
Ask the Expert: IPsec VPN

Answered Question
Nov 28th, 2011

With Marcin Latosiewicz

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on IPsec VPN with Cisco expert Marcin Latosiewicz, who will answer questions on the topic of best practices when implementing IPsec VPNs on IOS and ASA. Marcin Latosiewicz is a Customer Support Engineer at the Cisco Technical Assistance Center in Belgium, with over four years of experience with Cisco Security products and technologies including IPsec, VPN, internetworking appliances, network and systems security, internet services and Cisco networking equipment.

Remember to use the rating system to let Marcin know if you have received an adequate response. 

Marcin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through December 9th, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

Correct Answer by Marcin Latosiewicz about 2 years 4 months ago

Hi Kleber

Not knowing your settings and assuming some Cisco defaults, it could be a problem during phase 1 rekey (86400 seconds is the default).

What I would also look into is whether by any chance you have a vpn idle timeout or vpn session timeout applied to your (what I assume are) LAN-to-LAN tunnels.

Check logs on ASA (we drop some logs on informational level) on failure.

If you feel like debugging: debug cry isakmp 127.

What I would suggest regardless is to open a TAC case; there are quite a few problems we have seen in the past with Sonicwall.

Mostly smaller problems with (mis)configuration, but occasionally a bug (on either side).

We need more info :-)

HTH and GL,

Marcin

gouda64cisco Tue, 11/29/2011 - 00:04

Good morning

I have Windows 7 with the Cisco client installed on my PC; the VPN to our customer is working but I cannot ping that network. On my PC I also have a VMware XP guest with the Cisco client installed, and on the XP client it is working with the same .pcf file: ping connects.
What can have happened on the Win7 client or PC?

Can you give me some info where is maybe the problem.

thanks a lot

Marcin Latosiewicz Tue, 11/29/2011 - 01:14

Stephan,

Interesting question, I'm afraid there is no one simple answer.

Places I would start checking:

0) Check if ICMP is the only protocol affected or whether we see similar symptoms for everything else.

1) Disable firewall on windows 7 and re-test.

We've had quite a few problems with this.

2) Perform a sniffer trace on the Windows 7 physical and VPN adapter interfaces.

We're interested to see our (ICMP) packets leaving AND coming back.

Note that on the physical interface you will see either ESP or AH, or UDP/4500 packets.

3) Enable logging on the VPN client (from the GUI you can set it up to level 3, but editing vpnclient.ini will allow you to set it to level 15).

While performing testing check the "statistics" section (mostly for discarded or bypassed) but also the logs, to see if any packet drop is reported.

4) Only once everything seems clear in points 1-3 would I move to checking the VPN headend.

There could be multiple causes with different resolution steps. What you need to do first is to perform some basic checks to know where the problem is located. Typically all our VPN teams in TAC can help you do it very efficiently and they can teach you a few tricks, if you're in the mood :-)

Marcin

arthursim Tue, 11/29/2011 - 09:44

Here's my situation. I have a client with 3 offices and we're trying to use RV120W's in each location to provide IPSec VPN site to site connections. 2 of the offices have internet connections which can provide public IP addresses to the cisco router. The third office is unfortunately using a device that has no option to disable the NAT in their router.

The 2 offices with public IPs on their WAN ports have been configured and are passing along VPN traffic just fine. I can't find any information on how to allow this third office to connect through that NAT'd router. My traffic in the office goes like this, to be clear:

Office PCs (192.168.3.x) -> Cisco LAN (192.168.3.1)

Cisco WAN (192.168.0.2) -> Netgear 4G Turbo Hub (192.168.0.1) -- Netgear gets public IP from cellular network.

My other routers are using 192.168.1.x and 192.168.2.x respectively, so there aren't any common subnets either.

Any help with NAT traversal??  Thanks much.

Marcin Latosiewicz Tue, 11/29/2011 - 11:47

Arthur,

This is not the Small Business section of forums, so I might not be the best person to respond to this.

But I'll give it a shot.

NAT Traversal requires that communication on ports UDP/4500 and UDP/500 is allowed. I checked the device at a glance and I see that it's capable of NAT traversal (at least according to the spec).

What you can do is try to forward those ports to your RV device on the Netgear (if it has this capability); that should allow you to both initiate and respond to the IPsec VPN.

I would first of all check that there is no place where this setting is disabled (although I would say it makes a sane default to have it on).

Another place (which reminds me of things we had in Linksys routers) is the Netgear; it should ideally just allow communication to/from those ports. I know some small business devices "inspect" VPN.

Hope this helps, but for a concrete answer I would check on the small business section.

Marcin

arthursim Fri, 12/02/2011 - 08:02

Marcin,

Thanks for your assistance the other day on this and upon further investigation I found out the problem. I was able to determine that the third office that's using a 4G router is actually behind a 10.x.x.x private router on the ISP side. After many phone calls, the provider is not willing/able to provide us with a Public IP service or a Static IP. Port forwarding will also not work in this situation either.

A phone call to the Partner Help Desk and 15 minutes later, I was told that an ASA5505 can be configured to work through a private IP configuration such as this. So, my question is this: will this device be able to create an IPsec tunnel to a small business router such as the RV120W, or should I get 2 of these devices?

Thanks again for all your help.

Marcin Latosiewicz Fri, 12/02/2011 - 08:45

Arthur,

ASA's IPsec VPN is standards based; if you place it behind NAT there should be no problem for it to initiate a VPN connection with NAT traversal.

You might also want to add keepalives:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2236606

Now if you want to be a responder in the IPsec negotiation, that's a bit of a different story: you will somehow need to allow UDP/500 and UDP/4500 inside.

TL;DR: ASA behind NAT, no problem with IPsec to any standards based device, but only as an initiator.

Marcin

lap@axcess.dk Wed, 11/30/2011 - 00:39

Hi Marcin,

We have a customer with a basic hub and spoke IPsec network. At the headend there is a Cisco ASA and the spokes have a Cisco 1812 or a Cisco 881; there are around 100 spokes. The issue there is that when an ISP changes an IP address at a spoke location, we have to send a technician to make changes both on the spoke router and on the ASA. So I was thinking that DMVPN would be a good solution for the customer. But one of my colleagues thinks that Easy VPN will be a better solution in this case, as he thinks that DMVPN will add too much complexity to the customer network. There is no need for spoke to spoke traffic. But I think that the spoke to spoke feature can be disabled in DMVPN. Then the customer network is really simple. The spoke locations only need to reach some servers at the headend location. Then again, the ASA cannot do DMVPN.

So what do you think? Should we advise DMVPN or Easy VPN?

Then I have seen that there are some new features in Easy VPN, is that correct?

What about FlexVPN, could it be a solution there maybe? What is the advantage of FlexVPN over DMVPN? Can it run on ASA?

Best regards,

Laurent

Marcin Latosiewicz Wed, 11/30/2011 - 01:57

Laurent,

(I think we could write a chapter in a book about this one.)

I'll start in a bit different order than you asked your questions.

ASA support for any virtual interfaces (be it Tunnel or VTI) is on the roadmap, but it's not there yet and I would not plan on using it in the first release it's out.

What you see now is just the beginning of Flex; more features and capabilities are coming. Suffice to say we took the experience of Easy and DM VPNs, looked at what customers want, what is missing and what the pain points are, and put that to good use. I'm afraid I cannot say too much and we will learn more during Cisco Live in January (look for events involving Fred Detienne, if you're going).

I agree with your colleague, Easy VPN would be the technology of choice here:

- simple to implement, widely used, standards based.

It will allow you to add/change config in a very flexible way: add new spokes and add new config on the hub as it's needed.

I would suggest moving only spokes with dynamic IPs to ezvpn, and leave existing Lan-to-Lan configuration in place.

I have considered two alternatives.

Alternative (1) is to run IPsec tunnel between spoke routers and hub ASA and underneath run a GRE tunnel between spoke routers and device behind ASA capable of terminating GRE (you can run GRE from a loopback interface).

Pros:

- ASA is doing IPsec only

- Still have GRE (in case you want to send IPv6 traffic in future for example).

- Control over routing protocol

Cons:

- A lot of "moving parts"

- Additional MTU consumed by GRE

- Spokes behind NAT considerations

Alternative (2) DMVPN. As you know I'm a big fan of DMVPN in general, but since ASA cannot do it, I would re-consider if that's the way to go. Unless you have a (minimum) 2800/2900 router there behind ASA?

In which case you could split dynamic peers to terminate DMVPN on router and static IP peers to terminate lan to lan on ASA (at least initially). Start the migration of static peers later.

Pros:

- Static LAN to LAN tunnels are un-interrupted while you move dynamic peers.

- All advantages of DMVPN

Cons:

- "Difficult" to manage (at least initially) and justify (financially).

- You might not utilize full power of particular device

- Two different devices doing the "same function" (from the end customer's point of view).

As I said it's not an easy topic to say one way or another without more information. There are too many factors to consider :-)

Hope that helps, though.

Marcin

lap@axcess.dk Wed, 11/30/2011 - 11:35

Hi Marcin,

Thank you so much for your reply. It was really interesting to read. Tunnel interface on ASA? Sounds really nice ;-)

I will follow your advice. I am looking forward to hearing more about FlexVPN.

Regards,

Laurent

MirzaAlibasic Wed, 11/30/2011 - 03:10

Hi Marcin,

I have configured remote access (Cisco VPN client) on an ASA 5510. I can connect and everything works fine (I can browse the local network etc.); however, I'm not able to connect to the ASA using ASDM nor telnet.

How  to allow ASDM or telnet through VPN?

Tnx in advance


Marcin Latosiewicz Wed, 11/30/2011 - 03:36

Mirza,

That's not really a best practice question, but I will give this a shot. :-)

If you want to manage your device over VPN, you need to:

1) Allow the VPN IP pool to access the interface of choice (telnet, ssh, http commands)

2) Enable "management-access"; as an additional parameter you need to give the interface name which you used in step 1)

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2112283

Typically we terminate management over VPN on "inside" or LAN interface.

Let's say my pool is 172.16.13.0/24 and I want to use HTTP(ASDM) over my inside interface.

http 172.16.13.0 255.255.255.0 inside

management-access inside

Hope this helps,

Marcin

MirzaAlibasic Wed, 11/30/2011 - 04:26

Hi Marcin,

If I understand you well, I need to add my vpn pool address (192.168.254.0/24) like this:

or I'm terribly wrong

firestormnet Wed, 11/30/2011 - 08:31

Hi Marcin.

Finally I had a chance to finish the Cisco VPN client software and ASA5505 configuration to connect to the office network.

It's working fine: I can connect a laptop anywhere to the internet, then enable VPN tunneling, then use Cisco IP Communicator to connect to our phone system and our server.

But I have a problem when I use a 3G internet connection using those USB dongles on my laptop. I start the VPN client and it says connected; I can see that it sends packets (they're counting) but there are no received packets, it stays at 0.

Do you know what could be the problem? Can it be configuration or a service provider problem? Because other internet connections are working fine for the VPN client.

Thanks,

Regards,

sistemas_konkatel Wed, 11/30/2011 - 09:19

Hi Marcy,

I set up on a Cisco 1801 a site-to-site VPN between site A and site B; I also set up the Cisco 1801 as an Easy VPN server. Everything works fine...

The site-to-site VPN traffic from A to B has to do a source NAT to the xxx.xxx.xxx.xxx address to be able to arrive at site B.

The remote VPN traffic is arriving at the LAN of site A.

The problem that I am facing is that I don't know how to set up the Cisco 1801 to manage the remote VPN traffic to site B. I think I have to do a source NAT of the remote VPN traffic to the xxx.xxx.xxx.xxx address but I don't know how; should I use an ip nat inside or an ip nat outside command?

Thanks in advance

Marcin Latosiewicz Wed, 11/30/2011 - 10:36

Alejandro,

What you need to remember is that NAT is done before encryption and after decryption.

So if you NAT traffic you most likely need to take it into consideration for routing and/or VPN.

Let's take this scenario:

X - one network

Y - network two

Z - network that I would like X to be visible as when traversing to Y.

A - device with X on LAN

B - device with Y on LAN

X -----A --- (internet) ---- B ---- Y

Scenario 1.

What I would typically do is on A.

ip nat inside source static X Z /24 [route-map RMAP1]

The route-map I can use to make sure this translation is only done when going from X to Y.

And when specifying interesting traffic for VPN I would do on A:

permit ip Z Y

while on B:

permit ip Y Z

Scenario 2)

On B:

ip nat outside source static X Z /24

ACL for VPN on A:

permit X Y

ACL for VPN on B:

permit Y X

Let me know if this answers your question, I might have gotten your scenario wrong.

Marcin
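The reply above rests on one ordering rule: NAT is applied before encryption and after decryption, so a crypto ACL sees the addresses a packet has at the moment it reaches the crypto map. The following is an added example, not part of the original post, that models both of Marcin's scenarios with the X / Y / Z names from the reply (the actual prefixes, hosts and the "wrong ACL" case are constructed to illustrate the point). It shows why the ACL on A names Z rather than X in scenario 1, why the two ends' ACLs must mirror each other, and what happens when the NAT is configured but the crypto ACL still names X.

```python
"""Added example, not part of the original reply: a small model of the rule
'NAT is done before encryption and after decryption' for the X / Y / Z
scenarios above.  Crypto ACLs are checked against the addresses the packet has
at the moment it reaches the crypto map, which is why the ACL on A names Z,
not X, in scenario 1.  Networks below are constructed placeholders."""
import ipaddress

X = ipaddress.ip_network("192.168.10.0/24")   # LAN behind A
Y = ipaddress.ip_network("192.168.20.0/24")   # LAN behind B
Z = ipaddress.ip_network("172.16.10.0/24")    # how X should appear to Y
Addr = ipaddress.IPv4Address


def static_network_nat(addr: Addr, local: ipaddress.IPv4Network,
                       global_: ipaddress.IPv4Network) -> Addr:
    """'ip nat ... static network LOCAL GLOBAL /24': the host part is preserved."""
    return global_[int(addr) - int(local.network_address)]


def acl_permits(acl, src: Addr, dst: Addr) -> bool:
    """acl is a list of (src_net, dst_net) permit entries (the crypto ACL)."""
    return any(src in s and dst in d for s, d in acl)


def mirrored(acl_a, acl_b) -> bool:
    """Phase 2 proxy IDs must mirror each other, or the SA will not come up."""
    return sorted((d, s) for s, d in acl_a) == sorted(acl_b)


def send_from_a(src: Addr, dst: Addr, inside_nat: bool, crypto_acl):
    """Outbound on A: inside source NAT first (route-map RMAP1 restricts it to
    X->Y traffic), then the crypto ACL decides whether the packet is encrypted.
    Returns (source address on the wire, encrypted?)."""
    if inside_nat and src in X and dst in Y:
        src = static_network_nat(src, X, Z)
    return src, acl_permits(crypto_acl, src, dst)


def receive_at_b(src: Addr, dst: Addr, outside_nat: bool, crypto_acl):
    """Inbound on B: the decrypted packet must match B's crypto ACL in reverse
    (dst->src); only then does 'ip nat outside source static' rewrite the
    remote source X into Z.  Returns the source a host in Y sees, or None if
    the packet did not match the SA."""
    if not acl_permits(crypto_acl, dst, src):
        return None
    if outside_nat and src in X:
        src = static_network_nat(src, X, Z)
    return src


def scenario_1(src: Addr, dst: Addr) -> dict:
    """NAT on A; both crypto ACLs reference Z."""
    acl_a, acl_b = [(Z, Y)], [(Y, Z)]
    wire_src, encrypted = send_from_a(src, dst, True, acl_a)
    seen_by_y = receive_at_b(wire_src, dst, False, acl_b) if encrypted else None
    return {"mirrored": mirrored(acl_a, acl_b), "encrypted": encrypted,
            "seen_by_y": seen_by_y}


def scenario_2(src: Addr, dst: Addr) -> dict:
    """NAT on B's outside; both crypto ACLs reference the real X."""
    acl_a, acl_b = [(X, Y)], [(Y, X)]
    wire_src, encrypted = send_from_a(src, dst, False, acl_a)
    seen_by_y = receive_at_b(wire_src, dst, True, acl_b) if encrypted else None
    return {"mirrored": mirrored(acl_a, acl_b), "encrypted": encrypted,
            "seen_by_y": seen_by_y}


def scenario_1_wrong_acl(src: Addr, dst: Addr) -> dict:
    """Common mistake: NAT on A but the crypto ACL still names X.  By the time
    the packet reaches the crypto map its source is already Z, so it never
    matches the ACL and leaves A unencrypted (or is dropped by an outside ACL)."""
    wire_src, encrypted = send_from_a(src, dst, True, [(X, Y)])
    return {"wire_src": wire_src, "encrypted": encrypted}


if __name__ == "__main__":
    host, server = Addr("192.168.10.5"), Addr("192.168.20.7")
    print("scenario 1:", scenario_1(host, server))
    print("scenario 2:", scenario_2(host, server))
    print("scenario 1, ACL names X:", scenario_1_wrong_acl(host, server))
```

The `mirrored` check is the one to run first when a tunnel with NAT in the path will not come up: a proxy identity mismatch between the two crypto ACLs fails phase 2 before any data is sent.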

sistemas_konkatel Wed, 11/30/2011 - 14:28

Hi Marcin,

Thanks for your reply,

I think I did not explain myself very clearly. The site-to-site VPN with NAT is already in use; that part is OK. The problem I have is that I also set up the router as an Easy VPN server for remote users.

The traffic of these remote users is the one that I want to route to site B through the site-to-site VPN.

So the remote users' traffic has to be NATted into xxxxx in order to be accepted by site B.

(Remote users 10.0.1.0/24) ----- Easy VPN ---- ROUTER (site A) ---- site-to-site VPN (NAT xxxxxx) ---- SITE B

The principal problem I have is that I don't know where to do the NAT for the remote users' VPN traffic to be translated into address xxxxxx when it is routed to site B.

I am not sure if this scenario is possible.

Alejandro

Marcin Latosiewicz Thu, 12/01/2011 - 00:12

Alejandro,

Gotcha, much more clear now.

What I would suggest is switching to DVTI deployment on router A in your topology.

This will allow you to enable "ip nat inside" on virtual-template and then use normal source NAT for remote users going out to the internet or to site B.

Example config (NAT) is here:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1519564

(I made the assumption you have "ip nat outside" on your WAN-facing interface)

Marcin

sistemas_konkatel Thu, 12/01/2011 - 12:38

Marcin,

The DVTI was the answer, thank you so much.

Best regards,

Marcin Latosiewicz Wed, 11/30/2011 - 10:25

Firestormnet,

From your description it could be a problem with ISP, although I can tell you that it's rare nowadays.

My immediate suggestion is to perform a sniffer trace (Wireshark or what have you) on the interface associated with the 3G dongle.

You should see ESP or UDP/4500 packets leaving, but we're interested in whether you see anything going back.

What CAN be a problem is packets coming back that are corrupted (not that uncommon over cellular networks).

If you don't see any return packets coming in, you can confirm on the ASA that you see encapsulations and decapsulations in "show crypto ipsec sa peer IP_ADD_RE_SS". If the values are non-zero it means that we're processing traffic; if either (or both) is zero, we have some problem on the ASA or on the route to the ASA.

Marcin
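Both of Marcin's sniffer-trace answers in this thread (the Windows 7 ping case and the 3G dongle case above) come down to the same check: on the physical adapter you should see IKE on UDP/500, ESP (IP protocol 50) or AH (51), or NAT-T on UDP/4500 leaving, and the question is whether the same kinds of packets come back. The following is an added example, not code from the thread, that classifies raw IPv4 packets that way and tallies them per direction so the "sending but receiving nothing" symptom can be spotted in a capture. The client and headend addresses and the packets themselves are constructed, not taken from a real trace; the only protocol facts it relies on are the port numbers and RFC 3948's NAT-T framing (a one-byte 0xFF keepalive, a four-zero-byte non-ESP marker in front of IKE, since an ESP SPI can never be zero).

```python
"""Added example, not part of the original thread: classify raw IPv4 packets
the way the replies above say to read a sniffer trace, then count them per
direction relative to the local host.  Addresses and packets are constructed."""
import socket
import struct
from collections import Counter

IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 17, 50, 51
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s2.2: IKE inside UDP/4500


def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet (no Ethernet header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]
    if proto == IP_PROTO_ESP:
        return "ESP"
    if proto == IP_PROTO_AH:
        return "AH"
    if proto != IP_PROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    if 500 in (sport, dport):
        return "IKE"
    if 4500 in (sport, dport):
        # A one-byte 0xFF payload is the NAT keepalive.  ESP's SPI can never
        # be zero, so four zero bytes (the non-ESP marker) mean IKE; anything
        # else is ESP encapsulated in UDP.
        if data == b"\xff":
            return "NAT-T keepalive"
        if data[:4] == NON_ESP_MARKER:
            return "IKE (NAT-T)"
        return "ESP (NAT-T)"
    return "other"


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header; checksum left zero since nothing verifies it here."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def direction_report(packets, local_ip: str) -> dict:
    """Count VPN packets per direction relative to local_ip and flag the
    'packets leave but nothing comes back' symptom from the thread."""
    counts = Counter()
    for pkt in packets:
        label = classify(pkt)
        if label == "other":
            continue
        src = socket.inet_ntoa(pkt[12:16])
        counts[("out" if src == local_ip else "in", label)] += 1
    sent = sum(n for (d, _), n in counts.items() if d == "out")
    received = sum(n for (d, _), n in counts.items() if d == "in")
    return {"counts": dict(counts), "sent": sent, "received": received,
            "no_return_traffic": sent > 0 and received == 0}


# Constructed sample: a client behind NAT talking to a VPN headend.
CLIENT, HEADEND = "10.0.0.5", "203.0.113.10"
IKE_HDR = bytes(28)                                  # placeholder IKE header
ESP_SPI = b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01"  # SPI + sequence number
SAMPLE_HEALTHY = [
    ipv4(CLIENT, HEADEND, IP_PROTO_UDP, udp(500, 500, IKE_HDR)),
    ipv4(HEADEND, CLIENT, IP_PROTO_UDP, udp(500, 500, IKE_HDR)),
    ipv4(CLIENT, HEADEND, IP_PROTO_UDP, udp(4500, 4500, NON_ESP_MARKER + IKE_HDR)),
    ipv4(CLIENT, HEADEND, IP_PROTO_UDP, udp(4500, 4500, ESP_SPI + b"ciphertext")),
    ipv4(HEADEND, CLIENT, IP_PROTO_UDP, udp(4500, 4500, ESP_SPI + b"ciphertext")),
    ipv4(CLIENT, HEADEND, IP_PROTO_UDP, udp(4500, 4500, b"\xff")),
    ipv4(CLIENT, "192.0.2.53", IP_PROTO_UDP, udp(40000, 53, b"dns query")),
]
# Same client, but only its own packets appear: the 3G case from the thread.
SAMPLE_BROKEN = [p for p in SAMPLE_HEALTHY if socket.inet_ntoa(p[12:16]) == CLIENT]

if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("broken", SAMPLE_BROKEN)):
        print(name, direction_report(sample, CLIENT))
```

To use it on a real trace, read the packets out of a pcap with any capture library and feed the IPv4 payloads to `direction_report`; a report with `sent` climbing and `received` stuck at zero is exactly the "packets sent, nothing received" counter pattern the client GUI shows, and tells you to look at the path back from the headend rather than at the client.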

corey.mckinney Wed, 11/30/2011 - 11:43

Hi Marcin

I want to assign static IPs to users that log in to IPsec VPN using group authentication on ASA 8.2. They authenticate through a Windows RADIUS server. Right now, they are connecting just fine and pulling an IP from the pool I have configured in the IPsec policy.

What would the best way to assign static IPs through VPN??

Thank you,

Corey

Marcin Latosiewicz Wed, 11/30/2011 - 14:38

Corey,

Truth be told, assigning statically to everyone does not scale for large deployments, although it's a neat control mechanism in small and medium setups.

You need to modify/double check two settings.

1) You need to make sure the ASA can accept IP addresses for VPN users from AAA servers:

vpn-addr-assign aaa

2) The Framed-IP-Address RADIUS attribute can be sent from RADIUS as an AV pair (IETF-Radius-Framed-IP-Address).

For more information about supported attributes on ASA:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html

You can also check how you can assign statically from ASA itself (with local AAA auth)

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml

Hope this helps,

Marcin
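The reply above names the two halves of static assignment: the ASA side (`vpn-addr-assign aaa`) and the RADIUS side (Framed-IP-Address, IETF attribute 8). The following is an added example, not code from the thread or from Cisco, that shows the RADIUS half on the wire: it builds the Access-Accept a server would return for a user, then parses it the way a NAS has to, verifying the Response Authenticator (RFC 2865 section 3) before trusting the attribute, and treating the two reserved values (255.255.255.255 "user selects", 255.255.255.254 "NAS selects") as "fall back to the local pool". The shared secret, request authenticator, identifier, user name and address are constructed values.

```python
"""Added example, not part of the original reply: the RADIUS side of static
address assignment.  Build the Access-Accept a server would send with
Framed-IP-Address (IETF attribute 8), then parse it as a NAS must: verify the
Response Authenticator (RFC 2865 s3) before trusting any attribute.  Shared
secret, request authenticator, user name and address are constructed."""
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
# RFC 2865 s5.8: these values mean "let the user / NAS pick", not a fixed IP.
FRAMED_IP_USER_SELECTS = b"\xff\xff\xff\xff"
FRAMED_IP_NAS_SELECTS = b"\xff\xff\xff\xfe"


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes,
                        attributes) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attributes)
    head = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    response_auth = hashlib.md5(head + request_auth + body + secret).digest()
    return head + response_auth + body


def parse_attributes(body: bytes):
    """Yield (type, value) pairs, rejecting malformed lengths instead of looping."""
    offset = 0
    while offset < len(body):
        if offset + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[offset], body[offset + 1]
        if length < 2 or offset + length > len(body):
            raise ValueError("bad attribute length")
        yield attr_type, body[offset + 2:offset + length]
        offset += length


def framed_ip_from_accept(packet: bytes, identifier: int, request_auth: bytes,
                          secret: bytes):
    """Return the assigned address as a string, or None when the packet is not
    an authentic Access-Accept for our request or carries no usable
    Framed-IP-Address (the NAS then falls back to its local pool)."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or ident != identifier or length != len(packet):
        return None
    response_auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(response_auth, expected):
        return None                     # forged, replayed or wrong shared secret
    try:
        for attr_type, value in parse_attributes(body):
            if attr_type == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
                if value in (FRAMED_IP_USER_SELECTS, FRAMED_IP_NAS_SELECTS):
                    return None
                return socket.inet_ntoa(value)
    except ValueError:
        return None
    return None


# Constructed values standing in for the NAS/server shared state.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
IDENTIFIER = 0x2A
ACCEPT_FOR_COREY = build_access_accept(IDENTIFIER, REQUEST_AUTH, SECRET, [
    attribute(ATTR_USER_NAME, b"corey"),
    attribute(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton("10.10.10.42")),
])

if __name__ == "__main__":
    print(framed_ip_from_accept(ACCEPT_FOR_COREY, IDENTIFIER, REQUEST_AUTH, SECRET))
```

The authenticator check is the part worth keeping in mind operationally: the address a RADIUS server hands out ends up as a routed, trusted inside address, so the NAS must only honour it from a reply whose authenticator matches the shared secret and the outstanding request, which is also why a weak or shared-everywhere RADIUS secret is a VPN problem and not just an AAA one.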

NelsonCBN Wed, 11/30/2011 - 19:51

Good day Marc.

Please, I have a problem that needs urgent help. I have a T1 card installed on my 1841 router but my providers are giving me an E1 link, and their complaint is that it will not work with the E1 line. But I think it should be possible to use an E1 link with a T1 interface card depending on the configuration. I am really lost. Can you help me?

Icharus83 Thu, 12/01/2011 - 01:02

Good day marc,

I have three ASA 5505s and they all share the same problem: VPN over IPsec does work, sometimes very well for a week, but suddenly it can stop working (clients can always connect but can't ping or connect to remote resources).

Two of the ASAs are running 7.2 and yesterday I updated one to 8.4(2), but it did not help.

Most of the time when the VPN is not working, the client can only ping a remote server once. No matter if the client is using 3G or a wired connection.

Ping statistics for 192.168.100.2:

    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),

Approximate round trip times in milli-seconds:

    Minimum = 11ms, Maximum = 11ms, Average = 11ms

Then suddenly, after 5 min or 2 days, with the VPN connection open all the time or after a reconnect:

Ping statistics for 192.168.100.2:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 12ms, Maximum = 16ms, Average = 13ms


Clients use XP and Windows 7... no difference.

The second problem is that remote DNS names do not work, so I cannot use, for example, a mapped home folder with the server name; I have to use the server's IP.

Running configuration (of 8.4(2))

Result of the command: "sh run"

: Saved

:

ASA Version 8.4(2)

!

hostname ciscoasa

domain-name domain

enable password *** encrypted

passwd ***  encrypted

multicast-routing

names

name 213.139.x.x ulkoip description gw

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.100.1 255.255.255.0

ospf cost 10

!

interface Vlan2

nameif outside

security-level 0

ip address 213.139.x.x 255.255.255.248

ospf cost 10

!

interface Vlan3

no forward interface Vlan1

nameif dmz

security-level 50

ip address 192.168.50.1 255.255.255.0

ospf cost 10

!

boot system disk0:/asa842-k8.bin

ftp mode passive

clock timezone EEST 2

clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server 192.168.100.2

name-server 62.241.198.245

domain-name domain

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-192.168.100.0

subnet 192.168.100.0 255.255.255.0

object network obj-192.168.1.0

subnet 192.168.1.0 255.255.255.0

object network obj_any-01

subnet 0.0.0.0 0.0.0.0

object network obj_any-02

subnet 0.0.0.0 0.0.0.0

object network obj-0.0.0.0

host 0.0.0.0

object network obj_any-03

subnet 0.0.0.0 0.0.0.0

object network obj_any-04

subnet 0.0.0.0 0.0.0.0

object-group network obj_any

access-list inside_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 192.168.100.0 255.255.255.0

access-list as extended permit ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.192

access-list domainVPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list domainVPN_splitTunnelAcl_1 standard permit 192.168.1.0 255.255.255.0

access-list domainVPN_splitTunnelAcl_2 standard permit 192.168.1.0 255.255.255.0

access-list kissa_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0

access-list Sisaverkko standard permit 192.168.100.0 255.255.255.0

access-list tunneliryhma_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

access-list inside_nat0_outbound_1 extended permit ip any any

access-list inside_test extended permit icmp any host 192.168.100.2

access-list Outside_In extended permit icmp any any unreachable

access-list Outside_In extended permit icmp any any time-exceeded

access-list Outside_In extended permit icmp any any echo-reply

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool VPNpooli2 192.168.100.20-192.168.100.29 mask 255.255.255.255

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit host 192.168.100.21 inside

icmp permit any outside

icmp permit host 192.168.100.21 outside

asdm image disk0:/asdm-645-206.bin

no asdm history enable

arp timeout 14400

nat (inside,any) source static obj-192.168.100.0 obj-192.168.100.0 destination static obj-192.168.100.0 obj-192.168.100.0 no-proxy-arp

nat (inside,inside) source static any any no-proxy-arp route-lookup

!

object network obj_any-01

nat (inside,outside) dynamic interface

object network obj_any-02

nat (inside,outside) dynamic obj-0.0.0.0

object network obj_any-04

nat (dmz,outside) dynamic obj-0.0.0.0

route outside 0.0.0.0 0.0.0.0 ulkoip 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

eou allow none

url-cache dst 10

http server enable

http 192.168.100.0 255.255.255.0 inside

http 192.168.1.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map outside_dyn_map 1 set pfs

crypto dynamic-map outside_dyn_map 1 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 40 set pfs

crypto dynamic-map outside_dyn_map 40 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 60 set pfs

crypto dynamic-map outside_dyn_map 60 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 80 set pfs

crypto dynamic-map outside_dyn_map 80 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 100 set pfs

crypto dynamic-map outside_dyn_map 100 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 120 set pfs

crypto dynamic-map outside_dyn_map 120 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 140 set pfs

crypto dynamic-map outside_dyn_map 140 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 160 set pfs

crypto dynamic-map outside_dyn_map 160 set ikev1 transform-set ESP-3DES-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp nat-traversal 30

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd domain domain

!

dhcpd address 192.168.100.20-192.168.100.149 inside

dhcpd dns 192.168.100.2 62.241.198.246 interface inside

dhcpd wins 192.168.100.2 interface inside

dhcpd domain domain interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics host

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

enable outside

group-policy domainVPN internal

group-policy domainVPN attributes

vpn-tunnel-protocol ikev1 l2tp-ipsec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value Sisaverkko

address-pools none

username Vantaa password *** encrypted

username Vantaa attributes

service-type remote-access

username Hannes password ***  encrypted privilege 15

username Hannes attributes

vpn-group-policy domainVPN

username poysant password ***  encrypted

username poysant attributes

vpn-group-policy domainVPN

tunnel-group domainVPN type remote-access

tunnel-group domainVPN general-attributes

address-pool (inside) VPNpooli2

address-pool VPNpooli2

default-group-policy domainVPN

tunnel-group domainVPN ipsec-attributes

ikev1 pre-shared-key *****

isakmp keepalive disable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 4096

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect dns preset_dns_map

  inspect ip-options

  inspect icmp

class class-default

  user-statistics accounting

!

service-policy global_policy global

prompt hostname context

compression anyconnect-ssl

call-home reporting anonymous prompt 2

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:cb5f8ee4bdc6a10462fe89b5a2c4d313

: end

Marcin Latosiewicz Thu, 12/01/2011 - 04:11

Hannes,

Neither of the questions is really on best practices in IPsec VPN, but I can give this a shot.

Problem 1)

I would suggest opening a TAC case to get to the bottom of this, but here are a few things you can check on your own:

- Check if clients behind NAT and clients with a public IP address are affected in the same way.

- Check if the ASA is processing those packets and sending replies (show crypto ipsec sa is a good place to start).

- Since the problem persists between two very distinct ASA versions and on three devices, I would also be interested in whether the same ISP is involved.

- Are all clients affected when the problem starts, or only a few?

- Is there anything in the topology that might try to understand ESP or UDP/4500 packets (some firewalls and broadband routers are known to "inspect" VPN flows)?

Problem 2)

It's not clear to me whether you have problems with name resolution or with the connection after name resolution is done.

For example, did you check if the names resolve properly in "nslookup" and whether there is a difference when looking up "server" and "server.mydomain.tld"? If you inspect "ipconfig /all", do you see the proper DNS server and domain suffix applied to the interface?

HTH,

Marcin

Marcin Latosiewicz Thu, 12/01/2011 - 04:18

Nelson,

The problem you mention is not related to IPsec VPN best practices :-)

What I would suggest is to open up a TAC case specifying:

1) Information about WIC/module you're using for E1/T1?

2) Purpose of E1/T1 (uplink to ISP for data, voice trunk)?

3) software information about router.

4) "show diag", "show inv", "show logg", "show tech outputs".

Marcin

jvardhan29 Sat, 12/03/2011 - 21:52

Hi Marcin,

I have been a regular viewer of your documents in the forum and appreciate your contribution. Can you please throw some light on how to evaluate performance or calculate the throughput across a site-to-site VPN? For example, usually we calculate the throughput of a firewall (ASA) from the output of show interface, using the statistics there (bytes/sec, pps etc.). But how do we know how much VPN traffic is contributing, and whether the firewall is getting overwhelmed because of the VPN traffic and not because of the clear text traffic?

Regards

Jayesh

Marcin Latosiewicz Mon, 12/05/2011 - 02:26

Jayesh,

Thanks for interest in our docs, I hope you're getting meaningful information out of it :-)

Now regarding your question I see several levels here.

1) Are IPsec flows contributing to any sort of "oversubscription" of the ASA?

The answer is "yes, they can". IPsec packets will still occupy interface buffers, but they are treated like any other frame in the buffer.

Packet encryption and decryption is handled by a special accelerator engine, so that part should not overwhelm the CPU (which is the shared resource for the entire platform).

The best way to monitor whether it is IPsec that is causing the problems is to monitor the connection table, to see if there is an abnormally high number of connections related to a particular tunnel.

For example:

show conn detail address 192.168.1.1-192.168.1.254

2) Now regarding calculating of throughput.

There are two possible answers here.

a) Maximum throughput.

In which case I suggest running iperf with UDP of 1400 bytes, which should give you a good enough max throughput via the tunnel.

Link to iperf http://sourceforge.net/projects/iperf/

b) Plotting current throughput of IPsec and IKE on ASA.

Best to monitor:

cipSecTunOutOctets

cipSecTunInOctets

cikeTunOutOctets

cikeTunInOctets

Reference:

ftp://ftp.cisco.com/pub/mibs/v2/CISCO-IPSEC-FLOW-MONITOR-MIB.my

(Please note that the tunnel index is not persistent - I can't find the related enhancement request, will update this post when/if found.)

Note that if you want to know what OIDs are supported on ASA you can do:

show snmp-server oidlist  !it's a hidden command.

c) Plotting current throughput on IOS.

We already recommend using virtual interfaces (Tunnel, DVTI or SVTI).

You can monitor tunnel bandwidth by reading interface stats.

Remember to make ifindex persistent over reload:

PE2_872(config)#snmp-server ifindex persist

Please note that we could probably write a whole book chapter on this topic; I just wanted to give you a place to start.

HTH,

Marcin
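The octet counters named above are Counter32 values and the tunnel index changes whenever a tunnel is re-established, so a poller has to match rows by peer address and tell a counter wrap from a rebuilt tunnel. This added example (not code from the thread or from Cisco) does that for two constructed polls of cipSecTunInOctets / cipSecTunOutOctets; the peer address is assumed to come from the remote-address column of the same tunnel table.

```python
# Added example (not from the thread or Cisco): turn two SNMP polls of
# cipSecTunInOctets / cipSecTunOutOctets into per-tunnel bit rates. Because the
# tunnel index is not persistent, rows are matched by remote peer address
# (assumed to come from the same tunnel table). Both polls are constructed.
COUNTER32 = 2 ** 32  # the octet counters in CISCO-IPSEC-FLOW-MONITOR-MIB are Counter32

# Constructed poll results: tunnel index -> {peer, in octets, out octets}.
POLL_T0 = {
    7: {"peer": "203.0.113.10", "in": 1_000_000, "out": 2_000_000},
    8: {"peer": "203.0.113.20", "in": 9_000_000, "out": 500_000},
    9: {"peer": "203.0.113.30", "in": 4_294_900_000, "out": 10_000},
}
POLL_T1 = {  # 60 seconds later
    7: {"peer": "203.0.113.10", "in": 7_000_000, "out": 5_000_000},
    11: {"peer": "203.0.113.20", "in": 150_000, "out": 800_000},  # index changed: tunnel rebuilt
    9: {"peer": "203.0.113.30", "in": 100_000, "out": 20_000},    # same index: counter wrapped
}

def delta(prev, cur, same_index):
    """Octets transferred between polls, handling Counter32 wrap and tunnel re-establishment."""
    if cur >= prev:
        return cur - prev
    if same_index:
        return cur + COUNTER32 - prev  # wrapped (a rebuilt tunnel reusing its old index looks the same)
    return cur  # new index: the tunnel was rebuilt and its counters restarted from zero

def tunnel_rates(poll_a, poll_b, interval_s):
    """Map peer -> {in_bps, out_bps, rebuilt} for tunnels present in both polls (one tunnel per peer)."""
    prev_by_peer = {row["peer"]: (idx, row) for idx, row in poll_a.items()}
    rates = {}
    for idx, row in poll_b.items():
        if row["peer"] not in prev_by_peer:
            continue  # came up after the first poll: no baseline yet
        prev_idx, prev = prev_by_peer[row["peer"]]
        same = prev_idx == idx
        rates[row["peer"]] = {
            "in_bps": delta(prev["in"], row["in"], same) * 8 / interval_s,
            "out_bps": delta(prev["out"], row["out"], same) * 8 / interval_s,
            "rebuilt": not same,
        }
    return rates

if __name__ == "__main__":
    for peer, r in tunnel_rates(POLL_T0, POLL_T1, 60).items():
        print(f"{peer}: in {r['in_bps']:.0f} bps, out {r['out_bps']:.0f} bps, rebuilt={r['rebuilt']}")
```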

FIDLAFIDLA Mon, 12/05/2011 - 12:32

Hello Marcin,

I have a question.

My written security policy says that vpn client should be able to connect just from known locations.

namely:

- Home office,

- Specific branch,

- customer's host network.

I know the IPs (ranges, IP addresses and so on) but I don't know how to limit this user to connect from his home office, and another from another home office network.

So my questions are:

1. How to limit the ability to log in to the VPN (IPsec or, better, SSL VPN) just from specific IPs.

2. How to limit the ability to log in to the VPN just from specific IPs, specified per user.

Thank you,

Tomas

Marcin Latosiewicz Mon, 12/05/2011 - 15:27

Tomas,

That's an interestingly structured policy :-)

1) No problem for static peers (especially if they are IPsec).

For SSL you can look at CSD pre-login policy - it can identify IP addresses, but is far from scalable in terms of management (especially in a very dynamic environment) and has some limitations (for example, what happens when a peer is behind NAT).

IOS devices can implement a very basic ACL check on the WAN-facing interface (to allow connection from known IPs/DNS names to UDP/443, TCP/443 and UDP/500) , something which is a bit harder on ASA.

2) Obviously one of the biggest problems is how you inform your VPN headend about the IP addresses your users will specify, and how scalable it is (imagine all your users behind a dynamic IP).

Let's assume for a moment that the IP address is somehow made available for us in our AAA server (RADIUS, LDAP/AD).

We could create a DAP policy to compare the IP address used for connection and the one in LDAP/AD...

It's after midnight here, I'll check if it's doable tomorrow and edit this post hopefully in the morning.

Marcin

FIDLAFIDLA Mon, 12/05/2011 - 22:13

Thank you.

Static peers? ... you mean that a static peer can be limited to more than 1 IP address, like to a list of IPs?

Scalability is not a problem (it is not for millions of people)... but the intention is that they log in just from permitted sites, like user "APPLE" is permitted to enter just if he is at sites with public IPs 78.21.21.0/24 or 85.25.13.11/32. We want to allow him if he is behind NAT, but just from those sites.

ACL ... I had this idea too. It is not ideal, but better something than nothing (it doesn't limit per user, but generally)... Do you know some working config example for ASA?

Marcin Latosiewicz Tue, 12/06/2011 - 08:40

Tomas,

One of the specifics of ASA as compared to IOS is the way we treat traffic incoming to the box.

On IOS, traffic to the box is still subject to the interface ACL check, while we have special control plane ACLs on ASA.

Plus ACLs do not solve the problem "Maybe Apple should not connect from this IP, but maybe Orange might?".

I.e. we only know that an IP is matching a user after authentication is done.

Now regarding pre-login policy check, one of the problems you will face is that initially you don't know who the user is.

Have you considered checking, for example, that the hostname of the computer agrees with the username?

For example that user "apple" can connect from "apple-laptop" or "apple-desktop" :]

That would be a bit easier.

Alternative is to create a CSD pre-login policy matching your users.

Later on you could match this policy to a user in DAP. And if the username is bart and the policy chosen is not bart, you would fail.

I think it's safe to say, DAP can be the only way out on ASA ;-)

I'm not a big fan of this solution. Whenever I'm implementing something, I'm asking myself "How long will it take, for whoever comes to manage this device next, to understand this setup?".

The simpler the better, that's the way I see it :-)

M.

FIDLAFIDLA Wed, 12/07/2011 - 03:35

Thank you for your responses...

but what I don't understand is why we cannot match user access privilege against the IP address of the client that is seen by the ASA.

(The IP address of the client that the ASA is seeing is listed on lines in the log like: Group user IP Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy). So the information is already there..

Is there another way, like without installing CSD on clients?

BTW: on a UNIX system I can program such a thing in a few minutes. It is just creating a file with usernames and IP addresses and adding a few lines of code to the server software (if it does not support this) to parse this file after the username is known, and that's all. No need for any client side SW.

Marcin Latosiewicz Wed, 12/07/2011 - 08:24

Tomas,

As I said, the closest thing that can make a decision based on logical expressions is DAP.

The line you indicated is already at the end of the connection process; only then do you know:

- What is the IP address used for connection?

- Who is the user?

- What group do they belong to?

- what DAP policies were applied.

Before this we know only parts of the info.

The scenario that I mentioned:

User Alice can log in from IP address X, but does it mean that Bob can log in from X?

Is it important that Bob cannot log in from Alice's IP?

And yes, I think you could even write a script that would go into the ASA via SSH, perform "show vpn-sessiondb ..." and, based on certain criteria, disconnect users :-)

But hey, I'm just one guy feel free to run this by your SE.

Marcin
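The per-user source-IP check Tomas describes and the post-authentication script Marcin sketches come together in this added example (not Marcin's or Cisco's code): it parses session output shaped like "show vpn-sessiondb", compares each session's public IP with a constructed per-user allow list, and emits the logoff commands for violations. The SSH transport is left out, the session output is constructed, and the field labels are assumed.

```python
# Added example, not Marcin's or Cisco's code: check live sessions against a per-user
# list of permitted source networks, as a script pulling "show vpn-sessiondb" over SSH
# could. SSH is left out; the output below is constructed to resemble the ASA format.
import ipaddress
import re

# Constructed policy: username -> permitted public source networks.
POLICY = {
    "apple": ["78.21.21.0/24", "85.25.13.11/32"],
    "orange": ["203.0.113.0/24"],
}

# Constructed sample resembling "show vpn-sessiondb anyconnect" output (labels assumed).
SESSIONS_TEXT = """
Username     : apple                  Index        : 12
Assigned IP  : 10.10.10.5             Public IP    : 78.21.21.45
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Username     : orange                 Index        : 13
Assigned IP  : 10.10.10.6             Public IP    : 85.25.13.11
Username     : pear                   Index        : 14
Assigned IP  : 10.10.10.7             Public IP    : 198.51.100.9
"""

FIELD = re.compile(r"(Username|Index|Public IP)\s*:\s*(\S+)")

def parse_sessions(text):
    """Split the output into one dict per session, keyed by the field labels above."""
    sessions, cur = [], {}
    for line in text.splitlines():
        for key, val in FIELD.findall(line):
            if key == "Username" and cur:  # a new Username line starts the next session
                sessions.append(cur)
                cur = {}
            cur[key] = val
    if cur:
        sessions.append(cur)
    return sessions

def evaluate(sessions, policy):
    """Return [(user, index, public_ip, verdict)]; verdict is permitted/violation/no-policy."""
    out = []
    for s in sessions:
        user, ip = s["Username"].lower(), ipaddress.ip_address(s["Public IP"])
        allowed = policy.get(user)
        if allowed is None:
            verdict = "no-policy"  # unlisted user: what to do with these is a separate decision
        elif any(ip in ipaddress.ip_network(net) for net in allowed):
            verdict = "permitted"
        else:
            verdict = "violation"  # e.g. orange connecting from one of apple's addresses
        out.append((user, s["Index"], str(ip), verdict))
    return out

def logoff_commands(verdicts):  # ASA CLI lines an operator could run per violating session
    return [f"vpn-sessiondb logoff index {idx}" for _, idx, _, v in verdicts if v == "violation"]
```

The second session is the case Marcin raises: orange connects from an address that is only on apple's list, so it is flagged even though the address itself is "known".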

gabelchris Mon, 12/05/2011 - 17:58

Hi Marcin,

I have a simple site to site vpn setup using 2 cisco 2901 routers.

Initially I had an active connection, but limited ping ability and connectivity.

I added "reverse-route", to my crypto map on both routers and now have full connectivity.

I don't have any experience with this command and haven't seen it in many configs.

Do you know why this would fix my connection issues?

Thanks!

Chris

Marcin Latosiewicz Tue, 12/06/2011 - 01:27

Chris,

On IOS when you add reverse-route (we call it RRI - reverse route injection) under a crypto map, the router will add a static route pointing towards the remote subnet to its routing table when the IPsec tunnel is up (that's the default setting in newer releases).

When we're talking about crypto maps, a router needs to add a route pointing through the interface which we have the crypto map applied on.

RRI is quite a simple concept, but with many possibilities.

For example a very common deployment is to have VPN clients/remote sites connect in and redistribute corresponding static routes from routing table to dynamic routing protocol. This should typically provide end to end connectivity.

Configuration guide about RRI

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_rev_rte_inject_ps10591_TSD_Products_Configuration_Guide_Chapter.html#wp1053023

Command reference:

http://www.cisco.com/en/US/docs/ios-xml/ios/security/m1/reauthentication_time_through_rsa-pubkey.html#GUID-693630A4-5CD1-48FB-9732-7323206F5981

What you can try is to spot the difference in the routing table between the scenarios when RRI is enabled and when it's disabled.

show ip route REMOTE_IP_ADDRESS

show ip cef REMOTE_IP_ADDRESS

HTH,

Marcin

seanbakers Tue, 12/06/2011 - 03:53

hi

I have an IPsec tunnel between a 5510 & a router; at specific times the VPN goes down. We thought it might be some scheduled tasks on the remote server, but these have been disabled & the link still goes down. Do the timers at both ends have to match?

I have attached the configs & syslog details showing some errors. I'm not very good in this area so any help would be great.
Marcin Latosiewicz Tue, 12/06/2011 - 05:19

Sean,

The phase 2 negotiation is failing because of a phase 2 mismatch:

All IPSec SA proposals found unacceptable!

I assume that 19x.6x.21x.10x is the IP address of your ASA? If so your router doesn't have PFS configured.

Try adding:

crypto map SDM_CMAP_1 3 ipsec-isakmp

 description Tunnel_to_xxxxxxxx

 set peer 19x.6x.21x.10x

 set transform-set VPN-xxxxx

 match address 107

 set pfs group2

I'm suggesting this, but note that I do not have the full view (however on your ASA all configured tunnels have PFS enabled).

HTH,

Marcin

seanbakers Tue, 12/06/2011 - 05:32

hi Marcin

sorry but what is PFS?

192.x.x.x is the asa address.

seanbakers Tue, 12/06/2011 - 06:29

Hi

makes sense now, but with PFS only configured at one end, would it cause the connection to go down?

Marcin Latosiewicz Tue, 12/06/2011 - 06:38

Sean,

I think a better question would be "Why does it work initially and fail later?" and the answer is - we'd need to understand a bit more how the initial establishment works and a bit more about the failure itself.

As you pointed out parameters on both sides should match for tunnel establishment to go through.

Having only a limited view of your network/debugs it's hard for me to say more.

Marcin

seanbakers Wed, 12/07/2011 - 02:30

hi Marcin,

The 2 end points are not managed by me which makes it more difficult, i have however been given the configs.

I have noticed that on the ASA there are timers:

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 92.103.186.50

crypto map outside_map 1 set transform-set ESP-AES-128-SHA

crypto map outside_map 2 match address outside_2_cryptomap

crypto map outside_map 2 set pfs

crypto map outside_map 2 set peer 217.128.83.102

crypto map outside_map 2 set transform-set ESP-AES-128-SHA

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 86400

crypto isakmp policy 20

 authentication pre-share

 encryption aes

 hash sha

 group 2

 lifetime 28800

however on the router these are missing:

crypto ipsec transform-set VPN-xxxx esp-aes esp-sha-hmac

crypto map SDM_CMAP_1 1 ipsec-isakmp

 description Tunnel_to_xxxxxxx

 set peer 212.99.29.178

 set transform-set VPN-xxxxx

 match address 105

crypto map SDM_CMAP_1 2 ipsec-isakmp

 description Tunnel_to_xxxxxx

 set peer 194.62.210.63

 set transform-set VPN-xxxx

 match address 106

crypto map SDM_CMAP_1 3 ipsec-isakmp

 description Tunnel_to_xxxxxx

 set peer 194.62.210.108

 set transform-set VPN-xxxxx

 match address 107

 set pfs group2

Marcin Latosiewicz Wed, 12/07/2011 - 02:46

Sean,

We're talking about phase 2 parameters; by default the phase 2 lifetime is one hour, and neither of the configs shows any change of those parameters. You can try disabling PFS on your side and give it a try ;-)

Marcin

seanbakers Wed, 12/07/2011 - 03:04

Hi marcin

I have now got PFS enabled on the router as suggested yesterday:

crypto map SDM_CMAP_1 3 ipsec-isakmp

 description Tunnel_to_xxxxxxxx

 set peer 19x.6x.21x.10x

 set transform-set VPN-xxxxx

 match address 107

 set pfs group2

So now PFS is enabled at both ends. Are you saying that if I disable PFS at both ends the tunnel should not time out?

Marcin Latosiewicz Wed, 12/07/2011 - 08:15

Sean,

All I'm saying is that during rekey there was a problem with a mismatch of attributes ;-)

One of the things I spotted was a discrepancy in PFS.

Will that give you stability? I don't know, I do not have the full view of the debugs and your network. I think it's a step in the right direction ;-)

Open up a case with TAC if you want us to analyse this properly.

Marcin
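The mismatch Marcin spotted (PFS set on the ASA entry, absent on the matching router entry) is the kind of thing a quick side-by-side check catches before a rekey fails. This added example (not code from the thread or from Cisco) parses crypto map entries in both the ASA one-command-per-line form and the IOS indented form, finds the entry each side uses for the other, and reports PFS and transform-set differences; both config excerpts are constructed, loosely following the ones posted above, with documentation-range addresses.

```python
# Added example, not code from the thread: parse the crypto map entries of an ASA
# and an IOS config excerpt and report phase 2 mismatches (PFS, transform-set
# algorithms) for the tunnel between them. Both excerpts are constructed.
import re

ASA_CFG = """
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 198.51.100.50
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
"""
IOS_CFG = """
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
crypto map SDM_CMAP_1 3 ipsec-isakmp
 set peer 203.0.113.108
 set transform-set VPN-TS
 match address 107
"""
HEADER = re.compile(r"crypto map (\S+) (\d+)(?: (.*))?$")  # ASA: sub-command on the same line
SETTER = re.compile(r"set (pfs|peer|transform-set)(?: (\S+))?$")

def parse(cfg):
    """Return {peer address: {"pfs": group / 'on' / None, "algs": transform algorithms}}."""
    tsets, entries, cur = {}, {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if m:
            tsets[m.group(1)] = tuple(m.group(2).split())
            continue
        m = HEADER.match(line)
        if m:  # IOS: header line, indented sub-commands follow; ASA: one full command per line
            cur = entries.setdefault(m.group(1, 2), {"pfs": None, "peer": None, "transform-set": None})
            line = m.group(3) or ""
        elif cur is None:
            continue
        m = SETTER.match(line)
        if m:
            cur[m.group(1)] = m.group(2) or "on"  # "set pfs" without a group: platform default group
    return {e["peer"]: {"pfs": e["pfs"], "algs": tsets.get(e["transform-set"])}
            for e in entries.values() if e["peer"]}

def compare(asa_cfg, asa_addr, ios_cfg, ios_addr):
    # Compare the ASA entry that peers with ios_addr against the IOS entry that peers with asa_addr.
    a, i = parse(asa_cfg).get(ios_addr), parse(ios_cfg).get(asa_addr)
    if a is None or i is None:
        return ["one side has no crypto map entry for the other's address"]
    issues = []
    if (a["pfs"] is None) != (i["pfs"] is None):
        issues.append(f"PFS: asa={a['pfs'] or 'off'} ios={i['pfs'] or 'off'}")
    elif a["pfs"] != i["pfs"] and "on" not in (a["pfs"], i["pfs"]):
        issues.append(f"PFS group: asa={a['pfs']} ios={i['pfs']}")  # 'on' means check the platform default
    if a["algs"] != i["algs"]:
        issues.append(f"transform: asa={a['algs']} ios={i['algs']}")
    return issues
```

Appending " set pfs group2" to the IOS entry, as Sean did, clears the only reported issue; lifetimes are not compared because, as Marcin notes, neither config changes the phase 2 default.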

gabelchris Thu, 12/08/2011 - 13:16

Marcin,

Thanks for the information on reverse route.

Quick question, is it normal that the site to site vpn can only be brought up from one direction?

Also when I do a test of the tunnel using the CCP, I get an active connection but I get the error message stating:

"A ping with data size of this VPN interface MTU size and 'Do no Fragment' bit set to the other end VPN device is failing. Issue the command crypto ipsec df-bit clear under the VPN interface to avoid packets dropped due to fragmentation."

I added this command to the outside interface on each router but it didn't seem to make a difference.

Thanks,

Chris

Marcin Latosiewicz Fri, 12/09/2011 - 05:30

Chris,

It's definitely not good that the tunnel establishes only one way. But consider that we need to have a route pointing through the crypto-enabled interface for the tunnel to be brought up.

When you bring it up from one side RRI kicks in and a route should be present for return traffic.

Some setups may benefit from "reverse-route static" option, give it a try it MAY resolve the problem (if routing is the only underlying problem).

For what CCP is telling you, we never allow that option by default. It's a way to kill the performance of any network.

We suggest enabling it only in certain scenarios (big UDP packets - LWAPP for example).

For the majority of internet traffic, adjusting the MSS on the LAN interface (ip tcp adjust-mss ... a decent value to start with is 1360) should be enough.

I think CCP is trying to perform a ping with the DF-bit set with a packet size of 1500 - but it's hard to say, we almost never use CCP/SDM internally or for troubleshooting.

Marcin

dianewalker Tue, 12/06/2011 - 19:17

Marcin,

Is there a way to calculate the throughput and evaluate performance on Cisco VPN client?  We are going to upgrade VPN appliances from VPN 3000 Concentrators to ASA 5510.

Thanks.

Diane

Marcin Latosiewicz Wed, 12/07/2011 - 00:32

Diane,

I see several levels to this question.

1) The VPN client's throughput will depend on available CPU power (unlike almost all Cisco platforms, where we do encryption/decryption in a special hardware chip, the VPN client is using CPU power) and path quality between the VPN client and the headend (i.e. packet drop, latency, maximum MTU).

We don't typically measure this, since the outcome will depend on factors external to the VPN client itself.

You can probably tweak the performance by a few microseconds by switching from 3des to aes, but it should not give a great benefit.

If you're really interested in taking a measurement, use iperf (it's free). Run two streams of UDP 1400 bytes (one in each direction) and see what rate you can achieve.

2) Since ASA 5510 is a newer platform (than VPN3k) I doubt you will hit any bottlenecks on the ASA's side after migration.

There is a more powerful crypto chip built in and way more CPU power to push traffic around.

Does that answer your question?

Marcin

P.S.

Cisco VPN client is going to be retired:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_eol_notices_list.html

Posted November 28, 2011 at 9:40 AM