1841 as VPN concentrator in DMZ. Dynamic to static L2L or Remote

amaury.dailliez
Level 1

Hi there,

I've spent the day trying some configurations for an 1841 router as a VPN concentrator (not Easy VPN) in a DMZ, without any success.

It would be easier to have an integrated DSL modem in the 1841, but this project already costs me a lot of money and I cannot purchase a HWIC card for now...

The project network topology is as follows:

[topology diagram: gif_1.gif]

The 1841 sits in a DMZ behind an existing third-party DSL router with a static WAN IP address.

I have 3 remote sites I would like to connect via VPN to my office network for administrative purposes. Each one gets a dynamic WAN IP address.

The 3G routers at the remote sites support IPsec VPN (see the attached screenshot of those routers' VPN settings GUI). They have NAT, bridging and DMZ capability too.

At this time I don't know which is better for this topology: L2L access or remote access?

[running-config sample]
[...]
!
no aaa new-model
!
[...]
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key testpresharedkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set TS esp-des esp-md5-hmac
!
crypto dynamic-map DYN-TS 10
! Incomplete
set transform-set TS
!
!
!
crypto map IPSEC 10 ipsec-isakmp dynamic DYN-TS
!
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
speed auto
half-duplex
no mop enabled
crypto map IPSEC
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
[...]
[running-config sample ends]

Thank you very much to the KIND SOULS who will help a poor, outdated IT technician.
Regards
6 Replies

Ivan Martinon
Level 7

Hi Amaury,

Several things to check here. First, on your 3G modem that hosts the VPN concentrator: are we sure we are forwarding all the needed ports and protocols to the router? Make sure ESP (a portless protocol) is supported for forwarding, along with UDP 500 and UDP 4500. Second, your remote-end 3G modems have IPsec PFS enabled and your router does not, so make sure you add that to your dynamic map setup. Also, these modems have the identity defined as the address; if you can disable this it would be better. And try using main mode rather than aggressive mode on these routers, to see if that changes anything.

When all of these have been changed, go ahead and try to connect your tunnel and see on your VPN

Thanks for your answer, Ivan,

I have corrected the parameters in the 3G router VPN GUI; you were right.

I cannot find any information about this DSL router, but I think it doesn't support ESP; I cannot log any activity in debug crypto mode.

Things are a little bit clearer for me now, even if it still doesn't work. I will probably need to buy a HWIC-1ADSL card.

Thank you so much for your help and for the time you offered me.

Cheers,

Amaury

The crypto profiles are the following:

R1841#show crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit

R1841#show crypto ipsec transform-set
Transform set DYN-TS: { esp-des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

Here is my new complete configuration file with a new screenshot of the 3G router VPN GUI:
R1841#sh run
Building configuration...

Current configuration : 3011 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1841
!
boot-start-marker
boot-end-marker
!
logging buffered 32000 errors
logging monitor errors
enable secret 5 $1$d8YT$vP2hExKOtRkAtsejGXA2Z.
!
aaa new-model
!
!
!
aaa session-id common
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain lookup source-interface FastEthernet0/0
ip name-server 192.168.1.1
!
!
crypto pki trustpoint TP-self-signed-766713186
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-766713186
revocation-check none
rsakeypair TP-self-signed-766713186
!
!
crypto pki certificate chain TP-self-signed-766713186
certificate self-signed 01
  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
[...]
  EC54DF24 ABB34524 4132723C 992DBECF 3186A3A9 862178EF 57B40349 2C8E35E3
  quit
username test password 0 test
!
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key testpresharedkey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set DYN-TS esp-des esp-md5-hmac
!
crypto dynamic-map DYN 10
set transform-set DYN-TS
!
!
!
crypto map IPSEC 10 ipsec-isakmp dynamic DYN
!
!
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
speed auto
half-duplex
no mop enabled
crypto map IPSEC
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
no ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
session-timeout 60
privilege level 0
transport input ssh
!
scheduler allocate 20000 1000
end
Unfortunately it's impossible to disable the "identifier" option on the 3G router side.

About the modem's identifier type: I thought that could be removed, but if it can't, leave it as address rather than FQDN. For the phase 2 settings, if you can't disable PFS, then go ahead and add this line to your router in the dynamic crypto map:

crypto dynamic-map DYN 10
set pfs group1

As far as the debugs, why can't you debug any crypto stuff on this router? Once these settings are done, can you try to pass traffic through the tunnel and get the following output?

show crypto ipsec sa
show crypto isakmp sa

When I turn debug crypto (engine, isakmp, ipsec, mib, routing) on, no activity is logged while the 3G router is supposed to initiate the VPN connection. That suggests to me that the DSL router doesn't support ESP forwarding, and so the tunnel connection is not properly initiated.

show crypto ipsec sa and show crypto isakmp sa give me nothing.

You need to try to pass some kind of traffic over this tunnel to get debugs. If you are not getting any debugs, then probably UDP 500 is not reaching the router: UDP 500 is what is used to create the tunnel; ESP comes when passing traffic and will not be used unless the tunnel is negotiated. My advice: go ahead and check the modem in front of the router and see if you can find any kind of logging that might show why traffic is not reaching the router.

Hi Ivan!

I have an explanation now!

I tried a port scan from outside, and UDP 500 and 4500 appear to be closed!

I have created allow rules in the firewall of the DSL router for IPsec, TCP 22, UDP 500 and 4500.

I'm able to open port 22 and connect via SSH to the router from outside, but not 500 and 4500, while the sockets appear to be open on the router.

R1841#show ip sockets
Proto    Remote      Port      Local       Port  In Out Stat TTY OutputIF
17 0.0.0.0             0 192.168.1.254      67   0   0 2211   0
17   --listen--          192.168.1.254     500   0   0   11   0
17   --listen--          192.168.1.254    4500   0   0   11   0

Finally, I have confirmation that this DSL router supports VPN connections through port mapping or DMZ. Many people did it with third-party VPN servers with IPsec over TCP 10000 and it's working; by the way, my 3G routers don't allow IPsec over TCP 10000.
Unfortunately there is no debugging information available on this DSL router. I'm afraid there is no way out of this problem as long as I have this DSL router.
Kind Regards,
Amaury
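A plain UDP port scan, as in the last post, cannot distinguish a filtered port from an open one: UDP 500 is reported "closed" only when an ICMP port-unreachable comes back, and "open" only when something answers. A real IKE responder does answer a well-formed first main-mode message, either with its own SA (a policy matched) or with a NO-PROPOSAL-CHOSEN notification (nothing matched), so sending one settles the question Ivan raised, whether UDP 500 is reaching the 1841 through the DSL router at all. NAT-T only moves the exchange to UDP 4500 once phase 1 on UDP 500 has detected a NAT, so 500 is the port to test first. The script below is an added example written for this page, not code from the thread or from Cisco; it offers two proposals (the first mirrors the DES/MD5/pre-shared-key/group 1 policy 10 shown above, the second a 3DES/SHA1/group 2 set) and classifies the reply. The address 192.0.2.1 is a documentation placeholder standing in for the DSL router's WAN IP.

```python
"""Probe an IKEv1 responder on UDP 500 with a first main-mode message.

Added example for this thread (not Cisco code). Message 1 of main mode is
sent in clear and carries only the proposal list; the pre-shared key is
never used in it, so this probe reveals nothing secret.
"""
import os
import socket
import struct

# ISAKMP / IKEv1 constants (RFC 2408, RFC 2409, IPsec DOI)
ISAKMP_HEADER_LEN = 28
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_TRANSFORM, PAYLOAD_NOTIFY = 0, 1, 3, 11
EXCH_MAIN_MODE = 2
IPSEC_DOI, SIT_IDENTITY_ONLY, PROTO_ISAKMP, KEY_IKE = 1, 1, 1, 1
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP = 1, 2, 3, 4
ATTR_LIFE_TYPE, ATTR_LIFE_DUR, LIFE_SECONDS = 11, 12, 1
ENC_DES, ENC_3DES, HASH_MD5, HASH_SHA1, AUTH_PSK = 1, 5, 1, 2, 1
NOTIFY_NO_PROPOSAL_CHOSEN = 14
ZERO_COOKIE = b"\x00" * 8

# (encryption, hash, authentication, DH group). The first entry mirrors
# policy 10 of the R1841 config in this thread; the second is a common
# stronger set, so a NO-PROPOSAL-CHOSEN reply still proves reachability.
TRANSFORMS = [
    (ENC_DES, HASH_MD5, AUTH_PSK, 1),
    (ENC_3DES, HASH_SHA1, AUTH_PSK, 2),
]


def _basic_attr(attr_type, value):
    # Basic attribute: 2-byte type with the high bit set, 2-byte value.
    return struct.pack("!HH", 0x8000 | attr_type, value)


def _transform(number, enc, hash_alg, auth, group, last):
    attrs = (_basic_attr(ATTR_ENC, enc) + _basic_attr(ATTR_HASH, hash_alg)
             + _basic_attr(ATTR_AUTH, auth) + _basic_attr(ATTR_GROUP, group)
             + _basic_attr(ATTR_LIFE_TYPE, LIFE_SECONDS)
             # 86400 s does not fit in 2 bytes, so the duration is a TLV attribute
             + struct.pack("!HHI", ATTR_LIFE_DUR, 4, 86400))
    next_payload = PAYLOAD_NONE if last else PAYLOAD_TRANSFORM
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(attrs),
                       number, KEY_IKE, 0) + attrs


def build_main_mode_sa(init_cookie, transforms=TRANSFORMS):
    """ISAKMP header + SA payload (one proposal, N transforms): message 1 of main mode."""
    body = b"".join(_transform(i + 1, *t, last=(i == len(transforms) - 1))
                    for i, t in enumerate(transforms))
    proposal = struct.pack("!BBHBBBB", PAYLOAD_NONE, 0, 8 + len(body),
                           1, PROTO_ISAKMP, 0, len(transforms)) + body
    sa = struct.pack("!BBHII", PAYLOAD_NONE, 0, 12 + len(proposal),
                     IPSEC_DOI, SIT_IDENTITY_ONLY) + proposal
    header = struct.pack("!8s8sBBBBII", init_cookie, ZERO_COOKIE, PAYLOAD_SA,
                         0x10, EXCH_MAIN_MODE, 0, 0, ISAKMP_HEADER_LEN + len(sa))
    return header + sa


def classify_response(data, init_cookie):
    """Map the responder's first reply to a diagnosis string."""
    if len(data) < ISAKMP_HEADER_LEN:
        return "malformed"
    icookie, rcookie, next_payload, _ver, exch, _flags, _msgid, _length = \
        struct.unpack("!8s8sBBBBII", data[:ISAKMP_HEADER_LEN])
    if icookie != init_cookie:
        return "cookie-mismatch"
    if exch == EXCH_MAIN_MODE and next_payload == PAYLOAD_SA and rcookie != ZERO_COOKIE:
        return "ike-responder: proposal accepted"
    if next_payload == PAYLOAD_NOTIFY and len(data) >= ISAKMP_HEADER_LEN + 12:
        # Notification payload: generic header(4) DOI(4) proto(1) spi_size(1) type(2)
        off = ISAKMP_HEADER_LEN + 10
        ntype = struct.unpack("!H", data[off:off + 2])[0]
        if ntype == NOTIFY_NO_PROPOSAL_CHOSEN:
            return "ike-responder: no proposal chosen (policy mismatch)"
        return "ike-responder: notify %d" % ntype
    return "ike-responder: unexpected reply"


def probe(host, port=500, timeout=3.0):
    """Send the proposal to host:port and classify the outcome (needs network)."""
    cookie = os.urandom(8)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.bind(("", port))  # source port 500 as a real peer would (needs privileges)
        except OSError:
            pass
        s.connect((host, port))  # connected UDP so ICMP unreachable surfaces as an error
        s.send(build_main_mode_sa(cookie))
        try:
            data = s.recv(4096)
        except socket.timeout:
            return "no reply: UDP %d filtered or not forwarded to the IKE daemon" % port
        except ConnectionRefusedError:
            return "ICMP port unreachable: nothing listening on UDP %d" % port
    return classify_response(data, cookie)


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a documentation address standing in for the DSL router's WAN IP
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"))
```

Run it from a host on the Internet side of the DSL router against its WAN address. No reply while `show ip sockets` on the 1841 shows UDP 500 listening points at the device in front, which is the conclusion the thread reaches; a classified IKE reply while `debug crypto isakmp` on the 1841 stays silent would mean something other than the 1841 answered. Either result is more informative than a scanner's "closed" for a UDP port.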
