Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14881
Views
5
Helpful
4
Replies

Configuring IPSec VPN tunnel Cisco ISR 2921 router with watchguard firebox

jlabitag0510
Level 1
Level 1

‎08-29-2012 01:44 PM - edited ‎02-21-2020 06:18 PM

I am configuring a vpn ipsec tunnel with cisco isr 2921 router and Watchguard edge 1250e. I have the watchguard configured so I just need to make sure I have everything setup on the cisco side. At this point, there is no communication as I am not sure if I configured it correctly. I will appreciate any input or advise at this point. Should I do the crypto map on g 0/0 or dialer 1?

aaa new-model

!

!

!

!

!

!

!

aaa session-id common

!

!

no ipv6 cef

ip source-route

ip cef

!

!

!

no ip mfib

ip dhcp excluded-address 192.168.9.10

!

ip dhcp pool net-pool

network 192.168.9.0 255.255.255.0

default-router 192.168.9.1

dns-server 205.171.3.65 205.171.2.65 4.2.2.2 8.8.8.8

!

!

ip domain name yourdomain.com

ip name-server 205.171.3.65

ip name-server 205.171.2.65

!

multilink bundle-name authenticated

!

vpdn enable

!

vpdn-group 1

!

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-2237670851

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2237670851

revocation-check none

rsakeypair TP-self-signed-2237670851

!

!

crypto pki certificate chain TP-self-signed-2237670851

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 32323337 36373038 3531301E 170D3132 30353134 31373438

  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 32333736

  37303835 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100E320 1DC4AC90 080058C1 08DA93E6 09A7B0FF D8D706F4 68C54F01 B030077A

  97896835 6CCA359A D1DB90A4 176F5D97 31129690 947751AE 8FA1BDC1 D2AC683B

  F6FA54D4 13B4DDC4 286BFD6C ABF5F147 4646A9A5 8F75D03B 46E92925 BB943EF3

  CBB3FDC5 38BE1517 07851CCE C9AE596D A58EA082 33EC0FCD A2EB253A 9312A7D6

  CABF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 1454702D 174F7FBB E501B514 C48A500C ECCF0160 F0301D06

  03551D0E 04160414 54702D17 4F7FBBE5 01B514C4 8A500CEC CF0160F0 300D0609

  2A864886 F70D0101 05050003 81810060 1D2DFD78 41F1C3FF BFD5B193 4B9CCA3F

  014DC751 36763A64 6C4A8C77 FB08E80A AAEB8984 8E117B2D D606F0DA 67D668E6

  D16A1436 92B2B4DE 7869E391 6C126E38 A272E1E2 28433220 54473A6A 1B2B38D6

  7E615EFF 0BC8CF41 74F35DFD 272DAC25 A3321B18 CC7ACD18 72D87F07 230E5FC8

  E42D5282 4D600A6B CE68F610 C24197

        quit

license udi pid CISCO2921/K9 sn FGL1620105M

!

!

username cts privilege 15 secret 4 FSdPUzdNhPsmsoWy1av0ajAiJ9HFqwVJ5JqhnviI97w

!

redundancy

!

!

!

!

!

!

crypto isakmp policy 1

authentication pre-share

!

crypto isakmp policy 9

hash md5

authentication pre-share

crypto isakmp key XXXXXXXX address 206.169.224.30

!

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set Jobcloud esp-aes esp-sha-hmac

crypto ipsec transform-set jobcloud esp-aes esp-sha-hmac

!

crypto map jobcloud 1 ipsec-isakmp

set peer 206.169.224.30

set transform-set jobcloud

match address 100

!

!

!

!

bba-group pppoe global

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description ADSL WAN Interface

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no cdp enable

!

interface GigabitEthernet0/1

ip address 192.168.9.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1436

duplex auto

speed auto

!

interface GigabitEthernet0/2

no ip address

duplex auto

speed auto

!

interface Virtual-Template1

ip address negotiated

ppp ipcp route default

!

interface Virtual-Template2

ip address negotiated

ppp ipcp route default

!

interface Dialer1

description ADSL WAN Dialer

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1460

ip flow ingress

ip nat outside

ip virtual-reassembly in

encapsulation ppp

ip tcp adjust-mss 1436

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname ctstechnicalserv

ppp chap password 0 GK8g9Da3

ppp pap sent-username ctstechnicalserv password 0 GK8g9Da3

ppp ipcp route default

ppp ipcp address accept

no cdp enable

crypto map jobcloud

!

ip forward-protocol nd

!

no ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list NAT interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

!

ip access-list extended NAT

permit ip 192.168.9.0 0.0.0.255 any

!

access-list 50 permit 192.168.9.0 0.0.0.255

access-list 50 permit 63.0.0.0 0.0.0.255

access-list 50 permit any

access-list 100 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255

dialer-list 1 protocol ip permit

!

Below is the output for show crypto map and show crypto ipsec sa

Jobcloud#show crypto map
Crypto Map IPv4 "jobcloud" 1 ipsec-isakmp
        Peer = 206.169.224.30
        Extended IP access list 100
            access-list 100 permit ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
        Current peer: 206.169.224.30
        Security association lifetime: 4608000 kilobytes/86400 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                jobcloud:  { esp-aes esp-sha-hmac  } ,
        }
        Interfaces using crypto map jobcloud:
                Dialer1

                Virtual-Access3


Jobcloud#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: jobcloud, local addr 63.224.36.214

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 206.169.224.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

aaa new-model

!

!

!

!

!

!

!

Labels:
0 Helpful
4 Replies 4

Karsten Iwen
VIP
VIP

‎08-29-2012 03:09 PM 

Should I do the crypto map on g 0/0 or dialer 1?

On the interface that has IP enabled. That is the Dialer in your case.

There are a couple of problems with your config:

1) isakmp-policies:

MD5 shouldn't be used any more for new deployments.

Both policies use DES and DH-Group1, Both are not considered secure.

2) ipsec-transforms:

You have two transforms, but you use only one of them. Delete the other.

3) IPSec-SA-Lifetime

Is the long lifetime of one day really wanted/needed? The default of one hour is more secure.

4) NAT

Your outgoing VPN-traffic is NATed to your public IP and then will not match the crypto-ACL any more. You have to deny that traffic in the ACL "NAT"

5) There is no incoming ACL on the Dialer. Your router and network is opened up for attacks from the internet.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

johnlloyd_13
Level 9
Level 9

‎08-29-2012 07:24 PM

hi joseph,

in addition to what karsten posted, kindly provide the watchguard's IPsecVPN setup.

the crypto map on the 2921 is correctly applied under the dialer interface.

0 Helpful

jlabitag0510
Level 1
Level 1
In response to johnlloyd_13

‎08-30-2012 09:46 AM

Thanks for the reply Karten and John. This is a brand new router and will be securing it soon.

The cisco router doesnt have a static IP it is getting it via century link. I have PPPOE enabled. I dont think this is the issue as I saw a few people setup vpn via dynamic IP from the provider.

Here is the Tunnel and gateway image from the watchguard. There is also a BOVPN in/out policy that allows the gateway and tunnel access with port any opened.

0 Helpful

johnlloyd_13
Level 9
Level 9
In response to jlabitag0510

‎08-30-2012 07:33 PM

hi joseph,

thanks for the screenshots! kindly amend these on your cisco 2921 and do a ping from a host on the 192.168.9.0/24 subnet.

post your show crypto isakmp sa and show crypto ipsec sa afterwards.

crypto isakmp policy 1

encryption 3des

hash sha

group 1

no crypto ipsec transform-set jobcloud esp-aes esp-sha-hmac

crypto ipsec transform-set jobcloud esp-3des esp-sha-hmac

ip access-list extended NAT

deny ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 192.168.9.0 0.0.0.255 any

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents