Newbie setting up VPN on 871

Unanswered Question
Sep 9th, 2010

Hello,

I'm used to using SonicWalls and have absolutely no problem setting up VPNs on them.

I have never dealt with 871's before and have come to the realization that this is NOT the friendliest device around. They don't need to make it this complicated, do they??

We have two locations each with 871 routers. All I am trying to do is fix the VPN connection that was already setup in them but disconnecting after 24 hours.

I configured each site for ESP-3DES-SHA with a preshared key.

I guess what I don't understand is this whole SDM IPsec rules thing.

Whenever I see an answer to these types of questions, all I see are these "configuration" files. First off, the files are impossible to read and understand.

After not getting this to work properly, I decided to try my hand at setting the VPN up from scratch. When I go to add a VPN connection, all I see for an interface is VLAN-4 instead of FastEthernet, which is what I need (the connections that are already set up are using this interface).

I just don't get it. I'm having a hard time finding a step-by-step setup procedure. (SonicWall is good at step-by-step procedures.)

All I can say is after using these, I'm never going to opt for the use of these in the future. I just need to get these working for now though.

Thanks for any help that you can provide me :-)

Jon

sectel123 Thu, 09/09/2010 - 06:42

I don't have time to type that much right now but the best thing is to look at config examples on the Cisco website. You're right though - Cisco has dwelled on command lines for the longest time and it's more complicated than it needs to be. I've set up quite a few VPNs with Cisco boxes and always seem to hit an issue that'd take me max. an hour to resolve. Your debug commands such as: debug crypto isakmp and debug crypto ipsec (I think) can be useful.

Don't forget "term mon" and "u all" when you're done.

I know setting VPNs up on Fortigates is a piece of cake via the GUI.

Keep in mind that you have to have an access-list as well to match the traffic and sometimes people reverse the source and destination. Finally, I think (I repeat, I think...) that you need a static route pointing to your next physical hop. I'm not quite sure on that but I remember having to do something like that.

On the Fortigates, you use "tunnel" interfaces for the IPSec setup (just like GRE Tunnels with Cisco) but the static routes point "to the tunnel" which is more logical.

Finally, don't forget you have to apply your crypto to the interface (in this case, your vlan interface I think).

Martin

jschneiter Thu, 09/09/2010 - 06:59

Martin, Thanks for such a quick response.

I guess what I don't understand is this whole command line interface and where that's done in SDM.

I wish there was a log screen to look at and see what is going on. Like on the SonicWalls, it will tell you what is incorrect while it's establishing the tunnel. If there is something wrong, you know what is incorrect and you can go correct it.

Also, I think part of my problem is the terminology. What in the world is a Crypto file?

Hopefully, some nice member will come along with a detailed write-up (or point to a link).

I appreciate all the help I can get though to get this going. If all else fails, I will suggest replacing them with something more intuitive. The amount of time it takes just isn't worth it sometimes lol

Jon

j-marenda Thu, 09/09/2010 - 12:48

Martin, nowadays Cisco can also have IPsec encapsulation on tunnel interfaces, which makes VPN configuration very, very easy; you only must route the right traffic into the right tunnel interface or let a routing protocol do the work.

The Cisco 871 has one real FastEthernet interface, Fas4, intended for the "WAN"/"internet" connection. The other Fas0 ... Fas3 are connected to a switch and may be assigned to a VLAN. Depending on the feature set, you may use up to 4 different VLANs, and a port may also be a trunk.

The switch is also running per-VLAN spanning tree, which might cause problems with an external switch which may be connected to one of these "LAN" ports. A typical security-enhanced switch shuts its port down if it sees a spanning-tree BPDU coming in.

BTW, a Fortigate config file is also not very readable ;-)

But this does not help much to solve the problem. A view of the config files would be a start to help, even when SDM-generated configurations tend to be more unreadable than hand-crafted ones, and may have unwanted features enabled.

Juergen.

jschneiter Thu, 09/09/2010 - 13:39

Hello,

Here is my config file for one side of the tunnel. I can supply the other side if necessary.

All private info x'd out

!This is the running config of the router: 71.86.x.x
!----------------------------------------------------------------------------
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname columbia
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$xIAQ$T6ggb6OzLqb6BBFNLeW001
!
username admin-columbia privilege 15 secret 5 $1$p9hg$zbyxGfRtpkZInS4e7xzgA.
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 10.10.100.1 10.10.100.99
ip dhcp excluded-address 10.10.100.111 10.10.100.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.100.0 255.255.255.0
   dns-server 4.2.2.1 4.2.2.2
   default-router 10.10.100.1
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip bootp server
ip name-server 4.2.2.1
ip name-server 4.2.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key xxxxxxxxxx address 206.176.x.x no-xauth
crypto isakmp key xxxxxxxxxx address 65.219.x.x no-xauth
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2-2 esp-3des esp-sha-hmac
crypto ipsec transform-set SHA-DES esp-des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to65.219.x.x
set peer 65.219.x.x
set transform-set ESP-3DES-SHA1
match address 100
!
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 71.86.x.x 255.255.255.252
ip access-group sdm_fastethernet4_in in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1350
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.100.1 255.255.255.0
ip access-group 106 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 71.86.x.x
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
!
ip access-list extended sdm_fastethernet4_in
remark SDM_ACL Category=1
remark IPSec Rule
permit ip 10.10.101.0 0.0.0.255 10.10.100.0 0.0.0.255
permit udp host 65.219.x.x host 71.86.x.x eq non500-isakmp
permit udp host 65.219.x.x host 71.86.x.x eq isakmp
permit esp host 65.219.x.x host 71.86.x.x
permit ahp host 65.219.x.x host 71.86.x.x
permit udp host 4.2.2.2 eq domain host 71.86.x.x
permit udp host 4.2.2.1 eq domain host 71.86.x.x
permit ahp host 206.176.x.x host 71.86.x.x
permit esp host 206.176.x.x host 71.86.x.x
permit udp host 206.176.x.x host 71.86.x.x eq isakmp
permit udp host 206.176.x.x host 71.86.x.x eq non500-isakmp
remark IPSec Rule
permit ip 10.10.102.0 0.0.0.255 10.10.100.0 0.0.0.255
deny   ip 10.10.100.0 0.0.0.255 any
permit icmp any host 71.86.x.x echo-reply
permit icmp any host 71.86.x.x time-exceeded
permit icmp any host 71.86.x.x unreachable
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.100.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.100.0 0.0.0.255 10.10.101.0 0.0.0.255
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.102.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.10.100.0 0.0.0.255 10.10.102.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.10.100.0 0.0.0.255 10.10.101.0 0.0.0.255
access-list 103 deny   ip 10.100.100.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 103 permit ip 10.10.100.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.100.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.100.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 71.86.x.x 0.0.0.3 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 permit ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Jon

jschneiter Thu, 09/09/2010 - 08:09

I decided to give the Generate Mirror configuration a try. Lo and behold, I have no idea what in the world I am doing. I looked up what to do with this file and it said:

The suggested configuration for the peer device appears on the Generate Mirror screen.

  1. Click Save to display the Windows Save File dialog box, and save the file.
  2. Caution: Do not apply the mirror configuration to the peer device without editing! This configuration is a template that requires additional manual configuration. Use it only as a starting point to build the configuration for the VPN peer.
  3. After saving the file, use a text editor to make any needed changes to the template configuration. These are some commands that may need editing:
     • The peer IP address command(s)
     • The transform policy command(s)
     • The crypto map IP address command(s)
     • The ACL command(s)
     • The interface ip address command(s)

What are these commands it is talking about? How is someone that has never used this device supposed to know what to do????

Not very user friendly I say.

Please, anyone willing to spend some time assisting me. I can certainly share any config file necessary and answer any questions needed.

Thanks in advance!!

Jon

j-marenda Thu, 09/09/2010 - 15:05

O.k., your router has 71.86.x.x (columbia) with LAN 10.10.100.1/24.

You are trying to build a VPN to 65.219.x.x with LAN 10.10.101.0/24.

You had a VPN to 206.176.214.4 with LAN 10.10.102.0/24?

I would suggest either removing "ip verify unicast reverse-path" on interface fastethernet 0 or adding the route to the remote LAN:

a)

telnet/ssh to the router
enable
configure terminal
int fas 4
no ip verify unicast reverse-path
end

b)

telnet/ssh to the router
enable
configure terminal
ip route 10.10.101.0 255.255.255.0 71.86.x.x
end

! not your router's 71.86.x.x but the same as behind the ip route 0.0.0.0 0.0.0.0 statement in your config file.

or both a) and b).

ip verify unicast reverse-path silently drops (sh ip int fas 4 has a counter for that) packets coming in on that interface when there is no route going out through the same interface. This does not make sense with a default route out and may interact nicely with the remote LAN's decrypted traffic coming in - that traffic is also explicitly permitted in fas4's incoming access-list.

Hope this helps,

Juergen.
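As an added illustration (not part of Juergen's post and not Cisco code), here is a small Python model of the strict uRPF check he describes. It assumes the IOS behaviour that a source reachable only via the default route fails "ip verify unicast reverse-path" unless allow-default is configured; the routing table is constructed from the posted config and the interface names are taken from it.

```python
import ipaddress

# Constructed routing table modelled on the posted running config:
# a connected LAN on Vlan1 and only a default route out FastEthernet4.
DEFAULT_RIB = [
    ("0.0.0.0/0", "FastEthernet4"),
    ("10.10.100.0/24", "Vlan1"),
]


def lookup(rib, src):
    """Longest-prefix match for a source address.
    Returns (network, egress_interface) or None."""
    src_ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in rib:
        net = ipaddress.ip_network(prefix)
        if src_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf_passes(rib, src, ingress, allow_default=False):
    """Strict uRPF as modelled here: the source must be reachable via the
    interface the packet arrived on. A match on the default route only
    counts when allow-default is set (assumption about IOS behaviour)."""
    hit = lookup(rib, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    return iface == ingress


def with_remote_lan_route(rib):
    """Option b) from the thread: a static route for the remote LAN
    pointing out the WAN interface."""
    return rib + [("10.10.101.0/24", "FastEthernet4")]


if __name__ == "__main__":
    # Decrypted packet from the remote LAN re-enters on FastEthernet4.
    print(strict_urpf_passes(DEFAULT_RIB, "10.10.101.20", "FastEthernet4"))
    print(strict_urpf_passes(with_remote_lan_route(DEFAULT_RIB),
                             "10.10.101.20", "FastEthernet4"))
```

The first call reproduces the silent drop Juergen describes; the second shows the static route satisfying the check, while a spoofed inside address arriving on the WAN side still fails.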

jschneiter Thu, 09/09/2010 - 15:13

Wow, you got all that from that file??

Now why can't they just incorporate all that into a GUI instead of command lines LOL

Would you like to see the other side as well?

I will try and incorporate those suggestions tomorrow and see what happens.

thanks much!!

Jon

jschneiter Mon, 09/20/2010 - 07:51

Hello, thanks for the rundown to get this working. I telnetted (is that a word lol) into both routers and made the noted changes.

I first did a)

After I did that, I rechecked the config file and the command was not inputted.

I then did b) and that didn't affect anything.

With that I printed out both config files and did some comparing.

Knowing absolutely nothing, I did notice a few differences.

I'll just attach the files as they are long

j-marenda Wed, 09/22/2010 - 16:18

Jon,

at this point I would tend to start from scratch, with unconfigured routers on both ends.

But first, paint a picture of

a) WAN connections (IP addresses, subnet mask, default gateway, ...) for the two locations, as given to you by the ISPs

b) LAN connection (IP addresses, subnet mask, whether a DHCP server must be enabled on each router, other local routes to "private" networks (esp. those which must be reachable from "the other" side))

c) Determine whether they must surf the internet or it's only for the site-to-site connection

Verify the completeness of that information.

Second, configure the two routers to work locally for those requirements.

Third, set up the VPN tunnel between the two sites.

Are there more IPsec connections than this one?

For me I can say that I do not use SDM or whatever the current tool is called. I hand-craft the configurations to have them work as I like.

Today, I would create a tunnel interface with IPsec encapsulation on both routers, probably running a routing protocol (OSPF) over it, since this is an elegant way to create VPN tunnels on current Cisco IOS routers. I also would place the LAN side into a separate VRF. AFAIK all those things cannot be done with SDM but through the CLI.

I have just seen the config from one side (with several XXXes) and had to guess a little bit, so my answers may also have some XXXes to be filled with the right parameters (from a) or b)).

If the configurations do not work as expected then you must start debugging to find the point of the problem; this is also done through the CLI, with the help of "show" and "debug" commands.

Without access to the routers no one can help you with this; we can just guess what goes wrong from the paperwork/config files and sometimes ask for the output of some "show" commands to try to find the problem.

But probably you may need someone to assist you to configure and debug those routers, not just the forum?

Hope this helps,

Juergen.
