Solved: Re: Site to Site VPN assistance - Page 2

jxcclark · ‎11-03-2012

Hi All

I hope to get some clarification and assistance here on a configuration issue i cant get my head around.

I have a Cisco C837 router all functional with client access VPNs setup and working, its a inherited setup and not our own and i need to create a site to site VPN to another Cisco small business router preferably whilst keeping the current client access setup, from what ive read you can only have 1 crypto map per interface and i can just about get my head around creating a static VPN for site to site when the router doesn't have a existing crypto map and policy, i cant however figure out how to add the site to site on top of this setup and from what i have read it can be done using the existing crypto map but im only getting bit of the required setup information from here and there nothing concrete.

Can anyone one help and save my sanity ?

jxcclark · ‎11-05-2012

Current Conifg of device debug above which needs static vpn as well as client access vpn.

Just to clarify client access vpn works fine but when the static vpn changes are made client access vpn does not work from the lan range 192.168.22.0 which is the lan of the peer im trying to get a staic VPN to., but works from anywhere else on the internet.

Router#sh run
Building configuration...

Current configuration : 6249 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
no logging buffered
enable secret 5 $1$YDPe$bFH3Xpt86tvRzPDUJkUTv0
!
username fred password 7 141F1D1C0D162E79747867
username ellen password 7 050F1F0C2E421C594951
username joe password 7 120B0C141A0A1E00787B747D

no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.103
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.130
ip dhcp excluded-address 192.168.1.101
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key 0 mysharedkey address 80.176.85.8
!
crypto isakmp client configuration group vpngroup
key 0 mysharedkey
dns 192.168.1.2
wins 192.168.1.2
domain domain.local
pool ippool
acl 101
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map rtp client authentication list userauthen
crypto map rtp isakmp authorization list groupauthor
crypto map rtp client configuration address respond
crypto map rtp 5 ipsec-isakmp
set peer 80.176.85.8
set transform-set myset
match address 125
crypto map rtp 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
ip access-group 115 in
ip access-group 115 out
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group InboundFW in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname @cablestream.broadband
ppp chap password 7 15300C14330127352F603D
ppp pap sent-username @cablestream.broadband password 7 0026141E3370071
7087244
ppp ipcp dns request
ppp ipcp wins request
crypto map rtp
hold-queue 224 in
!
ip local pool ippool 192.168.101.1 192.168.101.100
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.2 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.103 50001 interface Dialer1 50001
ip nat inside source static udp 192.168.1.100 5632 interface Dialer1 5632
ip nat inside source static udp 192.168.1.100 5631 interface Dialer1 5631
ip nat inside source static tcp 192.168.1.100 5632 interface Dialer1 5632
ip nat inside source static tcp 192.168.1.100 5631 interface Dialer1 5631
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443
ip nat inside source static udp 192.168.1.2 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.130 55001 interface Dialer1 55001
ip nat inside source static tcp 192.168.1.101 50001 217.154.10.153 50001 extenda
ble
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended InboundFW
permit tcp 194.75.135.192 0.0.0.31 any eq 3389
permit tcp host 217.154.197.230 any eq 3389
permit tcp 89.206.230.192 0.0.0.31 any eq 3389
permit tcp 194.75.135.192 0.0.0.31 any eq telnet
permit tcp host 217.154.197.230 any eq telnet
permit tcp 89.206.239.32 0.0.0.31 any eq 3389
permit tcp 89.206.239.32 0.0.0.31 any eq telnet
permit tcp 89.206.239.32 0.0.0.31 any eq 22
permit tcp 207.126.144.0 0.0.15.255 any eq smtp
permit tcp host 81.138.0.31 any eq smtp
permit tcp host 81.138.0.26 any eq smtp
deny   tcp any any eq 3389
deny   tcp any any eq telnet
deny   tcp any any eq smtp
permit ip any any
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 115 permit ip any any
access-list 120 permit tcp any any range 50000 55100
access-list 125 permit ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end

jonathan.macphee · ‎11-05-2012

I also noticed, that if your remote subnet is 192.168.22.0 0.0.0.255, then the order you have in your NAT access list needs to change.

You have the following:

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255

The first line will Nat-exempt traffic going to the 192.168.101.0 0.0.0.255 subnet, but the second line permits any traffic going from 192.168.1.0 0.0.0.255 to any site to be NAT'ed. You should move the deny statement for 192.168.1.0 to 192.168.22.0 up a line before the permit any statement so it will be NAT exempt as well. For example:

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

It should be int that order, because the ACL processes matches in a top-down fashion.

jxcclark · ‎11-05-2012

Great Spot

Thanks for that i didnt notice that.

Having trouble seeing the wood for the trees right now.

jonathan.macphee · ‎11-05-2012

Hello,

Did you add the no-xauth command on the 837 for the crypto isakmp key command?

IE: crypto isakmp key your_key_goes_here addresss x.x.x.x no-xauth? I'm seeing a lot of XAUTH information in that debug that I not accustomed to seeing. Xauth only comes into play with your remote VPN clients like the Cisco VPN client - it's what initiates the username/pass request after you authenticate the Group Name and Key successfully. It's not used in site-to-site IPSEC VPN configurations.

Edit: I see you just posted the config. Change it to:

crypto isakmp key 0 mysharedkey address 80.176.85.8 no-xauth

and see if that makes any difference.

Jennifer Halim · ‎11-05-2012

Yes, Jonathan is right.

Pls edit it as follows:

crypto isakmp key 0 mysharedkey address 80.176.85.8 no-xauth no-config

jxcclark · ‎11-05-2012

Hi Jonathan

I didn't add that as i wasn't sure where to add it but you have just pointed that out, VPN client access is still required as users will still need this, the static vpn is only needed for server to server trafic for DFS purposes, ideally users on that peer lan range will still use the client access vpn for now.

Its like trying to split the atom getting this to work, cant get the SDM on there as the flash is to small and sdm wont run from the server to router.

If you can see any other faults in the config please advise as im all ears

jonathan.macphee · ‎11-05-2012

Where that isakmp key is just for that specific IPSEC host, you should be fine to add the no-xauth at the end of the line -- it shouldn't affect your VPN users, which pull their config from the crypto isakmp client configuration group section.

jxcclark · ‎11-05-2012

You picked that question out of my mind as that was next on the list

I wont be able to test now until tomorrow but will update you both

Thanks

jxcclark · ‎11-06-2012

Hi All

This is now working thanks to you guys, there is however one small side effect, the boss requests this locked down to just the two servers for DFS replication which is fine however he also wants to be able to use his client VPN when in the remote office peer which has the 192.168.22.0 range for purposes of outlook as he does not like webmail, when you connect to the VPN client from the remote peer lan range it will fail with a 412 error.

If you try to connect from the remote peer location with a VPN client would the remote peer router try and push the traffic for 192.168.22.0 to 192.168.1.0 down the tunnel instead of using the client ?

From outside on the internet works fine while tunnel is up..

I will post config as it is currently

Once again a big thanks for you support

jxcclark · ‎11-06-2012

Router#sh run
Building configuration...

Current configuration : 6188 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
no logging buffered
enable secret 5
!
username tom password 7 141F1D1C0D162E79747867
username pat password 7 050F1F0C2E421C594951
username bob password 7 120B0C141A0A1E00787B747D

no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.103
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.130
ip dhcp excluded-address 192.168.1.101
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
lifetime 28800
crypto isakmp key 0 mykey address 80.176.85.8 no-xauth
!
crypto isakmp client configuration group vpngroup
key 0 mykey
dns 192.168.1.2
wins 192.168.1.2
domain dycon.local
pool ippool
acl 101
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map rtp client authentication list userauthen
crypto map rtp isakmp authorization list groupauthor
crypto map rtp client configuration address respond
crypto map rtp 5 ipsec-isakmp
set peer 80.176.85.8
set transform-set myset
match address 125
crypto map rtp 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
ip access-group 115 in
ip access-group 115 out
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group InboundFW in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname @cablestream.broadband
ppp chap password 7 15300C14330127352F603D
ppp pap sent-username @cablestream.broadband password 7 0026141E33700717087244
ppp ipcp dns request
ppp ipcp wins request
crypto map rtp
hold-queue 224 in
!
ip local pool ippool 192.168.101.1 192.168.101.100
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.2 25 interface Dialer1 25
ip nat inside source static tcp 192.168.1.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.1.2 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.103 50001 interface Dialer1 50001
ip nat inside source static udp 192.168.1.100 5632 interface Dialer1 5632
ip nat inside source static udp 192.168.1.100 5631 interface Dialer1 5631
ip nat inside source static tcp 192.168.1.100 5632 interface Dialer1 5632
ip nat inside source static tcp 192.168.1.100 5631 interface Dialer1 5631
ip nat inside source static tcp 192.168.1.2 443 interface Dialer1 443
ip nat inside source static udp 192.168.1.2 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.130 55001 interface Dialer1 55001
ip nat inside source static tcp 192.168.1.101 50001 217.154.10.153 50001 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended InboundFW
permit tcp 194.75.135.192 0.0.0.31 any eq 3389
permit tcp host 217.154.197.230 any eq 3389
permit tcp 89.206.230.192 0.0.0.31 any eq 3389
permit tcp 194.75.135.192 0.0.0.31 any eq telnet
permit tcp host 217.154.197.230 any eq telnet
permit tcp 89.206.239.32 0.0.0.31 any eq 3389
permit tcp 89.206.239.32 0.0.0.31 any eq telnet
permit tcp 89.206.239.32 0.0.0.31 any eq 22
permit tcp 207.126.144.0 0.0.15.255 any eq smtp
permit tcp host 81.138.0.31 any eq smtp
permit tcp host 81.138.0.26 any eq smtp
deny   tcp any any eq 3389
deny   tcp any any eq telnet
deny   tcp any any eq smtp
permit ip any any
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.101.0 0.0.0.255
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.22.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 permit ip any any
access-list 125 permit ip host 192.168.1.2 host 192.168.22.3
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end

Router#

jonathan.macphee · ‎11-06-2012

Good to hear everything is up and running now!

Using the VPN client at the remote location where there is an IPSEC tunnel already in place just seems like it would end up being more trouble than it's worth, especially where the SRP527W is probably limited in what NAT exemptions and Crypto ACL configs you can pull off.

You could probably also get your DHCP server to associate the MAC address of his PC with the same IP address every time when he's at that location, or a unique range of IPs and only allow that IP or range of IPs to travel across the tunnel to the exchange server/ any other resources he wants to reach.

Also, keep in mind you can apply an access-list to the Crypto Map just like you would to an interface. This way, once the traffic is decrypted, it will process the packets just like a regular firewall, so you could lock down access just to specific ports/hosts/source/destination, etc, just like normal:

crypto map rtp 5 ipsec-isakmp

set ip access-group (ACL NAME)