
VPN on ISR 1802

ANTONIO DEUS
Level 1

Hello,

Is it possible to configure the ISR 1802 router with VPN so that this device can authenticate and authorize users itself, without needing a separate element such as, for example, a Cisco VPN 3000?

Is it possible to use AD (Windows Authentication) or RADIUS to authenticate VPN users instead of the Cisco VPN 3000? And in that case, how should the router be configured?

Thank you,

António

66 REPLIES

"I’m sorry to be annoying, but where is the code that represents the variable ANTONIO-RADIUS-AUTHENTICATION and ANTONIO-router-ADMIN?"

Read my 4th posting from the top, they are defined in the very first and second line.

Port is 1812, not 1813.

radius-server host 192.168.30.1 auth-port 1812 acct-port 1812 key your-password-goes-here

Thanks

Rizwan Rafeek

Lastly, please rate any helpful post on this thread.

Hi,

I didn't have the time to apply the solution that you gave me.

However, I thank you for your availability and all the clarification.

António

ANTONIO DEUS
Level 1

Hi,

In the scenario in the image, the PC with 172.16.50.1 is Windows 7, with the Windows VPN set up, and the above configuration (by Rizwan Rafeek).

When I try to connect to the router through the VPN, the following message appears.

On the router the message is

001002: *Jan 31 18:31:57.609: %CRYPTO-4-IKMP_NO_SA: IKE message from 172.16.50.1 has no SA and is not an initialization offer

I have a W2K8 server with NPS configured to accept VPN connections, and for the user that was used, no entry appears in the security logs.

Can I use the windows configuration to connect via VPN?

If so, what is missing to complete the connection?

If not, what can I do?

Thanks,

António

Please use, Cisco VPN client.

ANTONIO DEUS
Level 1

Hi,

I downloaded version 5.0.07.0290 of the Cisco Systems VPN Client (64-bit) and installed it without the firewall.

I configured F0 of the ISR 1802 router with IP address 172.16.50.1/24.

I configured the local interface of my laptop with 172.16.50.200/24 and no gateway (and later with gateway 172.16.50.1).

The VPN client configuration is:

I suppose that the Group Authentication is the user and password in RADIUS on my W2K8.

And after one minute the result is this message:

What is missing?

Thank you,

António

Well, use the login name without the FQDN, i.e. just a username without @srv-teste.local.

If that doesn't help, copy your config to the forum.

Hi,

The result is the same.

The configuration of the router is attached.

Thanks,

António

Please remove the highlighted line:

no ip nat inside source list ACL_de_Rede_Interna interface FastEthernet0 overload

Please fix this ACL: PAT_ACL is used only for PAT overload and nothing else. So networks 30, 31, 33 and 34 will be PAT overloaded to interface Fa/0.

ip access-list extended PAT_ACL
  deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
  permit ip 192.168.30.0 0.0.0.255 any
  permit ip 192.168.31.0 0.0.0.255 any
  permit ip 192.168.33.0 0.0.0.255 any
  permit ip 192.168.34.0 0.0.0.255 any

Be sure to have a static route on your inside network to push "192.168.0.0 255.255.255.0" to router's inside ip address.

Thanks

Rizwan Rafeek

Hi,

I tried to configure the router with all the changes that were indicated, but I had no success configuring the router as a VPN server with RADIUS.

Then I tried a different thing, i.e., configuring the router as a VPN server with local authentication and authorization.

Inside, everything is operational, but when I try to connect to my VPN server there is no answer (with the same VPN client configuration, outside gateway 172.16.50.1).

What is missing?

Thanks,

António

The configuration is:

no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname MyLab-router
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
!
username admin privilege 15 password 7
username x1x secret 5
clock summer-time WET recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNclient local
aaa authorization exec default local
aaa authorization network LOCALgroups local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 192.168.30.254
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.30.220 192.168.30.229
!
ip dhcp pool DHCP-vlan1
   network 192.168.30.0 255.255.255.0
   domain-name dados-MyLab.pt
   dns-server 192.168.30.254
   default-router 192.168.30.254
   lease 1 0 1
!
!
ip domain name MyLab.pt
ip ips po max-events 100
login block-for 60 attempts 3 within 15
login on-failure
login on-success
no ftp-server write-enable
!
!
!
spanning-tree portfast bpduguard
archive
log config
logging enable
logging size 1000
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
!
crypto isakmp client configuration group engineering
key engine123
pool MyPool
!
!
crypto ipsec transform-set ClientTransform esp-aes esp-sha-hmac
!
crypto dynamic-map dyn_map 10
set transform-set ClientTransform
reverse-route
!
!
crypto map MyMap client authentication list VPNclient
crypto map MyMap isakmp authorization list LOCALgroups
crypto map MyMap client configuration address respond
crypto map MyMap 1000 ipsec-isakmp dynamic dyn_map
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
description Internet Connection
ip address 172.16.50.1 255.255.255.0
no ip unreachables
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map MyMap
!
interface FastEthernet1
description Dados+Wifi
switchport access vlan 1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description Trunk-Rede Interna
switchport mode trunk
no ip address
!
interface Vlan1
description Local LAN
ip address 192.168.30.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool MyPool 192.168.30.200 192.168.30.219
ip classless
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source list SPLITEremote interface FastEthernet0 overload
!
ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
banner motd ^C
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|                                                                  * \
*                       MyLab   /   Portugal                       | *
|       ----------------------------------------------             * |
*                             Router                               | *
|                          Cisco 1802                             * |
*       ----------------------------------------------             | *
|   ---         UNAUTHORIZED ACCESS DENIED!           ---         * |
*   --- Entradas nao autorizadas sao punidas por lei ---        | *
|                                                                   * |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* *
\                                                                   \ |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 5 0
password 7
line vty 5 15
exec-timeout 5 0
password 7
!
no scheduler allocate
end

Well, there are a number of things you did not pay attention to, things I mentioned in my 4th and 5th posts.

If I were you, I would put the remote VPN users' IP range into a separate subnet rather than making the VPN users' subnet the same as the internal network segment.

Just keep it simple: put your remote VPN users' subnet into a separate subnet, different from your internal network. I break it into subnets as follows.

ip access-list extended PAT_ACL
deny ip 192.168.30.128 0.0.0.31 any
permit ip 192.168.30.0 0.0.0.127 any

ip nat inside source list PAT_ACL interface FastEthernet0 overload

ip radius source-interface FastEthernet0/1

interface Vlan1
ip address 192.168.30.1 255.255.255.128

ip local pool MyPool 192.168.30.129 192.168.30.158

ip dhcp pool DHCP-vlan1
   network 192.168.30.0 255.255.255.128
   domain-name dados-MyLab.pt
   dns-server 192.168.30.126
   default-router 192.168.30.1
   lease 1 0 1

ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31

ip dhcp excluded-address 192.168.30.1
no ip dhcp excluded-address 192.168.30.254
no ip dhcp excluded-address 192.168.30.220 192.168.30.229

Ask questions and please understand the syntax.

thanks

Rizwan Rafeek

Hi Rizwan Rafeek,

First of all, thank you for your response.

OK, I will put the VPN users in a different IP range (another IP address).

But with the syntax (see below):

ip access-list extended SPLITEremote
deny ip 192.168.30.128 0.0.0.31 any ! here deny all traffic from 192.168.30.129 to 254 to anywhere, because this is the VPN users' pool address
permit ip 192.168.30.0 0.0.0.127 any ! here permit all traffic from 192.168.30.1 to 126 to anywhere, because this is the inside users' pool address

ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31 ! here permit the traffic between 192.168.30.1 to 126 and 192.168.30.129 to 254, but this line is implicit in the line above, correct?

However, with all of this configuration I have no RADIUS for authentication and authorization; this will be done locally.

So what is wrong? Because I cannot connect when I'm outside.

Thanks,

António

ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31

The ACL "SPLITEremote" is only used for splitting the tunnel; otherwise all traffic from the VPN client (including internet web browsing) will fall into the VPN tunnel. By splitting the tunnel, only internal network traffic will fall into the VPN tunnel.

Now PAT_ACL.

ip access-list extended PAT_ACL
deny ip 192.168.30.128 0.0.0.31 any
permit ip 192.168.30.0 0.0.0.127 any

This PAT_ACL is used only for PAT overload; it forces VPN-tunnel-bound traffic to go via the crypto engine instead of being PAT overloaded for accessing the internet.

So, please stick with this ACL below.

ip access-list extended PAT_ACL
deny ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31
permit ip 192.168.30.0 0.0.0.127 any

thanks

Rizwan Rafeek
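As an added illustration (not code from this thread or from Cisco), the following Python model evaluates the two ACLs exactly as written above, using Cisco wildcard-mask semantics and the implicit deny, so you can check which LAN flows the PAT overload would translate and which are left untouched for the crypto map, and compare that with the single-line PAT ACL the thread starter began with. The sample addresses are the thread's own LAN (192.168.30.0/25) and VPN pool (192.168.30.128/27); the external address is a constructed example.

```python
import ipaddress

# ACL lines copied from this thread (Cisco IOS extended ACL syntax).
PAT_ACL_ORIGINAL = ["permit ip 192.168.30.0 0.0.0.255 any"]
PAT_ACL_FIXED = [
    "deny   ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31",
    "permit ip 192.168.30.0 0.0.0.127 any",
]
SPLITEremote = ["permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31"]


def _take_network(tokens):
    """Consume one ACE address spec: 'any' or '<address> <wildcard>'.
    A Cisco wildcard is the inverse of a subnet mask, so 0.0.0.31 is a /27."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    address, wildcard = tokens[0], tokens[1]
    host_bits = bin(int(ipaddress.ip_address(wildcard))).count("1")
    net = ipaddress.ip_network(f"{address}/{32 - host_bits}", strict=False)
    return net, tokens[2:]


def parse_ace(line):
    """'permit ip <src> <dst>' -> (action, source network, destination network)."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]          # tokens[1] is the protocol ("ip")
    src, rest = _take_network(rest)
    dst, _ = _take_network(rest)
    return action, src, dst


def acl_permits(acl, src_ip, dst_ip):
    """First-match evaluation, with the implicit 'deny any any' at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, src_net, dst_net = parse_ace(line)
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def is_pat_translated(pat_acl, src_ip, dst_ip):
    """'ip nat inside source list <acl> ... overload' translates a flow only when
    the ACL permits it; a deny (or no match) leaves the addresses untouched so
    the crypto map on FastEthernet0 can still match the original flow."""
    return acl_permits(pat_acl, src_ip, dst_ip)


def is_split_tunneled(lan_ip, client_ip):
    """SPLITEremote names LAN addresses as source and the VPN pool as destination;
    a match means LAN<->client traffic belongs in the IPsec tunnel."""
    return acl_permits(SPLITEremote, lan_ip, client_ip)
```

With the original one-line ACL, LAN traffic toward a VPN client is translated before the crypto map sees it; with the corrected ACL it is exempted while ordinary internet-bound traffic is still overloaded.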

ANTONIO DEUS
Level 1

Hi,

The following picture illustrates the scenario.

And with this configuration:

no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service sequence-numbers
!
hostname MyLab-router
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
!
username admin privilege 15 password 7
username x1x secret 5
clock summer-time WET recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNclient local
aaa authorization exec default local
aaa authorization network LOCALgroups local
aaa session-id common
ip subnet-zero
!
!
ip cef
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool DHCP-vlan1
   network 192.168.30.0 255.255.255.128
   domain-name dados-MyLab.pt
   dns-server 192.168.30.126
   default-router 192.168.30.1
   lease 1 0 1
!
!
ip domain name MyLab.pt
ip ips po max-events 100
login block-for 60 attempts 3 within 15
login on-failure
login on-success
no ftp-server write-enable
!
!
!
spanning-tree portfast bpduguard
archive
log config
logging enable
logging size 1000
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp keepalive 20 3
!
crypto isakmp client configuration group engineering
key engine123
pool MyPool
!
!
crypto ipsec transform-set ClientTransform esp-aes esp-sha-hmac
!
crypto dynamic-map dyn_map 10
set transform-set ClientTransform
reverse-route
!
!
crypto map MyMap client authentication list VPNclient
crypto map MyMap isakmp authorization list LOCALgroups
crypto map MyMap client configuration address respond
crypto map MyMap 1000 ipsec-isakmp dynamic dyn_map
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface BRI0
no ip address
shutdown
!
interface FastEthernet0
description Internet Connection
ip address 172.16.50.1 255.255.255.0
no ip unreachables
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map MyMap
!
interface FastEthernet1
description Dados+Wifi
switchport access vlan 1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
description Trunk-Rede Interna
switchport mode trunk
no ip address
!
interface Vlan1
description Local LAN
ip address 192.168.30.1 255.255.255.128
ip nat inside
ip virtual-reassembly
!
ip local pool MyPool 192.168.30.129 192.168.30.158
ip classless
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source list PAT_ACL interface FastEthernet0 overload
!
ip access-list extended PAT_ACL
deny   ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31
permit ip 192.168.30.0 0.0.0.127 any
ip access-list extended SPLITEremote
permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31
!
!
!
!
!
control-plane
!
banner motd ^C
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
|                                                                   * \
*                       MyLab   /   Portugal                       | *
|       ----------------------------------------------             * |
*                             Router                               | *
|                           Cisco 1802                             * |
*       ----------------------------------------------             | *
|   ---         UNAUTHORIZED ACCESS DENIED!           ---         * |
*   --- Entradas nao autorizadas sao punidas por lei ---         | *
|                                                                   * |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* *
\                                                                   \ |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
^C
!
line con 0
line aux 0
line vty 0 4
exec-timeout 5 0
password 7
line vty 5 15
exec-timeout 5 0
password 7
!
no scheduler allocate
end

The result is the same as before. From outside the router (through FastEthernet 0) I cannot connect the VPN, with the configuration of the Feb 1, 2012 post (but with a different user and subnet mask, of course).

What's missing? Can you help me solve this?

Thanks,

António

"What's missing?" The line below is...

ip radius source-interface FastEthernet0/1

Are you able to access the internet from inside the network? If your answer is "yes",

then add the above line (ip radius source-interface FastEthernet0/1) and try it.

If you cannot access the internet from inside, then a NAT is missing in the "Dados+Wifi" cloud.

Or you can try this instead.

Try this: connect your router's "interface FastEthernet0" to a switch, connect a PC with a VPN client to the same switch, give the PC an IP address from the same range (172.16.50.100/24), and then try to VPN in from outside while connected to the same switch.

Let me know.

thanks