Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on platforms which can be used to terminate various IPSec VPN services to meet the need for ubiquitous connectivity. Aamir is a product manager for remote-access VPNs in Cisco's router security group in San Jose. He is responsible for bringing advanced IOS security products to market, while integrating customer and market requirements with Cisco products and services to create solutions. He previously worked as a technical marketing engineer in Cisco's security technology group where he was responsible for building technical marketing presentations and training the Cisco partners and systems engineers on newly introduced IOS security technologies and platforms. He has over 9 years of experience in the computing and networking industry including networking, training and systems administration. Aamir has authored many Cisco online technical documents and configuration guidelines and delivered numerous technical presentations for Cisco customers and partners.
Remember to use the rating system to let Aamir know if you have received an adequate response.
Aamir might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 5, 2007. Visit this forum often to view responses to your questions and the questions of other community members.
I'll start out with a few general questions:
It seems like the ASA and IOS are overlapping in many areas relating to site-to-site VPNs. However, the IOS offers some advanced features in many areas.
Going forward, would a company be best suited to position their site-to-site VPNs on an ASA or an IOS as a standard?
Obviously either will suit for basic needs, but, for instance, will we see faster innovation from Cisco with the IOS method and/or will the features eventually merge to some extent?
Or does Cisco really see them as two different platforms each serving a specific need independently?
Thanks for being the first one to start the discussion :)
As you rightly pointed out, the basic site-to-site functionality will always be available in both the ASA & IOS devices.
There is a breadth of solutions available for Site-to-Site IPSec VPNs (DMVPN, GETVPN, EasyVPN, IPSec/GRE) in the IOS software to easily deploy and scale site-to-site VPNs for any topology, from hub-and-spoke to the more complex full-mesh IPSec VPNs. In addition, the Cisco IOS Advanced Security feature set combines a rich VPN feature set with advanced firewall and extensive Cisco IOS Software capabilities including QoS, multiprotocol, multicast, and advanced routing support.
You can find more clear direction and details on our IPSec/SSL product portfolio at the following link, where we specifically discuss the IPSec/SSL solution portfolio: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns142/netbr09186a00801f0a72.html
Hope this helps,
I've some questions about VPN solutions :
1- which are the features of Cisco EZVPN ? why using it ?
2- any consideration about the security problems associated with the IKE v.1 (I need the IPS function on IOS/ASA (is it available ?)) ? when does the IOS/ASA support IKE v.2 ?
3- when in IOS/ASA is the SHA-256 secure hash algorithm available instead of SHA-1 (because of the critical break in the SHA-1 algorithm discovered by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, researchers from Shandong University)?
4- any consideration about the "crypto ipsec security-association lifetime seconds" and the "crypto ipsec security-association idle-time" (the default builtin EZVPN-proposals is 84600/0)
5- any consideration/problems with the replay windows size ? (EzVPN supports replay-detection, no special config)
6- with DMVPN it's better OSPF or EIGRP (are there any diff.)?
7- please can you link me a good configuration example of DMVPN with vrf lite ?
8- please can you link me a good configuration example of IPSec L2L HA and load balancing ?
9- can you tell me more about the security protocols used in the "Cisco 5700 Series Integrated Encryption Routers (KG-275A, KG-275B, KG-275C)" ; are these products available also in EMEA within private use ?
Thanks in advance
Thanks for your questions, Answers inline AW>
1- Which are the features of Cisco EZVPN ? why using it ?
AW> Cisco EasyVPN is an IPSec solution which provides both Site-to-Site and Remote-access IPSec based connectivity. More details available at: www.cisco.com/go/ezvpn
2- Any consideration about the security problems associated with the IKE v.1 (I need the IPS function on IOS/ASA (is it available ?)) ? when does the IOS/ASA support IKE v.2 ?
AW> Cisco's solution extends the Hybrid Auth model by additionally requiring a group pre-shared key for VPN group identification. The group pre-shared key is used solely to associate users with their appropriate VPN groups, followed by the XAUTH exchange that then authenticates the user. In any case, Cisco is planning to add support for IKEv2 in upcoming versions of the Cisco IOS and the Adaptive Security Appliance (ASA) software.
3- When in IOS/ASA is the SHA-256 secure hash algorithm available instead of SHA-1 (because of the critical break in the SHA-1 algorithm discovered by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, researchers from Shandong University)?
AW> SHA-2 is already supported in the 12.4T IOS release (SHA-2 includes SHA-256 support)
4- Any consideration about the "crypto ipsec security-association lifetime seconds" and the "crypto ipsec security-association idle-time" (the default builtin EZVPN-proposals is 84600/0)
AW> Using the defaults should work just fine for most cases. Work with the TAC for your specific scenario to get their recommendation.
5- Any consideration/problems with the replay windows size ? (EzVPN supports replay-detection, no special config)
AW> No problems
6- With DMVPN it's better OSPF or EIGRP (are there any diff.)?
AW> Both work and mostly it depends on what customers are already running in their network before they deploy DMVPN. EIGRP & OSPF can both scale pretty well although EIGRP is what we normally see deployed in DMVPN deployments
7- Please can you link me a good configuration example of DMVPN with vrf lite ?
8- Please can you link me a good configuration example of IPSec L2L HA and load balancing ?
9- Can you tell me more about the security protocols used in the "Cisco 5700 Series Integrated Encryption Routers (KG-275A, KG-275B, KG-275C)" ; are these products available also in EMEA within private use ?
AW> Please contact your local sales folks to get more details.
Hope this helps,
I have a question for you. It might not pertain to the current discussion.
I am currently using a VPN connection with broadband internet service. I want to move to a more rural location. The only type of internet I can get there currently is satellite. Is there a satellite internet provider that I can use my VPN connection with? I need IPSec for work. Any suggestions would be appreciated.
Thanks for your question. I would suggest searching on www.google.com for a list of satellite Internet providers. I really do not have any recommendations in that respect.
Sorry couldn't be of more help,
Hi, I have a satellite service provider but I've been having a problem: the VPN client gets disconnected very often. I think it is because of the delay in the core. I have a Cisco ASA.
Do you have some solution to this problem?
My suggestion would be to increase the idle timeout on the ASA so it doesn't drop the connection based on some missed keepalives. TAC can surely help you with that, and your administrator would need to make the change on the head-end ASA.
Hope this helps,
I'm the administrator of the ASA. Can you help me with the configuration to increase the idle timeout on the ASA?
Thank you for your help.
The command to do this on the ASA is: vpn-idle-timeout x (where x stands for the time)
More details on some other suggestions to manage connection limits and timeouts at:
We need to support a Hot Site Data center over an Internet connection and need to use Site to Site VPN. The server group wants to have about 1 Gig of throughput to this site. I am sure that with the overhead of VPN and the limitation of our Internet connection being 1 Gig we will have trouble getting this, but what platform would be best to get this amount of throughput over site to site VPN?
I would have to say the VPN SPA module with the Cat6500 would be the best route to take. Your Cisco account team can help you with the design aspects to fulfil your requirements.
I have a basic question. How do I configure S2S and remote-access VPN on a Cisco router? Since we can only have a single crypto map on the interface, when we configure remote access the S2S is not able to connect.
Any good example we can look at.
Siva Prasad K.
Here are the links for the configuration that you are looking to do: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml
Additionally if one of the S2S peers has a dynamic IP address that you need to connect then you can look at: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
Hope this helps,
One of our clients has a requirement for a simple three site LAN 2 LAN VPN (two hubs and one spoke) to be run over long haul dark fibre. The traffic is Citrix based and averages 250Kbps with 500Kbps peaks. I am currently looking at the low end ISR routers.
Which Cisco devices would be recommended to provide a low cost solution which will natively terminate Fibre LX on the box?
Sorry for the delay in answering this, I was checking with the platform folks.
You can use an LX SFP in the HWIC-1GE-SFP. The 2800 series supports 1 of these interfaces and the 3800 series supports 2.
Hope this helps,
I got a question. I have a client that is having trouble connecting using the Cisco VPN client because of the security policy he has at another company that does not allow him to keep UDP ports 500 and 4500 open to traffic originating from outside his network.
He is using cisco vpn client version 5. I got a cisco 2811 running IOS Version 12.4(11)XJ3 . I don't seem to be able to program the router to enable transparent tunneling IPSec over TCP. IPSec over UDP works fine. Please Advise.
You need to use Cisco IOS 12.4(9)T Advanced security image for the IPSec over TCP support. Details available at: http://cisco.com/en/US/products/ps6635/products_white_paper0900aecd8061e2b3.shtml
The feature is called cTCP (Cisco Tunnel Control Protocol)
Hope this helps,
Hi, I have an ASA as VPN server. All VPN clients from Windows work, but when I want to connect with a router 877 as remote EasyVPN, I connect but I can't access the LAN. I have this message from my syslog server: "deny protocl 50".
My question: it works with the simple client, but doesn't work with the remote EasyVPN from the router?
Below is the configuration that you should use for the IOS EasyVPN client side.
This would get you where you need to be. If it doesn't work, then please go ahead and check your ACL/firewall configuration on the router, as the syslog also points out that ESP (IP protocol 50) packets might be getting dropped due to some config you have there, so try opening it up exclusively.
Hope this helps,
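The IOS EasyVPN hardware-client configuration referred to above, as an added example rather than the expert's own posted config: an 877 in network-extension mode toward an ASA, with the WAN-side ACL opened for IKE, NAT-T and ESP so that the "deny protocol 50" drop described in the question cannot occur. The profile name, group name, peer address and credentials are placeholders.

```ios
! Added example (not the expert's configuration): IOS EasyVPN hardware
! client in network-extension mode on an 877. All names, addresses and
! credentials are placeholders chosen for illustration.
crypto ipsec client ezvpn EZ_TO_ASA
 connect auto
 group HWCLIENTS key PLACEHOLDER_GROUP_KEY
 mode network-extension
 peer 203.0.113.10
 username hwclient877 password PLACEHOLDER_XAUTH_PASSWORD
 xauth userid mode local
!
! Inbound filter on the WAN side. The tunnel only passes LAN traffic if
! IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) from the ASA
! are permitted; a filter that stops at the UDP lines lets IKE complete
! but drops the returning ESP packets, which is what a "deny protocol 50"
! syslog message reports.
ip access-list extended OUTSIDE_IN
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit esp host 203.0.113.10 any
 deny ip any any log
!
interface Dialer0
 description WAN toward the ASA
 ip access-group OUTSIDE_IN in
 crypto ipsec client ezvpn EZ_TO_ASA outside
!
interface Vlan1
 description protected LAN behind the 877
 crypto ipsec client ezvpn EZ_TO_ASA inside
```

The ASA must have a matching tunnel group and group policy for HWCLIENTS; "show crypto ipsec client ezvpn" on the router and the "deny" counter on the OUTSIDE_IN ACL confirm whether ESP is still being filtered.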
Is it possible to support site to site and DMVPN on the same Hub router using the same interface for transition purposes? Basically we have point to point tunnels and would like to transition to DMVPN without tearing down the existing connections until the transition is complete.
Yes it is possible. For transitioning over to the DMVPN based solution, you would need to control the traffic flow through routing.
Basically, the order of the crypto map determines what gets encrypted and with which IPSec policy, also routing determines what traffic goes on the tunnel and the DMVPN, so if it is not going on the tunnel interface, the physical interface crypto policy takes effect.
So to transition to DMVPN, simply bring up the tunnel, with lower routing metric and it takes precedence
You should go through some of the links below to better understand the DMVPN configurations.
www.cisco.com/go/dmvpn and then you can call TAC to help you transition over.
Hope this helps,
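The coexistence described in the answer above, as an added illustration that is not the expert's configuration: a hub keeps its legacy point-to-point crypto map on the physical interface while the DMVPN mGRE tunnel, sourced from the same interface, comes up beside it, and routing preference decides which path a spoke's traffic takes. All names, addresses and keys are placeholders.

```ios
! Added example (not the expert's configuration): hub with a legacy
! crypto map on Gi0/0 and DMVPN on Tunnel0 sourced from the same
! interface. Names, addresses and keys are placeholders.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set LEGACY_TS esp-aes esp-sha-hmac
crypto ipsec transform-set DMVPN_TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN_PROF
 set transform-set DMVPN_TS
!
! Legacy site-to-site: the crypto map ACL selects LAN-to-LAN traffic that
! leaves the physical interface. It never matches the GRE packets that
! Tunnel0 generates, so both policies can live on Gi0/0 at the same time.
ip access-list extended TO_SPOKE1
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255
crypto map LEGACY 10 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set LEGACY_TS
 match address TO_SPOKE1
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map LEGACY
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication PLACEHOLDER_NHRP
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROF
!
! Routing picks the path: the spoke LAN learned over Tunnel0 by EIGRP
! (distance 90) beats the floating static route toward the crypto map
! peer (distance 250). Remove the static route and crypto map entry
! once the spoke is on DMVPN.
router eigrp 1
 network 10.0.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 no auto-summary
ip route 10.2.0.0 255.255.255.0 203.0.113.254 250
```

While both paths exist, "show ip route 10.2.0.0" tells you which one is in use, and "show crypto session" shows whether the spoke's traffic is riding the Tunnel0 SA or the crypto map SA.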
Is there a document that describes configuring up a 3002 as a hardware IPSec client connecting to a ASA5540?
The 3002 will have a static outside address assigned and the inside/private network will be configured with its own IP pool.
I am trying to configure the ASA 5540 (running ver 8.0) to accept VPN connections *without* encryption. To achieve this, I set the encryption to "esp-null" on the ASA.
The built-in L2TP-IPSec client on Windows XP establishes the VPN connection but drops out exactly after 1 minute and 11 seconds.
I suspect that this is some kind of timeout - do any ports need to be opened up specifically on the ASA Outside interface?
"sysopt connection permit-vpn" is present in the configuration.
Thanks for your assistance.
Looks like we can terminate the L2TP/IPSec connections without any problem.
I loaded up the latest 8.0.2 interim and it works as designed. I am able to stay connected and pass data with no problems (see below). If you still have a problem or wish to obtain the latest interim, please open a TAC case
Session Type: IPsec Detailed
Username : l2tp Index : 4
Assigned IP : 22.214.171.124 Public IP : 126.96.36.199
Protocol : IKE IPsecOverNatT L2TPOverIPsecOverNatT
License : IPsec
Encryption : none Hashing : MD5 SHA1
Bytes Tx : 21595 Bytes Rx : 27116
Pkts Tx : 225 Pkts Rx : 261
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy Tunnel Group : DefaultRAGroup
Login Time : 12:10:45 UTC Wed Oct 3 2007
Duration : 0h:04m:05s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKE Tunnels: 1
IPsecOverNatT Tunnels: 1
L2TPOverIPsecOverNatT Tunnels: 1
Find more details on the configuration at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml
Is it possible to disable aggressive mode on IOS for VPNs? Using DMVPN with preshared key. What can I do to disable or mitigate aggressive mode with redesign network? I want to force main mode only. This is needed to pass a security audit.