Several years ago, while I was new to the security team in Brussels TAC, a case appeared in our queue that would change my view on IPsec VPN (and not only that!).
The problem description was quite clear: a user could not reach the internet through the IPsec VPN when connected with the Cisco VPN Client to an 1841 series router in full tunnel mode.
Seems quite easy, right?
Little did I know that it would require me to grasp a new, and at that time alien, technology very fast.
Briefly about the technical problem.
What happens when your VPN client, with a private IPv4 address assigned, wants to communicate with the outside world?
A typical edge device for a small business has a single IPv4 address assigned to the router's WAN interface.
Users on the LAN segment, also with private IPv4 addresses, want to use this WAN IP to reach the Internet by virtue of PAT (NAT overload).
Very often VPN users need exactly the same treatment.
The problem with the typical (legacy) ezvpn configuration is that, unlike LAN users, VPN users do not have their own interface on which to enable certain features, in this case "ip nat inside". The router therefore has no indication that VPN traffic is supposed to be NAT'ted.
Previous solutions to this particular problem involved sending VPN traffic (after decapsulation) to a loopback interface by means of PBR; the loopback interface would have "ip nat inside" enabled.
This was a neat trick, but we can forget about it now that we have the Dynamic Virtual Tunnel Interface (DVTI).
In this case I configured DVTI, added "ip nat inside" command on it and it worked straight out of the box!
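The configuration described above, as an added example that is not the original post's configuration: an Easy VPN server on an IOS router with a DVTI carrying "ip nat inside", so that full-tunnel VPN client traffic is PAT'ted to the WAN address. The interface names, the client pool range, the group, profile and AAA list names and the placeholder secrets are assumptions for this example.

```cisco
! Added example (not the original post's configuration): Easy VPN server
! on an IOS router using a DVTI, with the VPN client pool NAT'ted to the
! WAN address. Interface names, pool range, group/list names and the
! placeholder secrets are assumptions for this example.
aaa new-model
aaa authentication login VPN_XAUTH local
aaa authorization network VPN_GROUP local
username vpnuser secret REPLACE-WITH-USER-PASSWORD
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! Group the Cisco VPN Client connects to. No split-tunnel ACL is attached,
! so the client is in full-tunnel mode and all of its traffic enters the router.
crypto isakmp client configuration group VPNUSERS
 key REPLACE-WITH-GROUP-KEY
 pool VPNPOOL
!
crypto isakmp profile VPNPROF
 match identity group VPNUSERS
 client authentication list VPN_XAUTH
 isakmp authorization list VPN_GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI_PROF
 set transform-set TS
 set isakmp-profile VPNPROF
!
! Each client session clones a Virtual-Access interface from this template.
! Because the template carries "ip nat inside", decrypted client traffic is
! seen as arriving on an inside interface and is PAT'ted on the way out.
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROF
!
interface FastEthernet0/0
 description WAN
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
ip local pool VPNPOOL 10.10.10.1 10.10.10.254
!
! Translate only the client pool (add LAN subnets here if they share the NAT rule).
ip access-list extended VPN_NAT
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list VPN_NAT interface FastEthernet0/0 overload
```

To confirm it is working, "show crypto session" should list the client's IKE and IPsec SAs on a Virtual-Access interface, and "show ip nat translations" should show the client's pool address being translated to the WAN address once it sends traffic to the Internet. Keeping the NAT ACL limited to the pool (rather than "permit ip any any") avoids translating traffic you did not intend to, such as traffic between the LAN and the VPN pool.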
About VTI - a high-level look at Virtual Tunnel Interfaces.
While my case was solved, I had barely scratched the surface of how useful VTI is.
A few things you should know when starting.
VTI comes in two flavors: SVTI (a tunnel interface) and DVTI (a virtual-template interface).
SVTIs are used for static, always-on IPsec tunnels, while DVTIs provide on-demand connectivity.
An SVTI should typically be thought of as a LAN-to-LAN tunnel, while a DVTI is used for ezvpn (both server and client!) and, more recently, webvpn.
Let's have a look at some advantages of VTI.
1. Dynamic routing and multicast through VTI!
Remember one nasty limitation of IPsec: no multicast through the tunnel unless you used GRE?
Getting devices to talk to each other via OSPF or EIGRP required some tweaks.
Now it works by default!
That being said, GRE is not out of the picture: it is still broadly used and more flexible, and having more than one option is better.
2. No GRE overhead.
Try a ping with the DF bit set over your tunnel interface, once with VTI and once with GRE over IPsec, and compare which sizes get through...
ping TUNNEL_IP_ON_THE_OTHER_SIDE source tunnel X df-bit size 1436
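The two advantages above (dynamic routing over the tunnel and no GRE encapsulation) in one added example, not taken from the original post: a static VTI between two routers carrying OSPF directly over IPsec. The addresses (RFC 5737 documentation ranges), interface names, OSPF process and area, and the MTU/MSS values are assumptions for this example; the peer needs the mirror configuration.

```cisco
! Added example (not from the original post): a static VTI to a peer,
! carrying OSPF across the IPsec tunnel without GRE. Addresses (RFC 5737
! documentation ranges), interface names, OSPF process/area and the MTU/MSS
! values are assumptions for this example.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PRE-SHARED-KEY address 198.51.100.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile SVTI_PROF
 set transform-set TS
!
! The tunnel is a routed interface: OSPF hellos (multicast 224.0.0.5) and
! any routed traffic go through it, with no crypto-map ACL to maintain.
! The MTU/MSS settings leave room for ESP overhead and avoid fragmentation.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI_PROF
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.10 255.255.255.0
!
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
! Verification (exec mode): the neighbour should form on Tunnel0, and a
! DF-bit ping at a chosen size shows how much payload fits before
! fragmentation; repeat the same ping on a GRE-over-IPsec tunnel to compare.
!   show ip ospf neighbor
!   show crypto session
!   ping 10.255.0.2 source Tunnel0 df-bit size 1436
```

The difference from a crypto-map design is that routing decides what is encrypted: whatever is routed to Tunnel0 goes through the IPsec SA, so the OSPF-learned prefixes from the other side need no entry in an interesting-traffic ACL. Because there is no GRE header, the same DF-bit ping succeeds at a slightly larger size on the VTI than on a GRE-over-IPsec tunnel with the same transform set.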