Implementing IPSec Remote Access VPN using ISR 2801

john.dejesus
Level 1

Hi,

I was trying to set up a Remote Access VPN using an ISR 2801. I was able to establish the VPN tunnel from my house over a DSL connection (behind NAT), and the ISR gives the client an IP address from the pool that I configured on the ISR. The problem I have right now is that the client fails to reach the corporate LAN network.

DIAGRAM:

PC(VPN CLIENT)------SOHO ROUTER-------DSL MODEM-------INTERNET--------ISR2801-------CORPORATE LAN------(10.10.0.27&192.168.0.9)

PC: 172.16.10.122        

SOHO ROUTER LAN IP: 172.16.10.254

SOHO ROUTER WAN IP: Dynamically Assigned by ISP

ISR2801 WAN IP: x.x.x.5/224

ISR2801 LAN IP: 10.10.0.50/24

CORPORATE LAN SUBNET: 10.10.0.0/24 and 192.168.0.9/24

ISR 2801 CONFIGURATION:

aaa new-model
!
aaa authentication login NOCAUTHEN group radius local
aaa authorization network NOCAUTHOR local
!
ip domain name xxxxx.com
!
username root password 7 120B551806095F01386A
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group NOC-GROUP
 key !@mR0oT!~qwerty$9876
 dns 192.168.0.9
 wins 192.168.0.9
 domain xxxxx.com
 pool NOC-POOL
 include-local-lan
 netmask 255.255.255.0
!
crypto ipsec transform-set NOC-SET esp-3des esp-sha-hmac
!
crypto dynamic-map NOC-DYNAMICMAP 10
 set transform-set NOC-SET
!
crypto map NOC-MAP client authentication list NOCAUTHEN
crypto map NOC-MAP isakmp authorization list NOCAUTHOR
crypto map NOC-MAP client configuration address respond
crypto map NOC-MAP 10 ipsec-isakmp dynamic NOC-DYNAMICMAP
!
interface FastEthernet0/0
 ip address x.x.x.5 255.255.255.224
 speed 100
 full-duplex
 crypto map NOC-MAP
!
interface FastEthernet0/1
 ip address 10.10.0.50 255.255.255.0
 speed 100
 full-duplex
!
ip local pool NOC-POOL 192.168.250.101 192.168.250.110
ip route 0.0.0.0 0.0.0.0 x.x.x.1
ip route 10.10.0.0 255.255.255.0 10.10.0.10
ip route 172.16.10.0 255.255.255.0 FastEthernet0/0
ip route 192.168.0.0 255.255.255.0 10.10.0.10
ip route 192.168.250.0 255.255.255.0 FastEthernet0/0
!

I have attached some screenshots. My goal here is to have access to my corporate LAN network (10.10.0.0/24 and 192.168.0.9/24). I am not sure what is missing here.


6 Replies

padatta
Level 1

Hi,

The configuration doesn't seem complete. Is dynamic NAT/PAT configured on 2801?

Paps

No. I have not configured NAT. Why do I need NAT? And what network(s) should I include in the NAT?

No, we don't need NAT. I wanted to confirm whether NAT could be causing this problem.

The config looks good. Can you ping the router's internal LAN interface IP from the client after it connects?

Are the following routes correct, w.r.t. reaching the VPN pool from behind the router?

If so, I'd like to take a look at the following outputs while a client is connected.

show crypto eli

show crypto isakmp sa

show crypto ipsec sa

Paps

1. Can you ping the router's internal LAN interface IP from the client after it connects?

     - Yes, I can ping the router's WAN IP and LAN IP.

2. Are the following routes correct, w.r.t. reaching the VPN pool from behind the router?

     - What is "w.r.t."? I can also ping the VPN pool from the router.

3. Have you checked the attachment?

4. Here are the outputs as per your request.

ORIENT27F-VPN-ISR2801#show crypto eli
Hardware Encryption Layer :   ACTIVE
Number of crypto engines = 1 .
CryptoEngine-0 (slot-0) details.
Capability-IPSec : IPPCP, 3DES, AES, NoRSA
IKE-Session   :     0 active,   150 max, 0 failed
DH-Key        :     0 active,   150 max, 0 failed
IPSec-Session :     2 active,   300 max, 0 failed
======================================================================
ORIENT27F-VPN-ISR2801#show crypto isakmp sa
dst             src             state          conn-id slot status
x.x.x.5     112.201.162.115    QM_IDLE              1    0 ACTIVE
======================================================================
ORIENT27F-VPN-ISR2801#show crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: NOC-MAP, local addr x.x.x.5

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.250.105/255.255.255.255/0/0)
   current_peer 112.201.162.115 port 28527
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.5, remote crypto endpt.: 112.201.162.115
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x8D8DA45B(2374870107)

     inbound esp sas:
      spi: 0x1E903D77(512769399)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3001, flow_id: FPGA:1, crypto map: NOC-MAP
        sa timing: remaining key lifetime (k/sec): (4539078/3429)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8D8DA45B(2374870107)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3002, flow_id: FPGA:2, crypto map: NOC-MAP
        sa timing: remaining key lifetime (k/sec): (4539117/3423)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

5. PING Results
ORIENT27F-VPN-ISR2801#ping 192.168.250.105 source x.x.x.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.105, timeout is 2 seconds:
Packet sent with a source address of x.x.x.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 336/356/388 ms
ORIENT27F-VPN-ISR2801#ping 192.168.250.105 source 10.10.0.50
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.250.105, timeout is 2 seconds:
Packet sent with a source address of 10.10.0.50
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 340/360/372 ms
=================================================================
C:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 172.16.10.122
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
Ethernet adapter Cisco VPN:
        Connection-specific DNS Suffix  . : xxxxx.com
        IP Address. . . . . . . . . . . . : 192.168.250.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.250.105
C:\>ping x.x.x.5
Pinging x.x.x.5 with 32 bytes of data:
Reply from x.x.x.5: bytes=32 time=343ms TTL=237
Reply from x.x.x.5: bytes=32 time=344ms TTL=237
Reply from x.x.x.5: bytes=32 time=346ms TTL=237
Reply from x.x.x.5: bytes=32 time=345ms TTL=237
Ping statistics for x.x.x.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 343ms, Maximum = 346ms, Average = 344ms
C:\>ping 10.10.0.50
Pinging 10.10.0.50 with 32 bytes of data:
Reply from 10.10.0.50: bytes=32 time=348ms TTL=255
Reply from 10.10.0.50: bytes=32 time=341ms TTL=255
Reply from 10.10.0.50: bytes=32 time=343ms TTL=255
Reply from 10.10.0.50: bytes=32 time=375ms TTL=255
Ping statistics for 10.10.0.50:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 341ms, Maximum = 375ms, Average = 351ms

It is strange that we can ping the client from the internal LAN interface and vice versa. The router (2801) doesn't seem to encrypt traffic. There are decrypts though, which means the client sends encrypted traffic.

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264

We can try matching an ACL and see if it helps.

ip access-list extended to_pool
 permit ip any 192.168.250.0 0.0.0.255
!
! an extended ACL takes a wildcard mask, and match address belongs on the
! dynamic-map entry (the "crypto map NOC-MAP 10 ... dynamic" line has no submode)
crypto dynamic-map NOC-DYNAMICMAP 10
 match address to_pool

Paps
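The symptom Paps reads off the counters (decaps climbing while encaps stays at zero) is easy to spot on one SA but tedious across many connected clients. The script below is an added example, not code from the thread: it parses `show crypto ipsec sa` output of the shape quoted above and classifies each SA by its encaps/decaps pattern; the sample output and its addresses are constructed placeholders, not the poster's.

```python
import re

# Constructed sample shaped like the "show crypto ipsec sa" output quoted in
# the thread; addresses are documentation-range placeholders, not the poster's.
SAMPLE_OUTPUT = """\
interface: FastEthernet0/0
   remote ident (addr/mask/prot/port): (192.168.250.105/255.255.255.255/0/0)
   current_peer 198.51.100.7 port 28527
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 264, #pkts decrypt: 264, #pkts verify: 264
   remote ident (addr/mask/prot/port): (192.168.250.106/255.255.255.255/0/0)
   current_peer 198.51.100.9 port 4500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 131, #pkts decrypt: 131, #pkts verify: 131
"""

# A new SA record starts at each "remote ident" line (the client's pool address).
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/")
FIELDS = {
    "peer": re.compile(r"current_peer ([\d.]+)"),   # client's public (NAT) address
    "encaps": re.compile(r"#pkts encaps: (\d+)"),   # packets the router encrypted
    "decaps": re.compile(r"#pkts decaps: (\d+)"),   # packets the router decrypted
}

def parse_ipsec_sa(text: str) -> list[dict]:
    """Return one dict per SA with remote, peer, encaps and decaps."""
    sas: list[dict] = []
    for line in text.splitlines():
        if m := REMOTE_RE.search(line):
            sas.append({"remote": m.group(1), "peer": None, "encaps": 0, "decaps": 0})
            continue
        for key, rx in FIELDS.items():
            if sas and (m := rx.search(line)):
                sas[-1][key] = m.group(1) if key == "peer" else int(m.group(1))
    return sas

def diagnose(sa: dict) -> str:
    """'decaps_only' is the thread's symptom: client packets are decrypted but
    nothing bound for the client is encrypted, so return traffic never reaches
    the crypto-mapped interface (a routing problem, not a crypto one)."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    if sa["encaps"] == 0:
        return "decaps_only"
    if sa["decaps"] == 0:
        return "encaps_only"
    return "two_way"

def report(text: str) -> dict[str, str]:
    """Map each client's pool address to its verdict."""
    return {sa["remote"]: diagnose(sa) for sa in parse_ipsec_sa(text)}
```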

Hi,

It's now working. I forgot to add a route to my VPN IP pool. Anyway, I have another question for you. Is it possible to create VPN user groups? For example, I want to group certain clients/users from different departments/locations.

1. Can I assign a different IP pool to each group?

2. Is there any policy that can limit network access between groups, so that group A cannot access the network of group B and vice versa?

3. If this is possible, how do you create such a policy? What is it called? Can you give me some reading material on this?

Thanks,

John De Jesus