Ch03: Cisco SOHO VPNs
From Linux Home Networking
Introduction

Here is a brief explanation of how to configure a "permanent" Small Office / Home Office (SOHO) VPN using low-end Cisco routers and PIX firewalls. There is a sample PIX configuration in the appendix in which remote users can use Windows-based VPN software on their notebook computers to access the SOHO site by first dialing into their ISP and then connecting to the PIX with software such as Cisco's EasyVPN suite. As you can imagine, this "temporary" VPN setup can be quite useful.

Scenario

In this example we have two SOHO offices.
Site 1: Internet address 97.158.253.25 on a router with a built-in DSL modem (interface BVI1); protected network 192.168.1.0/24.

Site 2: Internet address 6.25.232.1; protected network 192.168.2.0/24. Scenario A uses a router with an external DSL / Cable modem (interface Ethernet1); Scenario B uses a PIX firewall.
Other Information

The administrator at Site 1 wants to be able to access all the protected servers at Site 2 by using their real IP addresses, and vice versa. For example, Site 1 will refer to Site 2 servers by their 192.168.2.X IP addresses, not by the Internet NAT addresses on the 6.25.232.X network.
VPN Terminologies

Before we begin, it is best to review some basic VPN terminology in the Linux Home Networking guide's appendix, Ap01 Miscellaneous Linux Topics.
Site 1 - Router VPN Configuration Steps

There are a number of steps that need to be done to create the VPN.

IKE

Phase 1 of the creation of a VPN tunnel first requires an exchange of the encryption capabilities of the VPN devices at both ends of the tunnel. The second phase encrypts the data with the cipher the two ends have agreed on; the examples below use either DES or 3DES.
Cisco router / firewall devices usually require you to configure each of the various combinations of key exchange capabilities you are prepared to accept. The device then sends all of the combinations to the remote VPN device as part of the negotiation that decides which one to use.
crypto isakmp policy 9
 hash md5
 authentication pre-share

I've chosen only one combination for the sake of simplicity, but you could add more like this. If your device is licensed appropriately, and you intend to establish a connection with a Linux VPN device, then you should consider a 3DES option, which Linux FreeS/WAN prefers. Here is a snippet that includes 3DES and many other policy combinations.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 4
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto isakmp policy 12
 authentication pre-share
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 23
 encr 3des
 hash md5
 authentication pre-share
Bind the pre-shared key to the Internet address of the remote VPN device, in this case the Site 2 router:

crypto isakmp key VPNsecretPASSWORD address 6.25.232.1

IPSec
Set the lifetime of the IPSec security associations (here 86400 seconds, one day):

crypto ipsec security-association lifetime seconds 86400
Define the traffic to be encrypted: everything from the Site 1 network to the Site 2 network. Note that router access lists use wildcard masks:

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Create a transform set that defines the encryption and authentication methods used for the data:

crypto ipsec transform-set s1s2trans esp-des esp-md5-hmac

If the remote site prefers to use the more secure 3DES method (Linux FreeS/WAN only does 3DES), then you may want to replace the above statement with this one:

crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac

You can create multiple transform sets depending on your security requirements. For example, you could create a transform set named "weak" with regular DES encryption and another named "strong" using the better 3DES method.
Create a crypto map that ties the remote peer, the transform set and the access list together:

crypto map to-site2 10 ipsec-isakmp
 set peer 6.25.232.1
 set transform-set s1s2trans
 match address 101

You can add additional map entries, with additional priorities, to correspond with tunnels to other remote sites. Just remember to create the appropriate access control lists and pre-shared keys. Here is an example of additional map entries using two different transform sets:

crypto map to-site2 150 ipsec-isakmp
 set peer 108.112.44.95
 set transform-set s1s2trans
 match address 101
crypto map to-site2 153 ipsec-isakmp
 set peer 4.21.116.23
 set transform-set s1s2trans-strong
 match address 102
crypto map to-site2 158 ipsec-isakmp
 set peer 223.52.37.25
 set transform-set s1s2trans-strong
 set pfs group2
 match address 103
Finally, apply the crypto map to the Internet-facing interface:

interface BVI1
 crypto map to-site2

This example assumes you are using a router with a built-in DSL modem. In such a case, the external Internet-facing interface would most likely be called BVI1 with a "sister" interface ATM0. Make sure both are configured correctly. If you are using a router with an external DSL / Cable modem, then there will be only one Internet-facing interface to configure. This interface would usually be named either Ethernet0 or Ethernet1 depending on the type of router. The Site 2 configuration uses an external DSL / Cable modem.

Site 1 - Configuration Example

version 12.1
service timestamps debug uptime
service timestamps log uptime
!
hostname soho1
!
ip subnet-zero
no ip domain-lookup
!
bridge irb
!
!
! * Configure IKE properties
!
crypto isakmp policy 9
 authentication pre-share
 hash md5
crypto isakmp key VPNsecretPASSWORD address 6.25.232.1
!
! * Configure IPSec properties
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set s1s2trans esp-des esp-md5-hmac
!
! * If the remote site prefers to use 3DES (Linux FreeS/WAN only does 3DES), then you may want to
! * replace the above statement with this one:
!
! crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac
!
!
! * Define the Site1 to Site2 traffic to be encrypted
!
crypto map to-site2 10 ipsec-isakmp
 set peer 6.25.232.1
 set transform-set s1s2trans
 match address 101
!
! * Give the protected interface an IP address and
! * let it know that it should do NAT as a protected
! * "inside" interface
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/35
  encapsulation aal5snap
 bundle-enable
 dsl operating-mode auto
 bridge-group 1
!
! * Encryption will be done on interface BVI1 according to
! * the crypto map statement
!
interface BVI1
 ip address 97.158.253.25 255.255.255.248
 ip nat outside
 crypto map to-site2
 ip mtu 1412
!
! * Tells the router to NAT all traffic that passes through it:
! * 1) From the inside to the outside,
! * 2) And whose IP address matches those in route map "nonat"
! * 3) Must get an outside "public" address that is the same as
! *    interface BVI1
! *
! * Replaces the following command used on the basic DSL router page
! *
! * ip nat inside source list 1 interface BVI1 overload
!
ip nat inside source route-map nonat interface BVI1 overload
!
! * This statement performs the static address translation
! * for the Web server.
! * With this statement, users trying to reach 97.158.253.26
! * will be automatically redirected to 192.168.1.100
! * which in this case is the Web server.
!
ip nat inside source static 192.168.1.100 97.158.253.26
!
! * Set your default gateway as provided by your ISP.
! * Traffic for Site2 follows this default route too; the
! * crypto map on BVI1 encrypts it on the way out.
!
ip classless
ip route 0.0.0.0 0.0.0.0 97.158.253.30
!
! * Encrypt all traffic passing over the tunnel
! * interface between the two sites
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! * ACL used by route map "nonat" to exclude traffic
! * between Site1 and Site2 from the NAT process as this
! * will pass through the VPN tunnel
!
access-list 150 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
!
! * Use a route map to define which traffic from the private
! * network should be included in the NAT process:
!
route-map nonat permit 10
 match ip address 150

Site 2 - Router VPN Configuration Steps (Scenario A)

There are a number of steps that need to be done to create the VPN on the other end of the tunnel.

IKE
Configure an IKE policy that matches the one at Site 1:

crypto isakmp policy 9
 hash md5
 authentication pre-share

Bind the pre-shared key to the Internet address of the Site 1 router:

crypto isakmp key VPNsecretPASSWORD address 97.158.253.25

IPSec

Set the security association lifetime:

crypto ipsec security-association lifetime seconds 86400

Define the traffic to be encrypted, this time from the Site 2 network to the Site 1 network:

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Create the transform set:

crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac

If the remote site prefers to use the more secure 3DES method (Linux FreeS/WAN only does 3DES), then you may want to replace the above statement with this one:

crypto ipsec transform-set s2s1trans esp-3des esp-md5-hmac

Create the crypto map, this time pointing at the Site 1 router and using the s2s1trans transform set:

crypto map to-site1 10 ipsec-isakmp
 set peer 97.158.253.25
 set transform-set s2s1trans
 match address 101
Apply the crypto map to the Internet-facing interface:

interface Ethernet1
 crypto map to-site1

Site 2 - Configuration Example (Scenario A)

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
!
hostname soho2
!
ip subnet-zero
no ip domain-lookup
!
! * Configure IKE properties
!
crypto isakmp policy 9
 authentication pre-share
 hash md5
crypto isakmp key VPNsecretPASSWORD address 97.158.253.25
!
! * Configure IPSec properties
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac
!
! * If the remote site prefers to use 3DES (Linux FreeS/WAN only does 3DES), then you may want to
! * replace the above statement with this one:
! *
! * crypto ipsec transform-set s2s1trans esp-3des esp-md5-hmac
!
!
! * Define the Site2 to Site1 traffic to be encrypted
!
crypto map to-site1 10 ipsec-isakmp
 set peer 97.158.253.25
 set transform-set s2s1trans
 match address 101
!
! * Encryption will be done according to the crypto
! * map statement
!
interface Ethernet1
 ip address 6.25.232.1 255.255.255.248
 ip nat outside
 crypto map to-site1
!
! * Give the protected interface an IP address and
! * let it know that it should do NAT as a protected
! * "inside" interface
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
! * Tells the router to NAT all traffic that passes through it:
! * 1) From the inside to the outside,
! * 2) And whose IP address matches those in route map "nonat"
! * 3) Must get an outside "public" address that is the same as
! *    interface ethernet1
! *
! * Replaces the following command used on the basic DSL router page
! *
! * ip nat inside source list 1 interface ethernet1 overload
!
ip nat inside source route-map nonat interface ethernet1 overload
!
! * Set your default gateway as provided by your ISP.
! * Traffic for Site1 follows this default route too; the
! * crypto map on ethernet1 encrypts it on the way out.
!
ip classless
ip route 0.0.0.0 0.0.0.0 6.25.232.6
!
! * Encrypt all traffic passing over the tunnel interface
! * between the two sites
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! * ACL used by route map "nonat" to exclude traffic between
! * Site1 and Site2 from the NAT process as this will pass
! * through the VPN tunnel
!
access-list 150 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
!
! * Use a route map to define which traffic from the private
! * network should be included in the NAT process:
!
route-map nonat permit 10
 match ip address 150

Site 2 - Router VPN Configuration Steps (Scenario B)

There are a number of steps that need to be done to create the VPN on the other end of the tunnel when that end is a PIX firewall.

IKE
Configure the IKE policy (the PIX takes one attribute per line), bind the pre-shared key to the Site 1 router's Internet address, use the interface address as the IKE identity, and enable ISAKMP on the outside interface:

isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 authentication pre-share
isakmp key VPNsecretPASSWORD address 97.158.253.25 netmask 255.255.255.255
isakmp identity address
isakmp enable outside

IPSec
Define the traffic to be encrypted, from 192.168.2.0 to 192.168.1.0. Note that the PIX uses regular subnet masks in its access lists, not the wildcard masks used on the routers:

access-list ipsec permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Create the transform set:

crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac

If the remote site prefers to use the more secure 3DES method (Linux FreeS/WAN only does 3DES), then you may want to replace the above statement with this one:

crypto ipsec transform-set s2s1trans esp-3des esp-md5-hmac
Create the crypto map; on the PIX each attribute is a separate statement:

crypto map s2s1ipsec 10 match address ipsec
crypto map s2s1ipsec 10 set peer 97.158.253.25
crypto map s2s1ipsec 10 set transform-set s2s1trans
crypto map s2s1ipsec 10 set security-association lifetime seconds 86400

In this case the crypto map is named "s2s1ipsec" and each statement has a sequence number or "ranking" of "10". Statements with lower sequence numbers are considered before those with higher values. Just like on the routers, you can add more statements for tunnels to other remote VPN devices; each tunnel needs its own sequence number, access list, peer and pre-shared key.
Apply the crypto map to the outside interface:

crypto map s2s1ipsec interface outside
Allow the IPSec-protected traffic to bypass the interface access lists:

sysopt connection permit-ipsec

Site 2 - Configuration Example (Scenario B)

nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password uR0ZSMuMGz09CMpz encrypted
passwd uR0ZSMuMGz09CMpz encrypted
hostname ciscopix
domain-name stcla1.sfba.home.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
!
! * Allow IPSec traffic from Site2's private
! * network to Site1's private network
!
access-list ipsec permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
! * Do not Network Address Translate (NAT) traffic
! * originating on Site2's private network destined
! * to Site1's private network. This ACL is the first
! * step.
!
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 25
logging on
logging timestamp
logging trap warnings
logging history warnings
logging facility 22
logging host inside 192.168.2.237
interface ethernet0 10baset
interface ethernet1 10full
icmp deny any outside
mtu outside 1500
mtu inside 1500
!
! * Set up the IP addresses of the interfaces
!
ip address outside 6.25.232.1 255.255.255.248
ip address inside 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
!
! * Do not NAT traffic that matches access list "nonat",
! * NAT everything else
!
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.2.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 6.25.232.6 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
filter activex 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 192.168.2.237 source inside
http server enable
http 192.168.2.0 255.255.255.0 inside
snmp-server host inside 192.168.2.237
no snmp-server location
no snmp-server contact
snmp-server community passwdboo
snmp-server enable traps
tftp-server inside 192.168.2.237 /ciscopix-confg
floodguard enable
no sysopt route dnat
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 15
dhcpd address 192.168.2.20-192.168.2.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
!
! * IPSec policies:
!
sysopt connection permit-ipsec
crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac
!
! * If the remote site prefers to use the more secure 3DES method (Linux FreeS/WAN only does 3DES),
! * then you may want to replace the above statement with this one:
!
! * crypto ipsec transform-set s2s1trans esp-3des esp-md5-hmac
!
crypto map s2s1ipsec 10 set security-association lifetime seconds 86400
crypto map s2s1ipsec 10 ipsec-isakmp
crypto map s2s1ipsec 10 match address ipsec
crypto map s2s1ipsec 10 set peer 97.158.253.25
crypto map s2s1ipsec 10 set transform-set s2s1trans
crypto map s2s1ipsec interface outside
!
! * IKE policies:
!
isakmp enable outside
isakmp key VPNsecretPASSWORD address 97.158.253.25 netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
terminal width 80

Troubleshooting Cisco VPNs

Cisco provides a number of commands to test the status of your site-to-site VPN tunnel. If your tunnel fails to be created, you'll need to ensure that all the parameters are set up correctly. The most common failure I've seen is having mismatched isakmp transform sets.

Displaying the Key Exchange Status

The "show crypto isakmp sa" command works on both routers and PIX firewalls and is used to determine whether the first phase of the VPN tunnel establishment (the isakmp key exchange) was successful. In the example below Sites 1 and 2 have a working tunnel, and the status output shows the Internet IP addresses of the VPN devices at both ends of the tunnel.

soho1# show crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
6.25.232.1 97.158.253.25 QM_IDLE 0 0
soho1#
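The configuration steps for Site 1, Scenario A and Scenario B have to agree with each other in a handful of places before either phase can complete: each side's crypto map peer must be the other side's Internet address, the pre-shared key must be bound to that same address, the two transform sets must offer the same ESP cipher and hash, the crypto access lists must be mirror images, and the two devices must share at least one ISAKMP policy. The Python script below is an added example, not code from the Linux Home Networking page or from any Cisco tool: it parses the crypto-related lines of an IOS router configuration (indented "crypto isakmp policy" and "crypto map" blocks, wildcard-mask access lists) and of a PIX configuration (one attribute per "isakmp policy" or "crypto map" line, subnet-mask access lists) into one structure and reports those mismatches. The sample inputs are constructed from the page's own Site 1 and Scenario B configurations, trimmed to the lines the parser reads; the function names and dictionary layout are this example's, and the values it assumes for omitted policy attributes (DES, SHA, rsa-sig, group 1) are the IOS defaults.

```python
import ipaddress
import re

_ATTR = {"encryption": "encr", "authentication": "auth"}  # PIX/IOS spellings -> one key name
_CORE = ("encr", "hash", "auth", "group")                  # what both Phase 1 policies must share
_DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsa-sig", "group": "1"}  # IOS defaults if omitted

def _net(spec):
    """'a.b.c.d 0.0.0.255' (IOS wildcard) or 'a.b.c.d 255.255.255.0' (PIX mask) -> IPv4Network."""
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_endpoint(name, public_ip, config):
    """Extract the tunnel-relevant parameters from an IOS router or PIX config text."""
    ep = {"name": name, "ip": public_ip, "policies": {}, "keys": set(), "tsets": {},
          "acls": {}, "peer": "", "tset": "", "acl": ""}
    policy, in_map = None, False   # open IOS "crypto isakmp policy" / "crypto map" block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        indented = raw.startswith(" ")
        if not indented:               # a new top-level command closes any open block
            policy, in_map = None, line.startswith("crypto map ")
        if m := re.match(r"(?:crypto )?isakmp policy (\d+)(?: (\S+) (\S+))?$", line):
            pol = ep["policies"].setdefault(m[1], dict(_DEFAULTS))
            if m[2]:                   # PIX: one attribute per line
                pol[_ATTR.get(m[2], m[2])] = m[3]
            else:                      # IOS: attributes follow, indented
                policy = pol
        elif policy is not None and indented:
            key, val = line.split(None, 1)
            policy[_ATTR.get(key, key)] = val
        elif m := re.match(r"(?:crypto )?isakmp key \S+ address (\S+)", line):
            ep["keys"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line):
            ep["tsets"][m[1]] = (m[2], m[3])
        elif m := re.match(r"access-list (\S+) permit ip (\S+ \S+) (\S+ \S+)$", line):
            ep["acls"][m[1]] = (m[2], m[3])
        elif m := re.match(r"(crypto map \S+ \d+ )?(set peer|set transform-set|match address) (\S+)", line):
            if m[1] or (in_map and indented):   # PIX one-line form, or IOS line inside the map
                ep[{"set peer": "peer", "set transform-set": "tset", "match address": "acl"}[m[2]]] = m[3]
    return ep

def check_pair(a, b):
    """List the mismatches between two endpoints; an empty list means they agree."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if x["peer"] != y["ip"]:
            problems.append(f'{x["name"]}: peer {x["peer"]!r} is not {y["ip"]}')
        if y["ip"] not in x["keys"]:
            problems.append(f'{x["name"]}: no pre-shared key bound to {y["ip"]}')
        if x["tset"] not in x["tsets"] or x["acl"] not in x["acls"]:
            problems.append(f'{x["name"]}: crypto map names an undefined transform-set or ACL')
    ta, tb = a["tsets"].get(a["tset"]), b["tsets"].get(b["tset"])
    if ta and tb and ta != tb:
        problems.append(f'transform-set mismatch: {a["name"]} {ta} vs {b["name"]} {tb}')
    aa, ab = a["acls"].get(a["acl"]), b["acls"].get(b["acl"])
    if aa and ab and (_net(aa[0]), _net(aa[1])) != (_net(ab[1]), _net(ab[0])):
        problems.append("crypto ACLs are not mirror images of each other")
    if not any({k: pa[k] for k in _CORE} == {k: pb[k] for k in _CORE}
               for pa in a["policies"].values() for pb in b["policies"].values()):
        problems.append("no ISAKMP policy in common (encr/hash/authentication/group)")
    return problems

# Constructed samples: the crypto-related lines of the page's Site 1 router and Scenario B PIX
SITE1_IOS = """\
crypto isakmp policy 9
 hash md5
 authentication pre-share
crypto isakmp key VPNsecretPASSWORD address 6.25.232.1
crypto ipsec transform-set s1s2trans esp-des esp-md5-hmac
crypto map to-site2 10 ipsec-isakmp
 set peer 6.25.232.1
 set transform-set s1s2trans
 match address 101
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
SITE2_PIX = """\
access-list ipsec permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set s2s1trans esp-des esp-md5-hmac
crypto map s2s1ipsec 10 match address ipsec
crypto map s2s1ipsec 10 set peer 97.158.253.25
crypto map s2s1ipsec 10 set transform-set s2s1trans
isakmp key VPNsecretPASSWORD address 97.158.253.25 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
"""

def demo():
    site1 = parse_endpoint("site1", "97.158.253.25", SITE1_IOS)
    site2 = parse_endpoint("site2", "6.25.232.1", SITE2_PIX)
    # Site 2 moved to the 3DES transform set the page suggests, but Site 1 did not follow
    site2_3des = parse_endpoint("site2", "6.25.232.1", SITE2_PIX.replace("esp-des", "esp-3des"))
    return {"matched": check_pair(site1, site2), "3des_only_on_site2": check_pair(site1, site2_3des)}

if __name__ == "__main__":
    print(demo())
```

Run it over two saved configurations before bringing a tunnel up, or when "show crypto isakmp sa" never reaches QM_IDLE. The 3DES case in demo() produces exactly one report, the transform-set mismatch that the Troubleshooting section names as the failure seen most often; a wrong peer address produces two, because both the crypto map peer and the pre-shared key binding then point at the wrong device.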
Displaying the IPSec Tunnel Status

The "show crypto ipsec sa" command works on both routers and PIX firewalls and is used to determine whether the second phase of the VPN tunnel establishment (IPSec) was successful. In the example below Sites 1 and 2 have a working tunnel, and the status output shows the Internet IP addresses of the VPN devices at both ends of the tunnel.

soho1# sh crypto ipsec sa
interface: BVI1
Crypto map tag: to-site2, local addr. 6.25.232.1
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 97.158.253.25:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 871118, #pkts encrypt: 871118, #pkts digest 871118
#pkts decaps: 917581, #pkts decrypt: 917581, #pkts verify 917581
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 99, #recv errors 0
local crypto endpt.: 6.25.232.1, remote crypto endpt.: 97.158.253.25
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 95992f5
inbound esp sas:
spi: 0xe43e931d(3829306141)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 6, crypto map: to-site2
sa timing: remaining key lifetime (k/sec): (4601836/22657)
IV size: 8 bytes
replay detection support: Y
...
...
outbound esp sas:
spi: 0x95992f5(156865269)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5, crypto map: to-site2
sa timing: remaining key lifetime (k/sec): (4605007/22656)
IV size: 8 bytes
replay detection support: Y
...
...
soho1#
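Both status outputs above are regular enough to be read by a script, which turns them into a tunnel health check rather than something to eyeball. The Python below is an added example, not from the page and not a Cisco tool: it parses the "show crypto isakmp sa" table and the "show crypto ipsec sa" counters and SA lifetimes, treats QM_IDLE as the only state in which Phase 1 is complete (an MM_* or AG_* state means main or aggressive mode is still negotiating), and classifies the tunnel as up, stuck in Phase 1, missing its Phase 2 SAs, one-way (packets encapsulated but none decapsulated, which typically means the far side is not sending its return traffic into the tunnel), or close to rekeying. The sample texts are constructed from the page's output for the working Site 1 tunnel, trimmed to the lines the parser reads; the state names are Cisco's, while the classification labels and the 300-second rekey warning threshold are this example's assumptions. Note that the page's working tunnel shows 99 send errors, so send errors alone are not treated as a failure.

```python
import re

# Constructed sample: the two status outputs the page shows for the working Site 1 tunnel,
# trimmed to the lines this parser reads
ISAKMP_SA = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   6.25.232.1     97.158.253.25    QM_IDLE         0           0
"""
IPSEC_SA = """\
interface: BVI1
    Crypto map tag: to-site2, local addr. 6.25.232.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 97.158.253.25:500
    #pkts encaps: 871118, #pkts encrypt: 871118, #pkts digest 871118
    #pkts decaps: 917581, #pkts decrypt: 917581, #pkts verify 917581
    #send errors 99, #recv errors 0
     inbound esp sas:
      spi: 0xe43e931d(3829306141)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4601836/22657)
     outbound esp sas:
      spi: 0x95992f5(156865269)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4605007/22656)
"""

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_isakmp_sa(text):
    """Return one (dst, src, state) tuple per SA row of 'show crypto isakmp sa'."""
    return [m.groups() for line in text.splitlines()
            if (m := re.match(rf"\s*{_IP}\s+{_IP}\s+(\S+)", line))]

def phase1_up(text, peer):
    """Phase 1 is complete only when the SA involving this peer has reached QM_IDLE."""
    return any(state == "QM_IDLE" and peer in (dst, src) for dst, src, state in parse_isakmp_sa(text))

def parse_ipsec_sa(text):
    """Collect the Phase 2 packet counters and per-SA details from 'show crypto ipsec sa'."""
    info = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
            "inbound": [], "outbound": []}
    side = None   # which SA list ("inbound"/"outbound") the following lines describe
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            info[m[1]] = int(m[2])
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            info["send_errors"], info["recv_errors"] = int(m[1]), int(m[2])
        elif m := re.match(r"(inbound|outbound) esp sas:", s):
            side = m[1]
        elif side and (m := re.match(r"spi: (0x[0-9a-f]+)", s)):
            info[side].append({"spi": m[1]})
        elif side and info[side] and (m := re.match(r"transform: (.+)", s)):
            info[side][-1]["transform"] = m[1].rstrip(" ,")
        elif side and info[side] and (m := re.search(r"\((\d+)/(\d+)\)$", s)):
            info[side][-1]["remaining_kb"], info[side][-1]["remaining_sec"] = int(m[1]), int(m[2])
    return info

def diagnose(isakmp_text, ipsec_text, peer, rekey_warn_sec=300):
    """Classify the tunnel to `peer` from the two outputs (labels and threshold are this example's)."""
    if not phase1_up(isakmp_text, peer):
        return "phase1-failed"      # no QM_IDLE SA: compare isakmp policies and the pre-shared key
    sa = parse_ipsec_sa(ipsec_text)
    if not sa["inbound"] or not sa["outbound"]:
        return "phase2-failed"      # no ESP SAs: compare transform sets and crypto ACLs
    if sa["encaps"] and not sa["decaps"]:
        return "one-way"            # we encrypt but never decrypt: far side not sending into the tunnel
    if min(x["remaining_sec"] for x in sa["inbound"] + sa["outbound"]) < rekey_warn_sec:
        return "up-rekey-soon"
    return "up"                     # send errors (99 in the page's sample) do not by themselves mean failure

if __name__ == "__main__":
    print(diagnose(ISAKMP_SA, IPSEC_SA, "6.25.232.1"), parse_ipsec_sa(IPSEC_SA))
```

Feed it the two outputs captured from the router (for example over SSH from a monitoring host on the inside network) and alert on anything other than "up"; the label tells you which section of the configuration to compare against the far end first.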
Debugging

Cisco has a very useful set of debug commands which you can use to follow the sequence of events that occur during the establishment of the VPN tunnel. Unfortunately the use of the debug command is beyond the scope of this book.