IPsec VPN tunnel using Cisco routers

moose517

Me and a buddy set up a VPN tunnel using the Linksys routers that we had on our network edge, worked fine and everything. Well we decided to try and see if we couldn't put our 2611XM routers on the edge with an AIM-VPN/BPII module in each, we know the modules work as well cause they show up in our routers' show version. We have followed a guide from a Cisco book as well for setting up a site-to-site VPN but we cannot get it to come up.

can you tell us if this will even be possible at this point since we both have dynamic addresses even though we had it working before. Also is there a certain IOS we need to be running? If you need i can post up our running configs to help you guys out.
 

Lightworker

Both having dynamic addresses will be a problem. If at least one had a static you could use a DMVPN or EZ VPN server, but I'm not sure how to approach it with 2 dynamics.

We are having the same problem with L2L GRE/IPSec tunnels with our PeerIX project for our guys with dynamic IPs.

Edit:

Just to clarify, you will be able to get your tunnels up, but every time your IPs change your tunnels will go down until you reconfigure your keys, tunnel interfaces and ACLs. That's the hassle we're running into with our project...

Cheers

-James
 

moose517

well like i said, when we had the Linksys (CSB WRVS4400N) routers on the edge we had an IPsec VPN tunnel going just fine. i was able to pull files from his SAN and we even had CME running on our own routers so we were able to call each other. But now with an actual Cisco one on the edge we just can't get it. nothing for the ipsec shows even if we have debugs on. Gonna be pretty disappointed if we can't get it working, probably move the Linksys back to the edge if that's the case.
 

crazyfinx

you'll need IOS 12.3(14)T for that router to enable DDNS support and you can set up the VPN tunnels with DDNS, set up accounts on dyndns.org and you're all set
 

xphil3

> Both having dynamic addresses will be a problem. If at least one had a static you could use a DMVPN or EZ VPN server, but I'm not sure how to approach it with 2 dynamics.
>
> We are having the same problem with L2L GRE/IPSec tunnels with our PeerIX project for our guys with dynamic IPs

James, come on man.... are you serious with this answer? DMVPN and EZVPN don't require static IP addresses at all, though it is the point of the technology.

What problems are we having with dynamic IP addresses and peerIX? 90% of the people have dynamic IPs and we have 20 peers up. The problem arises when their dynamic IP changes (not often) and the need to rewrite all crypto and GRE interfaces for both hosts.

> you'll need IOS 12.3(14)T for that router to enable DDNS support and you can set up the VPN tunnels with DDNS, set up accounts on dyndns.org and you're all set

Have you actually tried this? It won't work, hostnames are translated to their relative IPs when you set up your crypto properties at initial config.

Moose,

I thought that you were joining peerIX? Check out the wiki page for the base configuration that I wrote. It covers L2L tunnels totally. Also, your crypto card doesn't mean anything... it just ensures that your encrypt/decrypts are done on that particular hardware AIM. Make sure that you have an IOS that supports crypto.

http://wiki.peerixproject.com/index.php/Main_Page

Just noticed that Vito fucked up the links, he needs to put the guide back up.
 

Lightworker

> James, come on man.... are you serious with this answer? DMVPN and EZVPN don't require static IP addresses at all, though it is the point of the technology.

Guess I wasn't clear enough in my original post, check the edit. +1 to everything else you said though haha
 
Joined
Feb 19, 2004
Messages
3,861
post your configs and we can help. there are quite a few of us that have this working for the PeerIX project.
Posted via [H] Mobile Device
 

moose517

i would gladly post our running configs, i had my buddy email me his last night just in case

here is my config
Code:
Current configuration : 3895 bytes
!
! Last configuration change at 21:12:31 EDT Tue Sep 29 2009 by moose517
! NVRAM config last updated at 21:46:50 EDT Mon Sep 28 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EDGE_ROUTER
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$0Mbl$Q4E/u.QrQsuZQDjb4opvG/
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.136.50 10.10.136.255
!
ip dhcp pool COMPUTERS
   network 10.10.136.0 255.255.255.0
   default-router 10.10.136.68
   dns-server 68.238.0.12 68.238.112.12
!
!
no ip bootp server
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
no voice call carrier capacity active
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto ikakmp key cisco123 address (bob public IP) no-xauth
!
!
crypto ipsec transform-set RTRA esp-aes esp-md5-hmac
 mode transport
!
crypto map mymap 10 ipsec-isakmp
 set peer (bob public IP)
 set transform-set RTRA
 match address RTRA
!
!
!
crypto pki trustpoint TP-self-signed-4037111410
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4037111410
 revocation-check none
 rsakeypair TP-self-signed-4037111410
!
!
crypto pki certificate chain TP-self-signed-4037111410
 certificate self-signed 01
  30820243 308201AC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34303337 31313134 3130301E 170D3039 30393239 30313030
  30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30333731
  31313431 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AAEF 1B37F803 08FAABC5 EBF2606D D11D9769 F89C7D0A 7018E77F 265C7E7D
  83210FF7 3D1B268A C28C1EB6 1B1B1C78 B09B82BF 54B6E89E AD515759 EB2332C4
  2CEF1D4C ED80F70E 90035606 3E64FC2C 07B0D39C 2A118D98 3C019995 937FD7C6
  6F6A69A6 B2F97E88 7795962C BEE5046F 2197E2D3 460C978F 411CBD81 A43460A1
  6ECD0203 010001A3 6B306930 0F060355 1D130101 FF040530 030101FF 30160603
  551D1104 0F300D82 0B454447 455F524F 55544552 301F0603 551D2304 18301680
  14DFC7BA AA73B24B 85114681 3A81CE9E 9AFCB564 D3301D06 03551D0E 04160414
  DFC7BAAA 73B24B85 1146813A 81CE9E9A FCB564D3 300D0609 2A864886 F70D0101
  04050003 81810060 6D589BCE 9A2A87B8 86823ADD AFAB4DAC 9D3C3483 BFE77035
  A186B374 6FC5544F 21D6D18F C9BC78E2 2F43995A CC646204 135FD2F2 011FAABB
  F0BF7D01 180CE8B8 2CA8C934 23385D05 6A3434DF AA85C18C 25FA2C27 BC1CA390
  91DFAD6D 647FA4E2 9C4EC389 96F35EA9 A444D022 F5452261 FF8FAFC5 F9E7DD06
  3099E4F0 D81F1E
  quit
username moose517 privilege 15 secret 5 $1$Fc33$K1rP/7qL//xuG.65VSBJo/
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map mymap
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 10.10.136.68 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 speed 100
 full-duplex
 no cdp enable
!
router rip
 version 2
 network 10.0.0.0
!
ip forward-protocol nd
ip route 192.168.0.0 255.255.0.0 (bob public IP)
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip access-list extended RTRA
 permit ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
ip access-list extended perimeter
 permit udp host (bob public IP) host (tom public IP) eq isakmp
 permit esp host (bob public IP) host (tom public IP)
 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 deny ip any any
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C
*****************************

      ---EDGE ROUTER---

DO NOT ACCESS THIS ROUTER
VIOLATORS WILL BE PROSECUTED

*****************************
^C
!
line con 0
 exec-timeout 0 0
 password 7 123E0A05160402567E
 logging synchronous
 login
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password 7 0806435C0D160B4546
 logging synchronous
 login local
 transport input telnet ssh
!
ntp clock-period 17207669
ntp server 129.6.15.29
ntp server 129.6.15.28 source FastEthernet0/0 prefer
!
end

and here is his config, i think looking over his config though see some things wrong with it XD
Code:
Current configuration : 2336 bytes
!
! Last configuration change at 08:25:52 EDT Tue Sep 29 2009
! NVRAM config last updated at 08:25:59 EDT Tue Sep 29 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2611XM
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ur7p$bLBfyok9SAIwRX0oXgHd8/
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address (tom public IP) no-xauth
!
!
crypto ipsec transform-set RTRB esp-aes esp-md5-hmac
 mode transport
!
crypto map mymap 10 ipsec-isakmp
 set peer (tom public IP)
 set transform-set RTRB
 match address RTRB
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
 crypto map mymap
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 192.168.24.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 full-duplex
!
ip forward-protocol nd
ip route 192.168.0.0 255.255.0.0 192.168.24.4
!
!
no ip http server
no ip http secure-server
ip nat inside source list perimeter interface FastEthernet0/0 overload
!
ip access-list extended RTRB
 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
ip access-list extended perimeter
 permit ip 192.168.0.0 0.0.255.255 any
 permit udp host (tom public IP) host (bob public IP) eq isakmp
 permit esp host (tom public IP) host (bob public IP)
 permit ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny   ip any any
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C                              Cisco 2611XM Router ^C
!
line con 0
 password local1
 login
line aux 0
line vty 0 4
 password local1
 login
!
ntp source FastEthernet0/0
ntp server 129.6.15.29
ntp server 129.6.15.28 prefer
!
end
 

berky

well the only thing that stands out to me is that you are using NAT, which depending on the order of events, isn't matching your ACL. If your router NATs before it does the ACL lookup to determine what to send through the IPSEC, it won't match because your NAT will be an external address, not your private address.

So, my first thought is to just create yourself a GRE tunnel between the 2 of you, and don't enable NAT on the interface. Then set your GRE to use tunnel protection.

if you don't want to do a GRE, you could try to set up some kind of ACL to *not* NAT traffic between the 2 private subnets. I'm not too familiar with Cisco NAT, but i'm sure someone here could help you out with that.
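The second option above, exempting traffic between the two private ranges from NAT, sketched as IOS configuration for a plain crypto-map tunnel without GRE. This is an added example, not a config from any of the thread's participants: the ACL name NAT-INTERNET is an assumption, while the interfaces, subnets and the RTRA/RTRB crypto ACLs are the ones in the configs posted above.

```cisco
! ---- Router A (10.10.0.0/16 side, hostname EDGE_ROUTER) ----
! Before, as posted: every 10.x source is translated, including packets
! headed for the peer LAN. On the inside-to-outside path IOS applies NAT
! before it checks the crypto map, so those packets leave with the public
! source address and never match crypto ACL RTRA.
!   ip nat inside source list 1 interface FastEthernet0/0 overload
!   access-list 1 permit 10.0.0.0 0.255.255.255
!
! After: deny LAN-to-LAN traffic in the NAT ACL (deny = "do not translate"),
! translate everything else.
no ip nat inside source list 1 interface FastEthernet0/0 overload
no access-list 1
ip access-list extended NAT-INTERNET
 deny   ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list NAT-INTERNET interface FastEthernet0/0 overload
!
! The crypto ACL is unchanged: it matches the untranslated private addresses.
ip access-list extended RTRA
 permit ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
! ---- Router B (192.168.0.0/16 side, hostname 2611XM) ----
! Before, as posted: NAT reuses the "perimeter" ACL, whose first entry
! (permit ip 192.168.0.0 0.0.255.255 any) translates the VPN traffic too.
!   ip nat inside source list perimeter interface FastEthernet0/0 overload
!
! After: a dedicated NAT ACL that mirrors router A's.
no ip nat inside source list perimeter interface FastEthernet0/0 overload
ip access-list extended NAT-INTERNET
 deny   ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list NAT-INTERNET interface FastEthernet0/0 overload
!
! Crypto ACL RTRB stays the exact mirror image of RTRA.
ip access-list extended RTRB
 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
```

IOS refuses to remove a dynamic NAT rule while translations are active, so run `clear ip nat translation *` before the `no ip nat inside source` line.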
 

Lightworker

The most obvious problem with the configs is the lack of tunnel interfaces on both routers, and your crypto ACLs are wrong, those should use publics instead of private addys
 

moose517

i had wondered about the tunnel interface. from the googling i had done it seemed that we needed one, but i didn't have the book to look at to actually see how it's done. I now have the book and i'm reading it for myself and see that my buddy was doing things wrong in quite a few places. I'm hoping to get this link up here pretty soon so we will see what happens.

EDIT: also, if you guys could i would love to see the tunnel and CME guides, but you mentioned they were MIA so i guess i'll just have to wait.
 

Electrofreak

> i had wondered about the tunnel interface. from the googling i had done it seemed that we needed one, but i didn't have the book to look at to actually see how it's done. I now have the book and i'm reading it for myself and see that my buddy was doing things wrong in quite a few places. I'm hoping to get this link up here pretty soon so we will see what happens.
>
> EDIT: also, if you guys could i would love to see the tunnel and CME guides, but you mentioned they were MIA so i guess i'll just have to wait.

Here you go: :)

GRE/IPSec Tutorial

SIP Trunk with CME

It's basically just the links that are screwed up; I think Vito redid his blog webpage.
 

moose517

everything makes sense in the IPsec part except one part of the tunnel:

interface Tunnel100
 ip address 192.168.50.1 255.255.255.252
 ip mtu 1400
 tunnel source FastEthernet0/0
 tunnel destination 5.5.5.5

do i assign one of the routers like 192.168.50.1 and the other 192.168.50.2? and then that creates our tunnel needed to link our routers?
 

moose517

ok so we just want to summarize our network though, everything on the 10.0.0.0 is my end and 192.0.0.0 is his end, so we should just use something in 172.0.0.0 right?
 

Lightworker

Yeah that will do, but don't summarize 192.0.0.0/8, that will exclude you from valid public IP addresses on the web. If you're going to set up a static route, just make sure the mask is correct for the class of network.

The best option is to use a routing protocol between the two :)
 

moose517

LOL ok, that's fine then, he actually uses 192.168.0.0 for his end cause he has multiple subnets and i use 10.10.0.0 for my end. Thanks for your help, i'll be back if we can't get it running
 

berky

yeah, think of your tunnel interface as a directly connected cable between yours and your friend's routers. you can use any network that is not already in use, whatever makes sense to you.

I also suggest you get the newer code that allows for the command:

int tun1234
tunnel protection ipsec profile <vpn-profile>


then you just create a profile like such:

crypto ipsec profile <vpn-profile>
set transform-set <transform-set>

that way you don't have to create a route-map with match criteria applied to the external interface to determine what gets encrypted. with this, ANYTHING that is destined for the GRE interface will automagically get encrypted.
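A fuller version of the tunnel-protection setup described in the post above, combined with the Tunnel100 interface quoted earlier in the thread. This is an added example, not a participant's config: the names VPN-PROFILE and GRE-TS, the tunnel addressing 172.16.1.0/30, the peer address 198.51.100.20 (documentation range), the key placeholder and the use of SHA-1 in place of the posted MD5 are assumptions.

```cisco
! ---- Router A (10.10.0.0/16 side); router B mirrors every value ----
!
! IKE phase 1. Policy numbers and group follow the posted configs;
! the hash is changed from md5 to sha (assumption, see lead-in).
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
! Placeholder key and constructed peer address. With a DHCP-assigned peer,
! this line has to be updated whenever the peer's address changes.
crypto isakmp key <pre-shared-key> address 198.51.100.20 no-xauth
!
! IPsec phase 2. Transport mode is enough because GRE already supplies
! the outer IP header between the two public addresses.
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
!
! The profile replaces the crypto map and its "match address" ACL.
crypto ipsec profile VPN-PROFILE
 set transform-set GRE-TS
!
! The tunnel behaves like a directly connected cable between the routers.
! Router B uses 172.16.1.2 and points tunnel destination at router A.
interface Tunnel100
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1400
 tunnel source FastEthernet0/0
 tunnel destination 198.51.100.20
 tunnel protection ipsec profile VPN-PROFILE
!
! The old crypto map on the outside interface is no longer needed.
interface FastEthernet0/0
 no crypto map mymap
!
! Send the peer LAN into the tunnel. Tunnel100 carries no "ip nat outside",
! so LAN-to-LAN packets are not translated on the way in.
! (Remove the earlier static route that pointed at the peer's public IP.)
ip route 192.168.0.0 255.255.0.0 172.16.1.2
```

Once both sides are configured, `show crypto isakmp sa` and `show crypto ipsec sa` should list the peer, and `show interface Tunnel100` should report the line protocol as up.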
 

moose517

well, we got the VPN tunnel up and going... but are having a slight problem, not sure what the problem is actually. On my router i put a rip statement for my internal network as well as 172.16.0.0 which is our tunnel network. on his end he put a RIP statement for the 172.16.0.0 as well, but his edge router is then connected to a cat 5500 with redundant sups and has HSRP enabled so he has static routing from the edge to the cat 5500.

I can access anything on his side of the network.... but he can only get to the internal interface of my edge router, nothing on that subnet past that, IE, my internal port address is 10.10.136.68 and he can ping that, but if he tries 10.10.136.6, which is my laptop, it times out. Where would that problem be at, his end or mine?
 

Lightworker

It's more likely the problem is on your side, but have him check his routing table, make sure he is receiving the proper advertisement
 

moose517

on my router i had rip advertising network 10.0.0.0 which is my LAN, and 172.16.1.0 which is the tunnel. on his end he turned rip on and had it just point to 172.16.1.0 because he does all static routing at his place. We are pretty sure it was showing up with my rip on his router. and on my end to reach him i had to set a static route that was 192.168.0.0 which is his LAN.
 

berky

you shouldn't have to add a static route. that's the point of running a routing protocol. he can still do static routing on his end but he still needs to advertise the 192.168 network to you. that's the whole point, right?
 

Valnar

> here is my config
> Code:
> interface FastEthernet0/1
>  ip address 10.10.136.68 255.255.255.0
>  no ip proxy-arp
>  ip nat inside
>  ip virtual-reassembly
>  no ip route-cache cef
>  no ip route-cache
>  speed 100
>  full-duplex
>  no cdp enable
> !

Is there a reason you want to turn off fast/CEF switching on that interface?
 

Lightworker

> on my router i had rip advertising network 10.0.0.0 which is my LAN, and 172.16.1.0 which is the tunnel. on his end he turned rip on and had it just point to 172.16.1.0 because he does all static routing at his place. We are pretty sure it was showing up with my rip on his router. and on my end to reach him i had to set a static route that was 192.168.0.0 which is his LAN.

You don't need to advertise the tunnel because it's considered a directly connected route. If you check your routing table you will notice that the RIP route for the tunnel is not entered, because the connected route has a lower administrative distance (0 versus 120 for rip).

You should be advertising the internal LAN network, because that's the whole point of the routing protocol is to avoid static routes. And like Valnar said, turn on CEF :)
 

moose517

we turned on CEF on our internal facing networks. Also on his end for RIP we had tried network 192.168.0.0 but it was causing his network to not get out to the internet then. he took his redundant sup out last night and just ran RIP on all his stuff and now we can get from one end of the network to the other.
 

moose517

i'm back again with one last problem. Now that we have our VPN connection up we want to lock down our networks more. My buddy tried running the auto secure but when he told it to apply it kills his internet access as well as our VPN. Is there a specific way we need to be running the auto secure to not kill our connection? If you need i can post up his newest running config.
 

berky

why not just switch to a deny-by-default ACL? only allow what your servers are running.
 