Ask the Expert: IPsec and Secure Sockets Layer VPN Technologies

Jun 20th, 2014

Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about IPsec/Secure Sockets Layer (SSL) VPN technologies with Cisco subject matter expert Jay Young. 

Additionally, you may ask Jay questions regarding Dynamic Multipoint VPN (DMVPN), FlexVPN, Easy VPN, GETVPN, AnyConnect, and Internet Key Exchange (IKE) v2.

Jay Young works on the Technical Leadership Team at Cisco within the TAC. His focus over the last seven years has been supporting Cisco customers with complex technical problems. Jay has achieved certification in security (CCIE no. 23723), CCNP, CCNA, CCDA, and CCNP and is also a Cisco Security Ninja White Belt. Jay received his BS degree in computer science from Rensselaer Polytechnic Institute in Troy, New York. He is a frequent speaker at Cisco Live!

Remember to use the rating system to let Jay know if you have received an adequate response. 

Because of the volume expected during this event, Jay might not be able to answer every question. Remember that you can continue the conversation in the Security community, under subcommunity VPN, shortly after the event. This event lasts through July 3, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

nkarthikeyan Tue, 06/24/2014 - 06:50

Hi Jay,

For one of the issues which has been put as a request in the CSC forum: an ASA is configured with dual ISPs and a site-to-site VPN. The site-to-site VPN is working fine and the internet is working fine.

He has ISP1 connected using PPPoE and ISP2 connected with Ethernet. He wants to route all the VPN traffic through ISP2, which is on Ethernet. The suggestion from our side is to go with static routes with the track option, i.e. the default route is set via ISP1 (PPPoE) with metric 1 and the other via ISP2 (Ethernet) with metric 254 along with track enabled, and a static route to the VPN peer, say 1.1.1.1, via ISP2 with metric 1 and ISP2 with metric 254.

But the issue here is that the VPN is established through ISP1 (PPPoE) instead of ISP2 (Ethernet), which has the preferred static route. Why is that so? Is it something because of PPPoE behaviour?

It's a learning scenario for me, if you could help here.

Thanks in advance

Regards

Karthik

Jay Young Tue, 06/24/2014 - 08:41

Karthik,

The approach you have is correct: you will need routes for both the networks and the remote peer pointing out of ISP2.  Naturally, as you mentioned, it is a good idea to have an SLA actively testing the second ISP so that the traffic can fail back to ISP1 if necessary.

If you believe the traffic is incorrectly being routed out of ISP1, then I would suggest using the 'packet-tracer' tool to isolate the configuration that is causing that.

For example:

packet-tracer input insideInterface icmp A.A.A.A 8 0 B.B.B.B detailed

where A.A.A.A is a local host and B.B.B.B exists over the tunnel.

One of the outputs will show the route that it matched on.  Something like this:

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via x.x.x.x, outside

nkarthikeyan Tue, 06/24/2014 - 09:59

Hi Jay,

The actual problem is that when he traces from the LAN it takes the right path. But the L2L VPN establishment with the customer site, and the VPN traffic alone, takes a different path than the preferred static route.

Is there anything that needs to be configured specifically to define the ISP primary and backup set for this?

It looks something like this:

sla monitor 1
 type echo protocol ipIcmpEcho 211.11.11.9 interface OUT2
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
!
sla monitor 2
 type echo protocol ipIcmpEcho 212.12.12.12 interface OUT1
 num-packets 3
 frequency 15
sla monitor schedule 1 life forever start-time now
!
access-list ALC_VPN extended permit ip object OBJ_INS1_NET_192_168_1 object 10.41.16.0_22
!
nat (INS1,OUT2) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
nat (INS1,OUT1) source static OBJ_INS1_NET_192_168_1 OBJ_INS1_NET_192_168_1 destination static 10.41.16.0_22 10.41.16.0_22 no-proxy-arp route-lookup
!
crypto map OUT1_MAP 100 match address ALC_VPN
crypto map OUT1_MAP 100 set pfs
crypto map OUT1_MAP 100 set peer 33.33.33.33
crypto map OUT1_MAP 100 set ikev1 transform-set ESP-3DES-SHA
crypto map OUT1_MAP interface OUT2
crypto map OUT1_MAP interface OUT1
!
crypto ikev1 enable OUT2
crypto ikev1 enable OUT1
crypto ikev1 policy 100
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 33.33.33.33 type ipsec-l2l
tunnel-group 33.33.33.33 ipsec-attributes
 ikev1 pre-shared-key *****
!

Same way on the other end
=========================
access-list outside_cryptomap_7 extended permit ip object 10.41.16.0_22 object OBJ_INS1_NET_192_168_1 (similar to this)
crypto map outside_map 7 match address outside_cryptomap_7
crypto map outside_map 7 set pfs
crypto map outside_map 7 set peer 211.11.11.11 212.12.12.14
crypto map outside_map 7 set connection-type bi-directional
crypto map outside_map 7 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 7 set reverse-route
!
crypto ikev1 policy 7
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 211.11.11.11 type ipsec-l2l
tunnel-group 211.11.11.11 ipsec-attributes
 ikev1 pre-shared-key *****
!
tunnel-group 212.12.12.14 type ipsec-l2l
tunnel-group 212.12.12.14 ipsec-attributes
 ikev1 pre-shared-key *****
!

Please advise why it takes ISP1, which is set as backup with static routing priority and which is connected to PPPoE-based internet access.

Regards

Karthik

Jay Young Wed, 06/25/2014 - 13:43

Karthik,

Did you have the output of the packet-tracer and the routing table?  I didn't see the routing configuration being tied to the SLA.

-Jay
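To show the piece Jay is asking about, here is an added example (not Jay's reply and not Karthik's configuration) of how the SLA, the track object and the static routes fit together on the ASA so that both the remote network and the IKE peer resolve out of OUT2 while the probe passes. Interface names, the SLA target, the peer 33.33.33.33 and the 10.41.16.0/22 network are taken from Karthik's configuration above; the next hops 211.11.11.9 on OUT2 and 212.12.12.9 on OUT1 are assumed placeholders.

```cisco
! Added example (not from the thread): route the remote LAN and the IKE peer out of
! OUT2 (ISP2, Ethernet) while the probe passes, and fall back to OUT1 (ISP1) if it fails.
! Assumed placeholders: OUT2 next hop 211.11.11.9, OUT1 next hop 212.12.12.9.
sla monitor 1
 type echo protocol ipIcmpEcho 211.11.11.9 interface OUT2
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
!
! Track object 1 goes down when SLA 1 loses reachability to the OUT2 gateway.
track 1 rtr 1 reachability
!
! Default route stays primary on ISP1 with ISP2 as backup, as in the original design.
! The OUT1 default route is shown untracked; tracking it needs a second probe sent via
! OUT1 (like Karthik's sla monitor 2). If OUT1 already gets its default route from
! 'ip address pppoe setroute', omit the OUT1 default route line.
route OUT1 0.0.0.0 0.0.0.0 212.12.12.9 1
route OUT2 0.0.0.0 0.0.0.0 211.11.11.9 254
!
! Without the next four routes, both the remote LAN and the peer follow the default
! route out OUT1, so IKE is sourced from OUT1 and the tunnel comes up on ISP1.
route OUT2 10.41.16.0 255.255.252.0 211.11.11.9 1 track 1
route OUT1 10.41.16.0 255.255.252.0 212.12.12.9 254
route OUT2 33.33.33.33 255.255.255.255 211.11.11.9 1 track 1
route OUT1 33.33.33.33 255.255.255.255 212.12.12.9 254
!
! Verify: 'show track 1' should report reachability Up, 'show route | include 33.33.33.33'
! should list OUT2, and Jay's packet-tracer from INS1 towards 10.41.16.0/22 should show
! OUT2 in the ROUTE-LOOKUP phase.
```

The other end already lists both of this ASA's addresses in `set peer 211.11.11.11 212.12.12.14`, which is what lets the tunnel re-establish from OUT1 after a failover.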

 

Carlos Lesaige Fri, 06/27/2014 - 17:17

Hello Jay,

My question is - what VPN options do I have for Remote Access clients? Appreciate your help.

Thank you,

Carlos

Jay Young Sat, 06/28/2014 - 11:51

Carlos,

You actually have a few combinations of options depending on what operating systems you need to support and what headends you currently have.

AnyConnect is Cisco's SSL VPN client that can also do IKEv2.  It is available for Windows, Mac, Linux, Android and iOS.

In addition you can utilize any standards-compliant IKEv2 client (e.g. strongSwan).

    SSL VPN:
        AnyConnect -> ASA
        AnyConnect -> IOS (ISR family)
        AnyConnect -> IOS-XE (Coming soon)

    IKEv2:
        AnyConnect -> ASA
        Generic IKEv2 client -> ASA (Coming soon)
        AnyConnect -> IOS + IOS-XE
        Generic IKEv2 client -> IOS + IOS-XE

John Ventura Mon, 06/30/2014 - 15:46

Hi Jay, 

What is GETVPN used for and should I switch?

Thank you,

John

Jay Young Tue, 07/01/2014 - 06:09

John,

GETVPN is Group Encrypted Transport VPN.  The other types of VPN Cisco offers are called ‘overlays’ between two specific routers.  GETVPN isn’t an ‘overlay’ but rather just encrypts the data as it passes through a router without changing the source and destination IP addresses.  This allows for a ‘tunnel-less’ VPN that can allow for instant any-to-any communication.  This characteristic requires that GETVPN be used over a private network (like an MPLS connection from a single provider).  GETVPN can’t be used over the Internet unless combined with another technology like GRE or LISP.

-Jay
