VPN Client with peer on secondary ip address on router public interface

garrethmtt
Level 1

Hi,

On our office LAN, we have a Linux server that is hosting a VPN connection to a remote customer.

For this to work, we have to port map ISAKMP connections on our Cisco router to the internal IP address of the Linux host.

However, we now want to allow our users to establish VPN connections to our LAN using the Cisco VPN Unity Client.

Obviously, this was going to present issues, given that the ISAKMP port on our router is mapped through to an internal host.

So, we tried to set up a secondary ip address on the router and have the VPN clients connect to that.

What we see in our logs is as follows:

Phase 1 is established fine, and the VPN Client prompts the user for a username and password.

Phase 2 authentication begins, but the router tells us that it isn't receiving a hash proposal from the client.

185    12:18:06.943  03/09/11  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from x.x.x.x

(in this case, x.x.x.x is the secondary IP address on the public interface)

After that, the Phase 1 SA is deleted and the connection fails.

My understanding is that Phase 2 negotiation takes place with the IP address allocated to the client in Phase 1, which suggests to me that the problem occurs because the client is communicating with the primary IP address on the interface rather than the secondary IP address.

When we remove the ISAKMP port mapping and have the VPN client connect to the primary IP address, everything works fine.

Question:

Is it possible to establish a client-to-router VPN using a secondary IP address?

If not, is there any way I can set up the port mapping so that it only occurs if the connection is from a specific IP address?

Garreth

9 Replies

Hi,

"Is it possible to establish a client-to-router VPN using a secondary IP address?"

Secondary addresses pretty much suck :-)

The problem is that a router will always source packets out from the primary address assigned to an interface (not a secondary address).

"If not, is there any way I can set up the port mapping so that it only occurs if the connection is from a specific IP address?"

If you add an ACL permitting ISAKMP from only a single IP address, then it should work.

This ACL is applied inbound on the outside interface, permitting the tunnel only from the single IP allowed in the ACL.

Federico.

"If you add an ACL permitting ISAKMP from only a single IP address, then it should work.

This ACL is applied inbound on the outside interface, permitting the tunnel only from the single IP allowed in the ACL."

But won't that also prevent my VPN Clients from connecting?

My hope was that there would be some way to tell the router to only establish the ISAKMP port mapping if the connection came from the peer on the other end of the customer VPN.

i.e.

If a VPN Client connects, terminate ISAKMP on the router.

If the customer VPN connects, forward ISAKMP to the Linux server.

You're right!

If you add the ACL that will apply to all ISAKMP tunnels (affecting the VPN clients).

One option could be (haven't tested) to use IPsec/TCP for the VPN clients or for the customer VPN.

In this way the router will listen on UDP 500 and UDP 4500 for the VPN clients but will listen on TCP 10000 for IPsec/TCP client connections, allowing a port-forward situation.

Federico.

Changing the customer VPN isn't an option. They're a big company and it takes months for them to do anything.

How do I get my VPN Clients to use a port other than UDP 500?

Can they use this option if they are behind a NAT device?

Go ahead and test with a single VPN client.

Enable IPsec/TCP on the server and on the client and see if we can make this single client work with port forwarding.


Federico.

Is IPsec over TCP an option on an IOS router?

I think this is only an option on the PIX, but I have a router.

I can't find anywhere to configure this in IOS.

Thanks for your help, BTW.

Should be supported on IOS.

The command is crypto ctcp port ...

Can check this link:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd8061e2b3.html

Federico.

It works!

I set up the cTCP encapsulation for TCP 10000 and modified my main ACL to allow TCP 10000 from anywhere, and the client was able to connect.

Thanks for your help!

G
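The arrangement the thread arrives at, written out as an IOS configuration fragment. This is an added example, not configuration posted by anyone in the thread, and it combines the two suggestions made above: the UDP/500 port map to the Linux host is restricted to the customer's peer address with the inbound ACL, while Cisco VPN Client users terminate on the router over IPsec/TCP on port 10000 (`crypto ctcp port`, as linked above). All addresses, interface names and the ACL name are constructed for the example; the existing remote-access pieces (ISAKMP policy, client group, dynamic crypto map) are assumed to be configured already and are omitted.

```cisco
! Constructed example addresses:
!   203.0.113.2   router outside (primary) address
!   198.51.100.7  customer's VPN peer
!   192.168.1.10  Linux host running the customer VPN
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface FastEthernet0/1
 description Office LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! ISAKMP (UDP/500) arriving on the outside address is handed to the Linux host.
! If the customer tunnel uses NAT-T, the same forward is needed for UDP/4500.
ip nat inside source static udp 192.168.1.10 500 interface FastEthernet0/0 500
!
! VPN Client users reach the router's own ISAKMP over TCP/10000 instead,
! so the UDP/500 port map no longer gets in their way.
crypto ctcp port 10000
!
ip access-list extended OUTSIDE-IN
 remark UDP/500 only from the customer peer (this traffic is port-mapped to the Linux host)
 permit udp host 198.51.100.7 host 203.0.113.2 eq isakmp
 remark IPsec/TCP from VPN Client users, any source
 permit tcp any host 203.0.113.2 eq 10000
 remark everything else dropped and logged
 deny ip any any log
```

Two things worth checking after applying this: the static NAT entry is matched before the router's own ISAKMP listener, so UDP/500 from any address other than the customer peer is dropped by the ACL rather than silently forwarded, which `show access-lists OUTSIDE-IN` will confirm through the hit counters; and the `deny ip any any log` line also discards ESP and any other traffic not listed, so add further permits only for flows the site actually needs.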

Garreth,

Glad I could help :-)

Please consider rating the thread and mark it as answered if you find it helpful.

Cheers!

Federico.