Wake on Lan via IPSec VPN on Cisco 886VA

Petro-Berg
Level 1

Hi there,

I've tried to get WOL packets forwarded from the VPN to local workstations; unfortunately it won't work and I don't understand why not.

Please find a diagram how the network looks like:

Network diagram

The workstations should be woken up by WOL. Inside the LAN this works great, but sometimes I need to wake up the workstations via the VPN connection from off-site. I'm aware I could configure a server within the LAN which runs 24/7 and run the task from the server, but I would prefer to do it without an additional server.

I've configured IPsec VPN on the router, which works very well, and I'm aware that WOL packets are sent via broadcast, which isn't forwarded by the router by default. Therefore I've tried to use the ip helper-address command on the router and added it to the fe0 interface. Unfortunately the workstations don't wake up. For testing purposes I've used two different applications to send the magic packets. I'm able to configure the port the packets should be sent to and tried 7, 9, 37, 49, 53, 67, 68, 137, 138.

Please find the proper sections of running config below:

#Cisco IOS Version 15.4.3-M5

!
ip inspect WAAS flush-timeout 10
ip inspect name FWOUT sip
ip inspect name FWOUT rtsp
ip inspect name FWOUT ftp
ip inspect name FWOUT smtp
ip inspect name FWOUT ftps
ip inspect name FWOUT imap
ip inspect name FWOUT imaps
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT dns
ip cef
no ipv6 cef
!
username xyz privilege 15 secret 4 ###secret###
!
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp client configuration group VPN-Group
 key ###secret###
 dns xxx.xxx.xxx.xxx
 pool vpnpool
 save-password
 max-users 5
crypto isakmp profile VPN-Profile
   match identity group VPN-Group
   client authentication list clientauth
   isakmp authorization list groupauth
   client configuration address respond
   virtual-template 2
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-Profile
 set transform-set VPN
!
interface Ethernet0
 description $ETH-LAN$
 no ip address
!
interface Ethernet0.7
 description VDSL - VLAN 7 tagged
 encapsulation dot1Q 7
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 switchport trunk allowed vlan 1,10
 switchport mode trunk
 no ip address
 no cdp enable
!
interface Virtual-Template2 type tunnel
 description VPN Interface
 ip unnumbered Vlan1
 ip helper-address 172.20.20.255
 ip helper-address 172.20.20.101
 ip helper-address 172.20.20.102
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-Profile-1
!
interface Vlan1
 description local network
 ip address 172.20.20.1 255.255.255.0
 ip helper-address 172.20.20.255
 ip helper-address 172.20.20.101
 ip helper-address 172.20.20.102
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 description VDSL
 ip address negotiated
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect FWOUT out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no keepalive
 ppp authentication chap callin
 ppp chap hostname ###secret###
 ppp chap password ###secret###
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 no cdp enable
!
ip local pool vpnpool 172.20.20.10 172.20.20.19 recycle delay 60
ip forward-protocol nd
ip forward-protocol udp echo
ip forward-protocol udp discard
!
ip dns server
ip nat inside source list 101 interface Dialer1 overload
!
dialer-list 1 protocol ip list 101
!
access-list 101 permit ip 172.20.20.0 0.0.0.255 any
access-list 111 permit udp any any eq echo
access-list 111 permit udp any any eq discard
access-list 111 remark VPN
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit udp any any eq isakmp
access-list 111 permit esp any any
access-list 111 permit ahp any any
access-list 111 remark ICMP
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq domain any
access-list 111 permit tcp any eq domain any
access-list 111 remark Deny-All-Other
access-list 111 deny   ip any any
!

I've added it to the vlan interface and, in another test, to the virtual-template (italic part). When I try to add it to the FastEthernet0 interface I get an error "unrecognized command". Unfortunately I'm not a professional, that's why I don't know how to proceed.

Could someone point me in the right direction?

Best regards,

Petro
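As an added example (not from the original post and not one of the applications Petro used), a small Python helper that builds and validates WOL magic packets and checks whether a destination is the directed-broadcast address of the LAN subnet (172.20.20.255 for 172.20.20.0/24, the first helper-address target in the config above). Running the parser on a packet capture taken on a LAN host shows whether the forwarded packet arrives well-formed; the MAC address and UDP port 9 are assumed sample values.

```python
import ipaddress
import re
import socket


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Build a WOL magic packet: six 0xFF sync bytes, then the target MAC
    repeated 16 times, optionally followed by a 4- or 6-byte SecureOn password."""
    hex_mac = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hex_mac) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return b"\xff" * 6 + bytes.fromhex(hex_mac) * 16 + password


def parse_magic_packet(payload: bytes):
    """Return the target MAC (lower-case, colon separated) if the UDP payload
    carries a well-formed magic packet, else None. The sync stream may be
    preceded by padding from some senders, so it is searched for, not assumed
    at offset 0."""
    idx = payload.find(b"\xff" * 6)
    if idx < 0:
        return None
    body = payload[idx + 6:]
    if len(body) < 96:          # 16 repetitions of a 6-byte MAC
        return None
    mac = body[:6]
    if body[:96] != mac * 16:   # every repetition must match the first
        return None
    return ":".join(f"{b:02x}" for b in mac)


def is_directed_broadcast(dst: str, lan: str) -> bool:
    """True if dst is the directed-broadcast address of the LAN subnet,
    e.g. 172.20.20.255 for 172.20.20.0/24."""
    network = ipaddress.ip_network(lan, strict=False)
    return ipaddress.ip_address(dst) == network.broadcast_address


def send_magic_packet(mac: str, dst: str, port: int = 9) -> int:
    """Send one magic packet to dst:port (unicast or directed broadcast)
    and return the number of bytes sent. Not invoked on import."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(pkt, (dst, port))


if __name__ == "__main__":
    # Sample values (constructed): wake a host on the LAN described in the thread.
    print(send_magic_packet("00:11:22:33:44:55", "172.20.20.255", 9), "bytes sent")
```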

3 Replies

Richard Burts
Hall of Fame

The reason why you get the error message when attempting to add the helper command to FastEth0 is that this interface is a layer 2 interface but helper address is a layer 3 function. You can not configure a layer 3 function on a layer 2 interface.

It seems to me that part of the problem is that helper address is intended to forward broadcast packets to addresses that are remote from the interface where helper address is configured. But your VPN pool addresses are in the same subnet as your vlan 1 interface. So helper address is not kicking in because it regards these addresses as locally connected in the same subnet. But IOS does not forward broadcasts over IPsec encrypted sessions. What would happen if you change your config and make the VPN pool in a different subnet?

HTH

Rick


Dear Rick,

Thank you for your answer.

I've tried to use another VPN pool and added an additional VLAN, unfortunately without success. Please find the new config below.

!
ip inspect WAAS flush-timeout 10
ip inspect name FWOUT sip
ip inspect name FWOUT rtsp
ip inspect name FWOUT ftp
ip inspect name FWOUT smtp
ip inspect name FWOUT ftps
ip inspect name FWOUT imap
ip inspect name FWOUT imaps
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT dns
ip cef
no ipv6 cef
!
username xyz privilege 15 secret 4 ###secret###
!
crypto isakmp policy 100
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp client configuration group VPN-Group
 key ###secret###
 dns xxx.xxx.xxx.xxx
 pool vpnpool
 save-password
 max-users 5
crypto isakmp profile VPN-Profile
   match identity group VPN-Group
   client authentication list clientauth
   isakmp authorization list groupauth
   client configuration address respond
   virtual-template 2
!
crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-Profile
 set transform-set VPN
!
interface Ethernet0
 description $ETH-LAN$
 no ip address
!
interface Ethernet0.7
 description VDSL - VLAN 7 tagged
 encapsulation dot1Q 7
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 switchport trunk allowed vlan 1,10
 switchport mode trunk
 no ip address
 no cdp enable
!
interface Virtual-Template2 type tunnel
 description VPN Interface
 ip unnumbered Vlan10                                              // Changed to new VLAN
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-Profile-1
!
interface Vlan1
 description local network
 ip address 172.20.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan10                                                        //New VLAN
 description vpn letwork
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 172.20.20.255
 ip helper-address 172.20.20.101
 ip helper-address 172.20.20.102
 ip directed-broadcast      
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 description VDSL2
 ip address negotiated
 ip access-group 111 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect FWOUT out
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no keepalive
 ppp authentication chap callin
 ppp chap hostname ###secret###
 ppp chap password ###secret###
 ppp ipcp dns request
 ppp ipcp mask request
 ppp ipcp route default
 no cdp enable
!
ip local pool vpnpool 10.10.10.10 10.10.10.19 recycle delay 60            //Changed to new VLAN
ip forward-protocol nd
ip forward-protocol udp echo
ip forward-protocol udp discard
!
ip dns server
ip nat inside source list 101 interface Dialer1 overload
!
dialer-list 1 protocol ip list 101
!
access-list 101 permit ip 172.20.20.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any                        //Added ACL
access-list 111 permit udp any any eq echo
access-list 111 permit udp any any eq discard
access-list 111 remark VPN
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit udp any any eq isakmp
access-list 111 permit esp any any
access-list 111 permit ahp any any
access-list 111 remark ICMP
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq domain any
access-list 111 permit tcp any eq domain any
access-list 111 remark Deny-All-Other
access-list 111 deny   ip any any

I see two issues. Your helper addresses still use the old address. Should they use new addresses? The helper addresses are on vlan 10, where the VPN clients are. They should be on the interface where the WOL packets are received.

HTH

Rick
