Cisco Support Community

ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Welcome to the Cisco Networking Professionals Connection Ask the Expert conversation. This is an opportunity to discuss configuring Cisco IPSec VPNs with Cisco expert Mike Wenstrom. Mike is a training manager in the VPN and Security Services business unit at Cisco. Feel free to post any questions relating to Configuring Cisco IPSec VPNs.

Mike may not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. When posting a question, please be sure it is as specific as possible. Mike will be unable to address questions that require significant time commitments, such as requests for entire network designs or configurations, or vague questions that require follow-up with the poster.

This event lasts through December 21. Visit this forum often to view responses to your questions and the questions of other community members.

55 REPLIES
New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I have a problem with a three-site VPN configuration. I use three routers (one Cisco 3640 and two Cisco 1720). I can't connect to the MS Exchange server behind the Cisco 3604 from the two Cisco 1720 sites. If I remove the static IP assignment applied for the MS Exchange server in the Cisco 3640 it works. How should I configure the routers... with the static included in the config?

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Kalle,

I assume that you have the 3640 at a central site and the 1720s at remote sites connecting over a WAN to the central site, and that you are using IPSec to secure traffic from the networks behind the 1720s to the MS Exchange server behind the 3640. I would recommend the following:

Routing

Set up static routes: ip route mask <3640_address>

VPN

configure isakmp policy in routers that matches, config isakmp key or ca support

set up crypto ipsec transform sets in routers

configure access lists to select traffic:

access-l source=net_behind_1720 dest=MS_exchange

configure crypto map: set peer=router's tunnel endpoint

apply crypto map to router dirty interface

test and check with show crypto commands

Hope this answers your question.

Mike.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I need to install and configure an enterprise firewall solution for my network. This solution should use IPSec with certificate-based authentication and needs to create on-demand VPNs to about 20 servers located around the country. The 20 servers will have a small firewall configured to route packets only to the PIX firewall and will not have any other internet access. What PIX firewall product best fits this situation?

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I would recommend a PIX 525 for your enterprise core firewall. It can handle about 256 Mbps (30 Mbps 3DES) throughput, 2000 IPSec tunnels, and 6000 connections per second. The PIX 525 can also be upgraded with a VPN accelerator card, which gives 100 Mbps 3DES performance.

I would recommend the PIX 506 for the remote sites. It supports about 10 Mbps (4 Mbps 3DES) throughput.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

When will a VPN concentrator 3000 client be available for Windows 2000 ?

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Cisco VPN 3000 Client Release 3.0 runs on Windows 2000. It is in beta test now. Your Account Manager / Systems Engineer can get you involved in the beta. The Rel 3.0 client will be released on March 5th, 2001.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Will Cisco VPN Client Release 3.0 also run on Windows ME? The Client 2.5.2 will not work properly on Windows ME!

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I do not see VPN client rel 3.0 support on Windows ME, but will forward question to product manager for direct answer. MW

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Correction, I have heard that a customer is using the VPN 3K client 2.5.2 on Windows ME (which is essentially Win 98) just fine. What is not working? Is the client not installing correctly? Please clarify.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

DUN is not working properly.... I have also heard from a customer, who created a TAC incident, that the TAC supporter said that Win ME is not working properly with client 2.5.2.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Under Windows ME I can't get the VPN Client Authentication to get past "Negotiating Security Profiles". It comes back with "Unable to Negotiate IPSec".

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

This sounds like a configuration problem. Ensure the group name and passwords match between the client and concentrator.

Contact TAC for help with your Win ME install problem with DUN.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I have three Cisco routers (2610 in London, 1720 in Singapore and 1603 in Brazil) that I have been configuring for a small VPN solution using RSA Encryption.

The VPN between the 2610 and the 1603 works perfectly. I am now trying to do the same thing between the 2610 and the 1720. The problem I am having is with the encryption. The IKE completes successfully. IPSEC Security Associations are created successfully. Authentication, Integrity and Encapsulation work perfectly but as soon as I add DES encryption into the Transform Set the data across the link comes to a standstill.

Any help with this would be much appreciated.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I would think you could do DES encryption on a low volume of traffic with no problem.

Double-check all of your crypto config for errors.

If you need, post the configs and I can take a look at them.

A possible problem is the throughput capacity of a 2610 with software encryption. A 2600 can attain up to about 1000K packets per second with DES encryption with a 512 byte packet size.

A solution to this is to fine-tune your access lists to only encrypt the vital traffic you need to protect, and not encrypt all traffic between the routers. This will expose the unencrypted traffic, which may or may not be a factor in your case.

Another possible solution is to increase the capacity of the 2610 with a Cisco 2600 series Modular Multiservice router Virtual Private Network Module (VPN Module) to optimize the platform for virtual private networks (VPNs). The Cisco 2600 AIM-VPN/BP advanced interface module (AIM) can be added to all current Cisco 2600 models to provide hardware-based encryption services with up to 6-Mbps triple Data Encryption Standard (3DES) performance.

Hope this helps!!

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I received the following information from my counterpart in Japan. I am to install a VPN using a Cisco router with them... I would like a router that is compatible with the following and also allows me to use dialup/remote access into my network through the VPN.

When you will purchase a router, we would recommend the purchase of a combination of "cisco router + IOS + Feature Set (manual IPsec (DES 56bit))".

It is set up from a command base, and setting up a cisco router seems to be considerably complicated; that is the opinion of the LAN Technical Center of Fujitsu (cisco connection).

To avoid load during the test period, we want to confirm the connection before the test in Japan.

(1) Please confirm the product (cisco router + IOS + Feature Set) which you can purchase, mentioned above. Please advise version information & Feature Set. Connection with "1999.12 cisco4700 ios v 11.3" has been confirmed in Japan. There seems to be a similar product equivalent to the cisco 2600.

(2) In the Fujitsu office, a cisco and safegate (SDK Firewall soft) environment will be established and the connection confirmed through test.

(3) We will take the test result into account and set up SDK and INC. Then proceed to test with Inc.

If you will need our further assistance, please inform us.

I am a rookie but want to set this up correctly, and I believe that if we both use Cisco routers this will be an extreme advantage. I already have a Cisco 2600 router. I will purchase a new one to hang off a separate DSL line. Any help you could give me on direction for this would be great. The IPSec is very important.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Here are some suggestions based on your request.

Please resubmit comments if you need further clarification.

MW.

1. Product/Router

I would recommend a Cisco 3660 WAN/Access router based on interface capacity, IPSec throughput, and cost comparable to a 4700. The 3660 is appropriate for a larger branch office or a smaller central site. It is recommended for customers desiring a 4700, which is end of life. It provides great interface and capacity expansion capability and allows installation of the wide range of 3600 series WAN and other modules.

CISCO 3661-AC with appropriate WAN interfaces (for example, E1 NM-HDV-1E1-30)
Description: 10/100E Cisco 3660 Series, 6-slot multiservice platform with IP software, 8-MB Flash, 32-MB SDRAM, one AC power supply, 19" rackmount kit.
Performance: Provides approximately 3.8 Mbps 56-bit DES with a 512 byte input packet.
Recommended option for high performance: AIM-VPN/HP DES/3DES VPN Encryption AIM for 3660-High Performance gives up to 6 MBps 3DES performance.

Keep in mind the ADSL WAN (wide-area network) Interface Card for the Cisco 1700, 2600, and 3600 Series of modular access routers (available on the Cisco 1700 end of September and on the Cisco 2600 and 3600 in Q1 of 2001).

A lower cost alternative is the Cisco 3640, which has less modular expansion capacity. A 2611 or 2621 may also work as you mentioned, although it has less capacity than the 3640. The 2600 would be fine for a branch office.

See http://www.cisco.com/warp/partner/synchronicd/cc/pd/rt/3600/prodlit/36kmp_ds.htm or http://www.cisco.com/warp/public/cc/pd/rt/2600/ for more information.

2. SW Release

You could use Cisco IOS Release 12.1(5) ENTERPRISE/FW/IDS PLUS IPSEC 56, which requires 16 MB Flash and 64 MB RAM. Actually, use any feature set meeting your need that includes IPSEC 56 or IPSEC 3DES. See http://www.cisco.com/kobayashi/sw-center/sw-ios.shtml. IPSec is supported in 11.3(T) and later releases.

3. Configuration Steps

IPSec configuration is complicated.

Here is a synopsis of the tasks, steps, and commands:

Task 1-Prepare for IPSec
  Step 1-Determine IKE (IKE phase one) policy.
  Step 2-Determine IPSec (IKE phase two) policy.
  Step 3-Check the current configuration.
      show running-configuration
      show crypto isakmp policy
      show crypto map
  Step 4-Ensure the network works without encryption.
      ping
  Step 5-Ensure access lists are compatible with IPSec.
      show access-lists

Task 2-Configure IKE
  Step 1-Enable or disable IKE.
      crypto isakmp enable
  Step 2-Create IKE policies.
      crypto isakmp policy
  Step 3-Configure pre-shared keys.
      crypto isakmp key
  Step 4-Verify the IKE configuration.
      show crypto isakmp policy

Task 3-Configure IPSec
  Step 1-Configure transform set suites.
      crypto ipsec transform-set
  Step 2-Configure global IPSec SA lifetimes.
      crypto ipsec security-association lifetime
  Step 3-Create crypto access lists.
      access-list
  Step 4-Create crypto maps.
      crypto map
  Step 5-Apply crypto maps to interfaces.
      interface serial0
      crypto map map_name

Task 4-Test and Verify IPSec
  Display your configured IKE policies.
      show crypto isakmp policy
  Display your configured transform sets.
      show crypto ipsec transform-set
  Display the current state of your IPSec SAs.
      show crypto ipsec sa
  Display your configured crypto maps.
      show crypto map
  Enable debug output for IPSec events.
      debug crypto ipsec
  Enable debug output for ISAKMP events.
      debug crypto isakmp

Key points:
  Plan it out; ensure routing works without encryption.
  Design the crypto access lists to encrypt desired traffic.
  Account for all crypto peers.
  Test it on a small network, then scale it up.

See Cisco IOS Docs for more help at following URL or on Cisco Doc CD:

Security Configuration Guide

Security Command Reference

http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/secur_c/scprt4/index.htm

Or attend our Security certification courses:

Cisco Secure Virtual Private Network (CSVPN)

http://www.cisco.com/warp/public/10/wwtraining/cust/classes/C-TRN-CSVPN.html

I authored the course.

Hope this covers it.

Sorry for the delayed response.
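The two posts above (the advice to double-check the whole crypto configuration for errors, and the key points of matching policies, designing the crypto access lists and accounting for every peer) describe checks that can be automated. The script below is an added example, not code from the thread or from Cisco: it parses the crypto-relevant lines of two IOS site-to-site configurations and reports the mismatches that most often keep IKE phase 1 or phase 2 from completing. Both configurations, the peer addresses (RFC 5737 documentation ranges) and the pre-shared key are constructed for illustration, and the parser understands only the command forms used in the thread (crypto isakmp policy, crypto isakmp key, crypto ipsec transform-set, numbered access-list, crypto map, interface).

```python
# Added example, not code from the thread or from Cisco: a consistency check for two
# Cisco IOS site-to-site IPSec configurations (ISAKMP policies, pre-shared keys, peers,
# transform sets, mirror-image crypto ACLs). Both configs are constructed for illustration.
from ipaddress import IPv4Address, IPv4Network

# IOS defaults for the attributes an ISAKMP policy does not state explicitly.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

ROUTER_A = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key s3cretkey address 198.51.100.2
crypto ipsec transform-set SITE esp-des esp-md5-hmac
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set SITE
 match address 101
interface Serial0
 ip address 198.51.100.1 255.255.255.252
 crypto map SITE2SITE
"""
# Router B is the mirror image of A: the two addresses swapped and the crypto ACL reversed.
ROUTER_B = (ROUTER_A.replace("198.51.100.2", "PEER").replace("198.51.100.1", "198.51.100.2")
            .replace("PEER", "198.51.100.1")
            .replace("10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255", "10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255"))

def _acl_endpoint(t, i):                 # any | host A | A WILDCARD  ->  (network, next index)
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1]), i + 2
    mask = 0xFFFFFFFF ^ int(IPv4Address(t[i + 1]))                     # wildcard -> netmask
    return IPv4Network((t[i], str(IPv4Address(mask))), strict=False), i + 2

def parse(cfg):
    c = {"isakmp": {}, "keys": {}, "tsets": {}, "acls": {}, "maps": {}, "ifaces": {}}
    block = None                                  # (section, key) of the sub-mode we are inside
    for raw in cfg.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if raw[0] == " " and block:              # indented line: belongs to the current sub-mode
            sect, key = block
            if sect == "isakmp":                                       # encryption / hash / authentication / group
                c["isakmp"][key][t[0]] = t[1]
            elif sect == "maps" and t[0] in ("set", "match"):          # set peer X, set transform-set X, match address N
                c["maps"][key][t[1] if t[0] == "set" else "acl"] = t[2]
            elif sect == "ifaces" and t[:2] in (["ip", "address"], ["crypto", "map"]):
                c["ifaces"][key]["ip" if t[0] == "ip" else "map"] = t[2]
            continue
        block = None
        if t[:3] == ["crypto", "isakmp", "policy"]:
            block, c["isakmp"][t[3]] = ("isakmp", t[3]), dict(ISAKMP_DEFAULTS)
        elif t[:3] == ["crypto", "isakmp", "key"]:                     # crypto isakmp key KEY address PEER
            c["keys"][t[5]] = t[3]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"][t[3]] = frozenset(t[4:])
        elif t[:2] == ["crypto", "map"] and len(t) == 5:               # crypto map NAME SEQ ipsec-isakmp
            block, c["maps"][(t[2], t[3])] = ("maps", (t[2], t[3])), {}
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _acl_endpoint(t, 4)
            c["acls"].setdefault(t[1], set()).add((src, _acl_endpoint(t, i)[0]))
        elif t[0] == "interface":
            block, c["ifaces"][t[1]] = ("ifaces", t[1]), {}
    return c

def check_pair(cfg_a, cfg_b):
    """Return human-readable mismatches between two peers; an empty list means they look consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    # IKE phase 1: at least one policy on each side must agree on all four attributes.
    pa = {tuple(p[x] for x in ISAKMP_DEFAULTS) for p in a["isakmp"].values()}
    pb = {tuple(p[x] for x in ISAKMP_DEFAULTS) for p in b["isakmp"].values()}
    if not pa & pb:
        out.append(f"no common ISAKMP policy: A={sorted(pa)} B={sorted(pb)}")
    # Each side's crypto map entry must name the address of the interface carrying the other's map.
    ifa = next((i for i in a["ifaces"].values() if "map" in i), {})
    ifb = next((i for i in b["ifaces"].values() if "map" in i), {})
    if "ip" not in ifa or "ip" not in ifb:
        return out + ["a side has no addressed interface with a crypto map applied"]
    ea = next((e for (m, _), e in a["maps"].items() if m == ifa["map"] and e.get("peer") == ifb["ip"]), None)
    eb = next((e for (m, _), e in b["maps"].items() if m == ifb["map"] and e.get("peer") == ifa["ip"]), None)
    if ea is None or eb is None:
        return out + [f"crypto map entries do not point at each other ({ifa['ip']} <-> {ifb['ip']})"]
    # The pre-shared key for the peer address must exist on both ends and be identical.
    if a["keys"].get(ifb["ip"]) is None or a["keys"].get(ifb["ip"]) != b["keys"].get(ifa["ip"]):
        out.append(f"pre-shared keys for {ifa['ip']} <-> {ifb['ip']} missing or different")
    # IKE phase 2: the transform sets offered by the two entries must be identical.
    if a["tsets"].get(ea.get("transform-set")) != b["tsets"].get(eb.get("transform-set")):
        out.append("transform sets differ between the two crypto map entries")
    # Crypto ACLs must be mirror images, or one side encrypts traffic the other will not accept.
    acl_a = a["acls"].get(ea.get("acl"), set())
    acl_b = {(dst, src) for src, dst in b["acls"].get(eb.get("acl"), set())}
    out += [f"crypto ACL not mirrored for {src} -> {dst}" for src, dst in acl_a ^ acl_b]
    return out

FINDINGS = check_pair(ROUTER_A, ROUTER_B)   # [] for the constructed pair above
```

Running it against real configurations means pasting the two `show running-config` outputs into the two strings; a change such as `hash sha` on one side only, a reversed ACL entry, or a mistyped key then shows up as a finding rather than as an IKE negotiation that silently never completes. The checker only knows the command forms listed in the lead-in, so named ACLs, `ipsec-manual` entries or multiple crypto interfaces would need extending it.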

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I need help configuring ipsec on pix

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Hi Ali,

Here is my reply, sorry for a late response:

What follows is a summary of the major tasks, steps, and commands for configuring IPSec on PIX.

Also included at the end are references to Cisco Docs and training.

Regards, MW.

PIX Tasks

Task 1-Prepare for IPSec
  Step 1-Determine IKE (IKE phase one) policy.
  Step 2-Determine IPSec (IKE phase two) policy.
  Step 3-Check current configuration.
      write terminal
      show isakmp [policy]
      show crypto map
  Step 4-Ensure the network works.
      ping, send interesting traffic unencrypted
  Step 5-Ensure access lists are compatible with IPSec.
      show access-lists

Task 2-Configure IKE
  Step 1-Enable or disable IKE.
      isakmp enable
  Step 2-Create IKE policies.
      isakmp policy priority
  Step 3-Configure pre-shared keys.
      isakmp key keystring
  Step 4-Validate the configuration.
      show isakmp [policy]

Task 3-Configure IPSec Parameters
  Step 1-Configure crypto access lists.
      access-list access-list-number
  Step 2-Configure transform set suites.
      crypto ipsec transform-set transform-set-name
  Step 3-Configure global IPSec security association lifetimes.
      crypto ipsec security-association lifetime
  Step 4-Configure crypto maps.
      crypto map map-name seq-num ipsec-isakmp
  Step 5-Apply crypto maps to an interface.
      crypto map map-name interface interface-name
  Step 6-Verify IPSec configuration.
    Verify general access lists permit IPSec traffic:
      show access-list
    Verify correct IKE configuration:
      show isakmp
      show isakmp policy
    Verify crypto access lists and crypto map:
      show access-list
      show crypto map
    Verify correct IPSec configuration:
      show crypto ipsec transform-set
    Verify correct global IPSec SA lifetimes:
      show crypto ipsec security-association lifetime
    View current state of IKE and IPSec SAs:
      show isakmp sa
      show crypto ipsec sa
    Clear IKE SA:
      clear isakmp
    Clear IPSec SA:
      clear crypto ipsec sa
    Debug IKE and IPSec:
      debug crypto isakmp
      debug crypto ipsec
    Example debug result for successful IPSec SA setup:
      return status is IKMP_NO_ERROR

Task X-Configure CA Support
  Step 1-Manage Flash memory usage (optional).
  Step 2-Configure the PIX's time and date.
  Step 3-Configure the PIX's host name and domain name.
  Step 4-Generate RSA key pairs.
  Step 5-Declare a CA.
  Step 6-Configure CA communication parameters.
  Step 7-Authenticate the CA.
  Step 8-Request signed certificates.
  Step 9-Save the configuration.
  Step 10-Verify the CA support configuration.
  Step 11-Monitor and maintain CA support (optional).

PIX IPSec commands and procedures are listed in:

IPSec User Guide for the Cisco Secure PIX Firewall Version 5.3

On Cisco doc CD or at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/ipsec/index.htm

Some training resources

PIX VPN is taught in

Cisco Secure Virtual Private Network (CSVPN)-Dedicated IPSec course on PIX, Cisco IOS, Cisco VPN 3000 series

http://www.cisco.com/warp/public/10/wwtraining/cust/classes/C-TRN-CSVPN.html

Cisco Secure PIX Firewall Fundamentals (CSPFF)

http://www.cisco.com/warp/public/10/wwtraining/cust/classes/C-TRN-CSPFF.html

Cisco Secure PIX Firewall Advanced (CSPFA)

http://www.cisco.com/warp/public/10/wwtraining/cust/classes/C-TRN-CSPFA.html

Managing Cisco Network Security (MCNS)

http://www.cisco.com/warp/public/10/wwtraining/cust/classes/C-TRN-MCNS.html

Hope this meets your needs!

MW

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I have upgraded our PIX 515 to 5.2(3) and have installed the IPSEC 56-bit key. I have the VPN client version 1.1. How do I configure our PIX 515 to allow VPN clients? Our customers will be dialing up using an ISP or DSL, coming into our network to access resources and mail. I just need a simple config example to get me going, and an explanation of how the VPN works once our users try to connect: what is taking place on the PIX? Thanks

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Hi,

First I would recommend that you use the VPN 3000 client version 2.5 or higher. It is the preferred VPN client, although the ver 1.1 client works fine.

The 2.5 client is easier to administer as the security policy is controlled by the PIX administrator.

The 2.5 client is part number CVPN3000-CLNT-25=.

I think it provides an unlimited licence.

You may be able to download it over CCO at no cost if you are a registered CCO user.

Configuring the PIX for the VPN 3000 2.5 client is shown below for example:

isakmp client configuration address-pool local dealer outside
isakmp policy 10 authentication pre-share
access-list 80 permit ip host 192.168.P.2 10.0.Q.0 255.255.255.0
ip address outside 192.168.Q.2 255.255.255.0
ip local pool dealer 10.0.P.20-10.0.P.29
(Can also use an external DHCP server in PIX 5.2.)
nat (inside) 0 access-list 80
aaa-server t+ protocol tacacs+
aaa-server t+ (inside) host 10.0.P.10 tacacskey timeout 5
(You will need a RADIUS or TACACS+ server such as CS ACS.)
(Administrator determines IPSec transform, etc.)
crypto ipsec transform-set aaades esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto map vpnpeer client configuration address initiate
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer client authentication t+
crypto map vpnpeer interface outside
vpngroup student1 address-pool dealer
vpngroup student1 idle-time 1800
vpngroup student1 password ********
(Group name {student1 here} and password must match those configured on the VPN client.)

Additional tasks:

Install and configure the VPN client; configure the group name and password to match the vpngroup name and password.

IPsec setup is as follows:

1. User makes connection via ISP, activates VPN client

2. Client connects to PIX via IKE phase 1, negotiates policy, prompts user for auth (username/pw), proxies auth to AAA server, auth OK.

3. IKE Phase 1 negotiation complete, set as per PIX config

4. IKE phase 2 negotiation is made, set as per PIX config

5. Client inside IP address set per vpn pool on PIX.

6. Communication continues.

See IPSec User Guide for the Cisco Secure PIX Firewall Version 5.2, URL:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/ipsec/index.htm

OR attend CS VPN class:

Cisco Secure Virtual Private Network (CSVPN)-Dedicated IPSec course on PIX, Cisco IOS, Cisco VPN 3000 series

www.cisco.com/warp/public/10/wwtraining/cust/classes/C-TRN-CSVPN.html

Hope this meets your needs!

MW
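The PIX remote-access configuration in the post above works only because its commands reference each other by name: the vpngroup and the isakmp client configuration point at the local pool, the nat 0 access list must cover that pool so replies to clients are not translated, the crypto map points at a dynamic map and an aaa-server, and the crypto map is bound to the outside interface. The script below is an added example, not code from the thread or from Cisco: it indexes those commands and reports each broken link in the chain. The configuration is constructed for illustration with concrete values in place of Mike's P/Q placeholders (RFC 5737 and RFC 1918 addresses, a placeholder group password), and the parser handles only the command forms that appear in the post plus isakmp enable.

```python
# Added example, not code from the thread or from Cisco: cross-reference check for a
# PIX 5.2 remote-access (VPN 3000 client) configuration. Config constructed for illustration.
from ipaddress import IPv4Address, IPv4Network

PIX_CONFIG = """\
ip local pool dealer 10.0.1.20-10.0.1.29
access-list 80 permit ip host 192.168.1.2 10.0.1.0 255.255.255.0
nat (inside) 0 access-list 80
aaa-server t+ protocol tacacs+
aaa-server t+ (inside) host 192.168.1.10 tacacskey timeout 5
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp client configuration address-pool local dealer outside
crypto ipsec transform-set aaades esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set aaades
crypto map vpnpeer client configuration address initiate
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer client authentication t+
crypto map vpnpeer interface outside
vpngroup student1 address-pool dealer
vpngroup student1 password PLACEHOLDER-PASSWORD
"""

def _pix_endpoint(t, i):                  # any | host A | A NETMASK  ->  (network, next index)
    if t[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return IPv4Network(t[i + 1]), i + 2
    return IPv4Network((t[i], t[i + 1]), strict=False), i + 2

def parse_pix(cfg):
    """Index the commands that reference each other by the names they use."""
    c = {"pools": {}, "acls": {}, "nat0": [], "aaa": set(), "psk_policy": False,
         "client_pool": None, "tsets": set(), "dynmaps": {}, "maps": {}, "groups": {}}
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "local", "pool"]:                               # ip local pool NAME LOW-HIGH
            lo, hi = t[4].split("-")
            c["pools"][t[3]] = (IPv4Address(lo), IPv4Address(hi))
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = _pix_endpoint(t, 4)
            c["acls"].setdefault(t[1], []).append((src, _pix_endpoint(t, i)[0]))
        elif t[:4] == ["nat", "(inside)", "0", "access-list"]:            # NAT exemption for VPN traffic
            c["nat0"].append(t[4])
        elif t[0] == "aaa-server" and t[2] == "protocol":
            c["aaa"].add(t[1])
        elif t[:2] == ["isakmp", "policy"] and t[3:] == ["authentication", "pre-share"]:
            c["psk_policy"] = True
        elif t[:5] == ["isakmp", "client", "configuration", "address-pool", "local"]:
            c["client_pool"] = t[5]
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            c["tsets"].add(t[3])
        elif t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["set", "transform-set"]:
            c["dynmaps"][t[2]] = t[6]
        elif t[:2] == ["crypto", "map"]:
            m = c["maps"].setdefault(t[2], {})
            if t[3] == "interface":
                m["iface"] = t[4]
            elif t[3:5] == ["client", "authentication"]:
                m["aaa"] = t[5]
            elif t[4:6] == ["ipsec-isakmp", "dynamic"]:
                m["dynmap"] = t[6]
        elif t[0] == "vpngroup" and t[2] == "address-pool":
            c["groups"][t[1]] = t[3]
    return c

def check_remote_access(cfg):
    """Return the broken links in the chain of references; an empty list means the chain is intact."""
    c = parse_pix(cfg)
    out = []
    if not c["psk_policy"]:
        out.append("no isakmp policy uses authentication pre-share, so the vpngroup password cannot be used")
    for grp, pool in c["groups"].items():
        if pool not in c["pools"]:
            out.append(f"vpngroup {grp} names undefined address-pool {pool}")
    if c["client_pool"] not in c["pools"]:
        out.append(f"isakmp client configuration names undefined pool {c['client_pool']}")
    # The nat 0 ACL must cover every pool address, or replies to VPN clients get translated.
    exempt = [dst for acl in c["nat0"] for _src, dst in c["acls"].get(acl, [])]
    for name, (lo, hi) in c["pools"].items():
        if not any(lo in net and hi in net for net in exempt):
            out.append(f"pool {name} ({lo}-{hi}) is not covered by a nat 0 access-list")
    applied = [m for m in c["maps"].values() if "iface" in m]
    if not applied:
        out.append("no crypto map is applied to an interface")
    for m in applied:
        if m.get("dynmap") not in c["dynmaps"]:
            out.append(f"crypto map references undefined dynamic map {m.get('dynmap')}")
        elif c["dynmaps"][m["dynmap"]] not in c["tsets"]:
            out.append(f"dynamic map {m['dynmap']} references an undefined transform set")
        if m.get("aaa") not in c["aaa"]:
            out.append(f"client authentication references undefined aaa-server {m.get('aaa')}")
    return out

FINDINGS = check_remote_access(PIX_CONFIG)   # [] for the constructed config above
```

The nat 0 coverage test is the one most often missed by hand: clients complete IKE and get a pool address, but the inside hosts' replies are translated on the way back out and the tunnel appears to pass traffic in one direction only.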

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I am currently running a PIX 515 with VPN. I would like to set up a VPN connection with a client that is utilizing a Cisco VPN concentrator. This client needs access to our web servers for the purpose of taking a web survey and no access to the remaining internal LAN. What would it take to set up a secure connection between the two sites with minimal access to our internal LAN? Would it be a good idea to set up a DMZ for the web servers that the client needs to access?

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I recommend the following setup:

Client

Cisco VPN 3000 Client, ver 2.5x

Concentrator

Cisco VPN 3015-3080 depending on capacity (has 3 interfaces)

Refer to http://www.cisco.com/warp/public/cc/pd/hb/vp3000/prodlit/vpn3k_ds.htm

for help in choosing model.

Security Policy

It seems that you have a trust relationship with this client, so you may not need as strong security; the recommended simple design should be OK.

Topology

Simple Design

VPN 3000 Concentrator

Public interface to perimeter router/ISP router

Private interface to inside network

DMZ interface to DMZ where you place webservers

Advanced design

If needed, you could use the PIX and Concentrator together:

PIX providing max security

Place VPN 3K on PIX 3rd interface, aka "VPN 3K on a stick"

Config PIX to accommodate IPSec traffic from outside to dmz interface (static, conduit, or access-list)

Config PIX to route clear traffic from VPN 3K to dmz to inside interface.

Place Web server on inside network.

2nd alternative, more secure: use a total of 4 interfaces: outside, inside, then dmz1 to VPN 3K public interface, dmz2 to VPN 3K private interface.

Configure traffic through interfaces: more difficult to config, more secure.

Recommendation: use the simple design in your case!

Configuration for Simple Design

Configure clients to point to concentrator public interface to terminate IPSec

Configure clients with group name and password to match those on Concentrator

Configure concentrator to limit access to DMZ only

Use VPN 3000 concentrator GUI (web browser-based) quick configuration to easily config the setup.

Tune the setup to only permit remote clients to access the DMZ network/webservers using the NETWORK LIST feature:

1. Set up the network list to permit destination to DMZ network only

2. Apply the network list to the group you place users in

Hope it works for you!

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I have a PIX 520 with 5.1(1) and want to add IPSec. How do I get the 520 to prompt me for the new activation keys that I have?

jni
New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

You need to re-tftp the file to the pix for the activation key prompt to appear.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Yes, TFTP the file with the copy tftp command.

Reboot the PIX to activate the new image, and you will be prompted to enter the activation key.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

I tried to tftp the same file 5.1(1), but did not get prompted for activation keys.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

We have a PIX 515 running 4.4(4). We want to connect remote offices, which use DSL, back to our corporate site. Do I need to upgrade our PIX to version 5.1 to allow VPN with IPSEC?

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Hi,

Yes, I would upgrade to PIX 5.2(3).

You could use 5.1(2) if desired.

4.4(4) does not support IPSec.

It sounds like you plan a site-to-site topology,

with the PIX at the head end.

You could have PIX or Cisco IOS at the remote end.

The key is to configure access lists on the PIX and device at the remote end to select the traffic to secure based on IP address, network, protocol, and/or port.

PIX IPSec commands and procedures are listed in:

IPSec User Guide for the Cisco Secure PIX Firewall Version 5.3

On Cisco doc CD or at:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/ipsec/index.htm

Some training resources

PIX VPN also taught in:

Cisco Secure Virtual Private Network (CSVPN)-Dedicated IPSec course on PIX, Cisco IOS, Cisco VPN 3000 series

www.cisco.com/warp/public/10/wwtraining/cust/classes/C-TRN-CSVPN.html

Cisco Secure PIX Firewall Fundamentals (CSPFF)

www.cisco.com/warp/public/10/wwtraining/cust/classes/C-TRN-CSPFF.html

Cisco Secure PIX Firewall Advanced (CSPFA)

www.cisco.com/warp/public/10/wwtraining/cust/classes/C-TRN-CSPFA.html

Hope it works fine for you.

New Member

Re: ASK THE EXPERT- CONFIGURING CISCO IPSEC VPNs

Hi, the VPN 3000 concentrator is new to me, and I would just like to ask if it is possible to set up a GRE tunnel between an IOS router and the concentrator, for the purpose of running a dynamic routing protocol (EIGRP), and all wrapped up in IPSec?
