Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update from Cisco expert Sunil Cherukuri on how to deploy virtualized network-based security services like IPSec, IPSec VTI, EzVPN, SSL VPN, firewalls etc. on IOS platforms for large-scale VPN networks. Sunil is a solutions engineer in Cisco's Network Solutions & Test Engineering (NSITE) team, with over five years of experience with network-based security services. His current focus is on testing the scaling and performance of large-scale network-based security services. He also assists service providers and major enterprises in the design and deployment of such services.
Remember to use the rating system to let Sunil know if you have received an adequate response.
Sunil might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through July 28, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
I'm happy to start this session.
My simple question is: I have two VPN concentrators, a 3015 and a 3020, and I need to install both of them for load balancing and sharing. We can enable load balancing over both concentrators, but you need to take the configuration changes from one to the other, and the other needs a configuration swap, which needs a reload. I think it is very bad. Imagine that you have changes every day or even more often!
For me, I have ACS 3.3, and I will give VPN users access authorization from the ACS to avoid the huge configuration changes on the VPN boxes. I will create per-group/user downloadable ACLs on the ACS.
Now the question: will Cisco support GLBP on the VPN concentrators in the near future, or overcome the configuration change problem? I hope the configuration from the primary/master VPN box will be pushed to the secondary one; I think it can be done by Cisco, right?
Hi Sunil, it's good to have you back in the forum. I have some doubts about VPN concentrators. Since the ASA has been out for quite some time and supports all the features that our VPN concentrator does, and I also heard from some sales rep that the VPN concentrator is going end-of-life soon, can you give me some idea about it? And is 4.7 the last release for it, or will there be further releases? Because the VPN concentrator is in the new CCIE Security lab, it means it wouldn't be end-of-life very soon. I feel that since it's a hardcore VPN termination box it should at least support GRE tunnels. Except for Cisco routers, none of the Cisco security devices support GRE tunnels. Do you think it's going to be implemented soon? Waiting for your reply. See ya
I'm not as up to date with the appliances as with IOS!
The ASA is the next-gen appliance for VPN and firewall and as such will ultimately replace the 3k and PIX. As to the timeframes for EOS/EOL, images etc., you'd be better served by posting on a 3k forum or contacting your Cisco SE. Even if it's EOL, I would think it would be supported in the near future.
As for GRE, the reason for using GRE was for running routing protocols, multicast, SNA/IPX etc. So this is really suited to a VPN environment on IOS platforms, and has not been supported on appliances. I don't think there is, and am not aware of, any such support in the future.
I understand your concern, since the VPN3k and ASA clustering does not provide for config sync. With the ASA you can use ASDM to ease the configuration changes.
Cisco does support a config sync feature for PIX/ASA/FWSM failover scenarios, but not for clustering.
And the clustering currently uses a proprietary mechanism for redirects and for load metrics.
As to when/if we will support clustering config sync or GLBP for load balancing, you'd be better served by posting on a 3k forum, or contacting your local Cisco SE/account team. They could give you more up-to-date info or help in putting forward feature requests.
I am going through setting up VPNs. I have a security question though. I have a 3660 and a PIX. The 3660 is my outside router, which is connected to the outside interface.
I NAT from the inside to another range between the PIX and 3660 and then NAT again from the 3660 to internet addresses.
I have this question: which is better, to let the PIX outside interface have an internet IP, therefore allowing VPN connections to the PIX, or getting VPNs to connect to the 3660?
Is there a way to connect to the 3660 and then pass it through to the PIX for auth??
Which is the higher security risk? Would it be better to have a VPN accelerator in either, and which one has the better VPN security with these cards? The PIX is a 520.
Thanks for any pointers
Not sure I understand why you NAT twice, first on the PIX then on the 3660.
As to which one should be used for VPN termination, it's a hard question.
VPN security/risk wise both are the same. The IPSec is RFC compliant, so no difference there. Both are different platforms/images, so they have some differences in features. If you prefer IOS VPN features go for the 3660. From a load perspective, you might want to keep the VPN on the 3660 and the firewall on the PIX.
My main considerations would be the scale and throughput: number of tunnels and encrypt/decrypt traffic throughput.
I cannot make a recommendation since I'm not sure what encryption module the 3660 has. We had the AIM-BP, AIM-EP, AIM-HP encryption cards before, and now have the AIM-VPN and AIM-2 cards. So each has different capabilities.
The AIM-BP/EP/HP cards are EOS now, I think.
Also, the PIX 520 is EOL and also end of support this year.
You will have to make a call based on these factors.
Hope this helps.
So I guess
I'm getting the idea that a PIX 515E would be the best option, otherwise a VAC+ in the PIX 520. We are an edu/charity, so money is tight as normal. I'm not doing L2L, which the 3660 would be better at.
I would have preferred to start the VPN termination at the 3660, but that would mean a lot of routing coming from the internal network to the 3660 on the perimeter, which might not be that secure???
I NAT twice just for added security more than anything, or is this a bad thing?
PIX 515 or 520 would be fine, just that the 520 is end-of-life and end of support.
So you're doing EzVPN termination, not L2L. Both the 3660/PIX would be OK for that.
Based on your concern, it would be preferable to do the termination on the PIX. Or, if you can, reposition the PIX in front of the 3660, so the PIX does firewall/NAT and the 3660 does VPN termination.
As I said before, the real choice is based on scale/throughput and what kind of encryption cards the 3660/PIX have.
As for double NAT, I don't think that buys you any additional security.
I have an 8-site VTI hub-spoke setup. I'm using Cisco 2851s at the head end and Cisco 871s out in the field.
The problem I'm having is bad performance. All of these sites are through satellite connections.
Problem: without using encryption we are getting 300Kbps down and 44Kbps up. With encryption we are getting only 56K down and 8-9K up. We are running OSPF across the links.
I have adjusted the MTU to 1300 on the virtual-template and also the MSS size.
I haven't had the opportunity to do a packet analysis yet, but I will in the next couple of days. Our configurations are right off Cisco's examples.
Have you seen this before? I'm going to run a few more tests.
I haven't seen this issue before.
Is this using static VTI tunnels?
Do all the routers have hardware accelerators?
Look for a few things:
1) CPU on the routers. Any other services like CBAC, NAT, QoS etc. applied on the VTI?
2) Interface drops
3) Errors from 'sh crypto ipsec sa detail' and from the hardware accelerator statistics. Basically looking for encr/decr errors, replay errors, buffer full/drops etc.
4) See if OSPF is flapping. Increase the interface hold-queue in and out if possible.
First let's determine where the drops are happening, and let me know if I can be of further assistance.
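As an added example (not configuration from the original posts or from Cisco's own documentation), here is a spoke-side static VTI of the kind the question describes, with the MTU and MSS set on the tunnel, larger hold queues on the interface and OSPF running over it, followed by the show commands that correspond to the checklist above. The addresses, names and pre-shared key are constructed placeholders, and the 871's WAN port name is an assumption.

```cisco
! Spoke (assumed to be an 871) static VTI to the hub, OSPF over the tunnel.
! Constructed sample addresses (RFC 5737 ranges): hub WAN 203.0.113.1, spoke LAN 192.168.10.0/24.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ! Lower the tunnel MTU so the ESP-encapsulated packet still fits the path,
 ! and clamp TCP MSS (MTU minus 40 bytes of IP+TCP header) so hosts never send
 ! segments that would have to be fragmented after encryption.
 ip mtu 1300
 ip tcp adjust-mss 1260
 ! Larger input/output hold queues, per item 4 of the checklist.
 hold-queue 200 in
 hold-queue 200 out
 tunnel source FastEthernet4
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
! Verification, in the order of the checklist above (run from enable mode):
!  show processes cpu sorted                 -> item 1: CPU, and which process is consuming it
!  show interfaces Tunnel0 | include drops   -> item 2: input/output queue drops on the VTI
!  show crypto ipsec sa detail               -> item 3: decrypt/replay/no-SA error counters per SA
!  show crypto engine accelerator statistic  -> item 3: hardware crypto errors and buffer drops
!  show ip ospf neighbor                     -> item 4: adjacency state and dead-timer flapping
```

Apply the same MTU/MSS values on the hub's virtual-template so both ends agree; if the counters in `show crypto ipsec sa detail` stay at zero while the tunnel interface shows drops, the problem is queueing rather than crypto, which is the distinction the checklist is trying to make.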
Thank you for your reply, Sunil.
I haven't seen any issues of the sort mentioned here. However, we did a download test without IPSec and we had 220Kbps. With IPSec we are getting 10Kbps.
I did a performance test on an ADSL line; we got a 2.1Mbps download rate without VPN and 1.9 with VPN. I don't think it's the IPSec configuration at this point.
I tried to implement ACL-RBSCP. It gave us 14Kbps download rates (a 40% increase). But it would eventually crash the router with an "out of memory" error.
From 2.1M to 1.9M I can understand, due to the overhead of IPSec.
220K to 10K doesn't seem right. Please try to do additional troubleshooting to determine where/what is causing the drop.
ACL-RBSCP works with IPSec (IPSec on one interface, ACL-RBSCP on the other), but I haven't used it. The out of memory should be addressed. Have you raised a case with Cisco TAC? What about trying regular RBSCP with a tunnel configuration?
We are running FWSM ver 2.2(1). Can you advise if the FWSM can be used to terminate a VPN tunnel and, if so, what the maximum number of terminations is?
The FWSM can terminate IPSec only for management purposes. So you can use IPSec to log in to the FWSM (instead of telnet, SSH etc.) and manage it. But the FWSM cannot be used for IPSec VPN termination of data traffic.
If the FWSM cannot be used to terminate the IPSec VPN, can it be achieved on the Catalyst 6500 with a VRF-lite implementation?
Can you please provide a guide for the management VPN configuration on the FWSM? I will be VPNing in from a remote PC via the internet to the FWSM.
Yes, sure, we can terminate IPSec tunnels on the 6500 into global, VRF-lite, or MPLS VPN. But you would need the VPNSM (EOL now) or IPSec SPA encryption modules. While IOS can terminate in software, you would need the hardware module for performance and scale.
Let me know if I can be of any help with this.
Below are some links for the IPSec SPA.
For the FWSM, you can use IPSec for management only from the outside interface.
Below is a config guide.
Thank you for the conversation on such a topic.
I have a deployment with a central site (two ASAs as the VPN concentration point) and a few branches with Cisco IOS routers. We have to connect the branches to the central site over the Internet using VPN (NAT will not be used).
The IOS router on the branch site has to be connected to ASA1, and ASA2 has to serve as a backup peer.
How would you design and configure such a situation including routing on a branch router?
At this moment there is one crypto map with two peers (ASA1, ASA2) and static routing.
Hopefully there is a better solution with VPN peer status detection. How should routing to the central site networks be designed?
Thanks in advance for any suggestions.
You're on the right track with having 2 set peers under the crypto map on the IOS branch router. As for routing, with crypto map IPSec we do not carry routing protocols through the tunnel. I guess you're referring to routing for the tunnel endpoint addresses, not the inner/original IP address routing.
So the branch has one WAN link, one crypto map and 2 peers. Its internal routing is pointing to the crypto map interface to reach the HUB private addresses. Routing (static or dynamic, specific or default route) for the tunnel endpoint addresses (the public addresses of the 2 peers) also points out this WAN interface.
The branch brings up a tunnel to Hub-1.
If you have IKE keepalives or Dead Peer Detection (DPD) configured, we'll send DPD or KA messages to detect the peer's liveness.
So if Hub-1 is down, the spoke deletes the tunnel to Hub-1 and brings up a tunnel to Hub-2.
From the HUB's point of view, both HUBs have specific or default routes to the Internet for reaching the spoke's public address.
Each hub is also configured with a crypto map with Reverse Route Injection (RRI) to install routes to the spoke's private address when the tunnel is established.
Or you can have static routes internally pointing to the HUB device. But it would be better to use RRI to tie routing to tunnel status. The RRI route is installed based on the crypto ACL. In IOS we now have the capability to install the route only if the tunnel is active.
If you need routing through the tunnel for true end-to-end dynamic routing, you'll need to use IPSec+GRE or IPSec VTI.
Hope this helps.
Its (the branch router, SPOKE) internal routing is not pointing to the crypto map interface. But maybe this is what is wrong. There is only a crypto map defined and bound to the outside interface. Routing for the tunnel endpoint addresses (behind the HUBs) is pointing to the Internet. This scenario is working, but a few times it has happened that the tunnels to both HUBs (ASAs) were active, which is not desired. So I thought there's something wrong in the design.
The ASA supports only IPSec tunnel mode, so I cannot use a tunnel interface on both sides (hub and spoke). How would you specify the crypto interface?
Thanks in advance.
When having 2 set peers under a crypto map, you should not see both tunnels up at the same time. Maybe you caught it when one was being deleted (the IKE SA shows for a few minutes in the deleted state) after a new tunnel had been established?
True, the ASA does not support GRE or VTI. My earlier comment was generic. Sorry for the confusion.
The spoke should have routes to the HUB private addresses pointing to the crypto map interface.
Say the spoke has f0/1 as the WAN crypto map interface, 126.96.36.199,
and has private LAN network 10.1.1.x.
HUB1 has public WAN crypto map interface IP 188.8.131.52.
HUB2 has 184.108.40.206.
The HUBs are connected to LAN network 20.1.1.x.
The spoke should have routes for 20.1.1.x and 200.1.1.x pointing out via the crypto map f0/1 interface. Or have a default route, which I gather is what you have.
Similarly both HUBs must have routes for 10.1.1.x and 100.1.1.x pointing out via the crypto map interface.
Or you can use RRI to inject the route for 10.1.1.x, which the HUB then distributes to its LAN routing protocol.
The problem with 2-hub failover is that with a static crypto map and RRI, the route always exists on both HUBs. So on the return path you might have problems sending traffic to the HUB which actually has the tunnel.
One alternative is to use EzVPN. In this case, the spoke always initiates the tunnel, and only the active hub has the RRI route.
Another alternative is to use HSRP-based failover, either stateless or stateful. Now the spoke only has one peer, the HSRP VIP address. And only the HSRP active HUB has the SAs and RRI routes.
Look at the following links for some failover configs (for IOS hubs and ASA hubs).
IOS stateless failover
IOS Stateful failover
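An added example, not configuration from the original posts, of the two-peer static crypto map design described in the two replies above: the spoke carries both hubs as set peers with DPD to detect a dead hub, and each hub uses RRI to inject the spoke's private network and redistribute it to its LAN. The 10.1.1.x spoke LAN and 20.1.1.x hub LAN are the ones used in the reply; the WAN addresses, interface names and pre-shared key are constructed placeholders (RFC 5737 documentation ranges), and the LAN routing protocol is assumed to be EIGRP.

```cisco
! Spoke branch router: one WAN interface, one crypto map, two hub peers.
! Constructed sample addresses: spoke WAN 192.0.2.10, HUB1 198.51.100.1, HUB2 198.51.100.2.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
crypto isakmp key EXAMPLE-PSK address 198.51.100.2
! Dead Peer Detection: probe a silent peer every 10 s, retry every 3 s, so a
! dead HUB1 is noticed and the spoke moves on to the second set peer.
crypto isakmp keepalive 10 3 on-demand
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL: spoke LAN to hub LAN. The mirror of this ACL is what RRI on the
! hub uses to build its route back to 10.1.1.0/24.
access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
!
crypto map CM 10 ipsec-isakmp
 set peer 198.51.100.1
 set peer 198.51.100.2
 set transform-set TS
 match address 101
!
interface FastEthernet0/1
 ip address 192.0.2.10 255.255.255.0
 crypto map CM
!
! One default route out the crypto map interface reaches both the hub public
! addresses (tunnel endpoints) and, before encryption, the 20.1.1.x hub LAN.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! ---------------------------------------------------------------------------
! HUB1 (HUB2 is the same with its own WAN address). reverse-route injects a
! static route for 10.1.1.0/24 derived from the crypto ACL, and EIGRP
! redistributes it to the LAN so return traffic comes to this hub.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 192.0.2.10
crypto isakmp keepalive 10 3 on-demand
crypto ipsec transform-set TS esp-aes esp-sha-hmac
access-list 101 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255
crypto map CM 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 match address 101
 reverse-route
!
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map CM
!
router eigrp 100
 network 20.1.1.0 0.0.0.255
 redistribute static
 no auto-summary
```

Whether `reverse-route` on a static crypto map installs the 10.1.1.0/24 route only while the SA is up, or as soon as the map is configured, depends on the IOS release (the reply above notes the newer behaviour). On releases where it is unconditional, both hubs advertise the spoke network regardless of which one holds the tunnel, which is exactly the return-path problem the reply warns about; `show ip route static` on each hub shows which case you are in.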
When having 2 set peers under a crypto map, you should not see both tunnels up at the same time; that's what I thought too.
After connectivity is re-established following a network failure at any site, the tunnels are established with the wrong ISAKMP.
dst src state conn-id slot status
SPOKE HUB2 QM_IDLE 8 0 ACTIVE
SPOKE HUB1 QM_IDLE 7 0 ACTIVE
And few minutes later there was:
[spoke]#sh crypto isa sa
dst src state conn-id slot status
SPOKE HUB1 QM_IDLE 10 0 ACTIVE
SPOKE HUB2 QM_IDLE 9 0 ACTIVE
As you can see, the connection-id is incremented and the SPOKE is designated as DST.
On the HUB side it looks similar. I know there is a solution: clear the session to let it be established once again. But maybe there is a solution (ISAKMP configuration change) to avoid such behavior.
So from the description, you have both tunnels up initially. And after some failover event, you still have 2 new tunnels to both HUBs.
This could happen in the 2-peer static crypto map scenario if the backend routing is not controlled correctly.
In my previous posting I explained this problem.
If both hubs are receiving interesting traffic, they will both bring up tunnels to the spoke. So the spoke has 2 tunnels. You will have to control routing so that traffic only goes to the active hub, so only the active hub brings up the tunnel to the spoke.
As I explained in my previous posting, one way around this is to use EzVPN with dynamic crypto maps, or to use the 2 HUBs in a stateless/stateful failover scenario, so that only the active HUB has the routes back to the spoke's private addresses.
Please look through the links in my last post.
My query is as follows.
I have connectivity like this:
PIX 515---CLOUD----VPN 3005 (IOS 3.1)----LAN with NON-MANAGEABLE SWITCH (5 LAPTOPS with Cisco VPN Client 4.7)
-- Here in my scenario the PIX 515 is configured for IPSec VPN as a Remote Access VPN, and it is located remotely.
-- And all my laptops have Cisco VPN Client version 4.7.00 installed.
-- The configuration of the VPN 3005 is default routing pointing to my ISP gateway IP address and NAT with port mapping enabled; this translates my internal network 192.168.1.xx series IP addresses to my single assigned IP address xx.xx.xx.xx.
-- Now my query is: when I try to establish the VPN from any laptop while keeping my laptop behind the NAT, it allows me to establish it, showing the status message. But when I try to ping my remote internal network (also behind NAT) in the 172.xx.xx.xx range, it won't allow me to do so. Meanwhile my remote office administrator reports that he can see my laptop IP address on the PIX 515 attempting to PING, and also that the PIX is replying to me at 192.168.xx.xx.
-- But if I connect my laptop directly to the DSL line coming from my ISP and configure my laptop (that is, if I am not behind NAT), then I can establish the VPN and I can easily ping my Remote Internal Network.
-- Additionally I tried from another network, personally from my home PC (also behind the NAT of another ISP), and there it works well; I can access all the resources of my Remote Office Local Network.
I am not getting this issue...
Can you look into this? I'll be grateful for your reply.
I'm not sure what the 3005 is doing here.
You said it does NAT; does it also do an IPSec tunnel? So is there a LAN-to-LAN tunnel between the 3005 and the PIX, and it is NATing the private address to another address range before encrypting to the PIX?
From your description it seems like the 3005 is not doing IPSec, just NAT/PAT to the outside address? I'm not sure the 3005 can do this.
In any case, if you have a LAN-to-LAN tunnel between the 3005 and the PIX, I don't see the reason for another VPN tunnel between the PCs and the PIX. If you're doing this, it could be the reason why you're not able to ping.
If this is not the case, then the PC 192.168.x.x is NATed to xx.xx.xx.xx and brings up an EasyVPN tunnel to the PIX. So the PIX should assign a private IP address to the PC, say yy.yy. So on the PIX you should see the tunnel established to xx.xx, but after decryption the PIX would only see the IP yy.yy, and return traffic should be to yy.yy.
You said the remote administrator is seeing return traffic to 192.168.x.x;
this shouldn't be the case if the tunnel is set up correctly.
Please provide more details on what the 3005 is doing, and what addresses the tunnel is established to/from etc.
I have a problem with my VPN clients. It started about 3 days ago. They were working fine, but at some point the client PC, after the user gave the username and password, would not create a connection. It just said "not connected". If another user was used from the same terminal the connection would be OK, and the usual username and password would start working again in a couple of hours.
I am using a PIX 515E with 7.0 software. No configuration changes have been made recently.
One more strange thing is that lately the PIX is using 89% of its processor and it's not going down. I have a total of 10 users and the limit of connections is 2000, so I don't think there is a problem with the connection count; the users just go crazy sometimes.
Could you help me?
I am designing a VPN network with my 2 B.O., 1 H.O. and 1 DC.
H.O. and the 2 B.O. will be in a dynamic routing VPN (EIGRP), and the 2 B.O. and DC will be site-to-site VPN.
The 2 B.O. are also connected to each other through a 100M FTT line.
So when ISP A goes down, B.O. A's traffic will be routed to ISP B of B.O. B, and vice versa.
Now I want to design the VPN such that, for my H.O. and DC from the 2 B.O., when the ISP of either B.O. goes down, the VPN traffic automatically redirects to the other VPN tunnel.
Can you please suggest some methods, how to design it and what all the points to look for are?
I have attached a design with the equipment we currently have, and also a rough design plan.
I want to clarify that I understood your question right.
You have DMVPN between BO and HO currently.
Need site-to-site IPSec between BO and DC.
Each BO has only 1 ISP, not 2 ISP links per BO.
If the ISP link goes down, you want to send traffic from BO1 to BO2 through the direct link.
This is the failover you're asking for, not failover between the DMVPN network and the IPSec network?
There is no link between the DC and HO.
If so, this is simple.
The DMVPN EIGRP brings the HO networks to the BO.
Now, run point-to-point GRE+IPSec from the BO to the DC router (or use DMVPN, or even IPSec VTI, which can carry routing protocols). So this GRE runs EIGRP and brings the DC networks to the BOs.
Now run a routing protocol directly between the BOs on the FTT link, with low metrics.
Thus if BO1's ISP-A link goes down, it loses DMVPN and GRE connectivity to HO and DC. But then it has the lower-cost routes directly from BO2, so it sends traffic to BO2. BO2 then sends it on DMVPN to HO or GRE to DC.
Please correct me if I misunderstood and did not provide you the right answer.
>>You have DMVPN between BO and HO currently.
No, currently we don't have a DMVPN setup; it was only my design plan.
Currently we have site-to-site IPSec between HO and the BOs, and between DC and the BOs.
>>Need site-to-site IPSec between BO and DC.
We need IPSec VTI with a dynamic routing protocol VPN between HO and the BOs, and site-to-site IPSec between the BOs and DC.
Each BO has only 1 ISP, not 2 ISP links per BO. << CORRECT
If the ISP link goes down, you want to send traffic from BO1 to BO2 through the direct link. << CORRECT
>>This is the failover you're asking for, not failover between the DMVPN network and the IPSec network?
It is failover between the BOs; we want to send the VPN traffic to the other BO's tunnel, which is UP.
There is no link between the DC and HO. << CORRECT
>>Now run a routing protocol directly between the BOs on the FTT link, with low metrics.
Currently between the BOs we are using static routing, manually changing the route to the other BO's LAN gateway.
I think IPSec VTI can be used instead of DMVPN. So we plan to use IPSec VTI.
I want to set up the VPN failover for both BOs from/to HO and DC.
Can you please suggest how this can be done?
Attached is the new design plan with IPSec VTI and site-to-site IPSec VPN, and the current network diagram with site-to-site IPSec VPN.
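An added example, not configuration from the original posts or the attached diagrams, of the BO-side design Sunil outlines: static VTIs from the BO to HO and to DC carrying EIGRP, and EIGRP also running on the direct 100M link between the two BOs so that when a BO's ISP link fails its HO and DC routes are re-learned via the other BO. The example follows Sunil's suggestion of a routed tunnel toward the DC as well (with a plain site-to-site crypto map to the DC, that leg would need static routes instead). All addresses, interface names and the pre-shared key are constructed placeholders; BO2, HO and DC are assumed to be configured as mirror images.

```cisco
! BO1 router. Tunnel1 and Tunnel2 are static VTIs to HO and DC; FastEthernet0/1
! is the direct 100M link to BO2; FastEthernet1/0 is the BO1 LAN (assumed names).
! Constructed addresses: HO WAN 203.0.113.1, DC WAN 203.0.113.2, ISP-A next hop 198.51.100.1.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 203.0.113.1
crypto isakmp key EXAMPLE-PSK address 203.0.113.2
! DPD tears the SAs down when the ISP link fails, which drops the VTI line
! protocol and lets EIGRP converge onto the BO2 path without waiting for hold timers.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel1
 description VTI to HO
 ip address 172.16.1.2 255.255.255.252
 ! Tunnels default to a very low bandwidth value; set it so the EIGRP metric is sane.
 bandwidth 2000
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel2
 description VTI to DC
 ip address 172.16.2.2 255.255.255.252
 bandwidth 2000
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface FastEthernet0/0
 description ISP-A
 ip address 198.51.100.10 255.255.255.0
!
interface FastEthernet0/1
 description direct 100M link to BO2
 ip address 172.16.100.1 255.255.255.252
!
interface FastEthernet1/0
 description BO1 LAN
 ip address 10.1.1.1 255.255.255.0
!
router eigrp 100
 ! BO1 LAN, both tunnels and the BO1-BO2 link all take part in EIGRP.
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0 0.0.255.255
 no auto-summary
!
! Tunnel endpoints are reached through ISP-A only; nothing advertises them over
! EIGRP, so there is no recursive-routing loop when the tunnels flap.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

With both BOs built the same way and the same tunnel bandwidth on each, a BO prefers its own tunnels: the path via the other BO adds the FTT link's delay plus that BO's tunnel delay, so EIGRP keeps it as the feasible successor. When ISP-A fails at BO1, DPD clears the SAs, Tunnel1/Tunnel2 go down, and the HO and DC prefixes are immediately routed across FastEthernet0/1 to BO2, which forwards them over its own tunnels; `show ip eigrp topology` on BO1 shows the backup paths before you test the failover.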