IPSec/VPN: How can different users use different IP on the VPN router?

Hello,

We have a Cisco 2821 and need to build a VPN access gateway. There are the following requirements:

1. use the L2TP protocol in order to use the native Windows IPsec client (I tested it and it works perfectly for a single user)

2. every user should use a different IP address (a single VPN router for different customers, and every customer is terminated in its own VRF)

3. every user should use a different PSK key

The first requirement is quite easy - use an L2TP tunnel with authentication over RADIUS; it works without big problems.

But I can't apply requirements 2 and 3. I tried the following:

1. create an interface SubIF1 with an IP for Customer1 and SubIF2 for Customer2

2. created 2 IPsec profiles, where I defined the local-address of those interfaces and connected them to the appropriate key-rings

In order for this to work I should place a static route which points to the source IP of a connected customer over the appropriate subinterface; if I do it, it works. But the problem is that the customers are "road-warriors", which means they use a new source IP address every time.

I tried it with a "local route-map"; the result was that the VPN connection was established and I could reach the remote VPN IP, but the traffic was stuck in the VPN gateway - I can't reach anything else from the remote VPN. It looks like (according to debug) transit traffic didn't match my "local route-map" and tried to reach the source IP via the default gateway and not via the correct subif with a crypto policy.

I tried as well a light-VRF, where I put the public SubIF in its own local VRF and then defined the default static route in this VRF, but it didn't work at all: the traffic couldn't match the correct profile and couldn't find the correct PSK key.

My question - is there any possibility to build a VPN topology where all my 3 requirements are applied?
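To make the structure of the attempt above concrete, here is an illustrative IOS configuration skeleton for the per-customer part (one public subinterface, one keyring and one ISAKMP profile per customer, the profile selected by the router's own local address rather than by the road-warrior's changing source IP). This is an added example, not configuration from the original post or from Cisco; the interface names, VLAN tags, customer names and the documentation-range addresses are assumptions, and the PSK values are placeholders.

```cisco
! Added example (not from the original post). Assumed layout:
! Gi0/0.101 carries Customer1's public IP, Gi0/0.102 carries Customer2's.
! Each customer gets its own keyring (own PSK) and its own ISAKMP profile,
! and the profile is bound to the local address the client connected to.
crypto keyring CUST1-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key CUST1-PSK-PLACEHOLDER
crypto keyring CUST2-KEYS
 pre-shared-key address 0.0.0.0 0.0.0.0 key CUST2-PSK-PLACEHOLDER
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
! Peer address is unknown in advance (road-warriors), so identity matches
! any address; the local-address is what separates the two customers.
crypto isakmp profile CUST1-IKE
 keyring CUST1-KEYS
 match identity address 0.0.0.0 0.0.0.0
 local-address GigabitEthernet0/0.101
crypto isakmp profile CUST2-IKE
 keyring CUST2-KEYS
 match identity address 0.0.0.0 0.0.0.0
 local-address GigabitEthernet0/0.102
!
! Transport mode, as used by the native Windows L2TP/IPsec client.
crypto ipsec transform-set L2TP-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto dynamic-map DYN-CUST1 10
 set transform-set L2TP-TS
 set isakmp-profile CUST1-IKE
crypto dynamic-map DYN-CUST2 10
 set transform-set L2TP-TS
 set isakmp-profile CUST2-IKE
crypto map CUST1-MAP 10 ipsec-isakmp dynamic DYN-CUST1
crypto map CUST2-MAP 10 ipsec-isakmp dynamic DYN-CUST2
!
! One public subinterface per customer, each with its own crypto map.
interface GigabitEthernet0/0.101
 encapsulation dot1Q 101
 ip address 198.51.100.1 255.255.255.252
 crypto map CUST1-MAP
interface GigabitEthernet0/0.102
 encapsulation dot1Q 102
 ip address 203.0.113.1 255.255.255.252
 crypto map CUST2-MAP
```

This covers requirements 2 and 3 on the IKE/IPsec side only: the PSK a client is checked against depends on which public address it connected to, so Customer2's PSK is never tried for a session arriving on Customer1's address. It does not address the return-path problem described in the post (encrypted replies leaving via the default route's interface instead of the subinterface that holds the matching crypto map), nor the placement of each L2TP session into the customer's VRF; those are exactly the open points of the question.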

3 Replies

Collin Clark
VIP Alumni

This is a bad design and will not scale.

1. use the L2TP protocol in order to use the native Windows IPsec client (I tested it and it works perfectly for a single user)

You've got this squared away.

2. every user should use a different IP address (a single VPN router for different customers, and every customer is terminated in its own VRF)

Why? What security are you trying to accomplish?

3. every user should use a different PSK key

Why? Why not use PKI?

Hello Collin,

The main idea is the following:

We have some customers which use the MPLS VPN service, and those customers have some road-warriors. Road-warriors should connect to our VPN gateway and get access to the correct MPLS/VPN network.

Every customer gets, for all its road-warriors, a single public IP and a PSK on our VPN gateway.

2. It is a "policy" which states that every MPLS customer should get its own IP address for the IPsec-VPN termination. We didn't consider the idea of a separate physical VPN gateway as valuable.

3. As the road-warriors normally use a PC with Windows and customers are not always good at "networking stuff", it seemed to be a good solution: IPsec/L2TP client with PSK - minimum needed configuration. Is a PKI infrastructure more flexible if we need different keys for different users?

Hello again,

is there any better VPN access gateway design which fulfills our requirements?

I already spent some days testing different approaches but unfortunately didn't come to any "good" solution.

Maybe the community can give me some advice.

Thank you!