Saturday, October 17, 2009

Dynamic Virtual Tunnel Interface Easy VPN Server and Client

Two scenarios are shown below:
1) SW1 ezVPN client connected to router R1 ezVPN server
2) SW1 ezVPN client connected to firewall ASA (PIX1) ezVPN server
SW1 client and R1 server configurations:

hostname SW1 - CLIENT

int f1/1
switchport access vlan 10
interface loopback 0
ip address 2.2.2.2 255.255.255.0
interface vlan 10
ip address 10.0.0.1 255.255.255.0
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
crypto ipsec client ezvpn Server
connect auto
group IPSECGROUP key cisco1234
mode client
peer 10.0.0.2
!local-address loopback 0 
username IPSECUSER password cisco
!xauth userid mode local 


interface loopback 0
crypto ipsec client ezvpn Server inside
interface vlan 10
crypto ipsec client ezvpn Server outside
ip route 0.0.0.0 0.0.0.0 10.0.0.2

hostname R1 - SERVER
int loopback 0
ip address 1.1.1.1 255.255.255.0
int f0/0
ip address 10.0.0.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.0.0.1
username IPSECUSER password cisco
aaa new-model
aaa authentication login default local
aaa authentication login ezvpn-authentication local
!define the xauth authentication list.
aaa authorization network ezvpn-authorization local
!define the authorization list.

ip local pool IPSECPOOL 192.168.1.1 192.168.1.254
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
exit
ip access-list extended SPLIT_TUNNEL 
permit ip 1.1.1.0 0.0.0.255 any
exit
crypto isakmp client configuration group IPSECGROUP
key cisco1234
dns 100.100.100.100
wins 200.200.200.200
domain cisco.com
pool IPSECPOOL
acl SPLIT_TUNNEL
!SPLIT_TUNNEL is the split-tunnel ACL.
save-password
!allow the client to save the xauth password locally.
exit

crypto ipsec transform-set SET esp-3des esp-sha-hmac
exit
crypto dynamic-map DYNAMIC 10
set transform-set SET
reverse-route
crypto map VPN client authentication list ezvpn-authentication
!choose the xauth authentication list.
crypto map VPN isakmp authorization list ezvpn-authorization
!choose the authorization list.

crypto map VPN client configuration address respond
!respond to the client's address request.
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC

int f0/0
crypto map VPN

SW1 client and PIX1 server configurations:

hostname SW1 - CLIENT
int f1/8 
switchport access vlan 10
int f1/1 
switchport access vlan 10
interface loopback 0
ip address 2.2.2.2 255.255.255.0
interface vlan 10
ip address 10.0.0.1 255.255.255.0
exit

ip route 0.0.0.0 0.0.0.0 10.0.0.2
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
crypto ipsec client ezvpn Server
connect auto
group IPSECGROUP key cisco1234
mode client
peer 10.0.0.2
!local-address loopback 0 
username IPSECUSER password cisco
!xauth userid mode local 

interface loopback 0
crypto ipsec client ezvpn Server inside
interface vlan 10
crypto ipsec client ezvpn Server outside
hostname PIX1 - SERVER

int e0
ip address 10.0.0.2 255.255.255.0
nameif outside
no sh
int e1
nameif inside
ip address 1.1.1.1 255.255.255.0
no sh
route outside 0 0 10.0.0.1 
username IPSECUSER password cisco privilege 15
access-list SPLIT_TUNNEL permit ip 1.1.1.0 255.255.255.0 any
ip local pool IPSECPOOL 192.168.1.1-192.168.1.254
group-policy IPSECPOLICY internal
group-policy IPSECPOLICY attributes
  split-tunnel-policy tunnelspecified
dns-server value 100.100.100.100
wins-server value 200.200.200.200
address-pools value IPSECPOOL
split-tunnel-network-list value SPLIT_TUNNEL
password-storage enable
tunnel-group IPSECGROUP type ipsec-ra
tunnel-group IPSECGROUP general-attributes
  default-group-policy IPSECPOLICY
  authentication-server-group LOCAL ?
exit
tunnel-group IPSECGROUP ipsec-attributes
  pre-shared-key cisco1234
exit

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
crypto isakmp enable outside
crypto ipsec transform-set SET esp-3des esp-sha-hmac
crypto dynamic-map DYNAMIC 10 set transform-set SET
crypto map VPN 100 ipsec-isakmp dynamic DYNAMIC
crypto map VPN client authentication LOCAL ?
!choose the xauth authentication list.
crypto map VPN interface outside
sysopt connection permit-vpn
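As an added check (not part of the original post): a small Python script that cross-checks the ezVPN client profile against the server's group definition (group name, pre-shared key, xauth user) and flags the stored-password mismatch that produces the "Server does not allow save password option" message in the verification output below. The embedded configs are constructed from the ones above, with the PIX/ASA as it stood before password-storage enable was added; the function and variable names are my own.

```python
import re

# Constructed from the post's configs: the ezVPN client, and the ASA server
# as it stood before 'password-storage enable' was added (the failing state).
CLIENT_CFG = """crypto ipsec client ezvpn Server
 group IPSECGROUP key cisco1234
 mode client
 peer 10.0.0.2
 username IPSECUSER password cisco
"""
ASA_CFG = """username IPSECUSER password cisco privilege 15
tunnel-group IPSECGROUP type ipsec-ra
tunnel-group IPSECGROUP ipsec-attributes
 pre-shared-key cisco1234
"""

def _grab(pattern, text):
    """First capture group of a case-insensitive, line-anchored regex, or None."""
    m = re.search(pattern, text, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None

def check_ezvpn(client_cfg, server_cfg):
    """Cross-check client vs. server; returns a list of findings (empty = consistent)."""
    findings = []
    m = re.search(r"^\s*group (\S+) key (\S+)", client_cfg, re.I | re.M)
    if not m:
        return ["client: no 'group <name> key <psk>' line under the ezvpn profile"]
    group, key = m.groups()
    if re.search(r"^\s*tunnel-group ", server_cfg, re.I | re.M):  # ASA/PIX server
        srv_group = _grab(r"^\s*tunnel-group (\S+) type ipsec-ra", server_cfg)
        srv_key = _grab(r"^\s*pre-shared-key (\S+)", server_cfg)
        save_pw = _grab(r"^\s*(password-storage enable)", server_cfg)
    else:                                                         # IOS server
        srv_group = _grab(r"^\s*crypto isakmp client configuration group (\S+)", server_cfg)
        srv_key = _grab(r"^\s*key (\S+)", server_cfg)
        save_pw = _grab(r"^\s*(save-password)", server_cfg)
    if srv_group != group:
        findings.append(f"group '{group}' is not defined on the server")
    if srv_key != key:  # pre-shared keys are case-sensitive, compare exactly
        findings.append(f"pre-shared key for group '{group}' differs between client and server")
    user = _grab(r"^\s*username (\S+) password", client_cfg)
    if user:
        if not re.search(rf"^\s*username {re.escape(user)} password", server_cfg, re.I | re.M):
            findings.append(f"xauth user '{user}' has no local account on the server")
        if not save_pw:  # the mismatch behind 'Server does not allow save password option'
            findings.append("client stores the xauth password but the server does not allow it")
    return findings

if __name__ == "__main__":
    print("\n".join(check_ezvpn(CLIENT_CFG, ASA_CFG) or ["OK: client and server agree"]))
```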



VERIFICATION


1) SW1 ezVPN client connected to R1 ezVPN server
SW1#
*Mar 1 00:08:08.811: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=IPSECUSER Group=IPSECGROUP Client_public_addr=10.0.0.1 Server_public_addr=10.0.0.2 Assigned_client_addr=192.168.1.1
SW1#sh ip int b
Interface       IP-Address      OK? Method Status   Protocol
Vlan10          10.0.0.1        YES manual up       up
NVI0            10.0.0.1        YES unset  up       up
Loopback0       2.2.2.2         YES manual up       up
Loopback10000   192.168.1.1     YES manual up       up

SW1#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : Server
Inside interface list: Loopback0
Outside interface: Vlan10
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 192.168.1.1 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 100.100.100.100
NBMS/WINS Primary: 200.200.200.200
Default Domain: cisco.com
Save Password: Allowed
Split Tunnel List: 1
       Address    : 1.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 10.0.0.2


SW1#ping 1.1.1.1 source loopback 10000
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 236/307/356 ms
SW1#sh crypto ipsec sa
interface: Vlan10
Crypto map tag: Vlan10-head-0, local addr 10.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed:
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
current outbound spi: 0x1207E6F1(302507761)


SW1#sh crypto session
Crypto session current status
Interface: Vlan10
Session status: UP-ACTIVE
Peer: 10.0.0.2 port 500
IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active
IPSEC FLOW: permit ip host 192.168.1.1 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map


2) SW1 ezVPN client connected to ASA ezVPN server


SW1#
*Mar 1 00:28:45.287: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=IP_public_addr=10.0.0.2
*Mar 1 00:28:47.463: EZVPN(Server) Server does not allow save password option,
enter your username and password manually
*Mar 1 00:28:47.467: EZVPN(Server): *** Logic Error ***
*Mar 1 00:28:47.471: EZVPN(Server): Current State: READY
*Mar 1 00:28:47.471: EZVPN(Server): Event: MODE_CONFIG_REPLY
*Mar 1 00:28:47.475: EZVPN(Server): Resetting the EZVPN state machine to recove
SW1#
*Mar 1 00:28:47.499: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client) User= Group=IP_public_addr=10.0.0.2
*Mar 1 00:28:52.535: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10
*Mar 1 00:28:52.803: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User=IPSECUSER G Server_public_addr=10.0.0.2 Assigned_client_addr=192.168.1.1
SW1#
*Mar 1 00:28:53.203: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, chan
Password storage had to be added on the ASA ('password-storage enable').
SW1#sh ip int b
Interface       IP-Address      OK? Method Status   Protocol
Vlan10          10.0.0.1        YES manual up       up
NVI0            10.0.0.1        YES unset  up       up
Loopback0       2.2.2.2         YES manual up       up
Loopback10000   192.168.1.1     YES manual up       up
SW1#sh crypto session
Crypto session current status
Interface: Vlan10
Session status: UP-ACTIVE
Peer: 10.0.0.2 port 500
IKE SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active
IPSEC FLOW: permit ip host 192.168.1.1 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map


SW1#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : Server
Inside interface list: Loopback0
Outside interface: Vlan10
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
Address: 192.168.1.1 (applied on Loopback10000)
Mask: 255.255.255.255
DNS Primary: 100.100.100.100
NBMS/WINS Primary: 200.200.200.200
Save Password: Allowed
Split Tunnel List: 1
       Address    : 1.1.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 10.0.0.2


SW1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
10.0.0.2        10.0.0.1        QM_IDLE           1039    0 ACTIVE

IPv6 Crypto ISAKMP SA

PIX1# sh route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
C 1.1.1.0 255.255.255.0 is directly connected, inside
C 10.0.0.0 255.255.255.0 is directly connected, outside
S 192.168.1.1 255.255.255.255 [1/0] via 10.0.0.1, outside
S* 0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside


SW1#ping 1.1.1.1 source loopback 10000
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.....
Success rate is 0 percent (0/5)
Hm.. doesn't work ;( Someone tell me why?
PIX1# sh vpn-sessiondb remote
Session Type: IPsec
Username : IPSECUSER Index : 39
Assigned IP : 192.168.1.1 Public IP : 10.0.0.1
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 0 Bytes Rx : 2500
Group Policy : IPSECPOLICY Tunnel Group : IPSECGROUP
Login Time : 14:36:13 UTC Fri Oct 16 2009
Duration : 0h:13m:38s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
PIX1# ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 140/210/260 ms
OK, at least it works from the ASA ;)


PIX1# sh vpn-sessiondb remote
Session Type: IPsec
Username : IPSECUSER Index : 39
Assigned IP : 192.168.1.1 Public IP : 10.0.0.1
Protocol : IKE IPsec
License : IPsec
Encryption : 3DES Hashing : SHA1
Bytes Tx : 500 Bytes Rx : 3500
Group Policy : IPSECPOLICY Tunnel Group : IPSECGROUP
Login Time : 14:36:13 UTC Fri Oct 16 2009
Duration : 0h:15m:07s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none


DYNAMIPS NET FILE:


autostart=false
[localhost:7200]
workingdir = C:\Documents and Settings\Dynamips\sec-iewb\wrk
[[3745]]
image = C:\Documents and Settings\Dynamips\images\C3745-AD.BIN
ram = 128
mmap = false
ghostios = true
sparsemem = true
[[Router R1]]
model = 3745
console = 2001
F0/0 = SW1 F1/1
[[Router SW1]]
model = 3745
console = 2012
slot1 = NM-16ESW
# pix1
F1/8 = PIX1 e0 # outside
F1/9 = PIX1 e1 # inside
[pemu localhost]
[[525]]
image = C:\Documents and Settings\Dynamips\images\pix804.bin
serial =
key =
[[FW PIX1]]
