Help needed changing a split tunnel into a non-split tunnel

I am trying to get a Cisco 867 working for a branch office scenario.  It is just in a test environment at present, but I plan to use if for a real office once I get the configuration right.  It is connected to an ADSL line which gives it an Internet connection, this part seems to be working fine.  I want to create an IPsec tunnel over the Internet to our datacentre.  The datacentre has a Watchguard XTM850 firewall which can terminate the other end of the tunnel.  I have managed to get the tunnel to the datacentre working by following this guide:

http://www.watchguard.com/help/docs/fireware/11/en-US/Content/en-US/bovpn/manual/manual_bovpn_fireware-xtm_cisco-isr_c.html

This works fine, but it has given me a split tunnel.  Any web browsing from the branch office would go out through the local ADSL internet connection.  I don't want it to run this way because there is an iBoss security device at the datacentre which brings extra security if I pass the web traffic through it.  I want the default route to pass traffic to the datacentre over the VPN connection.  Once at the datacentre, I can pass the traffic out to the Internet from there if needed.

I have tried to adapt my working split tunnel configuration into a non-split tunnel configuration, but without luck.  I have tried to adapt the instructions in this article to my setup:

http://www.cisco.com/c/en/us/td/docs/routers/access/1800/1801/software/configuration/guide/scg/vpngre.html

The setup now does not work at all.  With the original split tunnel configuration I was able to ping both a device on the Internet and a device at the datacentre from a PC on the branch office subnet, but with the new non-split configuration I don't get a response from either.

I am out of my depth with this challenge and would be very grateful if someone would point me in the right direction.  I have attached both the original working split tunnel configuration, and the non-working non-split tunnel configuration.

Thanks in advance,

Richard

(Croydon, South London, UK)

5 Replies

Hello,

if you want all traffic to go through the VPN, use the configuration below. Basically, I have removed all NAT, and the access list in the crypto map matches everything coming from the local LAN:

!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco867
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
no aaa new-model
wan mode dsl
!
ip cef
no ipv6 cef
!
username <removed> privilege 15 secret 5 <removed>
!
controller VDSL 0
 operating mode adsl2+
 modem ukfeature
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key <password removed> address <external address of Watchguard firewall removed>
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map towatchguard 1 ipsec-isakmp
 description tunnel_to_watchguard
 set peer <external address of Watchguard firewall removed>
 set transform-set vpn
 match address 101
 reverse-route
!
interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 tunnel source FastEthernet2
 tunnel destination <external address of Watchguard firewall removed>
 crypto map towatchguard
!
interface ATM0
 description xDSL
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 load-interval 30
 class-int class-default
 atm vc-per-vp 64
 no atm ilmi-keepalive
 no snmp trap link-status
 snmp ifindex persist
 hold-queue 224 in
 pvc DATA 0/38
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 10.0.64.1 255.255.255.0
 ip virtual-reassembly in
!
interface Dialer1
 ip address negotiated previous
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting precedence input
 ip accounting precedence output
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip pim sparse-dense-mode
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp max-bad-auth 3
 ppp lcp predictive
 ppp lcp delay 1
 ppp authentication chap callin
 ppp chap hostname <login name removed>
 ppp chap password 0 <password removed>
 ppp ipcp dns request
 ppp ipcp wins request
 ppp ipcp predictive
 no cdp enable
 crypto map towatchguard
 hold-queue 224 in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Tunnel1
!
ip access-list extended vpnstatic1
 permit gre host 192.168.100.1 host <external address of Watchguard firewall removed>
!
access-list 101 permit ip 10.0.64.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 60 0
 no modem enable
line aux 0
 exec-timeout 60 0
line vty 0 4
 exec-timeout 60 0
 login local
 transport input all
!
scheduler allocate 60000 1000
!
end

Thanks for your suggestions Georg.  I've continued to work on this configuration whenever I had a chance over the last few days, but I have still not managed to get it working.  I followed your suggestion to remove the NAT statements.  I found that before the IPsec would come up, I needed to add a static route to allow traffic to the other end to pass over the Dialer1 interface.

With the current configuration which you can see below, the interfaces including the tunnel are showing as up.  It shows as up and without error from the Watchguard as well.

If I ping from the office network to something at the datacentre, I can see the packets arrive at the Watchguard, but I receive no responses.  There is a counter on the Watchguard interface which shows the number of packets received and I can see the number increasing when the pings are running.

If I ping from the Watchguard to the Cisco (10.0.64.1), then once again I can see packets seeming to go out through the Watchguard, but I don't get any response back.

I've spent many hours over the last few days trying to get this working but am running out of ideas.  If you (or anyone) can spot where I am going wrong I would be very grateful.

Thanks

Richard


!
! Last configuration change at 10:41:43 UTC Tue Jul 11 2017 by <removed>
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco867
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 <removed>
!
no aaa new-model
wan mode dsl
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
!
!
username <removed> privilege 15 secret 5 <removed>
!
!
controller VDSL 0
 operating mode adsl2+
 modem ukfeature
!
!
!
!
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key <password removed> address <external address of Watchguard firewall removed>  
!
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map towatchguard 1 ipsec-isakmp
 description tunnel_to_watchguard
 set peer <external address of Watchguard firewall removed>
 set transform-set vpn
 match address 101
 reverse-route
!
!
!
!
!
interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 tunnel source Vlan1
 tunnel destination <external address of Watchguard firewall removed>
!
interface ATM0
 description xDSL
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 load-interval 30
 class-int class-default
 atm vc-per-vp 64
 no atm ilmi-keepalive
 no snmp trap link-status
 snmp ifindex persist
 hold-queue 224 in
 pvc DATA 0/38
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 10.0.64.1 255.255.255.0
!
interface Dialer1
 ip address negotiated previous
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting precedence input
 ip accounting precedence output
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip pim sparse-dense-mode
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp max-bad-auth 3
 ppp lcp predictive
 ppp lcp delay 1
 ppp authentication chap callin
 ppp chap hostname <removed>
 ppp chap password 0 <removed>
 ppp ipcp dns request
 ppp ipcp wins request
 ppp ipcp predictive
 no cdp enable
 crypto map towatchguard
 hold-queue 224 in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route <external address range of Watchguard firewall removed> Dialer1
!
!
access-list 101 permit ip 10.0.64.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
line con 0
 exec-timeout 60 0
 no modem enable
line aux 0
 exec-timeout 60 0
line vty 0 4
 exec-timeout 60 0
 login local
 transport input all
!
scheduler allocate 60000 1000
!
end

Hello Richard,

I am not really sure what the purpose of the tunnel interface is; is it needed to terminate the VPN on the Watchguard? Either way, try the config below:

!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco867
!
boot-start-marker
boot-end-marker
!
enable secret 5 <removed>
!
no aaa new-model
wan mode dsl
!
ip cef
no ipv6 cef
!
username <removed> privilege 15 secret 5 <removed>
!
controller VDSL 0
 operating mode adsl2+
 modem ukfeature
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key <password removed> address <external address of Watchguard firewall removed>
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map towatchguard 1 ipsec-isakmp
 description tunnel_to_watchguard
 set peer <external address of Watchguard firewall removed>
 set transform-set vpn
 match address 101
 reverse-route
!
interface ATM0
 description xDSL
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 load-interval 30
 class-int class-default
 atm vc-per-vp 64
 no atm ilmi-keepalive
 no snmp trap link-status
 snmp ifindex persist
 hold-queue 224 in
 pvc DATA 0/38
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 10.0.64.1 255.255.255.0
 ip virtual-reassembly in
!
interface Dialer1
 ip address negotiated previous
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting precedence input
 ip accounting precedence output
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip pim sparse-dense-mode
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp max-bad-auth 3
 ppp lcp predictive
 ppp lcp delay 1
 ppp authentication chap callin
 ppp chap hostname <login name removed>
 ppp chap password 0 <password removed>
 ppp ipcp dns request
 ppp ipcp wins request
 ppp ipcp predictive
 no cdp enable
 crypto map towatchguard
 hold-queue 224 in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 101 permit ip 10.0.64.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 60 0
 no modem enable
line aux 0
 exec-timeout 60 0
line vty 0 4
 exec-timeout 60 0
 login local
 transport input all
!
scheduler allocate 60000 1000
!
end

Thanks Georg.  Your suggestions once again pointed me in the right direction.  The reason I put in the tunnel interface was so that I could make the tunnel the default route.  I realise now that this is not necessary.

I now understand that I just need to point all traffic to Dialer1, which is already linked to the IPsec tunnel, then use a combination of two access lists to determine which traffic is allowed to pass over the tunnel and which traffic is allowed to pass directly to the Internet without passing over the tunnel.

I think I have a working configuration now.  We will be using VOIP telephones at the office and I prefer to pass this traffic directly to the Internet, so I have added some entries to allow this to happen.  I needed to put back the NAT statements.  The configuration passes traffic over the tunnel by default unless the two access lists force it to pass directly to the Internet.

I have included the final working configuration below in case it helps anyone, but if you can spot any problems with this setup please let me know.

Thank you very much for your help, I have been struggling with this device for some time.

Richard


!
! Last configuration change at 16:02:29 UTC Thu Jul 13 2017 by <removed>
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco867
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 <removed>
!
no aaa new-model
wan mode dsl
!
!
!
!
!
!
ip domain name <removed>
ip cef
no ipv6 cef
!
!
!
!
!
!
!
username <removed> privilege 15 secret 5 <removed>
!
!
controller VDSL 0
 operating mode adsl2+
 modem ukfeature
!
ip ssh version 2
!
!
!
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key <password removed> address <external address of Watchguard firewall removed>
!
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
 mode tunnel
!
!
!
crypto map towatchguard 1 ipsec-isakmp
 description tunnel_to_watchguard
 set peer <external address of Watchguard firewall removed>
 set transform-set vpn
 match address 101
 reverse-route
!
!
!
!
!
interface ATM0
 description xDSL
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 load-interval 30
 class-int class-default
 atm vc-per-vp 64
 no atm ilmi-keepalive
 no snmp trap link-status
 snmp ifindex persist
 hold-queue 224 in
 pvc DATA 0/38
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 ip address 10.0.64.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer1
 ip address negotiated previous
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting output-packets
 ip accounting precedence input
 ip accounting precedence output
 ip accounting access-violations
 ip nbar protocol-discovery
 ip flow ingress
 ip pim sparse-dense-mode
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp max-bad-auth 3
 ppp lcp predictive
 ppp lcp delay 1
 ppp authentication chap callin
 ppp chap hostname <removed>
 ppp chap password 0 <removed>
 ppp ipcp dns request
 ppp ipcp wins request
 ppp ipcp predictive
 no cdp enable
 crypto map towatchguard
 hold-queue 224 in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT_ACL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended NAT_ACL
 permit ip 10.0.64.0 0.0.0.255 host <removed>
 permit ip 10.0.64.0 0.0.0.255 host <removed>
 permit ip 10.0.64.0 0.0.0.255 host <removed>
 permit ip 10.0.64.0 0.0.0.255 host <removed>
 permit ip 10.0.64.0 0.0.0.255 <removed> 0.0.0.255
!
access-list 101 deny   ip 10.0.64.0 0.0.0.255 host <removed>
access-list 101 deny   ip 10.0.64.0 0.0.0.255 host <removed>
access-list 101 deny   ip 10.0.64.0 0.0.0.255 host <removed>
access-list 101 deny   ip 10.0.64.0 0.0.0.255 host <removed>
access-list 101 deny   ip 10.0.64.0 0.0.0.255 <removed> 0.0.0.255
access-list 101 permit ip 10.0.64.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
line con 0
 exec-timeout 60 0
 no modem enable
line aux 0
 exec-timeout 60 0
line vty 0 4
 access-class 102 in
 exec-timeout 60 0
 privilege level 15
 login local
 transport input ssh
!
scheduler allocate 60000 1000
!
end
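
The two-access-list design in Richard's final configuration (a NAT ACL that sends selected destinations out locally, and a crypto ACL whose deny lines exclude the same destinations before a catch-all permit), and Georg's earlier point that with no NAT at all the crypto ACL simply matches everything from the LAN, can be checked mechanically. The Python below is an added example written for this thread, not the poster's or Cisco's code. It parses the ACL syntax used above, models the branch router's outbound decision, and audits whether the two lists agree. All addresses are constructed (RFC 5737 test ranges stand in for the `<removed>` hosts), and it assumes, as Cisco's documented NAT order of operations states, that for inside-to-outside traffic NAT is applied before the crypto map is consulted.

```python
"""Model of the tunnel-vs-local-breakout decision made by the two ACLs in the
thread's final IOS configuration. Added example; addresses are constructed.
Assumption: inside->outside packets are NATed before the crypto map is checked."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: Net
    dst: Net


def _wildcard_to_net(addr: str, wildcard: str) -> Net:
    # IOS wildcard 0.0.0.255 is netmask 255.255.255.0 (contiguous masks assumed)
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return Net(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _parse_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(f"{tokens[i + 1]}/32"), i + 2
    return _wildcard_to_net(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'permit|deny ip SRC DST' lines in numbered or named ACL syntax."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "!":
            continue
        if tokens[0] == "access-list":   # numbered form: drop "access-list 101"
            tokens = tokens[2:]
        if tokens[0] == "ip":            # "ip access-list extended NAME" header
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported line: {raw!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(action, src, dst))
    return entries


def acl_permits(acl: List[AclEntry], src, dst) -> bool:
    """First match wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


# Constructed stand-ins for the <removed> VOIP hosts in the thread.
# The third deny in ACL 101 deliberately has no matching NAT_ACL permit.
NAT_ACL = parse_acl("""
ip access-list extended NAT_ACL
 permit ip 10.0.64.0 0.0.0.255 host 192.0.2.10
 permit ip 10.0.64.0 0.0.0.255 192.0.2.128 0.0.0.127
""")
CRYPTO_ACL = parse_acl("""
access-list 101 deny   ip 10.0.64.0 0.0.0.255 host 192.0.2.10
access-list 101 deny   ip 10.0.64.0 0.0.0.255 192.0.2.128 0.0.0.127
access-list 101 deny   ip 10.0.64.0 0.0.0.255 host 192.0.2.40
access-list 101 permit ip 10.0.64.0 0.0.0.255 any
""")
DIALER_IP = ipaddress.IPv4Address("198.51.100.7")   # constructed negotiated WAN address


def classify(src: str, dst: str, nat_acl=NAT_ACL, crypto_acl=CRYPTO_ACL,
             wan_ip=DIALER_IP) -> str:
    """Outcome for one LAN->outside flow on the branch router."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    natted = acl_permits(nat_acl, s, d)
    post_nat_src = wan_ip if natted else s      # NAT happens first (assumption above)
    if acl_permits(crypto_acl, post_nat_src, d):
        return "tunnel"                         # encrypted towards the datacentre
    if natted:
        return "internet-nat"                   # local breakout with the WAN address
    return "clear-private-source"               # neither NATed nor encrypted


def audit_breakout(nat_acl: List[AclEntry], crypto_acl: List[AclEntry]) -> List[Net]:
    """Destinations the crypto ACL excludes from the tunnel that no NAT permit covers."""
    gaps = []
    for e in crypto_acl:
        if e.action != "deny":
            continue
        covered = any(n.action == "permit" and e.src.subnet_of(n.src)
                      and e.dst.subnet_of(n.dst) for n in nat_acl)
        if not covered:
            gaps.append(e.dst)
    return gaps


if __name__ == "__main__":
    for dst in ("172.16.5.5", "192.0.2.10", "192.0.2.200", "192.0.2.40"):
        print(f"10.0.64.25 -> {dst:12} {classify('10.0.64.25', dst)}")
    print("crypto denies without a NAT permit:", [str(n) for n in audit_breakout(NAT_ACL, CRYPTO_ACL)])
```

In this model a destination that is denied in ACL 101 but absent from NAT_ACL leaves Dialer1 unencrypted and still carrying its 10.0.64.x source address, which is the failure the audit reports; keeping the deny lines and the NAT permits as exact mirrors is what makes the design hold, and Georg's no-NAT variant avoids the question entirely because nothing is ever excluded from the tunnel.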

Richard,

is the Watchguard at the datacentre doing any NAT? If that is the case, you would not need any NAT configuration on your branch router. As in the last configuration I posted, you just encrypt all traffic and send it down Dialer1.
