Setting up VPN on an IOS router
Abstract
Three important things you must know when configuring a Cisco router to support
VPN:
- Define an address pool with addresses that are used for this purpose
only, i.e. do not use network numbers that are already in use somewhere else
on your network. In the sample below, the LAN behind the VPN router is 196.0.0.0/24,
the remote LAN is 195.0.0.0/24, the network used to connect both routers
is 193.0.0.0/24, and the address pool used to provide VPN clients with a
temporary address when connecting through a VPN tunnel is 197.0.0.0/24.
- Use an access-list to tell the VPN router which networks must be accessed
through the tunnel (i.e. the VPN destination address must be turned into the
VPN client's real IP address, and data must be encrypted) and which networks expect
data to be in clear text (i.e. all other networks).
- Check that the VPN router has the required "ip route" lines
so that remote VPN clients can be reached through both their permanent IP
address (i.e. the one used on the LAN where they are connected) AND their temporary
address as leased from the VPN router.
Note: Interestingly enough, I noticed that when using a catch-all
"ip route 0.0.0.0 0.0.0.0 Serial0" instruction, routing works in both
directions only once the VPN client has connected and accessed resources in the
private network; until then, private hosts cannot access resources located on
the VPN client.
I assume the former updates a routing table on the VPN router
so that it then knows how to reach the VPN client. I guess it's the way VPN
routers are set up for actual use over the Internet, considering that VPN clients
can connect from any network over the Internet, i.e. there's no way to know in
advance from which network a VPN client will connect.
Samples
VPN only
- 1720#sh run
- Building configuration...
-
- Current configuration : 1599 bytes
- !
- version 12.2
- service timestamps debug uptime
- service timestamps log uptime
- no service password-encryption
- !
- hostname 1720
- !
- aaa new-model
- aaa authentication login userauthen local
- aaa authorization network groupauthor local
- aaa session-id common
- !
- username cisco password 0 cisco
- memory-size iomem 15
- mmi polling-interval 60
- no mmi auto-configure
- no mmi pvc
- mmi snmp-timeout 180
- ip subnet-zero
- !
- !
- no ip domain-lookup
- !
- ip audit notify log
- ip audit po max-events 100
- !
- crypto isakmp policy 3
- hash md5
- authentication pre-share
- group 2
- !
- crypto isakmp client configuration group 3000client
- key cisco123
- pool ippool
- acl 108
- !
- crypto ipsec transform-set myset esp-des esp-md5-hmac
- !
- crypto dynamic-map dynmap 10
- set transform-set myset
- !
- crypto map clientmap client authentication list userauthen
- crypto map clientmap isakmp authorization list groupauthor
- crypto map clientmap client configuration address initiate
- crypto map clientmap client configuration address respond
- crypto map clientmap 10 ipsec-isakmp dynamic dynmap
- !
- interface FastEthernet0
- ip address 196.0.0.1 255.255.255.0
- speed auto
- !
- interface Serial0
- ip address 193.0.0.1 255.255.255.0
- encapsulation ppp
- no fair-queue
- clockrate 64000
- crypto map clientmap
- !
- ip local pool ippool 197.0.0.3 197.0.0.5
- ip classless
- ! Important: Router must know how to reach remote VPN client via both its permanent IP address AND temporary VPN address:
- ip route 0.0.0.0 0.0.0.0 Serial0
- no ip http server
- ip pim bidir-enable
- !
- !
- logging trap debugging
- ! Important: Needed to support split-tunneling, i.e. data are sent encrypted or in clear text depending on destination address:
- access-list 108 permit ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
- !
- !
- line con 0
- line aux 0
- line vty 0 4
- !
- no scheduler allocate
- end
VPN and NAT
- 1720#sh run
- Building configuration...
-
- Current configuration : 3044 bytes
- !
- version 12.2
- service timestamps debug uptime
- service timestamps log uptime
- no service password-encryption
- !
- hostname 1720
- !
- enable password cisco
- !
- username cisco password 0 cisco
- memory-size iomem 15
- mmi polling-interval 60
- no mmi auto-configure
- no mmi pvc
- mmi snmp-timeout 180
- ip subnet-zero
- !
- no ip domain-lookup
- !
- ip inspect name fw http
- ip inspect name fw ftp
- ip inspect name fw tcp
- ip inspect name fw udp
- ip audit notify log
- ip audit po max-events 100
- !
- crypto isakmp policy 3
- hash md5
- authentication pre-share
- group 2
- !
- crypto isakmp client configuration group 3000client
- key cisco123
- pool ippool
- acl 108
- !
- crypto ipsec transform-set myset esp-des esp-md5-hmac
- !
- crypto dynamic-map dynmap 10
- set transform-set myset
- !
- ! Those two lines are missing in an older sample on Cisco's site: VPN clients won't connect without those
- crypto map clientmap client authentication list userauthen
- crypto map clientmap isakmp authorization list groupauthor
- crypto map clientmap client configuration address initiate
- crypto map clientmap client configuration address respond
- crypto map clientmap 10 ipsec-isakmp dynamic dynmap
- !
- interface FastEthernet0
- ip address 196.0.0.1 255.255.255.0
- ip nat inside
- speed auto
- !
- interface Serial0
- ip address 193.0.0.1 255.255.255.0
- ip nat outside
- encapsulation ppp
- no ip route-cache
- no ip mroute-cache
- no fair-queue
- clockrate 64000
- crypto map clientmap
- !
- ip local pool ippool 197.0.0.3 197.0.0.5
- ip nat pool outsidepool 193.0.0.5 193.0.0.10 netmask 255.255.255.0
- ! Doesn't work: ip nat inside source route-map nonat interface Serial0 overload
- ip nat inside source list 1 interface Serial0 overload
- ip route 0.0.0.0 0.0.0.0 Serial0
- !
- access-list 1 permit 196.0.0.0 0.0.0.255
- access-list 101 permit tcp 196.0.0.0 0.0.0.255 any
- access-list 101 permit icmp 196.0.0.0 0.0.0.255 any
- access-list 101 permit udp 196.0.0.0 0.0.0.255 any
- access-list 102 permit udp host 193.0.0.1 eq isakmp host 193.0.0.1
- access-list 102 permit ahp host 193.0.0.1 host 193.0.0.1
- access-list 102 permit esp host 193.0.0.1 host 193.0.0.1
- access-list 102 permit udp any host 193.0.0.1 eq 62514
- access-list 102 permit udp any host 193.0.0.1 eq isakmp
- access-list 102 permit tcp any any
- access-list 102 permit icmp any any echo-reply
- access-list 108 permit ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
- access-list 199 deny ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
- access-list 199 permit ip 196.0.0.0 0.0.0.255 any
- !
- route-map nonat permit 10
- match ip address 199
- !
- line con 0
- line aux 0
- line vty 0 4
- login
- !
- no scheduler allocate
- end
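The split-tunnel crypto ACL from the Abstract (108) and the NAT exemption in the sample above (route-map nonat matching ACL 199) decide, per flow, whether a packet is encrypted and whether it is translated. This added Python example (not from the original page) evaluates those two ACLs with IOS wildcard-mask semantics; 203.0.113.7 is a constructed Internet destination used only for illustration.

```python
import ipaddress

# Constructed copy of the relevant ACL lines from the "VPN and NAT" sample.
CONFIG = """
access-list 108 permit ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 deny ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 permit ip 196.0.0.0 0.0.0.255 any
""".strip().splitlines()

def parse_acls(lines):
    """Return {acl_number: [(action, src, src_wc, dst, dst_wc), ...]}."""
    acls = {}
    for line in lines:
        tok = line.split()
        if tok[:1] != ["access-list"] or len(tok) < 4 or tok[3] != "ip":
            continue  # only extended "ip" entries are modelled here
        rest, fields = tok[4:], []
        while rest:
            if rest[0] == "any":      # any == 0.0.0.0 255.255.255.255
                fields += ["0.0.0.0", "255.255.255.255"]; rest = rest[1:]
            elif rest[0] == "host":   # host X == X 0.0.0.0
                fields += [rest[1], "0.0.0.0"]; rest = rest[2:]
            else:
                fields += rest[:2]; rest = rest[2:]
        acls.setdefault(int(tok[1]), []).append((tok[2], *fields))
    return acls

def wc_match(addr, net, wildcard):
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, src, dst):
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for action, snet, swc, dnet, dwc in acl:
        if wc_match(src, snet, swc) and wc_match(dst, dnet, dwc):
            return action == "permit"
    return False

def classify(src, dst, acls=None):
    """Encrypt if crypto ACL 108 matches; NAT if route-map nonat (ACL 199) permits."""
    acls = acls or parse_acls(CONFIG)
    return {"encrypt": acl_permits(acls[108], src, dst),
            "nat": acl_permits(acls[199], src, dst)}

if __name__ == "__main__":
    # 197.0.0.3 is a pool address; 203.0.113.7 is a constructed Internet host
    for dst in ("197.0.0.3", "203.0.113.7"):
        print(dst, classify("196.0.0.2", dst))
```

A flow from the LAN to a pool address is encrypted and left untranslated, while a flow to any other destination is translated and sent in clear text; both outcomes follow from the ACL order, which is why the deny entry must precede the permit in ACL 199.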
VPN, NAT, CBAC, and RACLs
FYI, CBAC is the add-on to turn IOS into a stateful firewall. By itself,
NAT does not protect the internal network from access by remote hosts. Reflexive
ACLs are dynamic ACLs.
- 1720#sh run
- Building configuration...
-
- Current configuration : 2526 bytes
- !
- version 12.2
- service timestamps debug uptime
- service timestamps log uptime
- no service password-encryption
- !
- hostname 1720
- !
- enable password cisco
- !
- username cisco password 0 cisco
- memory-size iomem 15
- mmi polling-interval 60
- no mmi auto-configure
- no mmi pvc
- mmi snmp-timeout 180
- ip subnet-zero
- !
- no ip domain-lookup
- !
- ip inspect name fw http
- ip inspect name fw ftp
- ip inspect name fw tcp
- ip inspect name fw udp
- ip audit notify log
- ip audit po max-events 100
- !
- crypto isakmp policy 3
- hash md5
- authentication pre-share
- group 2
- !
- crypto isakmp client configuration group 3000client
- key cisco123
- pool ippool
- acl 108
- !
- crypto ipsec transform-set myset esp-des esp-md5-hmac
- !
- crypto dynamic-map dynmap 10
- set transform-set myset
- !
- crypto map clientmap client authentication list userauthen
- crypto map clientmap isakmp authorization list groupauthor
- crypto map clientmap client configuration address initiate
- crypto map clientmap client configuration address respond
- crypto map clientmap 10 ipsec-isakmp dynamic dynmap
- !
- interface FastEthernet0
- ip address 196.0.0.1 255.255.255.0
- ip access-group outboundfilters out
- ip nat inside
- speed auto
- !
- interface Serial0
- ip address 193.0.0.1 255.255.255.0
- ip access-group inboundfilters in
- ip nat outside
- ip inspect fw in
- encapsulation ppp
- no ip route-cache
- no ip mroute-cache
- no fair-queue
- clockrate 64000
- crypto map clientmap
- !
- ip local pool ippool 197.0.0.3 197.0.0.5
- ip nat pool outsidepool 193.0.0.5 193.0.0.10 netmask 255.255.255.0
- ip nat inside source route-map nonat interface Serial0 overload
- ip classless
- ip route 0.0.0.0 0.0.0.0 Serial0
- no ip http server
- ip pim bidir-enable
- !
- !
- ip access-list extended inboundfilters
- evaluate tcptraffic
- permit tcp 197.0.0.0 0.0.0.255 any
- permit esp any host 193.0.0.1
- permit ahp any host 193.0.0.1
- permit icmp any any
- permit udp any host 193.0.0.1 eq 62514
- permit udp any host 193.0.0.1 eq isakmp
- permit udp 197.0.0.0 0.0.0.255 any
- deny ip any any
- ip access-list extended outboundfilters
- permit tcp any any reflect tcptraffic
- permit icmp any any reflect tcptraffic
- permit udp any any reflect tcptraffic
- !
- logging trap debugging
- access-list 108 permit ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
- access-list 199 deny ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
- access-list 199 permit ip 196.0.0.0 0.0.0.255 any
- !
- route-map nonat permit 10
- match ip address 199
- !
- !
- line con 0
- line aux 0
- line vty 0 4
- login
- !
- end
VPN tunnel between two routers (no ACLs, no NAT)
Here's the VPN part:
- crypto isakmp policy 1
- hash md5
- authentication pre-share
-
- crypto isakmp key cisco123 address <remote router>
-
- crypto ipsec transform-set rtpset esp-des esp-md5-hmac
-
- crypto map rtp 1 ipsec-isakmp
- set peer <remote router IP address here>
- set transform-set rtpset
- match address 115
-
- int s0
- crypto map rtp
-
- access-list 115 permit ip <local LAN network address with mask, eg. 10.0.0.0 0.0.0.255> <remote LAN network address with mask>
- access-list 115 deny ip <local LAN network address with mask> any
VPN tunnel between two routers (Reflexive ACLs, NAT)
The remote router uses 195.0.0.0/24 on its (internal) Ethernet interface and
doesn't use NAT:
- ! CBAC for statefulness
- ip inspect name fw http
- ip inspect name fw ftp
- ip inspect name fw tcp
- ip inspect name fw udp
- ip audit notify log
- ip audit po max-events 100
- !
- ! VPN stuff here
- crypto isakmp policy 1
- hash md5
- authentication pre-share
- crypto isakmp key cisco123 address 193.0.0.2
- !
- !
- crypto ipsec transform-set myset esp-des esp-md5-hmac
- !
- crypto map clientmap 1 ipsec-isakmp
- set peer 193.0.0.2
- set transform-set myset
- match address 115
- !
- interface FastEthernet0
- ip address 196.0.0.1 255.255.255.0
- ip access-group outboundfilters out
- ip nat inside
- speed auto
- !
- interface Serial0
- ip address 193.0.0.1 255.255.255.0
- ip access-group inboundfilters in
- ip nat outside
- ip inspect fw out
- crypto map clientmap
- !
- ip nat inside source route-map nonat interface Serial0 overload
- ip route 0.0.0.0 0.0.0.0 Serial0
- !
- ! RACLs here
- ip access-list extended inboundfilters
- evaluate tcptraffic
- permit tcp 195.0.0.0 0.0.0.255 any
- permit udp 195.0.0.0 0.0.0.255 any
- permit esp 195.0.0.0 0.0.0.255 host 193.0.0.1
- permit ahp 195.0.0.0 0.0.0.255 host 193.0.0.1
- permit icmp any any
- deny ip any any
- ip access-list extended outboundfilters
- permit tcp any any reflect tcptraffic
- permit icmp any any reflect tcptraffic
- permit udp any any reflect tcptraffic
- !
- ! ACLs here: 115 used in VPN, 199 used in NAT
- access-list 115 permit ip 196.0.0.0 0.0.0.255 195.0.0.0 0.0.0.255
- access-list 115 deny ip 196.0.0.0 0.0.0.255 any
- access-list 199 deny ip 196.0.0.0 0.0.0.255 195.0.0.0 0.0.0.255
- access-list 199 permit ip 196.0.0.0 0.0.0.255 any
- !
- route-map nonat permit 10
- match ip address 199
Vocabulary
- wild-card pre-shared keys: all VPN clients connect with the same password
instead of using client-specific logins/passwords
Issues
With this configuration, the VPN client with address 197.0.0.x can access
the HTTP server sitting on host 196.0.0.2 (with a 10s delay), but host 196.0.0.2
cannot PING or reach the HTTP server on 197.0.0.x because the destination address
is not translated by the VPN router from 197.0.0.x to 195.0.0.x:
- hostname 1720
- !
- username cisco password 0 cisco
- !
- crypto isakmp policy 3
- hash md5
- authentication pre-share
- group 2
- !
- crypto isakmp client configuration group 3000client
- key cisco123
- pool ippool
- acl 108
- !
- crypto ipsec transform-set myset esp-des esp-md5-hmac
- !
- crypto dynamic-map dynmap 10
- set transform-set myset
- !
- crypto map clientmap client authentication list userauthen
- crypto map clientmap isakmp authorization list groupauthor
- crypto map clientmap client configuration address initiate
- crypto map clientmap client configuration address respond
- crypto map clientmap 10 ipsec-isakmp dynamic dynmap
- !
- interface FastEthernet0
- ip address 196.0.0.1 255.255.255.0
- ip nat inside
- !
- interface Serial0
- ip address 193.0.0.1 255.255.255.0
- ip nat outside
- no ip route-cache
- no ip mroute-cache
- crypto map clientmap
- !
- ip local pool ippool 197.0.0.3 197.0.0.5
- ip nat pool outsidepool 193.0.0.5 193.0.0.10 netmask 255.255.255.0
- ip nat inside source route-map nonat interface Serial0 overload
- ip route 0.0.0.0 0.0.0.0 Serial0
- !
- access-list 199 deny ip 196.0.0.0 0.0.0.255 197.0.0.0 0.0.0.255
- access-list 199 permit ip 196.0.0.0 0.0.0.255 any
- !
- route-map nonat permit 10
- match ip address 199
Is the AAA section required?
- aaa new-model
- aaa authentication login userauthen local
- aaa authorization network groupauthor local
- aaa session-id common
What is the number used in a "crypto isakmp policy" statement?
- crypto isakmp policy 3
- hash md5
- authentication pre-share
- group 2
Is group 2 required?
It's not used in configuration samples on Cisco's site when using 1.x VPN
clients.
How should I set up the client settings section?
Two different samples are shown:
- crypto isakmp client configuration group 3000client
- key cisco123
- pool ippool
- acl 108
... and:
- crypto isakmp key mysecretkey address 0.0.0.0 0.0.0.0
Note: The 3.x VPN client prompts for a Group name
What is "no-mode config"?
Is it when a user keeps their own address instead of getting one from a pool?
Resources