Router as a VPN client

Would it be possible to have a Cisco router running IOS act as a VPN client? I'd like it to connect to a remote VPN server, receive an IP address using PPTP, set up some kind of NAT and do selective routing, say only addresses in the subnets 24.0.0.0/8 and 25.0.0.0/8 get sent through the VPN tunnel, leaving the rest of outbound traffic going directly through the WAN connection.


10 Replies

Peter Paluch
Cisco Employee

Hi Holbrook,

This should be possible. The rough configuration would be as follows:

service internal
!
vpdn enable
vpdn-group PPTP
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip X.X.X.X
!
interface Dialer0
 encapsulation ppp
 ppp chap hostname YourLogin
 ppp chap password YourPassword
 ppp encrypt mppe auto
 ppp mtu adaptive
 dialer pool 1
 dialer string 123
 dialer vpdn
 dialer persistent
 ip mtu 1460
 ip address negotiated

The service internal command is necessary to make the protocol pptp command available in the VPDN group. Otherwise, it is hidden. I am not sure why it is hidden - probably to discourage people from using IOS routers as PPTP clients (L2TP is better suited for that). Note that the service internal command is hidden itself and must be typed in its entirety, otherwise it will not be accepted.

The VPDN group PPTP is what basically encapsulates your elementary PPTP configuration. The only configuration to modify there is the X.X.X.X - replace that with the IP address of your remote VPN server.

On the Dialer0 interface, be sure to replace YourLogin and YourPassword with your VPN username/password. The dialer string 123 is a command that originally specified phone numbers to dial out - here, its value is largely irrelevant but it still needs to be present in order for the Dialer interface to consider its configuration complete.

After entering this configuration, the interface Dialer0 should come up after a few seconds and be assigned the IP address by the remote VPN server. No further routing via this Dialer0 interface will happen yet, so testing this configuration should be fairly safe.

setup some kind of nat and do selective routing, say only addresses in the subnet 24.0.0.0/8 and 25.0.0.0/8 get sent through the vpn tunnel

Are these addresses source addresses in your internal network, or are they destination addresses that should be reachable via the PPTP?

What kind of NAT do you need? What are the internal addresses used inside your network?

Best regards,

Peter

Peter Paluch wrote:

setup some kind of nat and do selective routing, say only addresses in the subnet 24.0.0.0/8 and 25.0.0.0/8 get sent through the vpn tunnel

Are these addresses source addresses in your internal network, or are they destination addresses that should be reachable via the PPTP?

What kind of NAT do you need? What are the internal addresses used inside your network?

Best regards,

Peter

Hi Peter,

They are destination addresses. Currently I have NAT set up, outside on fastethernet0/0 and inside on fastethernet0/1, using overload. The internal addresses on my network are 10.0.0.0/24.

Basically with the dialer interface you gave me, I want all internal traffic (as seen from fa0/1) with the destination of say 24.0.0.0/8 or say 24.1.2.3 to go through the VPN connection. Everyone on the internal network will share the one IP address given via the PPTP. Anything else meant for the outside world, let it traverse through the WAN interface as if there were no VPN connection.

Thanks!

Holbrook

Hello Holbrook,

Can you please post your configuration (removing sensitive information of course)? I would like to adapt my suggested modifications to your existing configuration so that there are no conflicts.

The easiest way to configure this, by the way, will be simply to define the routes towards 24.0.0.0/8 via the Dialer interface. While this will make all packets (from anyone) to be routed via the Dialer through the PPTP connection, I also assume that you do not have several internal networks, from which only selected networks are to be using the PPTP connection. Otherwise, we would have to set up Policy Based Routing which is not complicated per se but it does add to the complexity of the solution.

Have you tried adding the Dialer interface configuration? Did it connect successfully?

Best regards,

Peter
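The policy-based routing alternative Peter mentions, as an added illustration that is not part of the original thread: it is what you would use if only some internal networks should reach 24.0.0.0/8 and 25.0.0.0/8 through the PPTP tunnel, so a plain static route is too coarse. The ACL number 100, the route-map name VIA-PPTP and the second LAN 10.0.1.0/24 are assumptions for the example; the interface names are the ones from the thread. Route-map NAT keyed on the egress interface, as in the accepted solution, still works with PBR because NAT is evaluated after the forwarding decision. Note that PPTP with MS-CHAP and MPPE is no longer considered a confidential tunnel; the routing logic here is the same for an L2TP or IPsec tunnel.

```ios
! Only hosts in 10.0.0.0/24 are steered into the tunnel; a hypothetical
! second LAN 10.0.1.0/24 behind the same router keeps using the WAN.
access-list 100 remark traffic to be policy-routed into the PPTP tunnel
access-list 100 permit ip 10.0.0.0 0.0.0.255 24.0.0.0 0.255.255.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 25.0.0.0 0.255.255.255
!
! Packets matching ACL 100 are sent out Dialer0; everything else, and
! everything from 10.0.1.0/24, falls through to the normal routing table.
route-map VIA-PPTP permit 10
 match ip address 100
 set interface Dialer0
!
! PBR is applied on the inside interface where the traffic enters.
interface FastEthernet0/1
 ip policy route-map VIA-PPTP
!
! Verify: the policy counters increment only for matching flows.
! show route-map VIA-PPTP
! show ip policy
```

If Dialer0 is down, set interface is skipped and the packet is routed normally, so matching destinations would leak out through the WAN; add a route for 24.0.0.0/8 and 25.0.0.0/8 to Null0 if that leak must be prevented.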

Hi Peter,

I added the dialer interface and while I was awaiting a reply tried adding the line:

ip route 123.123.123.0 255.255.255.0 Dialer0

I was able to talk to that subnet through the dialer interface, but not from any hosts on the internal side. I tried adding (as you can see) ip nat outside on the dialer interface and adding an access-list, nat inside, to see if that might work. I've found if I remove the nat inside source for fastethernet0/0 it will route traffic bound for the above subnet but nothing else (makes sense). But when I have both of them in there at the same time (as is the case in the config below) all traffic except for traffic bound for 123.123.123.0/24 traverses.

!
! Last configuration change at 09:56:41 PST Fri Jan 20 2012
! NVRAM config last updated at 09:56:43 PST Fri Jan 20 2012
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname border
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 XXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXX
!
no aaa new-model
memory-size iomem 25
clock timezone PST -8
clock summer-time PDT recurring
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.100
ip dhcp excluded-address 10.0.0.200 10.0.0.254
!
ip dhcp pool main
   network 10.0.0.0 255.255.255.0
   dns-server 10.0.0.10 8.8.8.8 8.8.4.4
   domain-name home.local
   option 4 ip 10.0.0.10
   option 150 ip 10.0.0.5
   default-router 10.0.0.1
!
ip dhcp pool ape
   host 10.0.0.4 255.255.255.0
   client-identifier 0100.1ff3.040f.06
   default-router 10.0.0.1
   dns-server 10.0.0.10
   domain-name home.local
   option 4 ip 10.0.0.10
!
ip dhcp pool printer1
   host 10.0.0.20 255.255.255.0
   client-identifier 0100.1e0b.f50e.8f
   dns-server 10.0.0.10
   domain-name home.local
   default-router 10.0.0.1
   option 4 ip 10.0.0.10
!
!
ip domain name home.local
ip name-server 10.0.0.10
vpdn enable
!
vpdn-group PPTP
 request-dialin
  protocol pptp
  pool-member 1
 initiate-to ip ...
!
!
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool ipv6
 dns-server 2620:0:CCC::2
 dns-server 2620:0:CCD::2
!
!
interface Tunnel0
 description HE IPV6 Tunnel
 no ip address
 ipv6 address :::::/64
 ipv6 enable
 ipv6 virtual-reassembly
 tunnel source FastEthernet0/0
 tunnel destination ...
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 ipv6 address :::::/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server ipv6
!
interface Dialer0
 ip address negotiated
 ip mtu 1460
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string 123
 dialer persistent
 dialer vpdn
 no cdp enable
 ppp encrypt mppe auto
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxx
!
!
ip route 123.123.123.0 255.255.255.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.10 22 interface FastEthernet0/0 9774
ip nat inside source static tcp 10.0.0.10 9999 interface FastEthernet0/0 9999
ip nat inside source static tcp 10.0.0.10 8765 interface FastEthernet0/0 8765
ip nat inside source static udp 10.0.0.10 5060 interface FastEthernet0/0 5060
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit any
access-list 3 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 23 deny   any
snmp-server community xxxxx RO
snmp-server enable traps tty
no cdp run
ipv6 route ::/0 Tunnel0
!
!
ipv6 access-list telnet
 permit ipv6 :::::/64 any
 deny ipv6 any any
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 password 7 0356491F022311
 ipv6 access-class telnet in
 login
!
!
end

Thanks again,

Holbrook

Hello Holbrook,

Alright, the configuration should be modified as follows (all commands are performed exactly against the configuration you have posted):

route-map Di0 permit 10
 match ip address 1
 match interface Dialer0
!
route-map Fa0/0 permit 10
 match ip address 1
 match interface FastEthernet0/0
!
! Pasting the following lines will cause the router to prompt you
! if you want to delete the NAT entries - permit it
!
no ip nat inside source list 1 interface FastEthernet0/0 overload
no ip nat inside source list 3 interface Dialer0 overload
!
ip nat inside source route-map Di0 interface Dialer0 overload
ip nat inside source route-map Fa0/0 interface FastEthernet0/0 overload
!
interface Dialer0
 ip tcp adjust-mss 1420

This configuration should be paste-able directly to your global config mode. However, the no ip nat ... commands need to be entered manually and individually, as the router will expect a response from you (yes/no).

This configuration should make sure that packets routed via Di0 will be NATted using the Di0 interface address, packets routed via Fa0/0 interface will be NATted using the Fa0/0 interface address, and TCP sessions carried through the PPTP will have their MSS decreased to prevent unnecessary IP packet fragmentation.

You may delete the ACL 3 - it is not used anymore.

Best regards,

Peter

I'm getting the same results with the new config. Dunno if this will help any, but I'll send you the route map and NAT stats

Gateway of last resort is 70.187.168.1 to network 0.0.0.0

S    123.123.123.0/24 is directly connected, Dialer0
     70.0.0.0/21 is subnetted, 1 subnets
C       70.187.168.0 is directly connected, FastEthernet0/0
     172.19.0.0/32 is subnetted, 1 subnets
S       172.19.89.19 [254/0] via 70.187.168.1, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.0.0/24 is directly connected, FastEthernet0/1
C       10.41.0.1/32 is directly connected, Dialer0
C       10.41.0.8/32 is directly connected, Dialer0
S*   0.0.0.0/0 [254/0] via 70.187.168.1

Total active translations: 90 (0 static, 90 dynamic; 90 extended)
Outside interfaces:
  FastEthernet0/0, Virtual-Access1, Dialer0
Inside interfaces:
  FastEthernet0/1
Hits: 26058450  Misses: 112759
CEF Translated packets: 25687651, CEF Punted packets: 937723
Expired translations: 301284
Dynamic mappings:
-- Inside Source
[Id: 4] route-map di0 interface Dialer0 refcount 0
[Id: 5] route-map fa0/0 interface FastEthernet0/0 refcount 82
Queued Packets: 0
longest chain in local hash: 0, average length 0, chains 0/2048

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            70.187.175.168  YES DHCP   up                    up
FastEthernet0/1            10.0.0.1        YES NVRAM  up                    up
NVI0                       unassigned      NO  unset  up                    up
Virtual-Access1            unassigned      YES unset  up                    up
Virtual-Access2            unassigned      YES unset  down                  down
Dialer0                    10.41.0.8       YES IPCP   up                    up
Tunnel0                    unassigned      YES NVRAM  up                    up

I've found the problem, I had:

ip nat inside source route-map di0 interface Dialer0 overload

instead of

ip nat inside source route-map Di0 interface Dialer0 overload

Thanks again for your help!
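The mistake above is a reference to a route-map whose name differs from the defined one only in letter case; IOS accepts the NAT statement without complaint and simply never matches it (the refcount 0 on the di0 mapping in the NAT statistics is the symptom). As an added example, not code from the thread or from Cisco, here is a small Python linter that catches that, and also flags the type-7 credentials visible in the posted config (enable password 7, ppp chap password 7 and the vty password 7), since type-7 is reversible obfuscation rather than a hash and service password-encryption gives no real protection once the config leaks. The SAMPLE_CONFIG is constructed from the thread's NAT and route-map lines with the lowercase di0 reintroduced; the secrets in it are placeholders.

```python
"""Lint a Cisco IOS configuration for two problems seen in this thread.

Added example; not from the forum thread or from Cisco. It checks that:
  1. each `ip nat inside source route-map NAME ...` statement names a
     route-map that is defined, with identical letter case (route-map
     names are case-sensitive, so `di0` does not match `Di0`);
  2. no credential is stored as a type-7 string (`password 7 ...`),
     which is reversible obfuscation rather than a hash.
"""
import re

ROUTE_MAP_DEF = re.compile(r"^route-map\s+(\S+)\s+(?:permit|deny)\s+\d+\s*$")
NAT_ROUTE_MAP_REF = re.compile(r"^ip nat inside source route-map\s+(\S+)\s")
# `secret 5` is an MD5 hash and is not flagged; only type 7 is reversible.
TYPE7_SECRET = re.compile(r"\b(?:password|secret|key)\s+7\s+\S+")

# Constructed sample: the thread's NAT/route-map lines with the lowercase
# `di0` bug reintroduced, plus two placeholder type-7 credentials.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 XXXXXXXXXXXXXXXXXXX
enable password 7 XXXXXXXXXXXXXXXXX
!
route-map Di0 permit 10
 match ip address 1
 match interface Dialer0
!
route-map Fa0/0 permit 10
 match ip address 1
 match interface FastEthernet0/0
!
ip nat inside source route-map di0 interface Dialer0 overload
ip nat inside source route-map Fa0/0 interface FastEthernet0/0 overload
!
line vty 0 4
 password 7 XXXXXXXXXXXXXX
 login
"""


def defined_route_maps(lines):
    """Return the set of route-map names defined in the config lines."""
    names = set()
    for line in lines:
        m = ROUTE_MAP_DEF.match(line)
        if m:
            names.add(m.group(1))
    return names


def lint(config):
    """Return a list of human-readable findings, one per problem line."""
    lines = config.splitlines()
    defined = defined_route_maps(lines)
    by_lower = {name.lower(): name for name in defined}
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = NAT_ROUTE_MAP_REF.match(line)
        if m and m.group(1) not in defined:
            name = m.group(1)
            if name.lower() in by_lower:
                findings.append(
                    f"line {lineno}: NAT references route-map '{name}' but the "
                    f"defined map is '{by_lower[name.lower()]}' (names are case-sensitive)"
                )
            else:
                findings.append(
                    f"line {lineno}: NAT references undefined route-map '{name}'"
                )
        # Sub-mode lines (e.g. under `line vty`) are indented; strip before matching.
        if TYPE7_SECRET.search(line.strip()):
            findings.append(
                f"line {lineno}: type-7 credential is reversible, not hashed"
            )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config; a clean config returns an empty list. Replacing enable password 7 with enable secret, and the vty password with AAA or at least a local user with secret, removes the type-7 findings.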

Holbrook,

Is everything now working according to your requirements? I was glad to help.

Best regards,

Peter

Hi Peter,

Yes, everything is working how I was wanting it setup to do. Thanks again for your help!

Holbrook
