Easy VPN

waple02
Level 1

Can anyone help me with my lab? What I want to achieve is that while I'm connected with a VPN client I am able to ping the 10.77.241.157 network. I already included these three points in my configuration.

1. key sdmsdm
   pool SDM_POOL_1
   acl 100
   netmask 255.255.255.0

2. access-list 100 permit ip any 192.168.2.0 0.0.0.255

3. ip route 192.0.0.0 255.255.255.0 s2/0

Configuration Procedure

Complete these steps to configure the Cisco router as a remote VPN server using SDM.

  1. Select Configure > VPN > Easy VPN Server from the Home window and click Launch Easy VPN Server Wizard.

  2. AAA must be enabled on the router before the Easy VPN Server configuration starts. Click Yes to continue with the configuration.

    The 'AAA has been successfully enabled on the router' message displays on the window. Click OK to start the Easy VPN Server configuration.

  3. Click Next to start the Easy VPN Server Wizard.

  4. Select the interface on which the client connections terminate and the authentication type.

  5. Click Next to configure the Internet Key Exchange (IKE) policies and use the Add button to create the new policy.

    Configurations on both sides of the tunnel must match exactly. However, the Cisco VPN Client automatically selects the proper configuration for itself. Therefore, no IKE configuration is necessary on the client PC.

  6. Click Next to choose the default transform set or add the new transform set to specify the encryption and authentication algorithm. In this case, the default transform set is used.

  7. Click Next to create a new Authentication, Authorization, and Accounting (AAA) authorization network method list for group policy lookup or to choose an existing network method list used for group authorization.

  8. Configure user authentication on the Easy VPN Server.

    You can store user authentication details on an external server such as a RADIUS server or a local database or on both. An AAA login authentication method list is used to decide the order in which user authentication details should be searched.

  9. This window allows you to add, edit, clone, or delete user group policies on the local database.

  10. Enter a name for the Tunnel Group Name. Supply the pre-shared key used for authentication information.

    Create a new pool or select an existing pool used to allocate the IP addresses to the VPN Clients.

  11. This window shows a summary of the actions that you have taken. Click Finish if you are satisfied with your configuration.

  12. The SDM sends the configuration to the router to update the running configuration. Click OK to complete.

  13. After completion, you can edit and modify the changes in the configuration, if needed.

    Router Configuration (VPN Server)

    Building configuration...
    
    Current configuration : 3336 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    aaa new-model
    !
    
    !--- In order to set AAA authentication at login, use the aaa authentication login 
    !--- command in global configuration mode.
    
    aaa authentication login default local
    
    !--- Here, list name "sdm_vpn_xauth_ml_1" is specified for 
    !--- the authentication of the clients.
    
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local 
    aaa authorization network sdm_vpn_group_ml_1 local 
    !
    aaa session-id common
    !
    resource policy
    !
    !
    !
    ip cef
    !
    !
    !
    !
    !--- The RSA certificate generates after the 
    !--- ip http secure-server command is enabled.
    
    crypto pki trustpoint TP-self-signed-392370502
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-392370502
     revocation-check none
     rsakeypair TP-self-signed-392370502
    !
    !
    crypto pki certificate chain TP-self-signed-392370502
     certificate self-signed 01
      3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
      30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
      69666963 6174652D 33393233 37303530 32301E17 0D303530 39323130 30323135 
      375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
      532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3339 32333730 
      35303230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
      ED61BD43 0AD90559 2C7D7DB1 BB3147AA 784F3B46 9E63E63C 5CD61976 6BC46596 
      DB1AEB44 46644B18 8A890604 489B0447 B4B5C702 98272464 FFFD5511 A4BA79EC 
      239BCEA2 823F94EE 438B2E0A 5D90E9ED 8158BC8D 04F67C21 AEE1DB6F 046A0EF3 
      4C8798BE 0A171421 3FD5A690 7C735751 E7C58AA3 FB4CCE4F 5930212D 90EB4A33 
      02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D 
      11040A30 08820652 6F757465 72301F06 03551D23 04183016 8014B278 183F02DF 
      5000A124 124FEF08 8B704656 15CD301D 0603551D 0E041604 14B27818 3F02DF50 
      00A12412 4FEF088B 70465615 CD300D06 092A8648 86F70D01 01040500 03818100 
      C12AB266 0E85DAF6 264AC86F 27761351 E31DF628 BE7792B2 991725ED AAB3BABE 
      B1F1C6CA 7E5C0D19 B9793439 E5AECC78 C5ECBE56 871EB4D3 39B60AD1 AB0B97FE 
      515B4CC6 81BEE802 DC02BD1B A0D10EE9 0FD79D72 B44C0143 6E39C06B D9178590 
      57D02A8F 750DA100 ABEEB1F1 B02A8B1F B746942B 892D1514 B2CC9D58 A28F08E2
      quit
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    
    !--- Creates a user account with all privileges.
    
    username sdmsdm privilege 15 password 0 sdmsdm
    !
    ! 
    
    !--- Creates an isakmp policy 1 with parameters like 
    !--- 3des encryption, pre-share key authentication, and DH group 2.
    
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    
    crypto isakmp client configuration group vpn
    
    !--- Defines the pre-shared key as sdmsdm.
    
     key sdmsdm
     pool SDM_POOL_1
     acl 100
     netmask 255.255.255.0
    !
    
    !--- Defines transform set parameters.
    
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
    !
    crypto dynamic-map SDM_DYNMAP_1 1
     set transform-set ESP-3DES-SHA 
     reverse-route
    !
    
    !--- Specifies the crypto map parameters.
    
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    !
    interface Ethernet0/0
     no ip address
     shutdown
     half-duplex
    !
    interface FastEthernet1/0
     ip address 10.77.241.157 255.255.255.192
     duplex auto
     speed auto
    !
    interface Serial2/0
     ip address 10.1.1.1 255.255.255.0
     no fair-queue
    
    !--- Applies the crypto map SDM_CMAP_1 to the interface.
    
     crypto map SDM_CMAP_1
    !
    interface Serial2/1
     no ip address
     shutdown
    !
    interface Serial2/2
     no ip address
     shutdown
    !
    interface Serial2/3
     no ip address
     shutdown
    
    !--- Creates a local pool named SDM_POOL_1 for issuing IP 
    !--- addresses to clients.
    
    ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
    ip route 192.0.0.0 255.255.255.0 s2/0
    
    !--- Commands for enabling http and https required to launch SDM.
    
    ip http server
    ip http secure-server
    access-list 100 permit ip any 192.168.2.0 0.0.0.255
    
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password cisco
    !
    !
    end

Verify

Attempt to connect to the Cisco router using the Cisco VPN Client in order to verify that the Cisco router is successfully configured.

  1. Select Connection Entries > New.

  2. Fill in the details of your new connection.

    The Host field should contain the IP address or hostname of the tunnel end point of the Easy VPN Server (Cisco router). The Group Authentication information should correspond to that used in step 9. Click Save when you are finished.

  3. Select the newly created connection and click Connect.

  4. Enter a username and password for extended authentication (Xauth). This information is determined by the Xauth parameters in step 7.

  5. Once the connection is successfully established, select Statistics from the Status menu to verify the details of the tunnel. The Statistics window shows traffic and crypto information, and split tunneling information if configured.

  6. Select Log > Log Settings to enable the log levels in the Cisco VPN Client.

  7. Select Log > Log Windows to view the log entries in the Cisco VPN Client.

17 Replies

Hi,

Four steps to solve the problem.

1. Check that phase 1 is established with the command ''sh cry isa sa''
2. Check that there's traffic passing thru the tunnel ''sh cry ips sa'' will
show packets encrypted/decrypted.
3. Try to PING 10.77.241.157 (F1/0) from the VPN client.
4. If successful, then check that the 10.77.241.x network has a default gateway pointing
to the router, or at least a route back to the VPN pool.

Hope it helps.

Federico.

Hi Federico,

   Thanks for your help, actually I'm in the learning process of Cisco. When I try to ping the 10.77.241.157 network I still cannot ping. Did I configure my lab right? Did I forget to add something to my configuration?

aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
memory-size iomem 5
!
!
ip cef
!
!
crypto pki trustpoint TP-self-signed-241257058
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-241257058
revocation-check none
rsakeypair TP-self-signed-241257058
!
!
crypto pki certificate chain TP-self-signed-241257058
certificate self-signed 01
  3082023C 308201A5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32343132 35373035 38301E17 0D303230 33303130 30303733
  395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3234 31323537
  30353830 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  AD92048D C55E2C3E 1E22EA00 DE5B0E04 C80FA18C 14C331F0 C3A16994 13164B11
  A2E30365 DDC30662 5C99128F B8225640 7E12AC9E 0379C062 5EBB659C DBF995CD
  7E6C0523 7EAC784B 426C6BC9 7C9843EF 82369EA6 3785A587 E1C3B5A9 2100E828
  4CB9BBF1 5EF545DA 2B11474F 6031A7C9 1DB9307C F7F537A5 53F87FFA D461018B
  02030100 01A36630 64300F06 03551D13 0101FF04 05300301 01FF3011 0603551D
  11040A30 08820652 6F757465 72301F06 03551D23 04183016 8014A988 F09E31AE
  31EB9A5E 129A4C07 127B94C8 9292301D 0603551D 0E041604 14A988F0 9E31AE31
  EB9A5E12 9A4C0712 7B94C892 92300D06 092A8648 86F70D01 01040500 03818100
  A39041C4 BF352A66 B6D10B34 7954FB11 DCF9DAD7 FE5640DD 39C3239F 0F150673
  EA2C6E2E 1A5544E6 90CB49C5 0A39AED3 CD5CAA87 AF8212C3 B2F43F7B 36081299
  45A5D5E6 5A6D6BB7 E3D59ADA F185F87B C99361FF 0A69575C 92059405 FAD61A7F
  66E4FD07 C0487214 D82C439A 24933A3D BBC6C0DE BA6CEDD3 B35004F4 DF50A647
  quit
!
!
!
!
!
!
!
!
!
!
!
username test privilege 15 password 0 test
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key sdmsdm
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 10.77.241.157 255.255.255.192
duplex auto
speed auto
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip http server
ip http secure-server
ip route 192.0.0.0 255.255.255.0 FastEthernet0/0
!
!
!
access-list 100 permit ip any 192.168.2.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

Here's my GNS3 setup.

Walter,

The access-list is probably what's holding you up. It doesn't require an entry for your IP address pool address. You want to define "interesting traffic" between the remote client and the VPN endpoint. Delete the current "permit" for 192.168.2, add the following, and you should be able to ping. This assumes that 10.77.241.157 is a host on the other side of your VPN device. For the sake of the example, I'll assume that you want to access all devices in the 10.77.241.0/24 network.

access-list 100 permit ip any 10.77.241.0 0.0.0.255

The purpose of the acl argument in the isakmp client configuration group is to only tunnel traffic meant for the protected network and to allow all other traffic to route normally. For example, I want my remote clients to be able to browse the internet without the traffic passing FOUR TIMES across my VPN router (HTTP request IN, HTTP request out, HTTP reply in, HTTP reply out). It's called split-tunneling. So, when I open my web browser and type google.com, the IP address doesn't resolve to my permit statement(s) in the access-list, so my browser directly connects to google.com. Instead, if I type the address of an Intranet server at the company--10.77.241.100 let's say--that address IS in the access-list and so my request is encrypted and routed through the VPN tunnel to the server with that address.

Greg
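The split-tunnel decision Greg describes is mechanical: the client receives the ACL named by the `acl` statement of the group policy and sends only matching destinations into the tunnel. The Python below is an added example, not code from anyone's post or from Cisco, that models that decision with IOS wildcard-mask semantics. The ACL lines and destinations are constructed for the example: the pool-only ACL from the original question, Greg's /24 entry, and a narrower entry for the /26 that fa0/1 (mask 255.255.255.192) sits in; 203.0.113.10 is a documentation-range stand-in for an Internet host.

```python
"""Added example: which destinations an Easy VPN client sends into the tunnel.

Models the split-tunnel decision described in the thread: the ACL named by the
'acl' statement in the group policy is pushed to the client, and only traffic
whose destination matches a permit entry is encrypted; everything else routes
normally. All ACL lines and addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """Destination part of one 'access-list <n> permit ip any <network> <wildcard>' line."""
    dst_network: int   # destination network as a 32-bit integer
    dst_wildcard: int  # IOS wildcard mask: 0 bit = must match, 1 bit = don't care


def parse_acl_line(line: str) -> AclEntry:
    """Parse the numbered extended ACL shape used in the thread.

    Only 'access-list <n> permit ip any <network> <wildcard>' is accepted;
    other shapes (named ACLs, explicit sources, ports) raise ValueError.
    """
    tokens = line.split()
    if (len(tokens) != 7 or tokens[0] != "access-list" or tokens[2] != "permit"
            or tokens[3] != "ip" or tokens[4] != "any"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    return AclEntry(int(ipaddress.IPv4Address(tokens[5])),
                    int(ipaddress.IPv4Address(tokens[6])))


def matches(entry: AclEntry, dst: str) -> bool:
    """Wildcard match: every bit that is 0 in the wildcard must equal the network bit."""
    addr = int(ipaddress.IPv4Address(dst))
    care_bits = ~entry.dst_wildcard & 0xFFFFFFFF
    return ((addr ^ entry.dst_network) & care_bits) == 0


def route_decision(acl: list[AclEntry], dst: str) -> str:
    """'tunnel' if any entry permits the destination, otherwise 'direct' (split tunnel)."""
    return "tunnel" if any(matches(entry, dst) for entry in acl) else "direct"


def as_prefix(entry: AclEntry) -> str:
    """Render a contiguous wildcard entry as CIDR, e.g. wildcard 0.0.0.63 -> /26."""
    wildcard = entry.dst_wildcard
    if wildcard & (wildcard + 1):          # not of the form 2**k - 1
        return "non-contiguous wildcard"
    prefixlen = 32 - wildcard.bit_length()
    base = entry.dst_network & (~wildcard & 0xFFFFFFFF)
    return str(ipaddress.IPv4Network((base, prefixlen)))


# Constructed inputs: the pool-only ACL from the original question, the /24
# suggestion, and a narrower entry for the /26 that fa0/1 (255.255.255.192) sits in.
ACL_VARIANTS = {
    "pool-only": "access-list 100 permit ip any 192.168.2.0 0.0.0.255",
    "lan-24": "access-list 100 permit ip any 10.77.241.0 0.0.0.255",
    "lan-26": "access-list 100 permit ip any 10.77.241.128 0.0.0.63",
}
# 203.0.113.10 is a documentation-range (TEST-NET-3) stand-in for an Internet host.
DESTINATIONS = ["10.77.241.157", "10.77.241.100", "203.0.113.10"]


def decision_table() -> dict[str, dict[str, str]]:
    """ACL variant -> destination -> 'tunnel' | 'direct'."""
    table = {}
    for name, line in ACL_VARIANTS.items():
        entry = parse_acl_line(line)
        table[name] = {dst: route_decision([entry], dst) for dst in DESTINATIONS}
    return table


if __name__ == "__main__":
    for name, line in ACL_VARIANTS.items():
        print(f"{name}: {line}  -> {as_prefix(parse_acl_line(line))}")
        for dst, decision in decision_table()[name].items():
            print(f"    {dst:>15}  {decision}")
```

The table makes the two points of the post visible: with the pool-only ACL nothing destined for 10.77.241.x is ever encrypted, so the ping never enters the tunnel, and with the narrower /26 entry a host such as 10.77.241.100 falls outside the permitted range and goes direct, even though it is in the same /24 as the router's interface.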

Hi Greg,

I already have the following commands in my configuration, but I still can't ping the 10.77.241.0 network. Did I forget to include something in my configuration?


1. key sdmsdm
   pool SDM_POOL_1
   acl 100
   netmask 255.255.255.0

2. access-list 100 permit ip any 10.77.241.0 0.0.0.255

3. ip route 10.77.241.0 255.255.255.192 s0/0

Hi Walter,

Do you have another router or device attached to fa0/1 in GNS3? If not, the interface might not be fully up. Do a "show ip int brief" and if fa0/1 is "up down," you might just need to add a device so the interface is fully up.

By the way, get rid of that "ip route 10.77.241.0 255.255.255.192 s0/0" command. Since that is a directly connected route, it isn't necessary, and the VPN definitely doesn't need it. It might confuse things too.

Also, sorry I didn't catch the actual address scheme for fa0/1. The access-list 100 statement should read "access-list 100 permit ip any 10.77.241.128 0.0.0.63" for most accurate performance. We don't want to send data through the tunnel that isn't necessary.

Last, when you're connected to the VPN, in the console window for the router, type "sh crypto ipsec sa active" and hit Enter. Back on your remote client, start pinging. Re-enter the command above on the router and see if the number of packets encrypted and decrypted increases. Even if the pings fail, you can at least see that data is or isn't going through the VPN tunnel.

Greg
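Federico's steps 2 and 4 and Greg's last suggestion come down to the same check: note the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa`, ping from the client, run the command again and see which counters moved. The Python below is an added example, not part of anyone's post and not a Cisco tool, that parses two such snapshots and turns the counter movement into a diagnosis. The show output is constructed in the IOS layout with the lab's addresses; the peer 10.1.1.2 and all counter values are invented, and the parser assumes a single SA in the output, as in this one-client lab.

```python
"""Added example: compare two 'show crypto ipsec sa' snapshots to see if traffic moves.

The check the replies describe is: note the #pkts encaps / #pkts decaps counters,
ping from the client, run the command again and see which counters grew. The
output below is constructed in the IOS format with the lab's addresses; the
peer 10.1.1.2 and all counter values are invented for the example.
"""
import re
from dataclasses import dataclass

SNAPSHOT_BEFORE = """\
interface: FastEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.77.241.128/255.255.255.192/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.1/255.255.255.255/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

# Second snapshot, taken while the client keeps pinging: five more packets were
# decrypted, nothing was encrypted back.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4",
    "#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9")


@dataclass(frozen=True)
class SaCounters:
    peer: str
    local_ident: str   # server-side traffic selector (protected LAN)
    remote_ident: str  # client-side traffic selector (its pool address)
    encaps: int        # packets the router encrypted and sent into the tunnel
    decaps: int        # packets the router received from the tunnel and decrypted


_FIELDS = {
    "peer": re.compile(r"current_peer (\S+) port \d+"),
    "local_ident": re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}


def parse_ipsec_sa(text: str) -> SaCounters:
    """Pull the peer, traffic selectors and counters of a single SA out of the show output.

    Assumes one SA in the text (the thread has a single client); a missing field
    raises ValueError rather than silently reporting zero traffic.
    """
    found = {}
    for name, pattern in _FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"field {name!r} not found in show output")
        found[name] = match.group(1)
    return SaCounters(found["peer"], found["local_ident"], found["remote_ident"],
                      int(found["encaps"]), int(found["decaps"]))


def counter_delta(before: SaCounters, after: SaCounters) -> tuple[int, int]:
    """(encaps growth, decaps growth) between two snapshots of the same SA."""
    if (before.peer, before.remote_ident) != (after.peer, after.remote_ident):
        raise ValueError("snapshots describe different SAs")
    return after.encaps - before.encaps, after.decaps - before.decaps


def classify(before: SaCounters, after: SaCounters) -> str:
    """Turn the counter movement into the diagnosis the replies walk through."""
    d_enc, d_dec = counter_delta(before, after)
    if d_enc > 0 and d_dec > 0:
        return "bidirectional"  # client traffic arrives and replies go back: tunnel is fine
    if d_dec > 0:
        return "inbound-only"   # pings are decrypted but nothing is encrypted back:
                                # look at the LAN side and the route back to the pool
    if d_enc > 0:
        return "outbound-only"  # router sends but receives nothing from the client
    return "none"               # nothing entered the tunnel: interesting-traffic ACL or SA not up


if __name__ == "__main__":
    before, after = parse_ipsec_sa(SNAPSHOT_BEFORE), parse_ipsec_sa(SNAPSHOT_AFTER)
    print(f"SA to {before.peer}: local {before.local_ident} <-> remote {before.remote_ident}")
    print("encaps/decaps growth:", counter_delta(before, after))
    print("diagnosis:", classify(before, after))
```

Reading the result the way the replies do: "none" means the client never put the pings into the tunnel (the interesting-traffic ACL or the SA itself), "inbound-only" means the router is decrypting the pings but no replies are being encrypted back, which points at the LAN side and the route back to the pool rather than at the VPN configuration, and "bidirectional" means the tunnel is carrying traffic both ways.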

Hi Greg,

Thanks for your patience in helping me troubleshoot my lab. Here's my new configuration. I still can't ping the 10.77.241.0 network. I also connected one virtual PC to the fa0/1 interface. I also captured the sh ipsec sa command inside the router.


username sdmsdm privilege 15 password 0 sdmsdm
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key sdmsdm
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 10.77.241.157 255.255.255.192
duplex auto
speed auto
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5
ip http server
ip http secure-server
!
!
access-list 100 permit ip any 10.77.241.128 0.0.0.63
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

It should be working. So one of two things is happening:

1. GNS3 or the IOS image you're using in GNS3 is screwing up. It happens.


2. I missed something. It also happens.

Assuming #2, take a couple of things out of your crypto isakmp client configuration group config: the netmask and the acl statement. See if that works. Also, see if you can ping the external and internal interfaces of the router from your VPN client while not connected to the VPN. You should be able to ping either one since you're not using NAT.

Assuming #1 is the issue, try a different IOS image and load the exact same config. I've had similar problems using GNS3 with some VPN and EIGRP labs that I've done, and switching images has worked.

Hi Greg,

   Sorry for giving you late feedback on your suggestion. I was busy with another task in the office. Anyway, I tried your two suggestions but I still can't ping the 10.77.241.0 network. I upgraded GNS3 to the new version as well as the IOS image of the router; I changed the model of the router from (3600 c3660-jk9o3s-mz.124-12) to (3700 3725-ADVENTERPRISEK9-M). I tried to ping the 10.77.241.0 network from the client while not connected to the VPN client, but I can't ping. But I can ping the 10.1.1.1 IP address. I have a question: in your lab, which software are you using for the virtual machine, VMware or the Virtual PC?

Can you please help me get my lab up? If you have the same lab running, can you give me the configuration?

Sorry it didn't work, Walter.

I've been using Sun VirtualBox (now owned by Oracle). I use the current version. I doubt that's the problem though, since you are able to ping the 10.1.1.1 interface from your VM.

Here's a link on how to set up VirtualBox in GNS3 if you really want to try it. But, like I said, I don't think that's the problem.

DOH! LINK!

http://altbiz.wordpress.com/
