IPSec VPN (Adtran -> Cisco)
Hello all,
First off, I haven't really ever messed with IPSec before today. Just what I've seen in my books.
I have been messing around in my lab with VPNs on Adtran devices, but I am wanting to do the same with Cisco. I have worked with Adtran for some time now, and after looking through the command reference I was able to get two tunnels up and going. I am now wanting to swap out my "hub" Adtran router with a Cisco 2821 utilizing Fa0/1 as the WAN port, but I am having a hard time finding documentation.
Like I said before, I am new to IPSec and the terminology/configuration is still kind of confusing for me. Below is the config of the 1335 I am attempting to convert to 2821.
If anyone could point me to a good source of documentation, "other than stating cisco.com", or break down my config in Cisco's syntax, it would be greatly appreciated.
!
! ADTRAN, Inc. OS version 18.02.01.00.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335 PoE, part number 1700525E2
!
!
hostname "Router1"
!
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip routing
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 44.44.44.20
  peer 44.44.44.35
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike policy 101
  initiate main
  respond anymode
  local-id address 44.44.44.20
  peer 44.44.44.30
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address 44.44.44.30 preshared-key RTR3KEY ike-policy 101 crypto map VPN 20 no-mode-config no-xauth
crypto ike remote-id address 44.44.44.35 preshared-key RTR2KEY ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set MAIN_TRANS_SET esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description TO_ROUTER2
  match address VPN_TO_RTR2
  set peer 44.44.44.35
  set transform-set MAIN_TRANS_SET
  ike-policy 100
crypto map VPN 20 ipsec-ike
  description TO_ROUTER3
  match address VPN_TO_RTR3
  set peer 44.44.44.30
  set transform-set MAIN_TRANS_SET
  ike-policy 101
!
vlan 1
  name "Default"
!
vlan 5
  name "VLAN0005"
!
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
interface switchport 0/5
  no shutdown
!
interface switchport 0/6
  no shutdown
!
interface switchport 0/7
  no shutdown
!
interface switchport 0/8
  no shutdown
!
interface switchport 0/9
  no shutdown
!
interface switchport 0/10
  no shutdown
!
interface switchport 0/11
  no shutdown
!
interface switchport 0/12
  no shutdown
!
interface switchport 0/13
  no shutdown
!
interface switchport 0/14
  no shutdown
!
interface switchport 0/15
  no shutdown
!
interface switchport 0/16
  no shutdown
!
interface switchport 0/17
  no shutdown
!
interface switchport 0/18
  no shutdown
!
interface switchport 0/19
  no shutdown
!
interface switchport 0/20
  no shutdown
!
interface switchport 0/21
  no shutdown
!
interface switchport 0/22
  no shutdown
!
interface switchport 0/23
  no shutdown
!
interface switchport 0/24
  no shutdown
!
!
interface gigabit-switchport 0/1
  no shutdown
  switchport access vlan 5
!
interface gigabit-switchport 0/2
  no shutdown
!
interface vlan 1
  ip address 192.168.1.1 255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 5
  ip address 44.44.44.20 255.255.255.0
  crypto map VPN
  ip route-cache express
  no shutdown
!
ip access-list extended VPN_TO_RTR2
  permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
  permit ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
!
ip access-list extended VPN_TO_RTR3
  permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
  permit ip 172.16.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
ip route 10.0.0.0 255.255.255.0 44.44.44.30
ip route 172.16.1.0 255.255.255.0 44.44.44.35
!
no tftp server
no tftp server overwrite
ip http server
no ip http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
end
Comments
Bl8ckr0uter: It is actually very similar to Cisco config. Maybe looking at this will do you some good:
IPsec quick and dirty - Packet Life
Monkerz: Thanks man.
Evidently there are a bunch of ways to set up an IPSec VPN; my only challenge is to find the way that allows the Adtran to negotiate with the Cisco. I suppose this will be a lot of trial and error. I was able to get a VPN working today between the Cisco and Adtran. I saved the config and started poking at it to break it and fix it, but once I broke it I couldn't get it to re-establish. Even a reload wouldn't bring it back up.
I am going to try this config when I get back from holiday. Don't think it is going to work because the Cisco is setting the tunnel as IPSec and the Adtran is using a crypto map, but will give it a try anyway.
----------------------ADTRAN-----------------------
ip crypto
!
crypto ike policy 100
  no local-id
  peer 22.22.22.22
  initiate main
  respond main
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    group 1
    lifetime 86400
!
crypto ike remote-id address 22.22.22.22 preshared-key *******
!
crypto ipsec transform-set MAIN_TRANS_SET esp-3des esp-md5-hmac
  mode tunnel
!
ip access-list extended PERMITTED_OVER_VPN
  permit ip 192.168.1.0 0.0.0.255 any
  deny ip any any
!
crypto map VPN 1 ipsec-ike
  match address PERMITTED_OVER_VPN
  set peer 22.22.22.22
  set transform-set MAIN_TRANS_SET
  no set pfs
!
interface tunnel 1
  ip add 10.0.0.2 255.255.255.252
  tunnel source 11.11.11.11
  tunnel destination 22.22.22.22
  crypto map VPN
----------------------CISCO-------------------------
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 lifetime 86400
crypto isakmp key ******* address 11.11.11.11
!
crypto ipsec transform-set MYTRANSSET esp-3des esp-md5-hmac
!
crypto ipsec profile MY_IPSEC_PROFILE
 set transform-set MYTRANSSET
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 tunnel source 22.22.22.22
 tunnel destination 11.11.11.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MY_IPSEC_PROFILE
!
Bl8ckr0uter: Well I guess the first thing is, are you trying to make a GRE tunnel or just an IPsec tunnel? This makes a significant difference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml
From first glance your configs look ok.
SteveO86: Config looks ok for a GRE/IPSec tunnel. (Which in my opinion is almost always better than the policy-based IPSec tunnels.)
One thing I would keep in the back of your mind is the IPSec security-association timers; each vendor tends to have their own default lifetimes and they don't always match.
It will make for fun debug output too when they don't match.
Monkerz: Well, I suppose I am trying to find the least invasive way to implement a secure tunnel off a production router. The current situation I am facing is a router that hosts two GRE tunnels to remote branches, one a satellite office at an airport and the second in Puerto Rico. They are GRE because we mainly deal with MPLS or P2P and my predecessor didn't feel like securing the tunnels (too lazy or what have you).
So we have another site that will soon be turning up on DSL, yes DSL, because the OM believes he is "tech savvy", and they purchased an Adtran 1335 for this site. Instead of running this tunnel through our Check Point, I asked if I could set it up on the router that is already hosting 2 "Site-to-Sites" to kind of show my manager that the router will support IPSec, thus allowing me to secure the other two tunnels on the router.
The problem with this is, I have never set up a VPN between unlike devices. So I am labbing as much as I can to get it to work prior to the turn-up of this new site in Dec.
Bl8ckr0uter: I set up unlike-vendor VPNs all the time. The major thing is to make sure you choose settings both vendors support and you will be fine.
Monkerz: Ok, I managed to get this working between the Adtran and the Cisco routers, but I have one problem...
The Cisco router we would say is in the DC and the Adtran router would be considered the remote branch. If I warm boot the Adtran, the tunnel recovers after the boot and traffic traverses the VPN. If I pull the power from the router and wait a few minutes then plug it back in, the tunnel does not recover. The ISAKMP SA times out and "debug crypto isakmp", "debug crypto ipsec" or "debug crypto engine" output nothing. The only way I can recover the tunnel is by restarting the Cisco router.
Any ideas?
Bl8ckr0uter: Odd. So it doesn't even try when you ping from the router side? Does it come up normally from the router side?
Monkerz: Just did a little more troubleshooting. Pinging from the Cisco's LAN side will not bring the tunnel up (which is how I was testing to begin with), but pinging from the Adtran's LAN will. After the tunnel is up, traffic will pass both ways.
Is there a command that I'm missing to allow a Cisco device to initiate the association?
Monkerz: Ok, so I tinkered with this again this morning. It appears that the ISAKMP SA is still on the Cisco router when the Adtran is power-failed. Traffic from the Adtran's LAN creates the SA on the Adtran, which brings up the tunnel. If I clear the SA on the Cisco, traffic from the Cisco's LAN will bring up the tunnel.
I guess I need to read up on SA timeout.
dtlokee: Look into using dead peer detection (DPD); it might help it recover more quickly.
Monkerz: Oh you genius! Thanks for everyone's help. I've posted the configs below if anyone is interested...
Cisco 2821
version 12.4
!
hostname TESTLAB_2821
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key UtTeRmYnAmE address 22.22.22.22
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 22.22.22.22
 set security-association lifetime seconds 28800
 set security-association idle-time 600
 set transform-set MANUAL_TRANS_SET
 match address 101
!
interface GigabitEthernet0/1
 ip address 11.11.11.11 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 11.11.11.10
!
!
access-list 101 permit ip any 10.40.45.0 0.0.0.255
!
end
Adtran 1335
!
! ADTRAN, Inc. OS version 18.02.01.00.E
hostname "TESTLAB_Adtran"
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 22.22.22.22
  peer 11.11.11.11
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    lifetime 86400
!
crypto ike remote-id address 11.11.11.11 preshared-key UtTeRmYnAmE ike-policy 100 crypto map IPSec_VPN 10 nat-t v1 disable nat-t v2 disable
!
crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
  mode tunnel
!
crypto map IPSec_VPN 10 ipsec-ike
  description TO_DC_VPN_EDGE
  match address PERMITTED_OVER_VPN
  set peer 11.11.11.11
  set transform-set MANUAL_TRANS_SET
  ike-policy 100
!
vlan 1
  name "Default"
!
vlan 50
  name "VLAN0050"
!
~removed unused interfaces~
!
interface gigabit-switchport 0/1
  description INTERNET_FACING_PORT
  no shutdown
  switchport access vlan 50
!
interface vlan 1
  ip address 10.40.45.1 255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 50
  ip address 22.22.22.22 255.255.255.248
  crypto map IPSec_VPN
  ip route-cache express
  no shutdown
!
ip access-list extended PERMITTED_OVER_VPN
  permit ip 10.40.45.0 0.0.0.255 any
!
ip route 0.0.0.0 0.0.0.0 22.22.22.20
!
end
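Two points raised earlier in the thread, SteveO86's warning that each vendor's default SA lifetimes differ and Bl8ckr0uter's advice to pick settings both vendors support, can be checked mechanically against the two configs above. This is an added example, not code from the thread or from either vendor: a Python script that pulls the IKE phase 1 and IPsec phase 2 parameters out of constructed excerpts of the final Cisco and Adtran configs and flags every value that only one side sets explicitly, i.e. where the other side is silently relying on its vendor default. The regexes are my own, and the Adtran patterns only cover keywords that appear in this thread.

```python
import re

# Constructed excerpts of the two working configs posted above; values are the thread's.
CISCO_CFG = """
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
 set security-association lifetime seconds 28800
"""
ADTRAN_CFG = """
crypto ike policy 100
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    lifetime 86400
crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
"""

# (label, Cisco pattern, Adtran pattern); group 1 is the value. Adtran patterns are an
# assumption based only on keywords seen in the thread.
PARAMS = [
    ("IKE encryption", r"^\s*encr\s+(\S+)", r"^\s*encryption\s+(\S+)"),
    ("IKE hash", r"^\s*hash\s+(\S+)", r"^\s*hash\s+(\S+)"),
    ("IKE authentication", r"^\s*authentication\s+(\S+)", r"^\s*authentication\s+(\S+)"),
    ("IKE lifetime (s)", r"^\s*lifetime\s+(\d+)", r"^\s*lifetime\s+(\d+)"),
    ("IPsec transforms", r"transform-set\s+\S+\s+(esp-.*)$", r"transform-set\s+\S+\s+(esp-.*)$"),
    ("IPsec SA lifetime (s)", r"security-association lifetime seconds\s+(\d+)",
     r"security-association lifetime seconds\s+(\d+)"),
]

def first(pattern, cfg):
    # Value from the first matching line, or None when this side never sets it.
    m = re.search(pattern, cfg, re.MULTILINE)
    return m.group(1).strip() if m else None

def compare(cisco, adtran):
    """Return (label, cisco_value, adtran_value, status) for every parameter."""
    rows = []
    for label, cpat, apat in PARAMS:
        c, a = first(cpat, cisco), first(apat, adtran)
        if c is None or a is None:
            status = "DEFAULT"   # one side relies on its vendor default: verify it
        elif c == a:
            status = "match"
        else:
            status = "MISMATCH"  # phase 1 or phase 2 will not negotiate
        rows.append((label, c, a, status))
    return rows
```

Run against the excerpts it reports the two places where the thread's configs lean on a default: the Cisco ISAKMP policy sets no lifetime while the Adtran sets 86400, and the Cisco crypto map sets a 28800 s IPsec SA lifetime while the Adtran sets none.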