IPSec VPN (Adtran -> Cisco)

Monkerz Member Posts: 842
Hello all,

First off, I haven't really ever messed with IPSec before today. Just what I've seen in my books.

I have been messing around in my lab with VPNs on Adtran devices, but I am wanting to do the same with Cisco. I have worked with Adtran for some time now, and after looking through the command reference I was able to get two tunnels up and going. I am now wanting to swap out my "hub" Adtran router with a Cisco 2821 utilizing Fa0/1 as the WAN port, but I am having a hard time finding documentation.

Like I said before, I am new to IPSec and the terminology/configuration is still kind of confusing for me. Below is the config of the 1335 I am attempting to convert to 2821.

If anyone could point me to a good source of documentation, "other than stating cisco.com", or break down my config in Cisco's syntax, it would be greatly appreciated.
!! ADTRAN, Inc. OS version 18.02.01.00.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335 PoE, part number 1700525E2
!
!
hostname "Router1"
!
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip routing
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 44.44.44.20
  peer 44.44.44.35
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike policy 101
  initiate main
  respond anymode
  local-id address 44.44.44.20
  peer 44.44.44.30
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address 44.44.44.30 preshared-key RTR3KEY ike-policy 101 crypto map VPN 20 no-mode-config no-xauth
crypto ike remote-id address 44.44.44.35 preshared-key RTR2KEY ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set MAIN_TRANS_SET esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description TO_ROUTER2
  match address VPN_TO_RTR2
  set peer 44.44.44.35
  set transform-set MAIN_TRANS_SET
  ike-policy 100
crypto map VPN 20 ipsec-ike
  description TO_ROUTER3
  match address VPN_TO_RTR3
  set peer 44.44.44.30
  set transform-set MAIN_TRANS_SET
  ike-policy 101
!
vlan 1
  name "Default"
!
vlan 5
  name "VLAN0005"
!
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
interface switchport 0/5
  no shutdown
!
interface switchport 0/6
  no shutdown
!
interface switchport 0/7
  no shutdown
!
interface switchport 0/8
  no shutdown
!
interface switchport 0/9
  no shutdown
!
interface switchport 0/10
  no shutdown
!
interface switchport 0/11
  no shutdown
!
interface switchport 0/12
  no shutdown
!
interface switchport 0/13
  no shutdown
!
interface switchport 0/14
  no shutdown
!
interface switchport 0/15
  no shutdown
!
interface switchport 0/16
  no shutdown
!
interface switchport 0/17
  no shutdown
!
interface switchport 0/18
  no shutdown
!
interface switchport 0/19
  no shutdown
!
interface switchport 0/20
  no shutdown
!
interface switchport 0/21
  no shutdown
!
interface switchport 0/22
  no shutdown
!
interface switchport 0/23
  no shutdown
!
interface switchport 0/24
  no shutdown
!
!
interface gigabit-switchport 0/1
  no shutdown
  switchport access vlan 5
!
interface gigabit-switchport 0/2
  no shutdown
!
interface vlan 1
  ip address  192.168.1.1  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 5
  ip address  44.44.44.20  255.255.255.0
  crypto map VPN
  ip route-cache express
  no shutdown
!
ip access-list extended VPN_TO_RTR2
  permit ip 192.168.1.0 0.0.0.255  172.16.1.0 0.0.0.255
  permit ip 10.0.0.0 0.0.0.255  172.16.1.0 0.0.0.255
!
ip access-list extended VPN_TO_RTR3
  permit ip 192.168.1.0 0.0.0.255  10.0.0.0 0.0.0.255
  permit ip 172.16.1.0 0.0.0.255  10.0.0.0 0.0.0.255
!
ip route 10.0.0.0 255.255.255.0 44.44.44.30
ip route 172.16.1.0 255.255.255.0 44.44.44.35
!
no tftp server
no tftp server overwrite
ip http server
no ip http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
end

Comments

  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    It is actually very similar to cisco config. Maybe looking at this will do you some good:
    IPsec quick and dirty - Packet Life
  • Monkerz Member Posts: 842
    Thanks man.

    Evidently there are a bunch of ways to set up an IPSec VPN; my only challenge is to find the way that allows the Adtran to negotiate with the Cisco. I suppose this will be a lot of trial and error. I was able to get a VPN working today between the Cisco and Adtran. I saved the config and started poking at it to break it and fix it, but once I broke it I couldn't get it to re-establish. Even a reload wouldn't bring it back up.

    I am going to try this config when I get back from holiday. Don't think it is going to work because the Cisco is setting the tunnel as IPSec and the adtran is using a crypto map, but will give it a try anyway.
    ----------------------ADTRAN-----------------------
    ip crypto
    !
    crypto ike policy 100
      no local-id
      peer 22.22.22.22
      initiate main
      respond main
      attribute 1
        encryption 3des
        hash md5
        authentication pre-share
        group 1
        lifetime 86400
    !
    crypto ike remote-id address 22.22.22.22 preshared-key *******
    !
    crypto ipsec transform-set MAIN_TRANS_SET esp-3des esp-md5-hmac
      mode tunnel
    !
    ip access-list extended PERMITTED_OVER_VPN
      permit ip 192.168.1.0 0.0.0.255 any
      deny ip any any
    !
    crypto map VPN 1 ipsec-ike
      match address PERMITTED_OVER_VPN
      set peer 22.22.22.22
      set transform-set MAIN_TRANS_SET
      no set pfs
    !
    interface tunnel 1
      ip add 10.0.0.2 255.255.255.252
      tunnel source 11.11.11.11
      tunnel destination 22.22.22.22
      crypto map VPN
    
    
    ----------------------CISCO-------------------------
    !
    crypto isakmp policy 100
     encr 3des
     hash md5
     authentication pre-share
     lifetime 86400
    crypto isakmp key ******* address 11.11.11.11
    !
    crypto ipsec transform-set MYTRANSSET esp-3des esp-md5-hmac
    !
    crypto ipsec profile MY_IPSEC_PROFILE
     set transform-set MYTRANSSET
    !
    interface Tunnel1
     ip address 10.0.0.1 255.255.255.252
     tunnel source 22.22.22.22
     tunnel destination 11.11.11.11
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile MY_IPSEC_PROFILE
    !
    
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Well, I guess the first thing is: are you trying to make a GRE tunnel or just an IPsec tunnel? This makes a significant difference:

    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

    From first glance your configs look ok.
  • SteveO86 Member Posts: 1,423
    Config looks ok for a GRE/IPSec tunnel. (Which in my opinion is almost always better than the policy-based IPSec tunnels.)

    One thing I would keep in the back of your mind is the IPSec security-association timers; each vendor tends to have their own default lifetimes and they don't always match.

    It will make for fun debug output too when they don't match.
    My Networking blog
    Latest blog post: Let's review EIGRP Named Mode
    Currently Studying: CCNP: Wireless - IUWMS
  • Monkerz Member Posts: 842
    Well, I suppose I am trying to find the least invasive way to implement a secure tunnel off a production router. The current situation I am facing is a router that hosts two GRE tunnels to remote branches, one a satellite office at an airport and the second in Puerto Rico. They are GRE because we mainly deal with MPLS or P2P and my predecessor didn't feel like securing the tunnels (too lazy or what have you).

    So we have another site that will soon be turning up on DSL, yes DSL because the OM believes he is "tech savvy", and they purchased an Adtran 1335 for this site. Instead of running this tunnel through our checkpoint, I asked if I could set it up on the router that is already hosting 2 "Site-to-Sites" to kind of show my manager that the router will support IPSec thus allowing me to secure the other two tunnels on the router.

    The problem with this is, I have never set up a VPN between unlike devices. So I am labbing as much as I can to get it to work prior to the turn-up of this new site in Dec.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    I set up mixed-vendor VPNs all the time. The major thing is to make sure you choose settings both vendors support and you will be fine.
  • Monkerz Member Posts: 842
    Ok, I managed to get this working between the Adtran and the Cisco routers, but I have one problem...

    The Cisco router we would say is in the DC and the Adtran router would be considered the remote branch. If I warm boot the Adtran, the tunnel recovers after the boot and traffic traverses the VPN. If I pull the power from the router and wait a few minutes, then plug it back in, the tunnel does not recover. The ISAKMP SA times out and "debug crypto isakmp", "debug crypto ipsec" or "debug crypto engine" output nothing. The only way I can recover the tunnel is by restarting the Cisco router.

    Any ideas?
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    Odd. So it doesn't even try when you ping from the router side? Does it come up normally from the router side?
  • Monkerz Member Posts: 842
    Just did a little more troubleshooting. Pinging from the Cisco's LAN side will not bring the tunnel up (which is how I was testing to begin with), but pinging from the Adtran's LAN will. After the tunnel is up, traffic will pass both ways.

    Is there a command that I'm missing to allow a Cisco device to initiate the association?
  • Monkerz Member Posts: 842
    Ok, so I tinkered with this again this morning. It appears that the isakmp sa is still on the Cisco router when the Adtran is power-failed. Traffic from the Adtran's LAN creates the SA on the Adtran which brings up the tunnel. If I clear the SA on the Cisco, traffic from the Cisco's LAN will bring up the tunnel.

    I guess I need to read up on SA timeouts.
  • dtlokee Member Posts: 2,378
    Look into using dead peer detection (DPD) it might help it recover more quickly.
    The only easy day was yesterday!
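The stale-SA symptom reported above, and why DPD fixes it, as an added example that is not part of the thread. It is a deliberately simplified model: each peer keeps one boolean SA towards its neighbour, a peer that already holds an SA just encrypts into it, and only a peer with no SA starts a new negotiation. Pulling the spoke's power wipes its SA but not the hub's, so hub-side traffic goes into a tunnel the spoke no longer knows about. With periodic DPD on the hub (the behaviour `crypto isakmp keepalive 10 periodic` asks for) the hub probes, counts misses, deletes the dead SA and the next packet renegotiates. The class and function names, the probe interval and the three-miss threshold are assumptions made for the model, not values taken from either vendor.

```python
"""Why a hub holding a stale IKE SA never re-initiates, and what DPD changes.

Added example, not code from the thread. Simplified model: one boolean SA per
peer, no SPIs, no retransmit timers. The three-miss DPD threshold and the
'one tick = one keepalive interval' abstraction are assumptions.
"""


class Peer:
    def __init__(self, name, dpd=False, max_misses=3):
        self.name = name
        self.sa = False          # one IKE/IPsec SA towards the other peer
        self.dpd = dpd           # periodic DPD enabled on this side
        self.max_misses = max_misses
        self.misses = 0
        self.log = []

    def power_cycle(self):
        """Hard reboot: all SA state is lost and nothing is sent to the peer."""
        self.sa = False
        self.misses = 0
        self.log.append(f"{self.name}: power-cycled, SA table empty")

    def send(self, other):
        """Interesting traffic arrives on this peer's LAN side."""
        if not self.sa:                      # no SA -> negotiate a fresh one
            self.sa = other.sa = True
            self.misses = 0
            self.log.append(f"{self.name}: no SA, IKE negotiation -> tunnel up")
            return True
        if other.sa:                         # both sides agree -> traffic flows
            self.log.append(f"{self.name}: ESP forwarded over existing SA")
            return True
        # Stale SA: we encrypt, the peer has no matching state and drops it.
        self.log.append(f"{self.name}: ESP into stale SA, dropped by {other.name}")
        return False

    def dpd_tick(self, other):
        """One keepalive interval: R-U-THERE; a peer with no SA cannot answer."""
        if not (self.dpd and self.sa):
            return
        if other.sa:
            self.misses = 0
            return
        self.misses += 1
        if self.misses >= self.max_misses:
            self.sa = False
            self.log.append(f"{self.name}: DPD dead peer, SA deleted")


def scenario(hub_dpd):
    """Spoke power-cycles; hub traffic, then three DPD intervals, then traffic.
    Returns (delivered before DPD ran, delivered after DPD ran, hub log)."""
    hub, spoke = Peer("hub", dpd=hub_dpd), Peer("spoke")
    spoke.send(hub)              # tunnel comes up from the spoke side
    spoke.power_cycle()
    first = hub.send(spoke)      # the thread's symptom: hub traffic goes nowhere
    for _ in range(3):
        hub.dpd_tick(spoke)
    second = hub.send(spoke)
    return first, second, hub.log


if __name__ == "__main__":
    for dpd in (False, True):
        first, second, log = scenario(dpd)
        print(f"hub DPD={dpd}: first={first} second={second}")
        for line in log:
            print("  " + line)
```

Without DPD the hub never clears the stale SA on its own, which is exactly why clearing the SA by hand (or rebooting the Cisco) was the only recovery; traffic from the spoke side still works because the spoke has no SA and simply negotiates a new one.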
  • Monkerz Member Posts: 842
    Oh you genius! Thanks for everyone's help. I've posted the configs below if anyone is interested...

    Cisco 2821
    version 12.4
    !
    hostname TESTLAB_2821
    !
    crypto isakmp policy 100
     encr 3des
     hash md5
     authentication pre-share
    crypto isakmp key UtTeRmYnAmE address 22.22.22.22
    crypto isakmp keepalive 10 periodic
    !
    crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
    !
    crypto map VPN 10 ipsec-isakmp
     set peer 22.22.22.22
     set security-association lifetime seconds 28800
     set security-association idle-time 600
     set transform-set MANUAL_TRANS_SET
     match address 101
    !
    interface GigabitEthernet0/1
     ip address 11.11.11.11 255.255.255.0
     duplex auto
     speed auto
     crypto map VPN
    !
    ip route 0.0.0.0 0.0.0.0 11.11.11.10
    !
    !
    access-list 101 permit ip any 10.40.45.0 0.0.0.255
    !
    end
    

    Adtran 1335
    ! ADTRAN, Inc. OS version 18.02.01.00.E
    hostname "TESTLAB_Adtran"
    !
    ip crypto
    !
    crypto ike policy 100
      initiate main
      respond anymode
      local-id address 22.22.22.22
      peer 11.11.11.11
      attribute 1
        encryption 3des
        hash md5
        authentication pre-share
        lifetime 86400
    !
    crypto ike remote-id address 11.11.11.11 preshared-key UtTeRmYnAmE ike-policy 100 crypto map IPSec_VPN 10 nat-t v1 disable nat-t v2 disable
    !
    crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
      mode tunnel
    !
    crypto map IPSec_VPN 10 ipsec-ike
      description TO_DC_VPN_EDGE
      match address PERMITTED_OVER_VPN
      set peer 11.11.11.11
      set transform-set MANUAL_TRANS_SET
      ike-policy 100
    !
    vlan 1
      name "Default"
    !
    vlan 50
      name "VLAN0050"
    !
    ~removed unused interfaces~
    !
    interface gigabit-switchport 0/1
      description INTERNET_FACING_PORT
      no shutdown
      switchport access vlan 50
    !
    interface vlan 1
      ip address  10.40.45.1  255.255.255.0
      ip route-cache express
      no shutdown
    !
    interface vlan 50
      ip address  22.22.22.22  255.255.255.248
      crypto map IPSec_VPN
      ip route-cache express
      no shutdown
    !
    ip access-list extended PERMITTED_OVER_VPN
      permit ip 10.40.45.0 0.0.0.255  any
    !
    ip route 0.0.0.0 0.0.0.0 22.22.22.20
    !
    end
    
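A check a practitioner would run on the two configs above before turning the tunnel up, as an added example that is not code from the thread. It parses the final Cisco 2821 and Adtran 1335 snippets (embedded as constructed sample input, trimmed to the crypto-relevant lines) and reports the things that usually break a mixed-vendor tunnel: phase-1 and phase-2 attributes that differ, lifetimes left to a vendor default (the point SteveO86 raised), a Cisco side with no DPD keepalive, crypto ACLs that are not mirror images of each other, and algorithms that are deprecated today (3DES, MD5, DH groups 1 and 2). The Cisco IOS defaults filled in for a silent policy (group 1, 86400 s IKE, 3600 s IPsec) are IOS documented defaults; the Adtran defaults are deliberately left unknown because the thread never states them. Function names and the finding tags are assumptions of this example.

```python
"""Mixed-vendor IPsec proposal check (added example, not code from the thread).
Parses the final Cisco 2821 and Adtran 1335 snippets posted above (embedded as
constructed sample input) and reports what usually breaks a mixed-vendor tunnel.
Usage: python3 ipsec_check.py
"""
import ipaddress
import re

CISCO_CFG = """\
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
crypto map VPN 10 ipsec-isakmp
 set security-association lifetime seconds 28800
 match address 101
access-list 101 permit ip any 10.40.45.0 0.0.0.255
"""

ADTRAN_CFG = """\
crypto ike policy 100
  peer 11.11.11.11
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    lifetime 86400
crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
crypto map IPSec_VPN 10 ipsec-ike
  match address PERMITTED_OVER_VPN
ip access-list extended PERMITTED_OVER_VPN
  permit ip 10.40.45.0 0.0.0.255  any
"""

KEYS = ("encr", "hash", "auth", "group", "ike_life", "transform", "sa_life")
# IOS fills these in when the policy is silent; Adtran defaults stay None because
# the thread never states them, so they show up as CONFIRM items instead.
CISCO_DEFAULTS = {"group": "1", "ike_life": "86400", "sa_life": "3600"}
ALIAS = {"encr": "encr", "encryption": "encr", "hash": "hash",
         "authentication": "auth", "group": "group", "lifetime": "ike_life"}
WEAK = {"des", "3des", "md5", "group 1", "group 2"}


def _acl_pair(line):
    """(src, dst) CIDRs from a 'permit ip <src> <dst>' line, else None."""
    m = re.search(r"permit ip\s+(any|\S+\s+\S+)\s+(any|\S+\s+\S+)", line)
    if not m:
        return None
    # ipaddress accepts a wildcard (hostmask) after the slash: 10.0.0.0/0.0.0.255
    return tuple("0.0.0.0/0" if g == "any" else
                 str(ipaddress.ip_network("/".join(g.split()), strict=False))
                 for g in m.groups())


def parse(cfg, vendor):
    """Pull the attributes both peers must agree on out of one side's config."""
    d = {**dict.fromkeys(KEYS), "dpd": False, "acl": []}
    if vendor == "cisco":
        d.update(CISCO_DEFAULTS)
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] in ALIAS:                      # IKE policy attribute lines
            d[ALIAS[t[0]]] = t[1]
        elif line.startswith("crypto ipsec transform-set"):
            d["transform"] = tuple(t[4:])      # ('esp-3des', 'esp-md5-hmac')
        elif t[:3] == ["set", "security-association", "lifetime"]:
            d["sa_life"] = t[-1]
        elif line.startswith("crypto isakmp keepalive"):
            d["dpd"] = True
        elif (pair := _acl_pair(line)) is not None:
            d["acl"].append(pair)
    return d


def compare(cisco, adtran):
    """Findings as 'TAG detail' strings; MISMATCH and ACL ones stop the tunnel."""
    out = []
    for k in KEYS:
        c, a = cisco[k], adtran[k]
        if c is None or a is None:
            out.append(f"CONFIRM {k}: cisco={c} adtran={a} (vendor default in play)")
        elif c != a:
            out.append(f"MISMATCH {k}: cisco={c} adtran={a}")
    for k in ("encr", "hash"):
        if cisco[k] in WEAK:
            out.append(f"WEAK {k}={cisco[k]}: deprecated, move to AES and SHA-2")
    if f"group {cisco['group']}" in WEAK:
        out.append(f"WEAK group {cisco['group']}: use DH group 14 or higher")
    if not cisco["dpd"]:
        out.append("DPD missing on cisco: add 'crypto isakmp keepalive 10 periodic'")
    mirror = {(dst, src) for src, dst in adtran["acl"]}
    for pair in cisco["acl"]:
        if pair not in mirror:
            out.append(f"ACL {pair} on cisco has no mirror image on adtran")
    return out


if __name__ == "__main__":
    print(*compare(parse(CISCO_CFG, "cisco"), parse(ADTRAN_CFG, "adtran")), sep="\n")
```

On the posted configs this reports no MISMATCH, DPD or ACL findings; the CONFIRM lines for `group` and `sa_life` are the vendor-default question SteveO86 warned about, and the WEAK lines are the reason a production cut of this lab config should move off 3DES, MD5 and DH group 1 before it carries real traffic.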
  • dtlokee Member Posts: 2,378
    Glad I could help
    The only easy day was yesterday!