cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3536
Views
20
Helpful
12
Replies

How to configure cisco router as IKEv2 client from VLAN which is NATted (overloaded)

rhbmcse
Level 1
Level 1

Hello again fellow Cisco community.

As per the title - I'm running a Cisco 1100 series ISR which currently has 2 vlans internally.

I need to connect to a commercial VPN supplier for one of the VLANS.  They support IKEv2 which seems like the best protocol I'm permitted to use for a VPN tunnel.

I have read several articles, I'm CCENT (studying for CCNA) but this is a config I've not come up against before.

The only details I have from the commercial VPN supplier is rather hit and miss as they like to supply the end user with a nice .exe file for your router / endpoint device which does it all for you.  Me being a CISCO guy would like to do this on the router  rather than using a client on the endpoint!

The provider supplies a root certificate which I can download and install to the router (not done)

They will also supply a hostname (resolvable via DNS which shouldn't be a problem) along with username and password.

Authentication is detailed as Use Extensible Authentication Protocol(EAP) and EAP-MSCHAPv2

and that's about it.

Router config is to follow.  I just need the IPTV vlan (20) or at least one IP within that subnet to be able to connect to the commercial VPN provider via the IKEv2 tunnel without interrupting the client vlan (10) for operating as normal with internet access and - with one external IP from the ISP...with PAT.

I suppose the first question is - Is it possible - I guess it must be.

The second question - what would the required steps be for implementing this in the most efficient manner.

All I'm trying to achieve here is to shift the onus from the client device to create the tunnel to the router which I believe will handle this far better (the end device is maxed out when trying to handle the VPN client too causing a slowdown of around 80% - so it's fairly important that I get this moved to the router!

 

In short, ikev2 tunnel from vlan20 (192.168.1.3 client IP) to VPN provider behind natted (PAT) IP from ISP.

 

Appreciate any help.  Config as promised attached.

 

Cheers.

 

Rob.

12 Replies 12

Hi,

I initially didn't think you could do this, you can certainly use EAP to authenticate to the router with a software VPN client (AnyConnect), but I was unsure if you could actually send a username and password from the router itself, it seems like you can (very little examples on the internet though).

 

The authentication methods are handled under the IKEv2 Profile, e.g.

 

crypto ikev2 profile IKEV2_PROFILE
 authentication remote rsa-sig
 authentication local eap mschapv2 username UN password PW

 

You'd obviously need the IKEv2 proposal, IPSec Transform Set, VTI and a static route to route the appropriate traffic via the tunnel interface.

 

HTH

Rob is back again!

Hi Rob and thanks for your reply.

As you probably gathered from my previous post that you helped with massively (understatement) - I have no experience of setting up VPN tunnels.  CCENT and CCNA training covered it very basically and certainly not doing things this way around!

 

From the multiple snippets I've read it seems to be 'do-able' (as you mentioned - not a lot of info out there) so I need to make it happen!

 

I'm not familiar with IKEv2 (or IKE, building tunnels etc) so some of what you replied is slightly beyond me 'at the minute'.  I could do with somebody holding my hand through this, working with and explaining kind of 'as we go' if you like.

 

No desperate hurry to get it resolved but for this one I really don't know where to start - i.e. why I need their root cert installing (if indeed I need to).  From their descriptions for other platforms they certainly seem to have this as the first step.

 

Could we perhaps work at this first and work from there so that I can understand what we're doing, and why ?

I appreciate it's quite a big ask and you may not have all the answers having never done it before yourself but clearly you have a much greater knowledge than I and as per my last thread - I love to learn and understand why!

 

Thanks as always - a very appreciative

Rob.

Hi Rob,

No problem.

 

There are a number of examples here and here, it doesn't quite match your requirement, but you can see the individual components that make up a FlexVPN/IKEv2 VPN. Review those, perhaps lab (sVTI is what you'll probably need to use going forward) and get comfortable with the IKEv2 VPN configruration. Then I think/hope to match you requirement you'd need to use the suggestion I made in the previous post.

 

HTH

Interesting stuff.

Unfortunately I have to do this 'live' as I don't have a further spare router which can connect to a xDSL service to play with in order to reach the VPN server.

Looking at the sVTI example.

 

Define the WAN interface, loopback and dynamic routing protocol

My WAN interface will be my eth0/2/0.101 I assume which is already configured, up and running ?

 

Loopback interface I assume is used in this example as one end of the tunnel (source).

Do I therefore need to create my tunnel source using an IP in the 192.168.1.x /24 range for vlan 20 ?

 

Finally they have this section:

router eigrp 1
no auto-summary
network 172.16.0.1

 

Now there's no EIGRP running in my environment so I assume this is not required.

 

That's the first section 'dealt with'...and at this stage there's nothing to do as the interfaces are already defined.  The only question from me at this stage is the IP address on the tunnel at my end.  Am I correct in assuming that it's an IP in the VLAN 20 as mentioned above?

 

Baby steps...

 

Many thanks.

 

Rob.

Hi Rob, I've re-read you original post. Is what you want to do on the router actually supported by your supplier?
You will probably need to speak to your supplier in order to configure your router, as you'll need to know the next hop to route your traffic to and the supplier would need to know where to send the return traffic. If they don't supply this, it may not be possible.

Rob

Hi Rob,

thanks for the reply.  That is indeed a very good question and one that I had assumed that the answer to the question was 'yes' as they claim to support a whole number of routers (cisco excepted as obviously it all depends upon you own config as to how you'd wish to implement).

They provide configs for all manner of what you might consider 'home' routers, including Linksys but these devices generally have a GUI with a nice 'create PPTP' option or similar in the interface.

I had assumed that when I initiate the tunnel request on port 'x' that they would reply back to the SOURCE IP rather than needing static routing as they do with every other client device (routers, blackberries, iphones, android devices, linux, mac, PC etc).

Like I said I don't fully understand how this works creating it using Cisco IOS but they must not need to add a static route back.  They do provide the IP of any number of destination VPN servers that they host across the globe.

Do you believe this is not possible with CISCO IOS?

 

Thanks as always for your help.

 

Rob.

I guess it depends, have they provided an example configuration that you can use a basis to build a configuration?
For example to establish a VPN you'll need to define IKEv2 Proposal and IPSec Transform Set, there are various algorithms that can be use, you'll also need PSK, Peer IP address, interesting traffic (crypto map acl) or static route (VTI) to be sent over tunnel. If you can provide an example they might give some clues whether it's possible or not.

Hi Rob,

sorry for the delay - work does get in the way of my other cisco activities rather!

 

So - it's no big secret and I hope I don't get in trouble for mentioning the name of the company being NORD vpn.

 

They have clients and scripts for just about everything (except CISCO for obvious reasons) but they do support the necessary protocols - several in fact.  L2TP, PPTP, IKEv2 although my preference is to go with IKEv2 as this will be supported going forwards whilst other methods may be deprecated.

 

It doesn't HAVE to be NORD - I was just able to get a modicum of sense and information out of them unlike most commercial suppliers who just want to sent you a client to install which of course - is not possible on a CISCO router!

 

Taking a quick look  HERE gives a list of OSs and clients along with protocols.  Not trying to get you do do the work for me here but I don't know which particular scripts may be of best assistance to you - although you do seem like a very knowledgeable guy!

 

The Blackberry config looked like this, but if you select any IKEv2 from that page hopefully it will help.  Also they have a whole army of servers globally for which they publically provide the details of the protocols supported and the relevant IP address to connect to with the UK ones being HERE

 

 

Profile Name: anything, this field does not matter
Server Address: A server name from our server list, at https://nordvpn.com/servers/ (for example, us333.nordvpn.com)
Gateway Type: Generic IKEv2 VPN Server
Authentication Type: EAP-MSCHAPv2
Authentication ID Type: Email Address
Authentication ID: NordVPN Username
MSCHAPv2 EAP Identity: NordVPN Username
MSCHAPv2 Username: NordVPN Username
MSCHAPv2 Password: NordVPN Password
Gateway Auth Type: PKI
Gateway Auth ID Type: Fully Qualified Domain Name
Gateway Auth ID: The same as Server Address
Gateway CA Certificate *: All CA Certificates
Perfect Forward Secrecy: Yes (checked)

 

Obviously if it's not possible then - it's not possible!  I'd obviously be disappointed at having an expensive router that I've purchased for my own use and studies (along with multiple other CISCO routers and switches) if it can't when 'off the shelf' / pcworld type routers have the functionality in built but hey-ho!

 

I have another question regarding setting up a full DMZ using just one Public IP address but let's address that in a separate thread - one job at a time!

 

Thanks as always - I only hope this is interesting for you and I'm not killing you softly with my lack of experience!

 

Rob.

 

Hi Rob,

sorry for the delay - work does get in the way of my other cisco activities rather!

 

They have clients and scripts for just about everything (except CISCO for obvious reasons) but they do support the necessary protocols - several in fact.  L2TP, PPTP, IKEv2 although my preference is to go with IKEv2 as this will be supported going forwards whilst other methods may be deprecated.

 

It doesn't HAVE to be this particular supplier - I was just able to get a modicum of sense and information out of them unlike most commercial suppliers who just want to sent you a client to install which of course - is not possible on a CISCO router!

 

Taking a quick look  HERE gives a list of OSs and clients along with protocols.  Not trying to get you do do the work for me here but I don't know which particular scripts may be of best assistance to you - although you do seem like a very knowledgeable guy!

 

The Blackberry config looked like this, but if you select any IKEv2 from that page hopefully it will help.  Also they have a whole army of servers globally for which they publically provide the details of the protocols supported and the relevant IP address to connect to with the UK ones being HERE

 

 

Profile Name: anything, this field does not matter
Server Address: A server name from our server list, at x (for example, us333.xvpn.com)
Gateway Type: Generic IKEv2 VPN Server
Authentication Type: EAP-MSCHAPv2
Authentication ID Type: Email Address
Authentication ID: VPN Username
MSCHAPv2 EAP Identity: VPN Username
MSCHAPv2 Username: VPN Username
MSCHAPv2 Password: VPN Password
Gateway Auth Type: PKI
Gateway Auth ID Type: Fully Qualified Domain Name
Gateway Auth ID: The same as Server Address
Gateway CA Certificate *: All CA Certificates
Perfect Forward Secrecy: Yes (checked)

 

Obviously if it's not possible then - it's not possible!  I'd obviously be disappointed at having an expensive router that I've purchased for my own use and studies (along with multiple other CISCO routers and switches) if it can't when 'off the shelf' / pcworld type routers have the functionality in built but hey-ho!

 

I have another question regarding setting up a full DMZ using just one Public IP address but let's address that in a separate thread - one job at a time!

 

Thanks as always - I only hope this is interesting for you and I'm not killing you softly with my lack of experience!

 

Rob.

 

It seems as though the guides for different devices are supplied by customers, it may well work just no one has write the guide yet. I think it's going to be a bit a lot of trial and error to get this working.

This FAQ indicates what algorithms should be used

 

I would imagine they'll provide a DHCP address, therefore you'd need to create tunnel interface with "ip address negotiated" rather than specifying an IP address, this will assign the tunnel the IP address supplied.

 

You need to route all traffic through the tunnel, so you can create a static route pointing to the tunnel interface. As you cannot have 2 default routes, you'd probably need to define a VRF and place the outside/wan interface the VRF and the tunnel and inside interfaces would remain in the global routing table and be routed via the VPN tunnel.

 

You'd need to nat all traffic behind the tunnel interfaces' dhcp address, as the provider would not know about your local networks.

 

HTH

Good Morning Rob,
I have a little time to do some more work on this.
I get the concept of what you're saying - that I need a VRF otherwise any traffic on the new VLAN will route through the default gateway rather than via the tunnel.
VRFs again - I've not covered under any training - my knowledge is what I've just read up on.
Similarly in CCENT training the only tunnel that you create is a GRE tunnel between two routers that you have control of. This is quite different. I'd love to crack it all the same. In my estimation hands-on is far better that classroom labs.
In order to get on with stage '1' would that be to create a VRF or pop up a new VLAN. My thinking being that if I create a new VLAN I should hopefully be able to work on the router without interrupting the other services I've got going across my existing 3 VLANS.
I know it's going to be a slow process but bear with me - I'm learning all new stuff here!

**

Spent some time considering this and I'm more confused than ever now.  Every way I think about it I get more confused.  If possible I could really do with the steps needed and a reason why we need to do these in the particular order and I appreciate that's a big ask but between VRFs, Tunnels, Authentication methods etc. I'm really, really at a loss as to what needs to be done first or in what order.  Sure wish I could sit down with somebody and work through it so that I understand.  It's a lot of topics all rolled into one in order to achieve this.

I cracked ZBFW with your assistance and have a basic but sound understanding of that now.  I'd love to understand this too.

Thanks as always - hungry for knowledge (and frustrated)

Rob.

Hi everyone, has anyone got their VPN working on a Cisco?

I'm attempting something similar on a C860VAE-ADVSECURITYK9-M. 

 

I don't have this line in my ikev2 profile:

 authentication local eap mschapv2 username UN password PW

 

I only have the eap option for remote, for local I can only do: 

 

RTR41Z03(config-ikev2-profile)#authentication local ?
ecdsa-sig ECDSA Signature
pre-share Pre-Shared Key
rsa-sig Rivest-Shamir-Adleman Signature

 

Is there a workaround?