Ask the Expert: IPsec VPN

ciscomoderator
Community Manager

With Marcin Latosiewicz

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to get an update on IPsec VPN with Cisco expert Marcin Latosiewicz, who will answer questions on the topic of best practices when implementing IPsec VPNs on IOS and ASA. Marcin Latosiewicz is a Customer Support Engineer at the Cisco Technical Assistance Center in Belgium, with over four years of experience with Cisco Security products and technologies including IPsec, VPN, internetworking appliances, network and systems security, internet services and Cisco networking equipment.

Remember to use the rating system to let Marcin know if you have received an adequate response. 

Marcin might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event. This event lasts through December 9th, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

Accepted Solution

Hi Kleber

Not knowing your settings and assuming some Cisco defaults it could be a problem during phase 1 rekey (86400 seconds is the default).

What I would also look into is whether by any chance you have a vpn idle timeout or vpn session timeout applied to your (what I assume are) LAN-to-LAN tunnels.

Check logs on ASA (we drop some logs on informational level) on failure.

If you feel like debugging - debug cry isakmp 127 .

What I would suggest regardless is to open a TAC case; there are quite a few problems we have seen in the past with Sonicwall.

Mostly smaller problems with (mis)configuration, but occasionally a bug (on either side).

We need more info :-)

HTH and GL,

Marcin


60 Replies

gouda64cisco
Level 1

Good morning

I have Win7 on my PC with the Cisco client installed; the VPN to our customer is working, but I cannot ping this network. On my PC I also have a VMware XP VM with the Cisco client installed. On the XP client it is working with the same .pcf file; ping connects.
What could have happened on the Win7 client or PC?

Can you give me some info where is maybe the problem.

thanks a lot

Stephan,

Interesting question, I'm afraid there is no one simple answer.

Places I would start checking:

0) Check if ICMP is the only protocol affected or whether we see similar symptoms for everything else.

1) Disable firewall on windows 7 and re-test.

We've had quite a few problems with this.

2) Perform sniffer trace on windows 7 physical and VPN adapter interfaces.

We're interested to see our (ICMP) packets leaving AND coming back.

Note that on the physical interface you will see either ESP or AH, or UDP/4500 packets.

3) Enable logging on the VPN client (from the GUI you can set it up to level 3, but editing vpnclient.ini will allow you to set it to level 15).

While performing the testing, check the "statistics" section (mostly for discarded or bypassed) but also the logs, to see if any packet drop is reported.

4) Only once everything seems clear in points 1-3 would I move to checking the VPN headend.

There could be multiple causes with different resolution steps. What you need to do first is to perform some basic checks to know where the problem is located. Typically all our VPN teams in TAC can help you do it very efficiently and they can teach you a few tricks, if you're in the mood :-)

Marcin

arthursim
Level 1

Here's my situation. I have a client with 3 offices and we're trying to use RV120Ws in each location to provide IPSec VPN site-to-site connections. 2 of the offices have internet connections which can provide public IP addresses to the Cisco router. The third office is unfortunately using a device that has no option to disable the NAT in their router.

The 2 offices with public IPs on their WAN ports have been configured and are passing along VPN traffic just fine. I can't find any information on how to allow this third office to connect through that NAT'd router. My traffic in the office goes like this, to be clear:

Office PCs (192.168.3.x) -> Cisco LAN (192.168.3.1)

Cisco WAN (192.168.0.2) -> Netgear 4G Turbo Hub (192.168.0.1) -- Netgear gets public IP from cellular network.

My other routers are using 192.168.1.x and 192.168.2.x respectively, so there aren't any common subnets either.

Any help with NAT traversal??  Thanks much.

Arthur,

This is not the Small Business section of forums, so I might not be the best person to respond to this.

But I'll give it a shot.

NAT Traversal requires that communication on ports UDP/4500 and UDP/500 is allowed. I checked the device at a glance and I see that it's capable of NAT traversal (at least according to the spec).

What you can do is try to forward those ports to your RV device on the Netgear (if it has this capability); that should actually allow you to both initiate and respond to the IPsec VPN.

I would first of all check whether there is any place where this setting is disabled (although I would say it makes a sane default to have it on).

Another place (which reminds me of things we had in Linksys routers) is the Netgear; it should ideally just allow communication coming to/from those ports. I know some small business devices "inspect" VPN.

Hope this helps, but for a concrete answer I would check the Small Business section.

Marcin

Marcin,

Thanks for your assistance the other day on this; upon further investigation I found out the problem. I was able to determine that the third office that's using a 4G router is actually behind a 10.x.x.x private router on the ISP side. After many phone calls, the provider is not willing/able to provide us with a public IP service or a static IP. Port forwarding will not work in this situation either.

A phone call to the Partner Help Desk and 15 minutes later, I was told that an ASA5505 can be configured to work through a private IP configuration such as this. So, my question is this. Will this device be able to create an IPSec tunnel to a small business router such as the VR120W, or should I get 2 of these devices?

Thanks again for all your help.

Arthur,

ASA's IPsec VPN is standards-based; if you place it behind NAT there should be no problem for it to initiate a VPN connection with NAT traversal.

You might also want to add keepalives:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2236606

Now if you want to be a responder in the IPsec negotiation, that's a bit of a different story; you will somehow need to allow UDP/500 and UDP/4500 inside.

TL;DR ASA behind NAT: no problem with IPsec to any standards-based device, but only as an initiator.

Marcin
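The sniffer-trace advice earlier in the thread (ESP/AH or UDP/4500 on the physical interface) and the NAT-traversal replies above both come down to recognising which form the IPsec traffic takes on the wire. The classifier below is an added example, not code from the thread or from Cisco; the sample trace is constructed, reusing the poster's 192.168.0.2 -> 192.168.0.1 addresses with dummy payloads, and the labels it produces are my own naming.

```python
import struct
from collections import Counter

IP_PROTO_UDP, IP_PROTO_ESP, IP_PROTO_AH = 17, 50, 51
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: 4 zero bytes precede IKE on UDP/4500

def classify_ipsec_packet(frame: bytes) -> str:
    """Label one raw IPv4 packet (no Ethernet header) by the IPsec form it carries."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return "not-ipv4"
    proto, payload = frame[9], frame[(frame[0] & 0x0F) * 4:]
    if proto == IP_PROTO_ESP:
        return "esp"                 # native IPsec: no NAT in the path
    if proto == IP_PROTO_AH:
        return "ah"
    if proto != IP_PROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    if 500 in (sport, dport):
        return "isakmp"              # IKE before NAT detection
    if 4500 in (sport, dport):
        if data[:4] == NON_ESP_MARKER:
            return "isakmp-natt"     # IKE moved to 4500 after NAT was detected
        if data[:1] == b"\xff":
            return "natt-keepalive"  # single 0xFF byte keeps the NAT binding alive
        return "esp-udp"             # ESP in UDP; first 4 bytes are the (non-zero) SPI
    return "other"

def summarize(frames) -> dict:
    """Count packet kinds; a trace with esp/esp-udp in only one direction mirrors the symptom."""
    return dict(Counter(classify_ipsec_packet(f) for f in frames))

# Constructed sample trace: Cisco WAN 192.168.0.2 -> Netgear 192.168.0.1, dummy payloads.
def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 168, 0, 2]), bytes([192, 168, 0, 1])) + payload

def _udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

SAMPLE_TRACE = [
    _ipv4(IP_PROTO_UDP, _udp(500, 500, b"\x00" * 28)),                        # IKE on UDP/500
    _ipv4(IP_PROTO_UDP, _udp(4500, 4500, NON_ESP_MARKER + b"\x00" * 28)),     # IKE on UDP/4500
    _ipv4(IP_PROTO_UDP, _udp(4500, 4500, b"\x00\x00\x01\x2c" + b"\x00" * 8)), # ESP in UDP
    _ipv4(IP_PROTO_UDP, _udp(4500, 4500, b"\xff")),                           # NAT keepalive
    _ipv4(IP_PROTO_ESP, b"\x00\x00\x01\x2c" + b"\x00" * 8),                   # native ESP
]
```

Run `summarize()` separately over packets captured on the physical adapter in each direction: if UDP/4500 or ESP shows up leaving but never returning, the block is on the path or at the far end, not in the client.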

lap
Level 2

Hi Marcin,

We have a customer with a basic hub and spoke IPsec network. At the headend there is a Cisco ASA and the spokes have a Cisco 1812 or a Cisco 881. There are around 100 spokes. The issue there is that when an ISP changes an IP address at a spoke location, we have to send a technician to make changes both on the spoke router and on the ASA. So I was thinking that DMVPN would be a good solution for the customer. But one of my colleagues thinks that Easy VPN will be a better solution in this case, as he thinks that DMVPN will add too much complexity to the customer network. There is no need for spoke to spoke traffic. But I think that the spoke to spoke feature can be disabled in DMVPN. Then the customer network is really simple. The spoke locations only need to reach some servers at the headend location. Then the ASA cannot do DMVPN.

So what do you think? Should we advise DMVPN or EasyVPN?

Then I have seen that there are some new features in EasyVPN, is that correct?

What about FlexVPN, could it be a solution there maybe? What is the advantage of FlexVPN over DMVPN? Can it run on ASA?

Best regards,

Laurent

Laurent,

(I think we could write a chapter in a book about this one.)

I'll start in a bit different order than you asked your questions.

ASA support for any virtual interfaces (be it Tunnel or VTI) is on the roadmap, but it's not there yet and I would not plan on using it in the first release it's out.

What you see now is just the beginning of Flex; more features and capabilities are coming. Suffice it to say we took the experience of Easy and DM VPNs, looked at what customers want, what is missing and what the pain points are, and put that to good use. I'm afraid I cannot say too much and we will learn more during Cisco Live in January (look for events involving Fred Detienne, if you're going).

I agree with your colleague, easy VPN would be the technology of choice here:

- simple to implement, widely used, standard based.

It will allow you to add/change config in a very flexible way: add new spokes and add new config on the hub as needed.

I would suggest moving only spokes with dynamic IPs to ezvpn, and leave existing Lan-to-Lan configuration in place.

I have considered two alternatives.

Alternative (1) is to run IPsec tunnel between spoke routers and hub ASA and underneath run a GRE tunnel between spoke routers and device behind ASA capable of terminating GRE (you can run GRE from a loopback interface).

Pros:

- ASA is doing IPsec only

- Still have GRE (in case you want to send IPv6 traffic in future for example).

- Control over routing protocol

Cons:

- A lot of "moving parts"

- Additional MTU consumed by GRE

- Spokes behind NAT considerations

Alternative (2) DMVPN. As you know I'm a big fan of DMVPN in general, but since ASA cannot do it, I would re-consider if that's the way to go. Unless you have a (minimum) 2800/2900 router there behind ASA?

In which case you could split dynamic peers to terminate DMVPN on router and static IP peers to terminate lan to lan on ASA (at least initially). Start the migration of static peers later.

Pros:

- Static LAN to LAN tunnels are un-interrupted while you move dynamic peers.

- All advantages of DMVPN

Cons:

- "Difficult" to manage (at least initially) and justify (financially).

- You might not utilize full power of particular device

- Two different devices doing the "same function" (from the end customer's point of view).

As I said it's not an easy topic to say one way or another without more information. There are too many factors to consider :-)

Hope that helps, though.

Marcin

Hi Marcin,

Thank you so much for your reply. It was really interesting to read. Tunnel interface on ASA? Sounds really nice ;-)

I will follow your advice. I am looking forward to hearing more about FlexVPN.

Regards,

Laurent

MirzaAlibasic
Level 1

Hi Marcin,

I have configured remote access (Cisco VPN client) on ASA 5510. I can connect, everything works fine (can browse the local network etc.), but I'm not able to connect to the ASA using ASDM or telnet.

How to allow ASDM or telnet through VPN?

Thanks in advance


Mirza,

That's not really a best practice question, but I will give this a shot. :-)

If you want to manage your device over VPN, you need to:

1) Allow the VPN IP pool to access the interface of choice (telnet, ssh, http, command)

2) Enable "management-access"; as an additional parameter you need to give the interface name which you used in step 1)

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2112283

Typically we terminate management over VPN on "inside" or LAN interface.

Let's say my pool is 172.16.13.0/24 and I want to use HTTP(ASDM) over my inside interface.

http 172.16.13.0 255.255.255.0 inside

management-access inside

Hope this helps,

Marcin

Hi Marcin,

If I understand you well, I need to add my vpn pool address (192.168.254.0/24) like this:

or am I terribly wrong?

Mirza,

This looks correct, although if you allow "everything" (0.0.0.0 0.0.0.0) there is no need for an additional rule, and all you need to add is this:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/m.html#wp2112283

Marcin

Hi Marcin.

Finally I had a chance to finish the Cisco VPN client software and ASA5505 configuration to connect to the office network.

It's working fine: I can connect a laptop anywhere to the internet, then enable VPN tunneling, then use Cisco IP Communicator to connect to our phone system and our server.

But I have a problem when I use a 3G internet connection using those USB dongles on my laptop. I start the VPN client, then it says connected; I can see that it sends packets (they're counting) but there are no received packets, it stays at 0.

Do you know what the problem could be? Can it be a configuration or service provider problem? Because other internet connections are working fine for the VPN client.

Thanks,

Regards,
