Some internet providers in Germany do not offer a static WAN IP address. In that case the easiest way to connect a branch office router to the central network via IPsec VPN is a Cisco EasyVPN connection in network-extension mode. In this example we have two networks:
The IP subnet of our main office is 192.168.1.0 /24 and our branch office has the subnet 192.168.2.0 /24 (yes, I want to keep it simple ^^). The first usable IP address of each subnet is assigned to the Cisco router. The configuration of the main office router is as simple as providing Cisco VPN client access to road warriors:
RouterA
Basic configuration for authentication
aaa new-model
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization network groupauth local
!
username RouterB_xauthuser password G3ntl3m@n
This will be our IPsec configuration
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DynamicPeers 10
set transform-set ESP-AES-SHA
!
!
crypto map CompanyVPN client authentication list userauth
crypto map CompanyVPN isakmp authorization list groupauth
crypto map CompanyVPN client configuration address respond
crypto map CompanyVPN 200 ipsec-isakmp dynamic DynamicPeers
Now we have to bind the crypto map to our outside interface. In this example we are also using XAuth user authentication within the VPN tunnel. We are using dialer interfaces on both sides, but you can also configure the crypto map on any other outside interface:
interface Dialer1
crypto map CompanyVPN
At this point you will see the crypto service come up, and the router is now reachable for VPN from the internet. If you have configured an access list on the outside interface, don’t forget to allow the IPsec protocols and ports:
ip access-list extended wan_in
permit ahp any any
permit esp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
!
interface Dialer1
ip access-group wan_in in
Now we will configure an EasyVPN group for our branch office
crypto isakmp client configuration group OfficeB
key myS3cr3t
acl vpn_traffic
save-password
!
ip access-list extended vpn_traffic
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
The configuration at the main office is done. Now let’s go to the branch office router.
RouterB
Basic IPsec VPN configuration
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
Then we configure the “ezvpn” client with the group parameters we chose above (group name, key and the XAuth user):
crypto ipsec client ezvpn VPNtoMAINOFFICE
connect auto
group OfficeB key myS3cr3t
mode network-extension
peer 80.60.50.40
acl vpn_traffic
username RouterB_xauthuser password G3ntl3m@n
xauth userid mode local
!
ip access-list extended vpn_traffic
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
The last thing we need to do is bind this ezvpn group to our inside and outside interfaces:
interface Vlan1
crypto ipsec client ezvpn VPNtoMAINOFFICE inside
!
interface Dialer1
crypto ipsec client ezvpn VPNtoMAINOFFICE
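Both sides now have to agree on the group name and key, the XAuth credentials and the ISAKMP policy, and the two crypto ACLs must be exact mirror images of each other (otherwise the tunnel negotiates but the proxy identities do not match). The script below is an added example written for this post, not something the original configuration or Cisco ships: it parses the two configurations above, cross-checks them, and also flags two settings in the example that are below today's hardening guidance (ISAKMP DH group 2, and the server's XAuth user stored with `password` instead of `secret`). The config excerpts are copied from this post; the helper function names are my own.

```python
import ipaddress
import re

# Excerpts of the two configurations from this post (RouterA = main office, RouterB = branch).
ROUTER_A = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
username RouterB_xauthuser password G3ntl3m@n
crypto isakmp client configuration group OfficeB
 key myS3cr3t
 acl vpn_traffic
 save-password
ip access-list extended vpn_traffic
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

ROUTER_B = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto ipsec client ezvpn VPNtoMAINOFFICE
 connect auto
 group OfficeB key myS3cr3t
 mode network-extension
 peer 80.60.50.40
 acl vpn_traffic
 username RouterB_xauthuser password G3ntl3m@n
 xauth userid mode local
ip access-list extended vpn_traffic
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

ACL_RE = re.compile(r"^\s*permit ip (\S+) (\S+) (\S+) (\S+)\s*$")


def parse_acl(config, name):
    """Return the set of (src, dst) IPv4Network pairs permitted by extended ACL `name`."""
    pairs, in_acl = set(), False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == name
            continue
        if in_acl and line and not line[0].isspace():
            in_acl = False  # any other top-level command ends the ACL block
        m = ACL_RE.match(line) if in_acl else None
        if m:
            # ipaddress accepts a Cisco wildcard (host) mask directly: 0.0.0.255 -> /24
            pairs.add((ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"),
                       ipaddress.IPv4Network(f"{m.group(3)}/{m.group(4)}")))
    return pairs


def server_group(config):
    """(group, key) from the server's 'crypto isakmp client configuration group' block."""
    group = key = None
    for line in config.splitlines():
        if line.startswith("crypto isakmp client configuration group "):
            group = line.split()[-1]
        elif group and line.strip().startswith("key "):
            key = line.split()[1]
            break
    return group, key


def client_group(config):
    """(group, key) from the client's 'group NAME key KEY' line."""
    m = re.search(r"^\s*group (\S+) key (\S+)", config, re.M)
    return (m.group(1), m.group(2)) if m else (None, None)


def xauth_user(config):
    m = re.search(r"^\s*username (\S+) password (\S+)", config, re.M)
    return (m.group(1), m.group(2)) if m else (None, None)


def isakmp_dh_group(config):
    m = re.search(r"^\s*group (\d+)\s*$", config, re.M)
    return int(m.group(1)) if m else None


def cross_check(server_cfg, client_cfg, acl="vpn_traffic"):
    """List of mismatches between EasyVPN server and client configs (empty = consistent)."""
    findings = []
    if server_group(server_cfg) != client_group(client_cfg):
        findings.append("group name/key differ between server and client")
    if xauth_user(server_cfg) != xauth_user(client_cfg):
        findings.append("XAuth username/password differ")
    if isakmp_dh_group(server_cfg) != isakmp_dh_group(client_cfg):
        findings.append("ISAKMP policy DH group differs")
    mirrored = {(dst, src) for src, dst in parse_acl(client_cfg, acl)}
    if parse_acl(server_cfg, acl) != mirrored:
        findings.append("crypto ACLs are not mirror images")
    return findings


def weak_settings(config):
    """Advisory notes on settings below current hardening guidance."""
    notes = []
    dh = isakmp_dh_group(config)
    if dh is not None and dh < 14:
        notes.append(f"ISAKMP DH group {dh} is deprecated (at most 1536-bit MODP); use group 14 or higher")
    # Top-level 'username ... password' is the server's local user database used for XAuth.
    if re.search(r"^username \S+ password ", config, re.M):
        notes.append("'username ... password' stores the credential reversibly; use 'username ... secret'")
    return notes


if __name__ == "__main__":
    print("mismatches:", cross_check(ROUTER_A, ROUTER_B))
    print("advisories RouterA:", weak_settings(ROUTER_A))
```

Run it against the two excerpts and it reports no mismatches; change the key or one ACL on either side and the corresponding finding appears, which is exactly the failure you would otherwise only discover from an ISAKMP debug.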
After this you will see the ISAKMP service start and the VPN tunnel come up:
Apr 20 07:44:20.755: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Apr 20 07:44:23.283: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= RouterB_xauthuser Group=OfficeB Client_public_addr=40.50.60.70 Server_public_addr=80.60.50.40 NEM_Remote_Subnets=192.168.2.0/255.255.255.0 end
You can test the connection by sending a ping to the remote router:
ping 192.168.1.1 source 192.168.2.1
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/89/92 ms
You can also check the IPsec parameters:
RouterA#show crypto ipsec sa
interface: Dialer1
Crypto map tag: CompanyMap, local addr 80.60.50.40
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer 40.50.60.70 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 80.60.50.40, remote crypto endpt.: 40.50.60.70
path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
current outbound spi: 0x6BBD6C57(1807576151)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xC9F0F07D(3388010621)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: Onboard VPN:9, sibling_flags 80000046, crypto map: CompanyMap
sa timing: remaining key lifetime (k/sec): (4582408/3555)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6BBD6C57(1807576151)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: Onboard VPN:10, sibling_flags 80000046, crypto map: CompanyMap
sa timing: remaining key lifetime (k/sec): (4582408/3555)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
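On a router that has to stay up without anyone watching the console, the same checks are worth automating: the EZVPN_CONNECTION_UP syslog message tells you which user, group and remote subnet came up, and the `show crypto ipsec sa` output tells you whether an ESP SA is active in both directions, whether the proxy identities match the subnets you expect, and whether PFS and replay detection are on. The script below is an added example written for this post (not Cisco code and not part of the original configuration); the log line and the show output are copied from the post above with the compression and error counters trimmed, and the function names are my own.

```python
import ipaddress
import re

# Constructed samples, copied from the output shown in this post (whitespace normalised,
# compression/error counter lines trimmed).
EZVPN_LOG = ("Apr 20 07:44:23.283: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= RouterB_xauthuser "
             "Group=OfficeB Client_public_addr=40.50.60.70 Server_public_addr=80.60.50.40 "
             "NEM_Remote_Subnets=192.168.2.0/255.255.255.0 end")

SHOW_SA = """\
interface: Dialer1
    Crypto map tag: CompanyMap, local addr 80.60.50.40
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 40.50.60.70 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x6BBD6C57(1807576151)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xC9F0F07D(3388010621)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4582408/3555)
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x6BBD6C57(1807576151)
        transform: esp-aes esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4582408/3555)
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:
"""


def parse_ezvpn_up(line):
    """Key=value fields of a %CRYPTO-6-EZVPN_CONNECTION_UP message, or None for any other line."""
    m = re.search(r"%CRYPTO-6-EZVPN_CONNECTION_UP: (.*)$", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=\s*(\S+)", m.group(1)))  # tolerates "User= name"
    if "NEM_Remote_Subnets" in fields:  # 192.168.2.0/255.255.255.0 -> 192.168.2.0/24
        fields["NEM_Remote_Subnets"] = str(ipaddress.IPv4Network(fields["NEM_Remote_Subnets"]))
    return fields


def parse_ipsec_sa(output):
    """Parse identities, peer, counters and per-direction SAs from 'show crypto ipsec sa'."""
    sa, section, current = {"sas": []}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"(local|remote)\s+ident .*\): \((\S+?)/(\S+?)/", line):
            sa[f"{m.group(1)}_ident"] = str(ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}"))
        elif m := re.match(r"current_peer (\S+) port (\d+)", line):
            sa["peer"], sa["peer_port"] = m.group(1), int(m.group(2))
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", line):
            sa[f"pkts_{m.group(1)}"] = int(m.group(2))
        elif m := re.match(r"PFS \(Y/N\): (\w)", line):
            sa["pfs"] = m.group(1)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section, current = (m.group(1), m.group(2)), None  # new SA list starts
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            current = {"direction": section[0], "proto": section[1], "spi": m.group(1)}
            sa["sas"].append(current)
        elif current is not None:
            if m := re.match(r"transform: (.+?)\s*,?\s*$", line):
                current["transform"] = m.group(1)
            elif m := re.match(r"sa timing: remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line):
                current["kb_left"], current["sec_left"] = int(m.group(1)), int(m.group(2))
            elif m := re.match(r"replay detection support: (\w)", line):
                current["replay"] = m.group(1)
            elif m := re.match(r"Status: (\w+)", line):
                current["status"] = m.group(1)
    return sa


def check_tunnel(sa, local, remote):
    """(errors, warnings) for a parsed SA against the expected local/remote subnets."""
    errors, warnings = [], []
    if sa.get("local_ident") != local or sa.get("remote_ident") != remote:
        errors.append("proxy identities do not match the expected subnets")
    for direction in ("inbound", "outbound"):
        if not any(s["direction"] == direction and s["proto"] == "esp" and s.get("status") == "ACTIVE"
                   for s in sa["sas"]):
            errors.append(f"no active {direction} ESP SA")
    if sa.get("pfs") != "Y":
        warnings.append("PFS disabled: IPsec SA keys derive from the IKE SA without a fresh DH exchange")
    if sa.get("pkts_encaps", 0) == 0 and sa.get("pkts_decaps", 0) == 0:
        warnings.append("SA is up but no packets have passed through it yet")
    for s in sa["sas"]:
        if s.get("replay") != "Y":
            warnings.append(f"replay detection disabled on SA {s['spi']}")
    return errors, warnings


if __name__ == "__main__":
    print(parse_ezvpn_up(EZVPN_LOG))
    print(check_tunnel(parse_ipsec_sa(SHOW_SA), "192.168.1.0/24", "192.168.2.0/24"))
```

For the output in this post the checker returns no errors and two warnings: PFS is off (the post's configuration never sets `set pfs` on the crypto map) and the counters are still at zero because the ping had not been sent yet. Feed it the output of a broken tunnel, for example one where only the inbound SA exists, and the missing direction is reported as an error.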
So we have built a site-to-site VPN tunnel between two routers, where one of them can only initiate the connection to the other because it only has ISP access with a dynamic WAN IP address. You can also run EIGRP inside a GRE tunnel over this VPN; I will show that in another post.
I hope I could help some people with this configuration example!
Have a great weekend!