11-20-2009 12:58 PM
on cisco 1841
crypto isakmp profile NEWVPN
match identity group NEWVPNGROUP
match identity address x.x.x.x x.x.x.x
client authentication list NEWVPNAUTH
isakmp authorization list NEWVPNTHOR
client configuration address respond
With the command match identity address x.x.x.x x.x.x.x I'm trying to force the router to receive VPN sessions for group NEWVPNGROUP
only from IP address x.x.x.x, but the router doesn't pay attention to this command.
Please let me know what I have to do in this case...
Thank You in advance
George
12-18-2009 08:09 PM
I think that you cannot restrict which IP address can initiate an Easy VPN client connection to the router, only on Site-to-Site VPN connections....
You can create restrictions, for example, on which clients with a specific version of the VPN client software can connect... but not on the IP of the client (because that would defeat the purpose of a remote VPN client connection), since the source IP cannot be determined beforehand.
Why are you trying to restrict the Easy VPN client connection to a specific IP?
Federico.
12-19-2009 10:22 AM
Thank you for the reply; my goal is to restrict only one certain group, not all of the dynamic VPN groups.
What does the command match identity address do if not identify the peer IP address?
I need to restrict not to a single IP but to a single IP range; the match identity address command (under crypto isakmp profile), as I see it, gives the opportunity to enter the necessary IP range.
12-19-2009 11:57 AM
The command match identity address x.x.x.x maps the peers to an ISAKMP profile, as you said.
But you're saying that even with that command, the router accepts VPN client connections from any source to that specific Easy VPN group?
Make sure that no two ISAKMP profiles match the same identity defined in the ISAKMP profile.
If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
So, if this is the case, make sure that this is the only ISAKMP profile matching that identity.
12-20-2009 01:36 AM
By my understanding, match identity group tells the router which group to connect to, so the peer, as I understand it, cannot be matched by several different rules.
For instance:
match identity group NEWGROUP
match identity address 192.168.0.0 255.255.255.0
Maybe there is something else necessary to configure to force the Cisco 1841 router with software version
Cisco IOS Software, 1841 Software (C1841-ADVSECURITYK9-M), Version 12.4(3h), RELEASE SOFTWARE (fc2)
to do this. According to the Cisco docs I didn't find any other additional command to reach my goal.
If this is a bug in my software I'll know this and will stop investigating this problem.
12-30-2009 08:22 AM
Hi George,
In reality, the command "match identity address" in the ISAKMP profile indicates to whom the profile is applied. If the client doesn't hit that profile it continues with the next profile, until finally matching the legacy (no profile) configuration if it does not find a match in any profile.
Since this is a router, and you want to restrict the range of IP addresses permitted, you can do it with an ACL inbound on the interface where the crypto map is applied. ACLs on the router apply to traffic destined to the interface (not only through the interface).
Let me know if it helps!
Federico.
01-01-2010 01:57 PM
Thank you for the reply, but here is one important note: I have many VPNs on that router, and if I apply
an ACL restricting the IP range for the corresponding port, it will apply to all incoming traffic matching that port, so this ACL, as I understand it, will affect all the other VPNs with its restriction as well.
My aim is to restrict incoming sessions to only one certain VPN.
I'm sure there must be some kind of command or tool to do this; unfortunately I cannot find it in the documentation....
BR
George
01-03-2010 10:55 PM
As far as I'm aware, the only way to tell the router to accept or not accept remote VPN connections based on the incoming IP is using ACLs applied to the interface where the VPNs terminate (I understand that this will affect all VPNs)...
If you want to restrict an incoming VPN connection based on the IP that the remote connection is coming from, at a VPN profile level, I'm not aware of a way to do this...
Maybe, if you describe the entire picture and the reason why you're trying to accomplish this in this way, I (or someone else) can help you out with an alternative way to do this.
Federico.
01-04-2010 07:41 AM
Hey, I believe your answer could be DVTI.
You can use DVTI with a different virtual template for each group and then apply an ACL per virtual template, so that you can restrict which IP addresses can connect to each virtual template interface.
Let me know.
Federico.
01-04-2010 01:35 PM
Hello,
Yes, when I saw it I thought what you wrote, BUT when I created the virtual interface and applied an ACL, unfortunately it was restricting ONLY access to the networks which the VPN must see.
I tried even to deny all UDP in the same ACL
("access-group in" on the virtual-template interface), but the router did not pay any attention to DENY UDP ANY ANY; as it seems, it passes incoming sessions via the real interface and not the virtual one...
If you find any different config for this issue please let me know...
Thanks in advance...
And by the way, are there some Cisco people on the forum?
01-04-2010 01:53 PM
I'm going to try it myself with DVTIs to test....
If it does not work, the only thing that I can think of is using an ACS to authenticate the VPN clients and use attributes to deny connections from the incoming IP.
01-05-2010 02:11 PM
Hi George,
I did a test on a Cisco router with a DVTI configuration for a VPN client profile and it connects fine. Then I applied an ACL restricting the VPN connection from my IP address and it does not work (as you said)...
Maybe somebody else has other ideas on how to do this; if not, the only option I can think of is using an ACS as I mentioned to you before.
If you don't have an ACS, you can download an ACS license (version 4.2, because 5.x and above are only supported on appliances) and give it a try.
Let me know.
Federico.
01-06-2010 09:02 AM
Hi Federico, the problem with the virtual template solution is the following:
We must somehow force the router to accept VPN sessions on the virtual template interface. The router accepts sessions on the real interface and then refers to the virtual template interface; that is why an ACL restricting the real IP range is not working and an ACL restricting VPN access to the internal network is working.
And why doesn't the match identity address command do the restricting job? According to logic and the documentation I saw, the commands under crypto isakmp profile / match identity... are there to match the peer identity, I mean to compare whether the match identity group matches, for example, so if we configure match identity address it must check whether the IP addresses match as well... isn't it logical?
And by the way, is there any way to contact Cisco people about this strange issue?
BR
George
01-08-2010 06:03 AM
Hi George,
I don't know if there are Cisco guys in the forum; I certainly expect there to be.
As far as I can tell, the only way to accomplish this will be with an ACS, as I posted above.
If anybody else has other suggestions....
Federico.
01-08-2010 08:12 AM
Hi Federico,
The solution for this problem is the following:
Under crypto isakmp profile, the command match identity address *IP range*
This will work, but unfortunately not with all SW versions.
With a virtual template it will not work.
But anyway, if you find some other issues let me know.
By the way, how can Cisco people be found from time to time? I really have some peculiar questions.
How do you usually solve your Cisco problems which are listed neither in the docs nor anywhere else...?
BR
George
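As an added example (not from any post in this thread and not Cisco documentation), here is an IOS configuration sketch that puts the two approaches discussed above side by side: the per-profile "match identity address" restriction that George reports working on some IOS releases (but not on his 12.4(3h)), and the inbound interface ACL Federico suggested, which limits IKE and ESP from every peer terminating on that interface rather than from one group. The hostname, ACL and profile names, address ranges and the interface name are assumptions chosen for illustration.

```cisco
! Added example; names, addresses and the interface are assumed, not from the thread.
!
! Part 1: ISAKMP profile restricted to group NEWVPNGROUP *and* to peers in 192.0.2.0/24.
! The thread reports this per-profile address match honoured on some IOS releases only;
! on 12.4(3h) the router accepted the group from any source.
crypto isakmp profile NEWVPN
 match identity group NEWVPNGROUP
 match identity address 192.0.2.0 255.255.255.0
 client authentication list NEWVPNAUTH
 isakmp authorization list NEWVPNTHOR
 client configuration address respond
!
! Part 2: inbound ACL on the crypto interface (Federico's fallback).
! This filters IKE (UDP 500), NAT-T (UDP 4500) and ESP for ALL VPNs on the interface,
! so every other peer that must keep working needs its own permit line.
ip access-list extended IKE-PEERS
 remark remote-access clients allowed to negotiate IKE from this range
 permit udp 192.0.2.0 0.0.0.255 any eq isakmp
 permit udp 192.0.2.0 0.0.0.255 any eq non500-isakmp
 permit esp 192.0.2.0 0.0.0.255 any
 remark an assumed site-to-site peer that must not be cut off
 permit udp host 198.51.100.10 any eq isakmp
 permit udp host 198.51.100.10 any eq non500-isakmp
 permit esp host 198.51.100.10 any
 remark explicitly drop IKE/NAT-T/ESP from everyone else
 deny udp any any eq isakmp
 deny udp any any eq non500-isakmp
 deny esp any any
 remark ordinary routed traffic is unaffected
 permit ip any any
!
interface FastEthernet0/0
 description assumed outside interface carrying the crypto map
 ip access-group IKE-PEERS in
```

The explicit deny lines matter: without them the final "permit ip any any" would let IKE from unlisted peers through, since an ACL is evaluated top to bottom and the first match wins. After applying either part, "show crypto isakmp sa" and "show access-lists IKE-PEERS" (to watch the deny counters increment) are the quickest way to confirm that a client outside the range is rejected before, not after, it reaches the ISAKMP profile.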