Cisco Support Community
ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on platforms which can be used to terminate various IPSec VPN services to meet the need for ubiquitous connectivity. Aamir is a product manager for remote-access VPN's in Cisco's router security group in San Jose. He is responsible for bringing advanced IOS security products to market, while integrating customer and market requirements with Cisco products and services to create solutions. He previously worked as a technical marketing engineer in Cisco's security technology group where he was responsible for building technical marketing presentations and training the Cisco partners and systems engineers on newly introduced IOS security technologies and platforms. He has over 9 years of experience in the computing and networking industry including networking, training and systems administration. Aamir has authored many Cisco online technical documents and configuration guidelines and delivered numerous technical presentations for Cisco customers and partners.

Remember to use the rating system to let Aamir know if you have received an adequate response.

Aamir might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through October 5, 2007. Visit this forum often to view responses to your questions and the questions of other community members.

50 REPLIES
New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

I'll start out with a few general questions:

It seems like the ASA and IOS are overlapping in many areas relating to site-to-site VPNs. However, the IOS offers some advanced features in many areas.

Going forward, would a company be best suited to position their site-to-site VPNs on an ASA or an IOS as a standard?

Obviously either will suit for basic needs, but, for instance, will we see faster innovation from Cisco with the IOS method and/or will the features eventually merge to some extent?

Or does Cisco really see them as two different platforms, each serving a specific need independently?

Thanks!

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Strine,

Thanks for being the first one to start the discussion :)

As you rightly pointed out, the basic site-to-site functionality will always be available in both the ASA and IOS devices.

Look at the breadth of solutions available for site-to-site IPSec VPNs (DMVPN, GETVPN, EasyVPN, IPSec/GRE) in the IOS software, which make it easy to deploy and scale site-to-site VPNs for any topology, from hub-and-spoke to the more complex full-mesh IPSec VPNs. In addition, the Cisco IOS Advanced Security feature set combines a rich VPN feature set with advanced firewall and extensive Cisco IOS Software capabilities including QoS, multiprotocol, multicast, and advanced routing support.

You can find clearer direction and details on our IPSec/SSL product portfolio at the following link, where we specifically discuss the IPSec/SSL solution portfolio: http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns142/netbr09186a00801f0a72.html

Hope this helps,

Rgds,

Aamir

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Aamir,

I have some questions about VPN solutions:

1- Which are the features of Cisco EZVPN? Why use it?

2- Any consideration about the security problems associated with IKE v.1 (I need the IPS function on IOS/ASA; is it available?)? When will the IOS/ASA support IKE v.2?

3- When will the SHA-256 secure hash algorithm be available in IOS/ASA instead of SHA-1 (because of the critical break in the SHA-1 algorithm discovered by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, researchers from Shandong University)?

4- Any consideration about the "crypto ipsec security-association lifetime seconds" and the "crypto ipsec security-association idle-time" (the default built-in EZVPN proposal is 84600/0)?

5- Any consideration/problems with the replay window size? (EzVPN supports replay detection, no special config.)

6- With DMVPN, is OSPF or EIGRP better (are there any differences)?

7- Can you please link me a good configuration example of DMVPN with VRF lite?

8- Can you please link me a good configuration example of IPSec L2L HA and load balancing?

9- Can you tell me more about the security protocols used in the "Cisco 5700 Series Integrated Encryption Routers (KG-275A, KG-275B, KG-275C)"? Are these products also available in EMEA for private use?

Thanks in advance

Roberto

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Roberto,

Thanks for your questions. Answers inline, marked AW>.

1- Which are the features of Cisco EZVPN? Why use it?

AW> Cisco EasyVPN is an IPSec solution which provides both site-to-site and remote-access IPSec-based connectivity. More details available at: www.cisco.com/go/ezvpn

2- Any consideration about the security problems associated with IKE v.1 (I need the IPS function on IOS/ASA; is it available?)? When will the IOS/ASA support IKE v.2?

AW> Cisco's solution extends the Hybrid Auth model by additionally requiring a group pre-shared key for VPN group identification. The group pre-shared key is used solely to associate users with their appropriate VPN groups, followed by the XAUTH exchange that then authenticates the user. In any case, Cisco is planning to add support for IKEv2 in upcoming versions of the Cisco IOS and the Adaptive Security Appliance (ASA) software.

3- When will the SHA-256 secure hash algorithm be available in IOS/ASA instead of SHA-1 (because of the critical break in the SHA-1 algorithm discovered by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, researchers from Shandong University)?

AW> SHA-2 is already supported in the 12.4T IOS release (SHA-2 includes SHA-256 support).

4- Any consideration about the "crypto ipsec security-association lifetime seconds" and the "crypto ipsec security-association idle-time" (the default built-in EZVPN proposal is 84600/0)?

AW> Using the defaults should work just fine for most cases. Work with the TAC for your specific scenario to get their recommendation.

5- Any consideration/problems with the replay window size? (EzVPN supports replay detection, no special config.)

AW> No problems.

6- With DMVPN, is OSPF or EIGRP better (are there any differences)?

AW> Both work, and mostly it depends on what customers are already running in their network before they deploy DMVPN. EIGRP and OSPF can both scale pretty well, although EIGRP is what we normally see in DMVPN deployments.

7- Can you please link me a good configuration example of DMVPN with VRF lite?

AW> http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd8034be03.shtml

8- Can you please link me a good configuration example of IPSec L2L HA and load balancing?

AW> http://www.cisco.com/en/US/products/ps6660/products_white_paper0900aecd80278edf.shtml

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802d03f2.html

http://www.cisco.com/en/US/products/ps6635/products_white_paper0900aecd803498b1.shtml

9- Can you tell me more about the security protocols used in the "Cisco 5700 Series Integrated Encryption Routers (KG-275A, KG-275B, KG-275C)"? Are these products also available in EMEA for private use?

AW> Please contact your local sales folks to get more details.

Hope this helps,

Rgds,

Aamir


New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

I have a question for you. It might not pertain to the current discussion.

I am currently using a VPN connection with broadband internet service. I want to move to a more rural location. The only type of internet I can get there currently is satellite. Is there a satellite internet provider that I can use my VPN connection with? I need IPSec for work. Any suggestions would be appreciated.

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Solucas,

Thanks for your question. I would suggest searching on www.google.com for a list of satellite Internet providers. I really do not have any recommendations in that respect.

Sorry couldn't be of more help,

Rgds,

Aamir

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi, I have a satellite service provider but I've been having a problem: the VPN client gets disconnected very often. I think it is because of the delay in the core. I have a Cisco ASA.

Do you have some solution to this problem?

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Maiden,

My suggestion would be to increase the idle timeout on the ASA so it doesn't drop the connection based on some missed keepalives. TAC can surely help you with that, and your administrator would need to make the change on the head-end ASA.

Hope this helps,

Rgds,

Aamir

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

I'm the administrator of the ASA; can you help me with the configuration to increase the idle timeout on the ASA?

Thank you for your help.

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Maiden,

The command to do this on the ASA is: vpn-idle-timeout x (where x stands for the time)

More details on some other suggestions to manage connection limits and timeouts at:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/protect.html#wp1053110

Rgds,

Aamir
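As an added example (not from Aamir's reply or a Cisco document), this shows where vpn-idle-timeout sits on an ASA: inside the group-policy that the remote-access tunnel-group applies to the client. The group-policy and tunnel-group names, the 120-minute idle value and the keepalive values are assumptions for illustration.

```cisco
! Added example: group-policy for the satellite remote-access users (names assumed)
group-policy SAT_USERS internal
group-policy SAT_USERS attributes
 ! Minutes of inactivity before the ASA tears the session down.
 ! The ASA default is 30; a longer value tolerates a slow, bursty link.
 vpn-idle-timeout 120
!
! Bind the policy to the tunnel-group the VPN client connects to
tunnel-group SAT_RA type remote-access
tunnel-group SAT_RA general-attributes
 default-group-policy SAT_USERS
tunnel-group SAT_RA ipsec-attributes
 ! IKE keepalives (DPD): wait 60 s of silence and retry every 10 s
 ! before declaring the peer dead, so satellite latency alone
 ! does not count as missed keepalives.
 isakmp keepalive threshold 60 retry 10
```

Check the result with "show vpn-sessiondb remote" after a client reconnects; the Duration field should grow past the old drop point.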

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

We need to support a hot-site data center over an Internet connection and need to use site-to-site VPN. The server group wants to have about 1 Gig of throughput to this site. I am sure that with the overhead of VPN and the limitation of our Internet connection being 1 Gig we will have trouble getting this, but what platform would be best to get this amount of throughput over site-to-site VPN?

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Grove,

I would have to say the VPN SPA module with the Cat6500 would be the best route to take. Your Cisco account team can help you with the design aspects to fulfill your requirements.

Rgds,

Aamir

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Aamir,

I have a basic question. How do I configure S2S and remote-access VPN on a Cisco router? Since we can have only a single crypto map on the interface, when we configure remote access the S2S is not able to connect.

Is there a good example we can look at?

Regards

Siva Prasad K.

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Siva,

Here are the links for the configuration that you are looking to do: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094685.shtml

Additionally if one of the S2S peers has a dynamic IP address that you need to connect then you can look at: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Hope this helps,

Rgds,

Aamir

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Aamir,

Great... it works. Thanks for your help.

I missed out earlier the no-xauth.

Regards

Siva Prasad K

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Glad it helped :)
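As an added example (not from Aamir's reply, the linked Cisco document or Siva's configuration), here is the shape of a single IOS crypto map that serves both the site-to-site peer and remote-access clients, including the no-xauth keyword Siva mentions: without it, the client authentication list on the map makes the router demand XAUTH from the site-to-site peer too, and that tunnel never comes up. Peer addresses, key strings, pool, ACL and names are assumptions.

```cisco
! --- AAA is used for the remote-access clients only ---
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username vpnuser password 0 VPNUSER_PASSWORD
ip local pool RA_POOL 10.10.10.1 10.10.10.50
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Site-to-site peer. "no-xauth" tells the router not to run XAUTH
! against this peer, which "client authentication list" below would
! otherwise force on every pre-shared-key peer of the crypto map.
crypto isakmp key S2S_KEY address 203.0.113.10 no-xauth
!
! Remote-access group (the group name and key configured in the client)
crypto isakmp client configuration group RA_GROUP
 key RA_GROUP_KEY
 pool RA_POOL
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Dynamic map for clients whose addresses are not known in advance
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
ip access-list extended S2S_ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! One crypto map on the interface: static S2S entry first (low sequence
! number), dynamic remote-access entry last (highest sequence number)
crypto map VPNMAP client authentication list userauthen
crypto map VPNMAP isakmp authorization list groupauthor
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address S2S_ACL
crypto map VPNMAP 65535 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
```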

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

One of our clients has a requirement for a simple three-site LAN-to-LAN VPN (two hubs and one spoke) to be run over long-haul dark fibre. The traffic is Citrix-based and averages 250 Kbps with 500 Kbps peaks. I am currently looking at the low-end ISR routers.

Which Cisco devices would be recommended to provide a low-cost solution which will natively terminate fibre LX on the box?

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Mondbell,

Sorry for the delay in answering this, I was checking with the platform folks.

You can use an LX SFP in the HWIC-1GE-SFP. The 2800 series supports 1 of these interfaces and the 3800 series supports 2.

Hope this helps,

Rgds,

Aamir

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Aamir,

I have a question. I have a client that is having trouble connecting using the Cisco VPN client because of the security policy he has at another company that does not allow him to keep UDP ports 500 and 4500 open to traffic originating from outside his network.

He is using Cisco VPN client version 5. I have a Cisco 2811 running IOS version 12.4(11)XJ3. I don't seem to be able to program the router to enable transparent tunneling IPSec over TCP. IPSec over UDP works fine. Please advise.

Thank You

Ben

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Ben,

You need to use Cisco IOS 12.4(9)T Advanced security image for the IPSec over TCP support. Details available at: http://cisco.com/en/US/products/ps6635/products_white_paper0900aecd8061e2b3.shtml

The feature is called cTCP (Cisco Tunnel Control Protocol)

Hope this helps,

Rgds,

Aamir

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi, I have an ASA as VPN server. All VPN clients from Windows work, but when I want to connect with a router 877 as a remote EzVPN client, I connect but I can't access the LAN. I have this message from my syslog server: "deny protocol 50".

My question: why does it work with the simple client but not with remote EzVPN from the router?

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Khallaoui,

Below is the configuration that you should use for the IOS EasyVPN client side.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml

This would get you where you need to be. If it doesn't work, then please go ahead and check your ACL/firewall configuration on the router, as the syslog also points out that ESP (IP protocol 50) packets might be getting dropped due to some config you have here, so try opening it up exclusively.

Hope this helps,

Rgds,

Aamir

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Is it possible to support site to site and DMVPN on the same Hub router using the same interface for transition purposes? Basically we have point to point tunnels and would like to transition to DMVPN without tearing down the existing connections until the transition is complete.

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi Perry,

Yes, it is possible. For transitioning over to the DMVPN-based solution, you would need to control the traffic flow through routing.

Basically, the order of the crypto map determines what gets encrypted and with which IPSec policy; routing determines what traffic goes on the tunnel and the DMVPN, so if it is not going on the tunnel interface, the physical interface crypto policy takes effect.

So to transition to DMVPN, simply bring up the tunnel with a lower routing metric and it takes precedence.

You should go through some of the links below to better understand the DMVPN configurations.

www.cisco.com/go/dmvpn, and then you can call TAC to help you transition over.

Hope this helps,

Rgds,

Aamir
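As an added example (not from Aamir's reply or www.cisco.com/go/dmvpn), this spoke-side configuration shows the coexistence Aamir describes: the legacy crypto map stays on the physical interface, the new mGRE tunnel carries its own IPsec profile, and routing (a floating static route that loses to the EIGRP route learned over the tunnel) decides which path the traffic takes. Addresses, keys, names and the hub-side configuration are assumptions; the crypto map ACL is written so that it matches the old LAN-to-LAN traffic only, not the GRE packets the tunnel sends.

```cisco
! --- Existing point-to-point crypto map, kept during the transition ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key OLD_KEY address 192.0.2.1
crypto ipsec transform-set TS esp-aes esp-sha-hmac
ip access-list extended LEGACY_S2S
 ! Only the old LAN-to-LAN flow; GRE from the tunnel does not match
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map LEGACY 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address LEGACY_S2S
!
! --- New DMVPN tunnel, protected by an IPsec profile, not a crypto map ---
crypto isakmp key DMVPN_KEY address 0.0.0.0 0.0.0.0
crypto ipsec profile DMVPN_PROF
 set transform-set TS
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp authentication NHRPKEY
 ip nhrp map 172.16.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN_PROF
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map LEGACY
!
! --- Routing decides which path carries 10.2.0.0/16 ---
router eigrp 1
 network 172.16.0.0 0.0.0.255
 network 10.1.0.0 0.0.255.255
 no auto-summary
! Floating static (AD 200): used only while Tunnel0 is down. Once the
! hub advertises 10.2.0.0/16 over the tunnel, the EIGRP route (AD 90)
! wins, traffic enters Tunnel0 and the crypto map no longer sees it.
ip route 10.2.0.0 255.255.0.0 198.51.100.1 200
```

Verify with "show ip route 10.2.0.0" before and after the tunnel comes up and with "show crypto ipsec sa" to confirm the traffic counters move from the crypto map SA to the tunnel SA.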

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Is there a document that describes configuring a 3002 as a hardware IPSec client connecting to an ASA5540?

The 3002 will have a static outside address assigned and the inside/private network will be configured with its own IP pool.

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi

I am trying to configure the ASA 5540 (running ver 8.0) to accept VPN connections *without* encryption. To achieve this, I set the encryption to "esp-null" on the ASA.

The built-in L2TP-IPSec client on Windows XP establishes the VPN connection but drops out exactly after 1 minute and 11 seconds.

I suspect that this is some kind of timeout - do any ports need to be opened up specifically on the ASA Outside interface?

"sysopt connection permit-vpn" is present in the configuration.

Thanks for your assistance.

Cisco Employee

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Hi,

Looks like we can terminate the L2TP/IPSec connections without any problem.

I loaded up the latest 8.0.2 interim and it works as designed. I am able to stay connected and pass data with no problems (see below). If you still have a problem or wish to obtain the latest interim, please open a TAC case.

Session Type: IPsec Detailed

Username : l2tp Index : 4

Assigned IP : 90.208.1.105 Public IP : 70.208.1.2

Protocol : IKE IPsecOverNatT L2TPOverIPsecOverNatT

License : IPsec

Encryption : none Hashing : MD5 SHA1

Bytes Tx : 21595 Bytes Rx : 27116

Pkts Tx : 225 Pkts Rx : 261

Pkts Tx Drop : 0 Pkts Rx Drop : 0

Group Policy : DfltGrpPolicy Tunnel Group : DefaultRAGroup

Login Time : 12:10:45 UTC Wed Oct 3 2007

Duration : 0h:04m:05s

NAC Result : Unknown

VLAN Mapping : N/A VLAN : none

IKE Tunnels: 1

IPsecOverNatT Tunnels: 1

L2TPOverIPsecOverNatT Tunnels: 1

Find more details on the configuration at: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807213a7.shtml

Rgds,

Aamir

New Member

Re: ASK THE EXPERT - IPSec VPN HEAD-END PLATFORM

Is it possible to disable aggressive mode on IOS for VPNs? I am using DMVPN with a pre-shared key. What can I do to disable or mitigate aggressive mode with a network redesign? I want to force main mode only. This is needed to pass a security audit.
