IPSec VPN (Adtran -> Cisco)

Hello all,

First off, I haven't really ever messed with IPSec before today. Just what I've seen in my books.

I have been messing around in my lab with VPNs on Adtran devices, but I am wanting to do the same with Cisco. I have worked with Adtran for some time now, and after looking though the command reference I was able to get two tunnels up and going. I am now wanting to swap out my "hub" Adtran router with a Cisco 2821 utilizing Fa0/1 as the WAN port but I am having a hard time finding documentation.

Like I said before, I am new to IPSec and the terminology/configuration is still kind of confusing for me. Below is the config of the 1335 I am attempting to convert to 2821.

If anyone could point me to a good source of documentation, "other than stating cisco.com", or break down my config in Cisco's syntax, It would be greatly appreciated.

!! ADTRAN, Inc. OS version 18.02.01.00.E
! Boot ROM version 15.01.B1
! Platform: NetVanta 1335 PoE, part number 1700525E2
!
!
hostname "Router1"
!
clock no-auto-correct-DST
!
ip subnet-zero
ip classless
ip routing
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 44.44.44.20
  peer 44.44.44.35
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike policy 101
  initiate main
  respond anymode
  local-id address 44.44.44.20
  peer 44.44.44.30
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
!
crypto ike remote-id address 44.44.44.30 preshared-key RTR3KEY ike-policy 101 crypto map VPN 20 no-mode-config no-xauth
crypto ike remote-id address 44.44.44.35 preshared-key RTR2KEY ike-policy 100 crypto map VPN 10 no-mode-config no-xauth
!
crypto ipsec transform-set MAIN_TRANS_SET esp-3des esp-md5-hmac
  mode tunnel
!
crypto map VPN 10 ipsec-ike
  description TO_ROUTER2
  match address VPN_TO_RTR2
  set peer 44.44.44.35
  set transform-set MAIN_TRANS_SET
  ike-policy 100
crypto map VPN 20 ipsec-ike
  description TO_ROUTER3
  match address VPN_TO_RTR3
  set peer 44.44.44.30
  set transform-set MAIN_TRANS_SET
  ike-policy 101
!
vlan 1
  name "Default"
!
vlan 5
  name "VLAN0005"
!
!
interface switchport 0/1
  no shutdown
!
interface switchport 0/2
  no shutdown
!
interface switchport 0/3
  no shutdown
!
interface switchport 0/4
  no shutdown
!
interface switchport 0/5
  no shutdown
!
interface switchport 0/6
  no shutdown
!
interface switchport 0/7
  no shutdown
!
interface switchport 0/8
  no shutdown
!
interface switchport 0/9
  no shutdown
!
interface switchport 0/10
  no shutdown
!
interface switchport 0/11
  no shutdown
!
interface switchport 0/12
  no shutdown
!
interface switchport 0/13
  no shutdown
!
interface switchport 0/14
  no shutdown
!
interface switchport 0/15
  no shutdown
!
interface switchport 0/16
  no shutdown
!
interface switchport 0/17
  no shutdown
!
interface switchport 0/18
  no shutdown
!
interface switchport 0/19
  no shutdown
!
interface switchport 0/20
  no shutdown
!
interface switchport 0/21
  no shutdown
!
interface switchport 0/22
  no shutdown
!
interface switchport 0/23
  no shutdown
!
interface switchport 0/24
  no shutdown
!
!
interface gigabit-switchport 0/1
  no shutdown
  switchport access vlan 5
!
interface gigabit-switchport 0/2
  no shutdown
!
interface vlan 1
  ip address  192.168.1.1  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 5
  ip address  44.44.44.20  255.255.255.0
  crypto map VPN
  ip route-cache express
  no shutdown
!
ip access-list extended VPN_TO_RTR2
  permit ip 192.168.1.0 0.0.0.255  172.16.1.0 0.0.0.255
  permit ip 10.0.0.0 0.0.0.255  172.16.1.0 0.0.0.255
!
ip access-list extended VPN_TO_RTR3
  permit ip 192.168.1.0 0.0.0.255  10.0.0.0 0.0.0.255
  permit ip 172.16.1.0 0.0.0.255  10.0.0.0 0.0.0.255
!
ip route 10.0.0.0 255.255.255.0 44.44.44.30
ip route 172.16.1.0 255.255.255.0 44.44.44.35
!
no tftp server
no tftp server overwrite
ip http server
no ip http secure-server
no snmp agent
no ip ftp server
ip ftp server default-filesystem flash
no ip scp server
no ip sntp server
!
!
end

Find more posts tagged with

Comments

Bl8ckr0uter

It is actually very similar to cisco config. Maybe looking at this will do you some good:
IPsec quick and dirty - Packet Life

Monkerz

Thanks man.

Evidently there are a bunch of ways to setup an IPSec VPN, my only challenge is to find the way that allows the Adtran to negotiate with the Cisco. I suppose this will be a lot of trial and error. I was able to get a VPN working today between the Cisco and Adtran, I saved the config and started poking at it to break it and fix it, but once I broke it I couldn't get it to re-establish. Even a reload wouldn't bring it back up.

I am going to try this config when I get back from holiday. Don't think it is going to work because the Cisco is setting the tunnel as IPSec and the adtran is using a crypto map, but will give it a try anyway.

----------------------ADTRAN-----------------------
ip crypto
!
crypto ike policy 100
  no local-id
  peer 22.22.22.22
  initiate main
  respond main
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    group 1
    lifetime 86400
!
crypto ike remote-id address 22.22.22.22 preshared-key *******
!
crypto ipsec transform-set MAIN_TRANS_SET esp-3des esp-md5-hmac
  mode tunnel
!
ip access-list extended PERMITTED_OVER_VPN
  permit ip 192.168.1.0 0.0.0.255 any
  deny ip any any
!
crypto map VPN 1 ipsec-ike
  match address PERMITTED_OVER_VPN
  set peer 22.22.22.22
  set transfrom-set MAIN_TRANS_SET
  no set pfs
!
interface tunnel 1
  ip add 10.0.0.2 255.255.255.252
  tunnel source 11.11.11.11
  tunnel destination 22.22.22.22
  crypto map VPN


----------------------CISCO-------------------------
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 lifetime 86400
crypto isakmp key ******* address 11.11.11.11
!
crypto ipsec transform-set MYTRANSSET esp-3des esp-md5-hmac
!
crypto ipsec profile MY_IPSEC_PROFILE
 set transform-set MYTRANSSET
!
interface Tunnel1
 ip address 10.0.0.1 255.255.255.252
 tunnel source 22.22.22.22
 tunnel destination 11.11.11.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MY_IPSEC_PROFILE
!

Bl8ckr0uter

Well I guess the first thing is are you trying to make a GRE tunnel or a just a ipsec tunnel. This makes a significant difference:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009438e.shtml

From first glance your configs looks ok.

SteveO86

Config looks ok for a GRE/IPSec tunnel. (Which in my opinion is almost always better then the Policy-based IPSec tunnels)

One thing I would keep in the back of your mind is the IPSec security-association timers, each vendor tends to have their own default lifetimes and the don't always match.

It will make for fun debug output to when they don't match..

Monkerz

Well, I suppose I am trying to find the least invasive way to implement a secure tunnel off a production router. The current situation I am facing is a router that hosts two gre tunnels to remote branches, one a satellite office at an airport and the second in puerto rico. They are gre because we mainly deal with MPLS or P2P and my predecessor didn't feel like securing the tunnels (too lazy or what have you).

So we have another site that will soon be turning up on DSL, yes DSL because the OM believes he is "tech savvy", and they purchased an Adtran 1335 for this site. Instead of running this tunnel through our checkpoint, I asked if I could set it up on the router that is already hosting 2 "Site-to-Sites" to kind of show my manager that the router will support IPSec thus allowing me to secure the other two tunnels on the router.

The problem with this is, I have never setup a VPN between unlike devices. So I am labbing as much as I can to get it to work prior to the turn-up if this new site in Dec.

Bl8ckr0uter

I set up dislike vendor vpns all the time. The major thing is to make sure you choose settings both vendors you supports and you will be fine.

Monkerz

Ok, I managed to get this working between the Adtran and the Cisco routers, but I have one problem...

The Cisco router we would say is in the DC and the Adtran router would be considered the remote branch. If I warm boot the Adtran, the tunnel recovers after the boot and traffic traverses the VPN. If I pull the power from the router and wait a few minutes then plug it back in, the tunnel does not recover. The ISAKMP SA timesout and "debug crypto isakmp", "debug crypto ipsec" or "debug crypto engine" output nothing. The only way I can recover the tunnel is by restarting the Cisco router.

Any ideas?

Bl8ckr0uter

Odd. So it doesn't even try when you ping from the router side? Does it come up normally from the router side?

Monkerz

Just did a little more troubleshooting. Pinging from the Cisco's LAN side will not bring the tunnel up (which is how I was testing to begin with), but pinging from the Adtran's LAN will. After the tunnel is up, traffic will pass both ways.

Is there a command that I'm missing to allow a Cisco device to initiate the association?

Monkerz

Ok, so I tinkered with this again this morning. It appears that the isakmp sa is still on the Cisco router when the Adtran is power-failed. Traffic from the Adtran's LAN creates the SA on the Adtran which brings up the tunnel. If I clear the SA on the Cisco, traffic from the Cisco's LAN will bring up the tunnel.

I guess I need to read up an SA timeout.

dtlokee

Look into using dead peer detection (DPD) it might help it recover more quickly.

Monkerz

Oh you genius! Thanks for everyone's help. I've posted the configs below if anyone is interested...

Cisco 2821

version 12.4!
hostname TESTLAB_2821
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key UtTeRmYnAmE address 22.22.22.22
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
 set peer 22.22.22.22
 set security-association lifetime seconds 28800
 set security-association idle-time 600
 set transform-set MANUAL_TRANS_SET
 match address 101
!
interface GigabitEthernet0/1
 ip address 11.11.11.11 255.255.255.0
 duplex auto
 speed auto
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 11.11.11.10
!
!
access-list 101 permit ip any 10.40.45.0 0.0.0.255
!
end

Adtran 1335

! ADTRAN, Inc. OS version 18.02.01.00.E
hostname "TESTLAB_Adtran"
!
ip crypto
!
crypto ike policy 100
  initiate main
  respond anymode
  local-id address 22.22.22.22
  peer 11.11.11.11
  attribute 1
    encryption 3des
    hash md5
    authentication pre-share
    lifetime 86400
!
crypto ike remote-id address 11.11.11.11 preshared-key UtTeRmYnAmE ike-policy 100 crypto map IPSec_VPN 10 nat-t v1 disable nat-t v2 disable
!
crypto ipsec transform-set MANUAL_TRANS_SET esp-3des esp-md5-hmac
  mode tunnel
!
crypto map IPSec_VPN 10 ipsec-ike
  description TO_DC_VPN_EDGE
  match address PERMITTED_OVER_VPN
  set peer 11.11.11.11
  set transform-set MANUAL_TRANS_SET
  ike-policy 100
!
vlan 1
  name "Default"
!
vlan 50
  name "VLAN0050"
!
~removed unused interfaces~
!
interface gigabit-switchport 0/1
  description INTERNET_FACING_PORT
  no shutdown
  switchport access vlan 50
!
interface vlan 1
  ip address  10.40.45.1  255.255.255.0
  ip route-cache express
  no shutdown
!
interface vlan 50
  ip address  22.22.22.22  255.255.255.248
  crypto map IPSec_VPN
  ip route-cache express
  no shutdown
!
ip access-list extended PERMITTED_OVER_VPN
  permit ip 10.40.45.0 0.0.0.255  any
!
ip route 0.0.0.0 0.0.0.0 22.22.22.20
!
end

dtlokee

Glad I could help