
Configure alternate VPN WAN port on a Cisco 1921 ISR

gretnapd
Level 1

Does anyone know if it's possible to configure a 1911 Router with two ISP lines to run simultaneous client VPN connections (not failover, but using the 2nd ISP line as an alternative link)? And if so, what would a sample config look like?

Thanks

6 Replies

Marcin Latosiewicz
Cisco Employee

You can run something like that with VRF-lite (should be the easiest).

The concepts apply from here:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/prod_white_paper0900aecd8034be03_ps6658_Products_White_Paper.html

(tunnel VRF etc)

M.

Sounds good... not exactly clear, though, how I would implement that in relation to my current config. Any help would be greatly appreciated:

Current configuration : 10911 bytes

!

version 15.1

no service pad

service tcp-keepalives-in

service timestamps debug datetime

service timestamps log datetime localtime

service password-encryption

service compress-config

no service dhcp

!

hostname ******

!

boot-start-marker

boot system flash c1900-universalk9-mz.SPA.151-4.M.bin

boot-end-marker

!

!

security authentication failure rate 3 log

logging count

logging userinfo

logging buffered 32768

enable secret ******

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login userauthen local

aaa authentication login local_authen local

aaa authentication login AUTHEN_EZVPN local

aaa authorization exec default local

aaa authorization network groupauthor local

aaa authorization network AUTHOR_EZVPN local

!

aaa session-id common

!

clock timezone CST -6 0

clock summer-time CDT recurring

!

no ipv6 cef

no ip source-route

ip cef

!

no ip bootp server

ip domain name dasnms.net

ip host c2 10.0.1.1

ip name-server 8.8.8.8

login block-for 15 attempts 3 within 5

login quiet-mode access-class ACL_VTY_QUIET_MODE

login on-failure log

login on-success log

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

!

license udi pid CISCO1921/K9 sn ********

!

!

**********

!

redundancy inter-device

!

redundancy

!

ip tftp source-interface GigabitEthernet0/1

ip ssh source-interface GigabitEthernet0/1

!

crypto logging ezvpn

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

!

crypto isakmp client configuration group GROUP_MSB

key ************

domain ********

pool POOL_MSB

acl ACL_VPNC_MSB

crypto isakmp client configuration group GROUP_ADMIN

key *************!

domain *************

pool POOL_ADMIN

acl ACL_VPNC_ADMIN

banner ^CNOTICE TO USERS

crypto isakmp client configuration group GROUP_C2

key ************

domain *************

pool POOL_C2

acl ACL_VPNC_ADMIN

!

crypto isakmp client configuration group GROUP_C2_ADMIN

key ************

domain ****************

pool POOL_C2

acl ACL_VPNC_ADMIN

!

crypto isakmp client configuration group **********

key ************

domain****************

pool POOL_VZW

acl ACL_VPNC_VZW

crypto isakmp client configuration group **********

key ************

domain **************

pool POOL_MAINT

acl ACL_VPNC_MAINT

crypto isakmp profile ISAKMP_PROFILE_EZVPN

   match identity group GROUP_MSB

   match identity group GROUP_ADMIN

   match identity group GROUP_C2

   match identity group *************

   client authentication list AUTH_EZVPN

   isakmp authorization list AUTHOR_EZVPN

   client configuration address respond

   client configuration group GROUP_EZVPN

   virtual-template 1

!

crypto ipsec security-association idle-time 600

!

crypto ipsec transform-set TS_3DES_SHA esp-aes 256 esp-sha-hmac

!

crypto ipsec profile IPSEC_PROFILE_EZVPN

set transform-set TS_3DES_SHA

set isakmp-profile ISAKMP_PROFILE_EZVPN

!

!

crypto identity msb_amin

!

!

interface Loopback0

description VPN Clients VI

ip address 10.4.0.1 255.255.255.0

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description ISP

ip address x.x.x.x 255.255.255.0

ip access-group ACL_ISP_IN in

no ip redirects

no ip unreachables

ip accounting access-violations

ip nat outside

ip virtual-reassembly in

ip tcp adjust-mss 1400

duplex auto

speed auto

!

interface GigabitEthernet0/1

description ******

ip address 10.0.0.1 255.255.0.0 secondary

ip address 10.3.0.1 255.255.255.192

no ip redirects

ip accounting access-violations

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1/0

description Backup ISP

ip address x.x.x.x 255.255.255.0

ip access-group ACL_ISP_IN in

no ip redirects

no ip unreachables

ip accounting access-violations

ip nat outside

ip virtual-reassembly in

ip tcp adjust-mss 1400

duplex auto

speed auto

!

interface FastEthernet0/1/1

no ip address

ip access-group ACL_ISP_IN in

no ip redirects

no ip unreachables

ip accounting access-violations

ip nat outside

ip virtual-reassembly in

ip tcp adjust-mss 1400

shutdown

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

no ip unreachables

ip accounting access-violations

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC_PROFILE_EZVPN

!

ip local pool POOL_ADMIN 10.4.0.9 10.4.0.10

ip local pool POOL_MSB 10.4.0.2 10.4.0.6

ip local pool POOL_MAINT 10.4.0.15 10.4.0.16

ip local pool POOL_VZW 10.4.0.17 10.4.0.18

ip local pool POOL_C2 10.4.0.11 10.4.0.14

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat inside source list ACL_NAT interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 x.x.x.x

!

ip access-list extended ACL_INSIDE_IN

************************

permit ip 10.3.0.0 0.0.0.63 10.4.0.0 0.0.255.255

permit ip 10.0.0.0 0.0.255.255 10.4.0.0 0.0.255.255

permit ip host 10.3.0.126 any

permit ip host 10.0.1.1 any

ip access-list extended ACL_ISP_IN

remark Permit only incoming VPN Clients & SSH from Internet

permit esp any any

permit udp any eq isakmp any

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

permit tcp any any eq 22

permit tcp any eq 22 any

permit tcp any eq 22017 any

permit udp any eq domain any

permit tcp any eq smtp any

permit udp any eq ntp any

permit tcp any eq www any

ip access-list extended ACL_NAT

permit tcp host 10.0.1.1 any eq smtp

permit udp host 10.0.1.1 any eq domain

permit tcp host 10.0.1.1 any eq 22

permit icmp host 10.0.1.1 any

permit tcp host 10.0.1.1 any eq 22017

permit tcp host 10.0.1.1 any eq www

ip access-list extended ACL_VPNC_ADMIN

remark Allow NetAdmin VPNCs acess to all LANs

permit ip 10.0.0.0 0.0.255.255 any

permit ip 10.3.0.0 0.0.0.63 any

ip access-list extended ACL_VPNC_C2

remark Allow CSquared VPNCs (.13 - .14) access to C2 Server

permit ip host 10.0.1.1 10.4.0.12 0.0.0.3

permit ip host 10.0.1.1 10.4.0.8 0.0.0.3

ip access-list extended ACL_VPNC_MAINT

permit ip 10.0.0.0 0.0.255.255 any

permit ip 10.3.0.0 0.0.0.63 any

ip access-list extended ACL_VPNC_MSB

remark Allow MSB VPNCs (.2 - .16) access to C2 Server

permit ip host 10.0.1.1 10.4.0.0 0.0.0.7

ip access-list extended ACL_VPNC_VZW

remark Allow VZW VPNCs (.19 - .20) access to C2 Server

permit ip host 10.0.1.1 host 10.4.0.19

permit ip host 10.0.1.1 host 10.4.0.20

ip access-list extended ACL_VTY

permit ip 10.4.0.8 0.0.0.3 any

permit ip 192.168.1.0 0.0.0.255 any

permit ip host 98.175.139.179 any

permit ip host 74.165.233.90 any

permit ip host 10.3.0.126 any

ip access-list extended ACL_VTY_QUIET_MODE

remark Allow certain hosts VTY access during VTY lockouts

permit ip host 10.0.1.1 any

permit ip host 10.3.0.126 any

permit ip 10.4.0.8 0.0.0.3 any

!

logging source-interface GigabitEthernet0/1

access-list 1 permit 10.0.0.0 0.0.255.255

!

no cdp run

!

control-plane

!

no alias exec p

no alias exec s

alias exec sv copy run tftp://192.168.1.61

banner login ^CNOTICE TO USERS

*************************************

scheduler allocate 20000 1000

ntp source GigabitEthernet0/0

ntp master

ntp server north-america.pool.ntp.org

end

gretnapd
Level 1

Looks like I may have stumped just about everyone with this one (a CCIE and CCNP included). Is there no one out there who has their equipment set up with 2 ISP links (WAN ports) in the same router and the ability to VPN into either one at will? Is the solution mentioned above (VRF-lite) a viable one for this issue, or is there an easier/better route? (I'm CCNA but I'm completely stumped with this one.) Thanks

Eric,

Where are you stuck at the moment, what information are you missing?

M.

I've made the changes to the best of my ability but still nothing. When I do a 'show ip routes', I don't even see my backup ISP address space in the routing table.

Here is my config currently:

!

version 15.1

no service pad

service tcp-keepalives-in

service timestamps debug datetime

service timestamps log datetime localtime

service password-encryption

service compress-config

no service dhcp

!

hostname ****

!

boot-start-marker

boot system flash c1900-universalk9-mz.SPA.151-4.M.bin

boot-end-marker

!

!

security authentication failure rate 3 log

logging count

logging userinfo

logging buffered 32768

enable secret 5 **************

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login userauthen local

aaa authentication login local_authen local

aaa authentication login AUTHEN_EZVPN local

aaa authorization exec default local

aaa authorization network groupauthor local

aaa authorization network AUTHOR_EZVPN local

!

aaa session-id common

!

clock timezone CST -6 0

clock summer-time CDT recurring

!

no ipv6 cef

no ip source-route

ip cef

!

!

!

ip vrf vpn2-out

rd 100:1

!

!

!

no ip bootp server

ip domain name dasnms.net

ip host c2 10.0.1.1

ip name-server 8.8.8.8

login block-for 15 attempts 3 within 5

login quiet-mode access-class ACL_VTY_QUIET_MODE

login on-failure log

login on-success log

!

multilink bundle-name authenticated

!

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-3720048574

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3720048574

revocation-check none

rsakeypair TP-self-signed-3720048574

!

!

crypto pki certificate chain TP-self-signed-3720048574

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33373230 30343835 3734301E 170D3134 30313232 32333037

  31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37323030

  34383537 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100FAEB C2DF54C2 64D62BE9 5BA33AE4 ADE9470A 9C68D724 079A9B7D 23B92BA8

  942A87AC ABE085A0 4C9839B8 E02DE649 32230438 91EC0ABC F0AAE664 646471F9

        quit

license udi pid CISCO1921/K9 sn ****************

!

!

username msb privilege 0 password 7 071C244D5A0616

username c2_systems privilege 0 password 7 03175E0E121871

username mikeh privilege 15 secret 5 $1$FhdX$MhivPLmPOn2radl.a9R36/

username vzw privilege 0 password 7 13011105343A340414042B606631

username maint privilege 0 password 7 13041916190913

username msb_amin privilege 15 secret 5 $1$Weq6$SYLeycNJVNGRImsOdrpwr1

username msb_admin privilege 15 secret 5 $1$59j6$RBnQnPBuTWm1FaU1hPC8t0

!

redundancy inter-device

!

!

redundancy

!

!

!

!

ip tftp source-interface GigabitEthernet0/1

ip ssh source-interface GigabitEthernet0/1

!

crypto keyring vpn2 vrf vpn2-out

  pre-shared-key address 0.0.0.0 0.0.0.0 key cisco

crypto logging ezvpn

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

crypto isakmp keepalive 60

!

crypto isakmp client configuration group GROUP_MSB

key ****

domain nasnms.net

pool POOL_MSB

acl ACL_VPNC_MSB

banner ^CNOTICE TO USERS

THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Unauthorized or improper use of this system may result in

administrative disciplinary action and civil and criminal penalties.

By continuing to use this system you indicate your awareness of and

consent to these terms and conditions of use.   LOG OFF IMMEDIATELY

if you do not agree to the conditions stated in this warning.

                     ^C

!

crypto isakmp client configuration group GROUP_ADMIN

key ***********

domain nasnms.net

pool POOL_ADMIN

acl ACL_VPNC_ADMIN

banner ^CNOTICE TO USERS

THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Unauthorized or improper use of this system may result in

administrative disciplinary action and civil and criminal penalties.

By continuing to use this system you indicate your awareness of and

consent to these terms and conditions of use.   LOG OFF IMMEDIATELY

if you do not agree to the conditions stated in this warning.

                     ^C

!

crypto isakmp client configuration group GROUP_C2

key ******

domain nasnms.net

pool POOL_C2

acl ACL_VPNC_ADMIN

banner ^CNOTICE TO USERS

THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Unauthorized or improper use of this system may result in

administrative disciplinary action and civil and criminal penalties.

By continuing to use this system you indicate your awareness of and

consent to these terms and conditions of use.   LOG OFF IMMEDIATELY

if you do not agree to the conditions stated in this warning.

                     ^C

!

crypto isakmp client configuration group GROUP_C2_ADMIN

key ****

domain nasnms.net

pool POOL_C2

acl ACL_VPNC_ADMIN

!

crypto isakmp client configuration group DFW_VZW

key Druq8c8zaPrU66elea0

domain nasnms.net

pool POOL_VZW

acl ACL_VPNC_VZW

banner ^CCNOTICE TO USERS

THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Unauthorized or improper use of this system may result in

administrative disciplinary action and civil and criminal penalties.

By continuing to use this system you indicate your awareness of and

consent to these terms and conditions of use.   LOG OFF IMMEDIATELY

if you do not agree to the conditions stated in this warning.

                      ^C

!

crypto isakmp client configuration group DFW_MAINT

key ****

domain nasnms.net

pool POOL_MAINT

acl ACL_VPNC_MAINT

crypto isakmp profile ISAKMP_PROFILE_EZVPN

   match identity group GROUP_MSB

   match identity group GROUP_ADMIN

   match identity group GROUP_C2

   match identity group DFW_MAINT

   client authentication list AUTH_EZVPN

   isakmp authorization list AUTHOR_EZVPN

   client configuration address respond

   client configuration group GROUP_EZVPN

   virtual-template 1

crypto isakmp profile ISAKMP_PROFILE_EZVPN2

   match identity group GROUP_MSB

   match identity group GROUP_ADMIN

   match identity group GROUP_C2

   match identity group DFW_MAINT

   client authentication list AUTH_EZVPN

   isakmp authorization list AUTHOR_EZVPN

   client configuration address respond

   client configuration group GROUP_EZVPN

   virtual-template 2

!

crypto ipsec security-association idle-time 600

!

crypto ipsec transform-set TS_3DES_SHA esp-aes 256 esp-sha-hmac

crypto ipsec transform-set gre_set esp-3des esp-sha-hmac

mode transport

!

crypto ipsec profile IPSEC_PROFILE_EZVPN

set transform-set TS_3DES_SHA

set isakmp-profile ISAKMP_PROFILE_EZVPN

!

crypto ipsec profile IPSEC_PROFILE_EZVPN2

set transform-set TS_3DES_SHA

set isakmp-profile ISAKMP_PROFILE_EZVPN2

!

crypto ipsec profile gre_prof

set transform-set gre_set

set isakmp-profile ISAKMP_PROFILE_EZVPN

!

!

crypto identity msb_amin

!

!

!

!

!

!

interface Loopback0

description VPN Clients VI

ip address 10.4.0.1 255.255.255.0

!

interface Tunnel1

no ip address

shutdown

tunnel source FastEthernet0/1/0

tunnel mode ipsec ipv4

tunnel vrf vpn2-out

tunnel protection ipsec profile gre_prof

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description ISP

ip address x.x.229.28 255.255.255.0

ip access-group ACL_ISP_IN in

no ip redirects

no ip unreachables

ip accounting access-violations

ip nat outside

ip virtual-reassembly in

ip tcp adjust-mss 1400

duplex auto

speed auto

!

interface GigabitEthernet0/1

description NOC_0

ip address 10.0.0.1 255.255.0.0 secondary

ip address 10.3.0.1 255.255.255.192

no ip redirects

ip accounting access-violations

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

!

interface FastEthernet0/1/0

description Backup ISP

ip vrf forwarding vpn2-out

ip address y.y.15.237 255.255.255.0

ip access-group ACL_ISP_IN in

no ip redirects

no ip unreachables

ip accounting access-violations

ip nat outside

ip virtual-reassembly in

ip tcp adjust-mss 1400

duplex auto

speed auto

!

interface FastEthernet0/1/1

ip address 192.168.14.90 255.255.255.0

ip access-group ACL_ISP_IN in

no ip redirects

no ip unreachables

ip accounting access-violations

ip nat outside

ip virtual-reassembly in

ip tcp adjust-mss 1400

shutdown

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

no ip unreachables

ip accounting access-violations

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC_PROFILE_EZVPN

!

interface Virtual-Template2 type tunnel

ip unnumbered Loopback0

no ip unreachables

ip accounting access-violations

tunnel vrf vpn2-out

tunnel protection ipsec profile IPSEC_PROFILE_EZVPN2

!

router ospf 254 vrf vpn2-out

network y.y.15.0 0.0.0.255 area 0

!

ip local pool POOL_ADMIN 10.4.0.9 10.4.0.10

ip local pool POOL_MSB 10.4.0.2 10.4.0.6

ip local pool POOL_MAINT 10.4.0.15 10.4.0.16

ip local pool POOL_VZW 10.4.0.17 10.4.0.18

ip local pool POOL_C2 10.4.0.11 10.4.0.14

ip forward-protocol nd

!

no ip http server

no ip http secure-server

!

ip nat inside source list ACL_NAT interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 x.x.229.1

!

ip access-list extended ACL_INSIDE_IN

remark Allow only DFW & NOC LANs to talk to VPN Clients

permit ip 10.3.0.0 0.0.0.63 10.4.0.0 0.0.255.255

permit ip 10.0.0.0 0.0.255.255 10.4.0.0 0.0.255.255

permit ip host 10.3.0.126 any

permit ip host 10.0.1.1 any

ip access-list extended ACL_ISP_IN

remark Permit only incoming VPN Clients & SSH from Internet

permit esp any any

permit udp any eq isakmp any

permit udp any any eq isakmp

permit udp any any eq non500-isakmp

permit tcp any any eq 22

permit tcp any eq 22 any

permit tcp any eq 22017 any

permit udp any eq domain any

permit tcp any eq smtp any

permit udp any eq ntp any

permit tcp any eq www any

ip access-list extended ACL_NAT

permit tcp host 10.0.1.1 any eq smtp

permit udp host 10.0.1.1 any eq domain

permit tcp host 10.0.1.1 any eq 22

permit icmp host 10.0.1.1 any

permit tcp host 10.0.1.1 any eq 22017

permit tcp host 10.0.1.1 any eq www

ip access-list extended ACL_VPNC_ADMIN

remark Allow NetAdmin VPNCs acess to all LANs

permit ip 10.0.0.0 0.0.255.255 any

permit ip 10.3.0.0 0.0.0.63 any

ip access-list extended ACL_VPNC_C2

remark Allow CSquared VPNCs (.13 - .14) access to C2 Server

permit ip host 10.0.1.1 10.4.0.12 0.0.0.3

permit ip host 10.0.1.1 10.4.0.8 0.0.0.3

ip access-list extended ACL_VPNC_MAINT

permit ip 10.0.0.0 0.0.255.255 any

permit ip 10.3.0.0 0.0.0.63 any

ip access-list extended ACL_VPNC_MSB

remark Allow MSB VPNCs (.2 - .16) access to C2 Server

permit ip host 10.0.1.1 10.4.0.0 0.0.0.7

ip access-list extended ACL_VPNC_VZW

remark Allow VZW VPNCs (.19 - .20) access to C2 Server

permit ip host 10.0.1.1 host 10.4.0.19

permit ip host 10.0.1.1 host 10.4.0.20

ip access-list extended ACL_VTY

permit ip 10.4.0.8 0.0.0.3 any

permit ip 192.168.1.0 0.0.0.255 any

permit ip host 10.3.0.126 any

ip access-list extended ACL_VTY_QUIET_MODE

remark Allow certain hosts VTY access during VTY lockouts

permit ip host 10.0.1.1 any

permit ip host 10.3.0.126 any

permit ip 10.4.0.8 0.0.0.3 any

!

logging source-interface GigabitEthernet0/1

access-list 1 permit 10.0.0.0 0.0.255.255

!

no cdp run

!

!

!

!

!

!

!

control-plane

!

!

no alias exec p

no alias exec s

alias exec sv copy run tftp://192.168.1.61

banner login ^CNOTICE TO USERS

THIS IS A PRIVATE COMPUTER SYSTEM. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Unauthorized or improper use of this system may result in

administrative disciplinary action and civil and criminal penalties.

By continuing to use this system you indicate your awareness of and

consent to these terms and conditions of use.   LOG OFF IMMEDIATELY

if you do not agree to the conditions stated in this warning.

^C

!

line con 0

exec-timeout 15 0

transport output all

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class ACL_VTY in

password 7 0831

transport input ssh

transport output ssh

line vty 5 15

access-class ACL_VTY in

password 7 095C

transport input ssh

transport output ssh

!

scheduler allocate 20000 1000

ntp source GigabitEthernet0/0

ntp master

ntp server north-america.pool.ntp.org

end

!

NOTE: I've tried different versions of this config and still nothing. If there is another route to take (or way to fix what I've done), please let me know. Thanks

Well, remember that VRF is basically separation of L2/L3 tables.

vpn2-out is your secondary VRF.

show ip route vrf vpn2-out

would be the way to check routing in that VRF.

conf t

ip route vrf vpn2-out ....

would be the way to add routing inside that VRF.

Edit:

For IPsec profile, make sure you bind IKEv1 and IPsec profiles together for specific VRF.
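
The two points in the reply above (routing lives inside the VRF, and the IKEv1 and IPsec profiles must be bound to the tunnel that sits in that VRF) can be checked mechanically against a saved config. The following is an added example, not part of the original thread and not Cisco tooling; the sample config is constructed in the shape of the one posted, `192.0.2.1` is a placeholder next hop, and the `tunnel mode ipsec ipv4` check is an extra comparison against what Virtual-Template1 carries.

```python
import re

# Constructed sample, trimmed to the shape of the second config in the thread.
# Assumes `show running-config` indentation (sub-commands start with a space).
SAMPLE = """\
crypto isakmp profile ISAKMP_PROFILE_EZVPN
 virtual-template 1
crypto isakmp profile ISAKMP_PROFILE_EZVPN2
 virtual-template 2
crypto ipsec profile IPSEC_PROFILE_EZVPN
 set isakmp-profile ISAKMP_PROFILE_EZVPN
crypto ipsec profile IPSEC_PROFILE_EZVPN2
 set isakmp-profile ISAKMP_PROFILE_EZVPN2
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN
interface Virtual-Template2 type tunnel
 tunnel vrf vpn2-out
 tunnel protection ipsec profile IPSEC_PROFILE_EZVPN2
ip route 0.0.0.0 0.0.0.0 192.0.2.1
"""

def parse_sections(text):
    """Group indented sub-commands under the top-level line above them."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            current = (raw.strip(), [])
            sections.append(current)
        elif current:
            current[1].append(raw.strip())
    return sections

def first_arg(body, prefix):
    """Return the text after `prefix` on the first matching sub-command."""
    for line in body:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None

def audit(text):
    """Return (virtual-template number, finding) pairs for tunnel templates."""
    sections = parse_sections(text)
    # Static routes only; routes learned dynamically are not visible in a config.
    routed = {h.split()[3] for h, _ in sections if h.startswith("ip route vrf ")}
    isakmp = {h.split()[3]: b for h, b in sections if h.startswith("crypto isakmp profile ")}
    ipsec = {h.split()[3]: b for h, b in sections if h.startswith("crypto ipsec profile ")}
    findings = []
    for head, body in sections:
        m = re.match(r"interface Virtual-Template(\d+) type tunnel", head)
        if not m:
            continue
        vt, fvrf = m.group(1), first_arg(body, "tunnel vrf ")
        if fvrf and fvrf not in routed:
            findings.append((vt, f"no 'ip route vrf {fvrf}' entry"))
        if "tunnel mode ipsec ipv4" not in body:
            findings.append((vt, "no 'tunnel mode ipsec ipv4'"))
        # Follow template -> IPsec profile -> ISAKMP profile -> template.
        prof = first_arg(body, "tunnel protection ipsec profile ")
        ike = first_arg(ipsec.get(prof, []), "set isakmp-profile ")
        back = first_arg(isakmp.get(ike, []), "virtual-template ")
        if back != vt:
            findings.append((vt, f"profile chain {prof} -> {ike} ends at virtual-template {back}"))
    return findings

if __name__ == "__main__":
    for vt, msg in audit(SAMPLE):
        print(f"Virtual-Template{vt}: {msg}")
```

On the router itself, `show ip route vrf vpn2-out` remains the authoritative view of what the VRF can reach; the script only reports what is missing from the static configuration.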