
ios-to-ios vpn

Hi,

I have a Cisco 837 at HQ and a Cisco 827H at the branch office. The Cisco 837 was set up for the Easy VPN client so that remote users could connect.

With the Cisco 837 I want to set up a site-to-site VPN.

I succeeded in this through the EzVPN hardware client.

However, there are some disadvantages.

1. Because of the configuration at HQ for the Easy VPN clients with Xauth, the site-to-site VPN also has to authenticate. Is there a way that this is not needed?

2. I let the user set up the VPN connection via CRWS (so he needs to log in to the router, with a level 15 account!).

Every time the VPN connection is set up, CRWS removes NAT, so he cannot access the internet.

3. The VPN connection shuts down after 60 min of inactivity. Is there a way to extend this?

This is the setup at the branch office 827H:

!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxxxxx
!
logging queue-limit 100
logging buffered 4096 informational
enable secret secretpass
!
username xxxxxx xxxxx
ip subnet-zero
ip name-server 10.1.1.10
ip name-server 195.238.2.21
ip name-server 195.238.2.22
ip dhcp excluded-address 10.1.3.254
!
ip dhcp pool CLIENT
   import all
   network 10.1.3.0 255.255.255.0
   default-router 10.1.3.254
   lease 0 2
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
crypto ipsec client ezvpn crws-client
 connect auto
 group xxxxxxx key xxxxxxxxxx
 mode network-extension
 peer x.x.x.x
!
!
partition flash 2 6 2
!
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:10.1.3.254-255.255.255.0
 ip address 10.1.3.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1348
 crypto ipsec client ezvpn crws-client inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 ip tcp adjust-mss 1348
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxxxxx
 ppp pap sent-username xxxxx password 7 xxxxxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 crypto ipsec client ezvpn crws-client
!
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
access-list 23 permit 10.1.3.0 0.0.0.255
access-list 102 deny ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.3.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
dialer-list 1 protocol ip permit
!
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end

This is the setup at HQ 837:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
logging buffered 4096 informational
enable secret xxxxxxxxxx
!
username xxxxxx xxxxx
aaa new-model
!
!
aaa authentication login vws group radius local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
ip domain name xxxxxx
ip name-server 10.1.1.10
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! (easy vpn clients)
crypto isakmp client configuration group xxxxxxxxx
 key xxxxxxxx
 dns 10.1.1.10
 domain xxxxxxxxx
 pool ippool
 acl 101
!
! (site-to-site vpn)
crypto isakmp client configuration group xxxxxxx
 key xxxxxxxx
 dns 10.1.1.10
 domain xxxxxxx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list vws
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 no ip mroute-cache
 load-interval 30
 no keepalive
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
!
interface ATM0.1 point-to-point
 ip address x.x.x.x x.x.x.x
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 pvc 8/35
  encapsulation aal5snap
 !
 crypto map clientmap
!
ip local pool ippool 10.1.2.1 10.1.2.5
ip nat inside source list 102 interface ATM0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip pim bidir-enable
!
!
ip access-list extended dns-servers
ip access-list extended key-exchange
ip access-list extended save-password
ip access-list extended service
!
logging 10.1.1.10
access-list 1 permit 10.1.1.10
access-list 23 permit 10.1.0.0 0.0.255.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 102 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 102 deny ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip 10.1.3.0 0.0.0.255 any
access-list 111 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any log
no cdp run
snmp-server community vwssnmp RO
snmp-server enable traps tty
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key 7 11041C29371C5B5C093A2121
radius-server authorization permit missing Service-Type
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
 transport input ssh
!
scheduler max-task-time 5000
end

2 Replies

rlcarr
Level 1

You've listed 3 disadvantages.

Numbers 1 & 2 can be eliminated if you change your connection from the Client setup to a true Site-to-Site setup. Your hub will allow for both types to exist. However, if you plan on adding more Site-to-Site connectivity you should seriously consider upgrading your Hub end router; an 827 doesn't have much VPN horsepower. Here is a link that will help. http://www.cisco.com/warp/public/707/ios_hub_spoke2.html

Number 3 can be addressed by keeping some recurring traffic on the link like SNMP polling or a routing protocol. Here is an example of how to setup a routing protocol. http://www.cisco.com/warp/customer/707/gre_ipsec_ospf.html

Using a routing protocol also has nice benefits when you decide to add options like ISDN backup and want to make true routing decisions.

Hope this helps.

~ron

Hi Ron,

Thanks for the information. I only have a problem with setting up a real site-to-site VPN. Because the router in the branch office receives a dynamic IP address, I have to add something like the following on the HQ router:

crypto isakmp key **** address 0.0.0.0

When I do this, the remote users with the Easy VPN clients cannot connect anymore. I suppose it is because of the 0.0.0.0 (which means everybody, including remote users).
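The conflict described in the follow-up (a global wildcard `crypto isakmp key ... address 0.0.0.0` that also gets offered to the Easy VPN clients) is what ISAKMP profiles exist for, and it is also the mechanism that gives the "true site-to-site" setup from rlcarr's reply without Xauth on the branch link. The hub matches Easy VPN clients by the group name they present and the branch router by its (wildcard) IP identity, so each kind of peer gets its own keyring, Xauth and authorization settings. The following is an added example written for this thread by the editor; it is not the posters' configuration and not a Cisco document. It reuses the names already in the posted configs (`vws`, `groupauthor`, `myset`, `clientmap`, `dynmap`, ACL 102) and uses placeholders in capitals for the HQ public address, the branch pre-shared key and the Easy VPN group name, none of which the thread gives. It assumes an IOS release with ISAKMP profile support (12.2(15)T or later); the bare `version 12.2` shown above may predate that.

```cisco
! ===== HQ 837 (added example; placeholders in CAPITALS are not from the thread) =====
! The per-map Xauth/authorization lines are what forced the branch router to
! answer Xauth (disadvantage 1); they move into the Easy VPN profile below.
no crypto map clientmap client authentication list vws
no crypto map clientmap isakmp authorization list groupauthor
no crypto map clientmap client configuration address respond
!
! Wildcard key for the branch (its public address is dynamic). It lives in a
! keyring bound to the site-to-site profile only, so it is never offered to an
! Easy VPN client, which is what a global "crypto isakmp key ... address 0.0.0.0" does.
crypto keyring BRANCH-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key BRANCH-PSK-PLACEHOLDER
!
! Easy VPN software clients: selected by the group name they present,
! then Xauth against the existing "vws" list and group authorization as before.
crypto isakmp profile EZVPN-CLIENTS
 match identity group EZVPN-GROUP-PLACEHOLDER
 client authentication list vws
 isakmp authorization list groupauthor
 client configuration address respond
!
! Branch 827H: selected by IP identity (any address), no Xauth, own keyring.
crypto isakmp profile BRANCH-S2S
 keyring BRANCH-KEYS
 match identity address 0.0.0.0
!
! Two dynamic-map entries, each tied to exactly one profile.
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile EZVPN-CLIENTS
crypto dynamic-map dynmap 20
 set transform-set myset
 set isakmp-profile BRANCH-S2S
 match address 120
!
! HQ LAN <-> branch LAN; ACL 102 on the hub already exempts this pair from NAT.
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
!
! ===== Branch 827H: static crypto map replaces the EzVPN hardware client =====
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key BRANCH-PSK-PLACEHOLDER address HQ-PUBLIC-IP-PLACEHOLDER
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
! Mirror of the hub's ACL 120. ACL 102 on this router already denies NAT for
! 10.1.3.0/24 -> 10.1.1.0/24, so internet traffic stays overloaded on Dialer1
! while HQ traffic enters the tunnel untranslated (disadvantage 2).
access-list 120 permit ip 10.1.3.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map S2S 10 ipsec-isakmp
 set peer HQ-PUBLIC-IP-PLACEHOLDER
 set transform-set myset
 match address 120
!
interface Ethernet0
 no crypto ipsec client ezvpn crws-client inside
!
interface Dialer1
 no crypto ipsec client ezvpn crws-client
 crypto map S2S
```

Two things to keep in mind with this layout. Because only the branch knows the hub's address, only the branch can bring the tunnel up, so the recurring traffic rlcarr suggests for disadvantage 3 has to originate on the branch LAN (or come from a GRE tunnel with a routing protocol, as in the linked document). And the wildcard pre-shared key accepts any peer that knows it, so it must be a separate secret from the Easy VPN group key and the only thing that selects the `BRANCH-S2S` profile is the absence of a group identity; keep `show crypto isakmp sa` and `show crypto session` in mind when checking which profile a peer actually landed in. The 3DES/SHA-1/group 2 suite is kept only because it is what the posted configs and this hardware use; on any current release use AES and a larger DH group.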