because I am not able to get into the LAN.

One question is still left. Now i get an error on the console of the router stating:

*Mar  4 16:30:57.051: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=XXX.YYY.213.27, prot=50, spi=0x94040000(2483290112), srcaddr=AAA.BBB.180.2

Do I have an issue here? The CCO error message decoder is not very clear on this one IMHO.

Erik

Message was edited by: erik. There seems to be a difference in VPN clients. I get this message when I use VPN client version 5.0.06.0110, and when I use 5.0.06.0160 it is not there anymore.

Lei Tian Fri, 03/05/2010 - 08:03

Hi Erik,

That error message indicates something is wrong with the IPsec SA on one side. You can run clear crypto sa to force it to re-negotiate.

HTH,

Lei Tian
