LoDoGg.com Homepage
Cisco router IOS (2610) as a VPN Server

judithscott
Newbie
Joined: 27 January 2009
Posts: 2
Posted: 28 January 2009 at 12:04am
It's very nice information; thank you for giving this information. I will try this.
lodogg
Admin Group
Joined: 25 January 2003
Posts: 1831
Posted: 24 March 2008 at 12:28pm
 
Cisco Document on the ipsec setup!
 
lodogg
Admin Group
Joined: 25 January 2003
Posts: 1831
Posted: 24 March 2008 at 12:21pm

This is a great article on how to configure your Cisco router that is running a Security bundle (IOS) to accept IPSEC tunnels. I have been having some issues with NATing once I'm connected, but I will post an update!
~~~~~~~~~~~~~~~~

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml#vpn405

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
!

!--- Enable authentication, authorization and accounting (AAA)
!--- for user authentication and group authorization.


aaa new-model
!

!--- In order to enable Xauth for user authentication,
!--- enable the aaa authentication commands.


aaa authentication login userauthen local


!--- In order to enable group authorization, enable
!--- the aaa authorization commands.

aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!

!--- For local authentication of the IPsec user,
!--- create the user with a password.


username user password 0 cisco
!
!
!

!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.

 

crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2


!--- Create a group that is used to specify the
!--- WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication. ACL 101 is used for
!--- split tunneling on the VPN Client end.


crypto isakmp client configuration group vpnclient
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101
!

!--- Create the Phase 2 Policy for actual data encryption.

 

crypto ipsec transform-set myset esp-3des esp-md5-hmac
!


!--- Create a dynamic map and apply
!--- the transform set that was created earlier.


crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!


!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.


crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.0
 half-duplex
 ip nat inside


!--- Apply the crypto map on the outbound interface.


interface FastEthernet1/0
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface Serial2/0
 no ip address
!
interface Serial2/1
 no ip address
 shutdown
!
interface Serial2/2
 no ip address
 shutdown
!
interface Serial2/3
 no ip address
 shutdown

!--- Create a pool of addresses to be
!--- assigned to the VPN Clients.


!
ip local pool ippool 192.168.1.1 192.168.1.2
ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2

!--- Enables Network Address Translation (NAT)
!--- of the inside source address that matches access list 111
!--- and gets PATed with the FastEthernet IP address.


ip nat inside source list 111 interface FastEthernet1/0 overload
!

!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.
 

access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any

 

!--- Configure the interesting traffic to be encrypted from the VPN Client
!--- to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.

access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

control-plane
!
line con 0
line aux 0
line vty 0 4
!
end

~~~~~~
IPsec Diagnostic Tools within Cisco IOS
The most commonly used categories of diagnostic tools used within Cisco IOS are show and debug commands. Throughout the course of this chapter, we will use variations of these two command sets to diagnose issues commonly found within Cisco IOS. As we've discussed, there are detailed steps that occur during the formation of Internet Security Association and Key Management Protocol (ISAKMP) and IPsec negotiation between two IPsec VPN endpoints. We will examine common errors in these steps through execution of the following debugging commands within IOS:
•  debug crypto isakmp
•  debug crypto IPsec
 
Additionally, we will explore several show commands necessary to uncover common errors and performance issues related to the negotiation of IPsec VPN tunnels, including fragmentation/maximum transmission unit (MTU) issues, quality of service (QoS) issues, Network Address Translation (NAT) issues, and issues relating to recursive routing. A subset of the commands we will discuss to address these issues includes:
•  show crypto isakmp sa
•  show crypto isakmp sa nat
•  show crypto IPsec sa
•  show crypto engine connections active
•  show crypto engine connections dropped-packet
•  show crypto engine connections flow
•  show crypto engine qos
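A reviewer's static check of the Easy VPN configuration quoted in the post above. This is an added example and not code from the post, from lodogg, or from Cisco's document; the function names (audit, nat_exempts_pool, split_tunnel_covers_pool and the helpers) are my own, the config text is a constructed excerpt copied from the posted lines, and the inside network 10.10.10.0/24 is taken from the Ethernet0/0 address in the post. The checker only understands standard numbered `access-list N permit|deny ip` entries with any/host/wildcard addresses. It flags the legacy algorithms (3DES, MD5, DH group 2), the cleartext user password and group key, the disabled password encryption, the plain HTTP server, and, the point lodogg was chasing with NAT, whether ACL 111 really exempts the VPN pool that ACL 101 sends through the tunnel.

```python
"""Static audit of an IOS Easy VPN config (added example; function names and
the constructed config excerpt are assumptions, not Cisco's or the post's code)."""
import ipaddress
import re

# Constructed excerpt of the configuration quoted in the post.
SAMPLE_CONFIG = """\
no service password-encryption
username user password 0 cisco
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group vpnclient
 key cisco123
 pool ippool
 acl 101
crypto ipsec transform-set myset esp-3des esp-md5-hmac
ip local pool ippool 192.168.1.1 192.168.1.2
ip http server
ip nat inside source list 111 interface FastEthernet1/0 overload
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Algorithms and DH groups no longer considered adequate for IKE/IPsec.
LEGACY_TOKENS = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
LEGACY_DH = {"group 1", "group 2"}


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _take_addr(tokens):
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for numbered 'ip' ACL lines."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls


def acl_verdict(entries, src_net, dst_addr):
    """First-match evaluation for traffic from all of src_net to dst_addr.

    An entry counts only if it covers the whole source network (conservative for a
    subnet-wide check); the implicit deny at the end of every IOS ACL applies otherwise.
    """
    for action, src, dst in entries:
        if src_net.subnet_of(src) and dst_addr in dst:
            return action
    return "deny"


def pool_addresses(config):
    """Every address of the first 'ip local pool' in the config."""
    m = re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M)
    first, last = (int(ipaddress.IPv4Address(x)) for x in m.groups())
    return [ipaddress.IPv4Address(i) for i in range(first, last + 1)]


def nat_exempts_pool(config, nat_acl, inside_net):
    """True when inside_net -> every pool address is NOT translated (deny in the NAT ACL)."""
    entries = parse_acls(config).get(nat_acl, [])
    inside = ipaddress.IPv4Network(inside_net)
    return all(acl_verdict(entries, inside, a) == "deny" for a in pool_addresses(config))


def split_tunnel_covers_pool(config, split_acl, inside_net):
    """True when the split-tunnel ACL permits inside_net -> every pool address."""
    entries = parse_acls(config).get(split_acl, [])
    inside = ipaddress.IPv4Network(inside_net)
    return all(acl_verdict(entries, inside, a) == "permit" for a in pool_addresses(config))


def audit(config, nat_acl="111", split_acl="101", inside_net="10.10.10.0/24"):
    """Return human-readable findings for the config."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if set(line.split()) & LEGACY_TOKENS:
            findings.append(f"legacy algorithm in '{line}'")
        if line in LEGACY_DH:
            findings.append(f"weak Diffie-Hellman '{line}' in ISAKMP policy")
        if re.match(r"^username \S+ password\b", line):
            findings.append(f"reversible user password: '{line}' (prefer 'username ... secret')")
        if line == "no service password-encryption":
            findings.append("service password-encryption disabled: passwords shown in cleartext")
        if re.match(r"^key \S+$", line):
            findings.append("group pre-shared key stored in cleartext in the running-config")
        if line == "ip http server":
            findings.append("plain HTTP management server enabled")
    if not nat_exempts_pool(config, nat_acl, inside_net):
        findings.append(f"NAT ACL {nat_acl} does not exempt the VPN pool: replies to clients get PATed")
    if not split_tunnel_covers_pool(config, split_acl, inside_net):
        findings.append(f"split-tunnel ACL {split_acl} does not cover {inside_net} -> VPN pool")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

The NAT check reproduces the classic Easy VPN mistake: if the `deny` line of ACL 111 is missing, the `permit ip any any` entry matches inside-to-pool traffic, the replies to the VPN client are PATed to the FastEthernet1/0 address and never enter the tunnel, which is exactly the symptom of "NAT problems once connected". Running `audit()` on a config that has dropped that deny line adds a finding for it; the posted config passes both ACL checks and is flagged only for the legacy algorithms, the cleartext credentials and the HTTP server.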