Router Management via IPSec

Steven Bourque
Level 1

Hello,

I am setting up multiple terminal servers (2600s running Advanced Security IOS) for reverse telnet sessions to our equipment in the physical location of each 2600.

What would be the most secure way to access the 2600? I may not know what IP the user is coming from. I have SSH only, but would like the user to perhaps VPN/PPTP or something to the 2600 prior to being able to access a VTY.

I can't seem to get IPSEC to work in transport mode with the client (does the cisco VPN client even support this?)

My thoughts were: some sort of IPsec to the public IP of the 2600, then you get handed a private IP (the loopback interface of the 2600 is a member of this private IP segment); then from your IPsec private IP, you are allowed to SSH to the loopback IP. The global (fa0/0) interface is locked down to only allow IPsec traffic.

Any thoughts on this setup, or any advice on what others have done? Is IPsec transport mode the best way? How can I get this to work? Different client software? Any docs on how to configure this?

I can get it to work with PPTP properly although it is extremely slow, and I do not like PPTP :)

Thanks

Accepted Solution

jackko
Level 7

You may configure remote VPN access. The user needs to connect to the IPsec VPN and will then be able to telnet to the inside interface of the router via IPsec.

username cisco password 7 xxxxxx
!
aaa new-model
aaa authentication login myauthen local
aaa authorization network myauthor local
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! group name, pre-shared key and address pool handed to the remote clients
crypto isakmp client configuration group mygroup
 key AaBbCcDd
 pool vpnpool
 acl 130
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map mymap client authentication list myauthen
crypto map mymap isakmp authorization list myauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip nat outside
 crypto map mymap
!
ip local pool vpnpool 10.12.12.1 10.12.12.10
ip nat inside source route-map nonat interface Dialer0 overload
!
! ACL 101: traffic to the VPN pool is denied here so the route-map does not NAT it
access-list 101 deny ip 192.168.8.0 0.0.0.255 10.12.12.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
! ACL 130: split-tunnel list pushed to the client (what goes into the tunnel)
access-list 130 permit ip 192.168.8.0 0.0.0.255 10.12.12.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 101

Above is sample code. Once the remote VPN is established, the remote user will get a private address from the pool (10.12.12.0). Then the user can telnet to the router inside interface (192.168.8.1) via the IPsec tunnel.

Feel free to post your config and we will assist you further to modify the existing code.

6 Replies


Part of the original question asked about using transport mode. It is my impression that transport mode is more for gateway to gateway IPSec. For use with a client implementation I think you would be better to use tunnel mode.

HTH

Rick


Thanks for the reply,

I am trying your setup. It was similar to what I have previously tried (I didn't have the NAT statements), but I will try them anyway. My 2600 only has one interface, so I am using loopbacks for the "private" network.

I can get the VPN to work, but am not able to SSH to the private address.

I can't seem to ping the 172.17.60.1 address.

My VPN client shows the route, the encrypted counter increases, but no return traffic. I do have a default route pointing to the next hop of the fa0/0 interface, so it should be hitting my crypto map.

Based on what you posted and the next post, it seems it is recommended to use tunnel mode as in your example and not transport? Even though the router is the end destination? Strange, I never had a problem configuring VPNs before... never had to access the router from it though :)

Thanks for all the help

Here's my config:

aaa new-model
aaa authentication login VPN local-case
aaa authorization network VPN local
!
password encryption aes
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN
 key 6
 pool VPN
 acl 130
!
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
!
crypto dynamic-map VPN 10
 set transform-set VPNSET
!
crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic VPN
!
interface Loopback0
 ip address 172.17.60.1 255.255.255.255
 ip nat inside
 ! (tried it with this removed too)
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ips AUDIT in
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 speed 100
 full-duplex
 crypto map VPN
!
ip local pool VPN 192.168.1.1 192.168.1.7
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
!
access-list 101 deny ip host 172.17.60.1 192.168.1.0 0.0.0.7
access-list 101 permit ip host 172.17.60.1 any
access-list 130 permit ip host 172.17.60.1 192.168.1.0 0.0.0.7
!
route-map NONAT permit 10
 match ip address 101
!
access-list 10 permit 192.168.1.0 0.0.0.7
!
line vty 0 4
 access-class 10 in
 exec-timeout 15 0
 logging synchronous
 login authentication VTY
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 exec-timeout 15 0
 logging synchronous
 login authentication VTY
 transport input telnet ssh

Thanks,

I got it working with your config sample..

I had 2 additional problems (dumb user):

1: I was testing it going through my PIX; the ESP fixup was not enabled due to the PIX itself having ISAKMP enabled, so I bypassed the PIX....

2: I had null routes for private addresses, so I added reverse-route in the crypto map to add a specific host route when logged in via VPN.

Thanks again. Last time I had this config I kept getting disconnected. For some reason it seems solid now.. not sure the difference this time.

Thanks again for your help.
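The two things that decided this thread, the NAT-exemption deny in jackko's route-map ACL and the reverse-route that was missing from the dynamic map, as an added config checker that is not from this thread or from Cisco: it parses a small constructed excerpt of the posted config and flags a dynamic map with no reverse-route and a client pool that no deny entry in the NAT route-map's ACL exempts. The function names `parse`, `in_wildcard`, `nat_exempt_denies` and `audit` are chosen here.

```python
import ipaddress

# Constructed sample: the relevant lines of the config posted above, indented
# the way IOS prints sub-commands (the forum flattened them); not the full config.
SAMPLE = """\
crypto dynamic-map VPN 10
 set transform-set VPNSET
ip local pool VPN 192.168.1.1 192.168.1.7
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
access-list 101 deny ip host 172.17.60.1 192.168.1.0 0.0.0.7
access-list 101 permit ip host 172.17.60.1 any
route-map NONAT permit 10
 match ip address 101
"""

def parse(cfg):  # group indented sub-commands under their parent command, IOS style
    blocks, parent = {}, None
    for line in cfg.splitlines():
        if line.startswith(" "):
            blocks[parent].append(line.strip())
        elif line.strip():
            parent = line.strip()
            blocks[parent] = []
    return blocks

def in_wildcard(addr, net, wild):  # IOS wildcard match: 0 bits in the wildcard must equal net
    keep = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return int(ipaddress.IPv4Address(addr)) & keep == int(ipaddress.IPv4Address(net)) & keep

def nat_exempt_denies(b):
    """(net, wildcard) destinations of every deny in the ACLs the NAT route-map matches."""
    acls = {k.split()[3] for p in b if p.startswith("ip nat inside source route-map")
            for key, kids in b.items() if key.startswith(f"route-map {p.split()[5]} ")
            for k in kids if k.startswith("match ip address")}
    out = []
    for t in (key.split() for key in b):
        if len(t) > 6 and t[0] == "access-list" and t[1] in acls and t[2] == "deny":
            out.append(("0.0.0.0", "255.255.255.255") if t[-1] == "any"
                       else (t[-1], "0.0.0.0") if t[-2] == "host" else (t[-2], t[-1]))
    return out

def audit(cfg):
    """Findings for the two pieces this thread shows are easy to miss."""
    b, out = parse(cfg), []
    for p, kids in b.items():
        if p.startswith("crypto dynamic-map") and not any(k.startswith("reverse-route") for k in kids):
            out.append(f"{p}: no reverse-route; a null route for private space black-holes clients")
        if p.startswith("ip local pool") and not all(
                any(in_wildcard(a, n, w) for n, w in nat_exempt_denies(b)) for a in p.split()[4:6]):
            out.append(f"{p}: pool is not exempted from NAT by any deny entry")
    return out
```

Run `audit(SAMPLE)` to see the single reverse-route finding; feed it a `show running-config` excerpt of your own with the same indentation to check a real box.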

Hi,

It's good to know that the issue has been resolved. Perhaps rate the particular post that resolves the issue.

I would, however, I accidentally put it to a 4, and it won't let me change it, or mark it as resolved... so I guess it will have to stay at a 4...
