05-04-2021 11:18 AM
I am trying to create a simple VPN server for my home lab using a Cisco router 1941 or 3945 (I have access to both).
When you design a Dynamic VTI hub-and-spoke configuration, does the spoke have to be a Cisco router? Can it be any VPN client such as the Windows native VPN, or does it have to be AnyConnect?
I want to be able to tunnel in from multiple VPN clients (spokes) such as Windows/iOS clients etc. to the home lab router (hub).
Or is something like Easy VPN dynamic VTI more applicable to my need?
Any help would be much appreciated.
Many thanks.
05-04-2021 11:30 AM - edited 05-04-2021 11:58 AM
You will want to configure FlexVPN; the spoke does not need to be a router. FlexVPN does support using a Windows native VPN client instead of AnyConnect, here is the guide.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html
https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
05-06-2021 05:21 AM
Ok then, so I assume your 1941 or 3945 routers do not have the security license.
Create a new post once you receive your new hardware and have actual issues when configuring. Mark this post as solved/helpful.
05-05-2021 07:15 AM - edited 05-05-2021 07:17 AM
Hi,
Thank you so much for this!
1. Is IKEv2 supported on the latest IOS for the 1941 or 3945?
2. The source of my tunnel is an ISP-based AP/router, which will be connected to the Cisco router and used as a WAN interface on one of the gigabit interfaces?
I am planning to use this configuration for the FlexVPN (hub) server later. Will it work?
Loopback 192.168.10.1/24(emulate LAN)----HUB(1941or3945)---->gig0/0<----ISP router
hostname FLEX-SERVER
!
aaa new-model
aaa authorization network IKE_LIST local
!
! IKEv2 authorization policy: pushes the route(s) in PROTECTED_ACL to the peer
crypto ikev2 authorization policy default
 route set access-list PROTECTED_ACL
!
! keyring matching any peer address with a pre-shared key
crypto ikev2 keyring ANY
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco
!
! IKEv2 profile for the hub: any remote identity, PSK both ways, tunnels cloned from Virtual-Template1
crypto ikev2 profile FLEX_SERVER_PROF
 match identity remote address 0.0.0.0
 identity local address 10.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local ANY
 aaa authorization group psk list IKE_LIST default
 virtual-template 1
!
crypto ipsec profile default
 set ikev2-profile FLEX_SERVER_PROF
!
! emulated LAN
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
! WAN-facing interface towards the ISP router
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
! template from which each spoke's virtual-access interface is created
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
! prefix advertised to the spokes via IKEv2 routing
ip access-list standard PROTECTED_ACL
 permit 192.168.10.0 0.0.0.255
!
Many thanks again!
05-05-2021 07:26 AM
Yes, IKEv2 will be supported on those ISR G2 routers.
You may wish to specify the IKEv2 proposal and IPsec transform set manually on each router; the defaults may change depending on the different version each router is running.
Normally I'd specify a loopback interface for the ip unnumbered interface, rather than the outside/external physical interface.
05-05-2021 07:49 AM
05-05-2021 07:58 AM
Yes.
Use EIGRP or BGP, instead of OSPF. If you use a dynamic routing protocol, you no longer need IKEv2 authorisation to push out the IKEv2 routes (as defined in your ACL PROTECTED_ACL) to the remote peer.
05-05-2021 10:11 AM
Again, many thanks for this Rob!
I am about to test this practically in an hour or so. I will give feedback on this ASAP!
1. The only confusion I am having is, since I will be using my ISP vDSL router/AP as a WAN interface for the ISR router, the ISP router's local address is 192.168.0.1/24, and the physical interface on the router that it's connected to will be configured as gig0/0 192.168.0.254/24, same subnet of course.
Now the public IP address is provided by the ISP to their vDSL router/AP.
What I am trying to say is, when setting up the native Windows VPN client in order to connect to the above hub configuration for example, will I use the public IP address as the VPN server address?
2. The other issue is the ISP public address might be a dynamic address (seems static for the last two weeks lol).
Does this mean I will probably need to configure a DNS server like No-IP, which can be integrated into IOS I believe?
3. Do I need a license in order to use IKEv2 on the 1941 or 3945?
05-05-2021 10:18 AM
You will need NAT set up on the ISP router, which translates the public IP address to the gig0/0 interface IP address of the Cisco router. The client will connect to the public IP address. Yes, you'd need some kind of IP/DNS setup.
You'll need the security license on the router.
Going back to dynamic routing protocol, you won't be able to set this up to a Windows client, you'll need to continue to use IKEv2 routing. Dynamic routing will only work if both devices are routers.
05-08-2021 03:16 AM - edited 05-08-2021 03:17 AM
@Rob Ingram Just curious, on your recommendation to use EIGRP or BGP instead of OSPF?
Is there any specific reason as to why you made that recommendation in this particular scenario?
I am just working on gaining my CCNA, and the new syllabus only covers one dynamic routing protocol, OSPF?
But I noticed a lot of people having issues with OSPF and tunnels generally.
05-08-2021 04:39 AM
Cisco recommend using BGP or EIGRP.
OSPF (a link-state protocol) requires every router running OSPF to have an identical and up-to-date OSPF database; any routing change is replicated to all routers. Even if there are no routing changes, route updates are sent at regular intervals to all OSPF routers.
EIGRP doesn't need to know about all the routers and has a unique topology table; any changes are not replicated amongst the other routers running EIGRP. EIGRP does not send periodic updates. EIGRP is less chatty, which can be useful in large VPN designs.
05-09-2021 08:08 AM - edited 05-09-2021 08:15 AM
05-05-2021 10:38 AM - edited 05-05-2021 10:41 AM
Ok.
How do I set up NAT on the ISP router? It's cheap plastic, you know, these consumer-based ISP routers/APs barely have any functionality.
I know how to set up NAT on a Cisco router (inside/outside); is that what you mean?
05-05-2021 10:57 AM
You will need NAT set up on the ISP router: translate the public IP address to the outside interface of the router, and you need to forward UDP/500 and UDP/4500. You'll have to figure out how to do that yourself; I don't know how to configure whatever cheap plastic consumer ISP router you have.
05-06-2021 12:04 AM - edited 05-06-2021 12:05 AM
Hi there again,
NAT (overload) is already on these ISP-based routers by default. There isn't any configuration for NAT, just DMZ and other stuff like UPnP.
I am certain PAT is already there, otherwise only one of my devices would have been online.
So from the Cisco router gig0/0 (192.168.0.254) I can ping the router (192.168.0.1). I can also ping the outside 8.8.8.8 from the router (going out and received via gig0/0, which is the ISP router).
Subsequently, the Cisco router has got connectivity to the internet. Does this sound good to go?
In regards to the license, my 1941 has K9/v05. Does the K9 represent the security license?
I am very grateful for this. Many thanks.
05-06-2021 12:34 AM
No, PAT will be used for outbound NAT, providing you with internet access. You need a static NAT inbound, to map your public IP address on the ISP router to the private IP address of the Cisco router, using the ports I previously provided.
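The consumer ISP box in this thread is not IOS, but as an added illustration (not Rob's or the original poster's configuration) this is what the inbound static NAT described above looks like on an IOS edge router, so it is clear what the consumer GUI's "port forwarding"/"virtual server" page has to achieve: the two UDP ports that IKEv2 (UDP/500) and NAT-T/ESP-in-UDP (UDP/4500) use are mapped from the public-facing interface to the hub's 192.168.0.254. The interface names Dialer0 and GigabitEthernet0/1 are assumptions for the ISP-facing and LAN-facing sides.

```cisco
! public-facing side (assumed interface name)
interface Dialer0
 ip nat outside
!
! LAN side where the FlexVPN hub (192.168.0.254) sits (assumed interface name)
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
! outbound PAT for general internet access (what the ISP box already does by default)
ip access-list standard LAN_HOSTS
 permit 192.168.0.0 0.0.0.255
ip nat inside source list LAN_HOSTS interface Dialer0 overload
!
! inbound static port mappings: only IKE and NAT-T are exposed, not the whole host
ip nat inside source static udp 192.168.0.254 500 interface Dialer0 500
ip nat inside source static udp 192.168.0.254 4500 interface Dialer0 4500
```

`show ip nat translations` then lists the two static entries permanently, and a dynamic entry appears for each remote client once it starts negotiating with the hub. Mapping only UDP/500 and UDP/4500 (rather than a DMZ host setting) keeps every other port on the hub unreachable from the internet.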