08-18-2020 04:47 AM - edited 08-18-2020 09:58 AM
Hey guys,
Not sure if this is the correct place to post this.
Need help with something. Hopefully I can explain this correctly.
We have a Cisco IR809G that transmits traffic over vpn to a Cisco firewall.
In the past this cellular router was only used as a status check so it had no gateways besides its loopback. The VPN terminates with the loopback ip.
Here is the config on the loopback:
Interface Loopback0
ip address 10.2.9.34 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
crypto ipsec client ezvpn NAME inside
The cellular router has now been repurposed and needed a second interface configured for a device. To get that gateway to also get into the vpn I ended up configuring it much like the loopback.
Interface GigabitEthernet0
description NAME
ip address 10.2.244.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
crypto ipsec client ezvpn NAME inside
This appears to be working, but I'm not completely sure this is the approved method.
When I look at the device in asdm it shows this new ip instead of the loopback usually and sometimes works intermittently.
Does anyone suggest a proper way of adding a gateway to this device and it being included in the normal vpn traffic?
Thanks in advance for any help
08-19-2020 03:11 PM
Glad to know that the configuration does work for you. I appreciate your questions/concerns. What would happen if you remove this line from the G0 interface configuration?
crypto ipsec client ezvpn RMCSPROBE inside
That would leave the loopback interface as the identified interface. It is my understanding of network extension mode that it should allow multiple addresses in your network to be carried over the vpn tunnel. But with the way that you have obscured the IP addresses, it is difficult to know what is included and what is not.
08-18-2020 08:45 AM
I have several comments about this:
- it may just be confusion about terminology, but I am not clear what you mean when you say you want to add a gateway. Typically when we talk about a gateway it is a next hop used for forwarding IP packets toward their destination. Looking at your post it looks like you want to add another interface for the router. Is that correct?
- the addressing that you mention is not correct
ip address 10.2.244.0 255.255.255.252
with the 255.255.255.252 mask the 10.2.244.0 address is the network address and that cannot be an interface address. The host addresses for that mask would be either 10.2.244.1 or 10.2.244.2.
- it is not clear from the limited information in the post whether this vpn is site to site or is Remote Access. Can you provide more information about the vpn and how it is configured?
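As an added example (not from this thread and not Cisco's own tooling), the following Python script performs the two checks that come up in this answer and in the original post: whether each `ip address` in an IOS-style configuration is a usable host address for its mask (the /30 network-address mistake above, plus the broadcast address, while treating /31 and /32 as valid point-to-point or host assignments), and which interfaces are tagged as EzVPN `inside` versus the untagged outside interface. The embedded configuration is a constructed sample modelled on the stanzas posted later in the thread, with placeholder addresses; the function names are my own.

```python
import ipaddress
import re

# Constructed sample modelled on the interface stanzas posted in this thread.
# Addresses are placeholders, not the real device's.
SAMPLE_CONFIG = """\
crypto ipsec client ezvpn RMCSPROBE
 connect auto
 mode network-extension
 peer 192.0.2.10
 virtual-interface 2
!
interface Loopback0
 ip address 10.2.9.34 255.255.255.254
 crypto ipsec client ezvpn RMCSPROBE inside
!
interface GigabitEthernet0
 description PROBE
 ip address 10.2.244.0 255.255.255.252
 crypto ipsec client ezvpn RMCSPROBE inside
!
interface Cellular0
 ip address negotiated
 crypto ipsec client ezvpn RMCSPROBE
!
"""

IFACE_RE = re.compile(r"^interface (\S+)$")
ADDR_RE = re.compile(r"^ip address (\S+) (\S+)$")          # "negotiated" has no mask, so it is skipped
EZVPN_RE = re.compile(r"^crypto ipsec client ezvpn (\S+)(?: (inside))?$")


def parse_interfaces(config):
    """Return {interface: {"address": (ip, mask) | None, "ezvpn": (client, role) | None}}.

    An interface stanza runs from 'interface X' until the next '!' line, which is how
    IOS prints running-config; indentation is ignored so pasted configs also parse.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = {"address": None, "ezvpn": None}
            continue
        if current is None:
            continue
        m = ADDR_RE.match(line)
        if m:
            interfaces[current]["address"] = (m.group(1), m.group(2))
            continue
        m = EZVPN_RE.match(line)
        if m:
            role = "inside" if m.group(2) else "outside"
            interfaces[current]["ezvpn"] = (m.group(1), role)
    return interfaces


def address_status(ip, mask):
    """'ok', 'network-address' or 'broadcast-address' for an address under a dotted mask."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")
    net = iface.network
    if net.prefixlen >= 31:
        return "ok"  # /31 (RFC 3021) and /32 have no separate network/broadcast address
    if iface.ip == net.network_address:
        return "network-address"
    if iface.ip == net.broadcast_address:
        return "broadcast-address"
    return "ok"


def usable_hosts(ip, mask):
    """All host addresses in the subnet containing ip/mask (for masks shorter than /31)."""
    net = ipaddress.ip_interface(f"{ip}/{mask}").network
    return [str(h) for h in net.hosts()]


def ezvpn_roles(interfaces):
    """Map each EzVPN client name to its outside and inside interfaces."""
    roles = {}
    for name, info in interfaces.items():
        if info["ezvpn"] is None:
            continue
        client, role = info["ezvpn"]
        roles.setdefault(client, {"outside": [], "inside": []})[role].append(name)
    return roles


def audit(config):
    """Human-readable findings: bad interface addresses and the EzVPN interface layout."""
    interfaces = parse_interfaces(config)
    findings = []
    for name, info in interfaces.items():
        if info["address"] is None:
            continue
        ip, mask = info["address"]
        status = address_status(ip, mask)
        if status != "ok":
            findings.append(f"{name}: {ip} is the {status} of its subnet; "
                            f"usable hosts are {', '.join(usable_hosts(ip, mask))}")
    for client, entry in ezvpn_roles(interfaces).items():
        if len(entry["outside"]) != 1:
            findings.append(f"{client}: expected exactly one outside interface, found {entry['outside']}")
        if len(entry["inside"]) > 1:
            findings.append(f"{client}: multiple inside interfaces: {', '.join(entry['inside'])}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the sample flags GigabitEthernet0 as sitting on the network address (with 10.2.244.1 and 10.2.244.2 as the usable hosts), accepts the /31 loopback, and reports that RMCSPROBE has Cellular0 as its only outside interface and two inside interfaces, which is the layout the later replies discuss.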
08-18-2020 10:03 AM
Yes, I really messed that up when typing.
I do want to add an interface to the device and I want it to be 10.2.244.1 255.255.255.252.
That ip is the configured ip currently.
This is a site-to-site VPN, I believe. I'll post the config for the device soon when I get it.
08-18-2020 10:13 AM
version 15.8
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
service sequence-numbers
!
hostname CS11A-PRB1-EXT
!
boot-start-marker
boot system flash:ir800-universalk9-mz.SPA.158-3.M0a
boot-end-marker
!
!
security passwords min-length 10
logging buffered 4096 informational
logging monitor informational
!
aaa new-model
!
!
aaa group server radius XXX-RADIUS
server name I-NPS-01
server name I-NPS-02
ip radius source-interface Loopback0
!
aaa authentication login XXX-AUTH group XXX-RADIUS local
aaa authentication enable default enable
aaa authorization exec XXX-AUTHO group XXX-RADIUS local
!
!
!
!
!
aaa session-id common
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
no ip bootp server
ip domain lookup source-interface Loopback0
ip domain name NAME.local
ip name-server X.X.2.70
ip name-server X.X.2.71
ip inspect WAAS flush-timeout 10
ip cef
login block-for 60 attempts 5 within 60
login on-failure log
login on-success log
virtual-profile virtual-template 1
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
password encryption aes
!
!
license udi pid IR809G-LTE-NA-K9 sn FCW22100042
!
!
archive
log config
record rc
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
object-group network IA-ADMIN-ADDRESS
description IP addresses of IA admin boxes
host X.X.2.231
host X.X.2.232
host X.X.2.235
host X.X.2.96
!
object-group service IPSLA-SERVICES
description Ports used for IPSLA testing
udp eq 1967
udp eq 17000
!
object-group network MANAGEMENT-ADDRESSES
description IP ranges of management devices
X.X.2.0 255.255.255.0
X.X.242.0 255.255.255.0
X.X.243.0 255.255.255.0
X.X.6.0 255.255.255.0
host X.X.0.114
host X.X.2.90
host X.X00.252.101
object-group service MANAGEMENT-SERVICES
description Ports used for network management
udp eq snmp
tcp eq 22
icmp
udp eq syslog
!
object-group network NTP-SERVERS
description IP Addresses of NTP servers
host X.X.2.5
host X.X.2.6
!
object-group network RADIUS-SERVERS
description IP Address of radius servers
host X.X.2.76
host X.X.2.77
!
object-group service RADIUS-SERVICES
description Ports used for radius servers
udp eq 1645
udp eq 1646
!
object-group service VPN-SERVICES
description VPN traffic
udp eq isakmp
esp
!
vtp mode transparent
username rmcsprobe-sec password 7 XXXXXX
username LOCAL_LOGIN privilege 5 secret 8 XXXXX
!
redundancy
notification-timer 120000
!
!
!
!
!
controller Cellular 0
lte failovertimer 5
lte modem link-recovery disable
no cdp run
!
ip tcp synwait-time 10
!
class-map match-all CoPP_UNDESIRABLE
match access-group name CoPP_UNDESIRABLE
class-map match-any CoPP_IMPORTANT
match access-group name CoPP_IMPORTANT
match protocol arp
class-map match-all CoPP_DEFAULT
match access-group name CoPP_DEFAULT
class-map match-all CoPP_NORMAL
match access-group name CoPP_NORMAL
class-map match-all CoPP_CRITICAL
match access-group name CoPP_CRITICAL
!
policy-map CONTROL_PLANE_POLICY
class CoPP_CRITICAL
police 512000 8000 conform-action transmit exceed-action transmit
class CoPP_IMPORTANT
police 512000 4000 conform-action transmit exceed-action drop
class CoPP_NORMAL
police 128000 2000 conform-action transmit exceed-action drop
class CoPP_UNDESIRABLE
police 8000 1000 conform-action drop exceed-action drop
class CoPP_DEFAULT
police 64000 1000 conform-action transmit exceed-action drop
!
!
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
!
!
!
!
!
crypto ipsec client ezvpn RMCSPROBE
connect auto
group RMCS_BitProbe key cisco
mode network-extension
peer X.X.0.114
virtual-interface 2
username rmcsprobe-sec password XXXXX
xauth userid mode local
!
!
!
!
!
interface Loopback0
ip address X.X.9.34 255.255.255.254
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
crypto ipsec client ezvpn RMCSPROBE inside
!
interface GigabitEthernet0
description MILTOPE_TACLANE
ip address X.X.244.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no cdp enable
crypto ipsec client ezvpn RMCSPROBE inside
!
interface GigabitEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet2
no ip address
shutdown
duplex auto
speed auto
!
interface Cellular0
ip address negotiated
ip access-group CELLULAR-PORT-IN in
ip access-group CELLULAR-PORT-OUT out
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string lte
dialer watch-group 1
dialer-group 1
async mode interactive
crypto ipsec client ezvpn RMCSPROBE
!
interface Cellular1
no ip address
encapsulation slip
!
interface Virtual-Template2 type tunnel
ip unnumbered Cellular0
ip access-group ACL-INFRASTRUCTURE-IN in
ip access-group ACL-INFRASTRUCTURE-OUT out
tunnel mode ipsec ipv4
!
interface Async0
no ip address
encapsulation scada
!
interface Async1
no ip address
encapsulation scada
!
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip http client source-interface Loopback0
ip flow-export source Loopback0
ip flow-export version 5
ip flow-export destination X.X.2.90 2055
!
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
ip route X.X.0.114 255.255.255.255 Cellular0
ip ssh time-out 60
ip ssh source-interface Loopback0
ip ssh version 2
ip ssh server algorithm mac hmac-sha1
!
ip access-list standard Mgmt_Access
permit X.X.2.90 log
permit X.X.2.96 log
permit X.X.6.0 0.0.0.255 log
permit X.X.2.0 0.0.0.255 log
permit X.X.242.0 0.0.0.255 log
permit X.X.243.0 0.0.0.255 log
deny any log
ip access-list standard NTP-SERVERS
permit X.X.2.6
permit X.X.2.5
deny any log
ip access-list standard SNMP-NMS
permit X.X.2.90 log
permit X.X.242.0 0.0.0.255 log
permit X.X.243.0 0.0.0.255 log
deny any log
ip access-list standard TFTP-SERVERS
deny any log
!
ip access-list extended ACL-INFRASTRUCTURE-IN
permit ip object-group IA-ADMIN-ADDRESS X.X.9.0 0.0.0.255
permit tcp host X.X.2.78 eq www X.X.9.0 0.0.0.255
remark Allow pings from Network Management
permit icmp object-group MANAGEMENT-ADDRESSES X.X.9.0 0.0.0.255
remark Allow Network Management
remark Allow NTP from time servers
permit udp object-group NTP-SERVERS X.X.9.0 0.0.0.255 eq ntp
permit object-group IPSLA-SERVICES host X.X.5.202 X.X.9.0 0.0.0.255
remark Block all other traffic to loopback interface
permit object-group MANAGEMENT-SERVICES object-group MANAGEMENT-ADDRESSES X.X.9.0 0.0.0.255
permit object-group RADIUS-SERVICES object-group RADIUS-SERVERS X.X.9.0 0.0.0.255
permit ip 11.11.254.12 0.0.0.3 X.X.244.4 0.0.0.3
deny ip any any log
ip access-list extended ACL-INFRASTRUCTURE-OUT
remark Allow outbound traffic
permit ip X.X.9.0 0.0.0.255 any
permit ip X.X.244.4 0.0.0.3 11.11.254.12 0.0.0.3
deny ip any any log
ip access-list extended CELLULAR-PORT
permit udp host X.X.0.114 X.X55.0.0 0.0.255.255 eq isakmp
permit esp host X.X.0.114 X.X55.0.0 0.0.255.255
deny ip any any log
ip access-list extended CELLULAR-PORT-IN
permit object-group VPN-SERVICES host X.X.0.114 X.X55.0.0 0.0.255.255
permit icmp object-group MANAGEMENT-ADDRESSES X.X55.0.0 0.0.255.255 log
permit icmp object-group MANAGEMENT-ADDRESSES X.X.9.0 0.0.0.255 log
deny ip any any log
ip access-list extended CELLULAR-PORT-OUT
permit object-group VPN-SERVICES X.X55.0.0 0.0.255.255 host X.X.0.114
permit ip X.X.244.4 0.0.0.3 11.11.254.12 0.0.0.3
deny ip any any log
ip access-list extended CoPP_CRITICAL
remark our control plane adjacencies are critical
permit udp host X.X.0.114 X.X55.0.0 0.0.255.255 eq isakmp
deny ip any any log
ip access-list extended CoPP_DEFAULT
permit ip any any log
ip access-list extended CoPP_IMPORTANT
remark Allow RADIUS from NPS Servers
permit object-group RADIUS-SERVICES object-group RADIUS-SERVERS X.X.9.0 0.0.0.255
remark Allow Network Management
permit object-group MANAGEMENT-SERVICES object-group MANAGEMENT-ADDRESSES X.X.9.0 0.0.0.255
remark Allow NTP from time servers
permit udp object-group NTP-SERVERS X.X.9.0 0.0.0.255 eq ntp
remark Allow IP SLA traffic
permit object-group IPSLA-SERVICES host X.X.5.202 X.X.9.0 0.0.0.255
deny ip any any log
ip access-list extended CoPP_NORMAL
remark we will want to rate limit ICMP traffic
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any log
ip access-list extended CoPP_UNDESIRABLE
remark other management plane traffic that should not be received
permit object-group MANAGEMENT-SERVICES any any
permit object-group RADIUS-SERVICES any any
permit udp any any eq ntp
permit udp any any eq isakmp
permit igmp any 224.0.0.0 15.255.255.255
deny ip any any log
!
ip radius source-interface Loopback0
ip sla responder
ip sla 10
icmp-echo X.X.2.90 source-interface Loopback0
threshold 2000
frequency 30
ip sla schedule 10 life forever start-time after 00:15:00
ip sla enable reaction-alerts
logging facility local2
logging source-interface Loopback0
logging host X.X00.252.101
logging host X.X.2.90
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
!
snmp-server engineID remote X.X.2.78 100020020708
snmp-server engineID remote X.X.2.90 100020020900
snmp-server group XXXsnmr v3 priv
snmp-server group XXXisSNMPRead v3 priv
snmp-server group XXXisSNMPwrite v3 priv write XXXisSNMPview access SNMP-NMS
snmp-server view XXXisSNMPview iso included
snmp-server view XXXisSNMPview iso.* included
snmp-server view XXXisSNMPview internet included
snmp-server view XXXisSNMPview mib-2 included
snmp-server view XXXisSNMPview system included
snmp-server view XXXisSNMPview ciscoMgmt.252 included
snmp-server trap-source Loopback0
snmp-server source-interface informs Loopback0
snmp-server tftp-server-list TFTP-SERVERS
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps pfr
snmp-server enable traps flowmon
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps vlpwa
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal low-space
snmp-server enable traps cisco-sys heartbeat
snmp-server enable traps auth-framework sec-violation auth-fail
snmp-server enable traps adslline
snmp-server enable traps c3g
snmp-server enable traps LTE
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps energywise
snmp-server enable traps wpan
snmp-server enable traps envmon
snmp-server enable traps bgp cbgp2
snmp-server enable traps isis
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity-ext
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps mempool
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pki
snmp-server enable traps bstun
snmp-server enable traps dlsw
snmp-server enable traps ipsla
snmp-server enable traps stun
snmp-server enable traps mpls traffic-eng
snmp-server enable traps mpls fast-reroute protected
snmp-server enable traps mpls rfc ldp
snmp-server enable traps mpls ldp
snmp-server enable traps pw vc
snmp-server enable traps lisp
snmp-server enable traps ipmobile
snmp-server enable traps snasw alert isr topology cp-cp port link dlus
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-role-change
snmp-server enable traps gdoi ks-gm-deleted
snmp-server enable traps gdoi ks-peer-reachable
snmp-server enable traps ike tunnel stop
snmp-server file-transfer access-group TFTP-SERVERS protocol tftp
!
radius server I-NPS-02
address ipv4 X.X.2.77 auth-port 1645 acct-port 1646
key 7 XXXXX
!
radius server I-NPS-01
address ipv4 X.X.2.76 auth-port 1645 acct-port 1646
key 7 XXXXX
!
!
!
control-plane
!
!
vstack
!
line con 0
exec-timeout 0 0
stopbits 1
line 1 2
stopbits 1
line 3
script dialer lte
no exec
transport preferred lat pad telnet rlogin lapb-ta mop udptn v120 ssh
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 100000000
txspeed 50000000
line 8
no exec
transport preferred lat pad telnet rlogin lapb-ta mop udptn v120 ssh
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
rxspeed 100000000
txspeed 50000000
line 1/3 1/6
transport preferred none
transport output none
stopbits 1
line vty 0 4
access-class Mgmt_Access in
exec-timeout 5 0
authorization exec XXX-AUTHO
logging synchronous
login authentication XXX-AUTH
transport preferred ssh
transport input ssh
transport output ssh
!
no scheduler max-task-time
no iox hdm-enable
iox client enable interface GigabitEthernet2
no iox recovery-enable
!
!
!
!
!
!
!
end
08-18-2020 11:16 AM
Thanks for posting the config. I do see that it configures ezvpn in network extension mode. There is a tunnel configured to use ipsec encryption and the ezvpn is configured to use that tunnel. I do not have much experience with ezvpn but it looks to me like this config should work.
08-18-2020 09:28 PM
Sir, thanks for your replies. This configuration does seem to be working for us; however, I'm not certain this is how it should be done, as I'm pretty new to VPNs in general.
Maybe you can help me with some concerns:
- Is there a way to keep the loopback as the EzVPN client IP but still allow the other interface's traffic to go through?
(I only ask because in the firewall it terminates to, it will always show the G0 IP instead of the loopback as the IP.)
- If the physical interface goes down, the IP will become unavailable and the VPN will go down.
Thanks for your time.
09-04-2020 01:02 PM
I am glad that my suggestions have been helpful. This is an area where I do not have a lot of experience so it has been a bit of a learning experience for me as well. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.