Ipsec vpn over the internet lab

JeanMJeanM Member Posts: 1,117
Hi,

Anybody interested in establishing a test vpn tunnel? I've been working on it in my lab, but would like to see if I can get it to work over the internet as well.

A basic ping, or I can assign the local interface to a vm running on esxi host for rdp test?

I am fairly new to site to site vpn, so someone who has done this before and has a spare router to establish a test session would be ideal!

thanks
2015 goals - ccna voice / vmware vcp.

Comments

  • docricedocrice Member Posts: 1,706 ■■■■■■■■■■
    Another option is to set up an AWS account and create a VPC. AWS will auto-generate an IOS site-to-site IPSec VPN config for you.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • JeanMJeanM Member Posts: 1,117
    docrice - ty for suggestion, will check that out!

    I just made the following lab, and I think I got it to work. I connected two 2621's back to back to "simulate isp cloud". From there on, I just added a couple more routers and made sure there is connectivity from end to end, and to each interface ip from any other interface ip.

    In phase two, I added s2s vpn configuration on the "moscow" 2620xm and "texas" 2811 routers. Once this was completed, I did more ping tests and this is where I would like to know if this is desired or not.

    1. From the moscow router, I can ping everything other than the remote 10.10.10.100 ip.

    moscow#ping 10.10.10.100


    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.100, timeout is 2 seconds:


    *Mar 1 00:45:27.243: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.10.1, src_addr= 10.10.10.100, prot= 1.....
    Success rate is 0 percent (0/5)

    2. From the texas router, I can ping everything other than the remote 192.168.10.100 ip.

    texas#ping 192.168.10.100


    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:


    *Jan 26 09:25:42.735: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
    (ip) vrf/dest_addr= /10.10.10.1, src_addr= 192.168.10.100, prot= 1.....
    Success rate is 0 percent (0/5)


    3. the show crypto isakmp sa shows QM_IDLE on both end routers.

    texas#show crypto isakmp sa
    dst src state conn-id slot status
    10.10.10.1 192.168.10.1 QM_IDLE 1 0 ACTIVE



    moscow#show crypto isakmp sa
    dst src state conn-id slot status
    10.10.10.1 192.168.10.1 QM_IDLE 1 0 ACTIVE







    Diagram of my lab -

    2015 goals - ccna voice / vmware vcp.
  • JeanMJeanM Member Posts: 1,117
    config of vpn routers below -

    1.
    moscow#sh run
    Building configuration...


    Current configuration : 1333 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname moscow
    !
    boot-start-marker
    boot system flash:c2600-adventerprisek9-mz.124-25d.bin
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    !
    !
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 100
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key lol address 10.10.10.1
    !
    !
    crypto ipsec transform-set SET-NAME esp-aes esp-sha-hmac
    !
    crypto map S2S-VPN 100 ipsec-isakmp
    set peer 10.10.10.1
    set transform-set SET-NAME
    set pfs group2
    match address S2S-VPN-TRAFFIC
    !
    !
    !
    !
    interface FastEthernet0/0
    description link to cloud1
    ip address 192.168.10.1 255.255.255.0
    duplex auto
    speed auto
    crypto map S2S-VPN
    !
    interface Serial0/0
    no ip address
    shutdown
    !
    interface Serial0/1
    no ip address
    shutdown
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 192.168.10.100
    !
    !
    no ip http server
    no ip http secure-server
    !
    ip access-list extended S2S-VPN-TRAFFIC
    permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
    !
    !
    !





    2.
    texas#sh run
    Building configuration...


    Current configuration : 1303 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname texas
    !
    boot-start-marker
    boot-end-marker
    !
    enable password cisco
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    !
    !
    ip cef
    no ip dhcp use vrf connected
    !
    !
    no ip ips deny-action ips-interface
    !
    no ftp-server write-enable
    !
    voice-card 0
    no dspfarm
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 100
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key lol address 192.168.10.1
    no crypto isakmp ccm
    !
    !
    crypto ipsec transform-set SET-NAME esp-aes esp-sha-hmac
    !
    crypto map S2S-VPN 100 ipsec-isakmp
    set peer 192.168.10.1
    set transform-set SET-NAME
    set pfs group2
    match address S2S-VPN-TRAFFIC
    !
    !
    !
    !
    interface FastEthernet0/0
    description to ISP
    ip address 10.10.10.1 255.255.255.0
    duplex auto
    speed auto
    crypto map S2S-VPN
    !
    interface FastEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.10.10.100
    !
    !
    ip http server
    no ip http secure-server
    !
    ip access-list extended S2S-VPN-TRAFFIC
    permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
    !
    !
    !
    2015 goals - ccna voice / vmware vcp.
  • JeanMJeanM Member Posts: 1,117
    Q. Shouldn't the output of "show crypto isakmp sa" command on the texas router show dst of 192.168.10.1 and src of 10.10.10.1 , or opposite of the other vpn router?

    texas#show crypto isakmp sa
    dst src state conn-id slot status
    10.10.10.1 192.168.10.1 QM_IDLE 1 0 ACTIVE
    2015 goals - ccna voice / vmware vcp.
  • JeanMJeanM Member Posts: 1,117
    I also noticed that traceroute from 192.168.10.1 to 10.10.100.1 and back does not show any hops as it normally would.
    Is this a good indication that the connection is infact going over s2s vpn?


    texas#
    texas#traceroute 192.168.10.1


    Type escape sequence to abort.
    Tracing the route to 192.168.10.1


    1 192.168.10.1 4 msec 4 msec *
    texas#
    texas#
    texas#192.168.10.1
    Trying 192.168.10.1 ... Open




    User Access Verification


    Password:
    moscow>en
    Password:
    moscow#
    moscow#trace
    moscow#traceroute 10.10.10.1


    Type escape sequence to abort.
    Tracing the route to 10.10.10.1


    1 10.10.10.1 8 msec 8 msec *
    moscow#
    moscow#
    2015 goals - ccna voice / vmware vcp.
  • atorvenatorven Member Posts: 319
    I’m new to VPNS but I’ll have a go, as you’re trying to simulate an “ISP Cloud” I’ve made the following assumptions, ISP1 doesn’t/can’t get to the Texas LAN and the same is true for ISP2 and the Moscow LAN. You’ve successfully setup your vpn between Moscow and Texas, let’s say that Moscow is trying to ping 10.10.10.100 which is the IP address of the LAN interface of ISP2, Moscow will send the traffic through the tunnel to the Texas router as instructed by the Crypto ACL, now Texas will decrypt the traffic and forward it to ISP2, ISP2 won’t have a route to get to the Moscow LAN so it will either drop the traffic or forward via it’s default route. To solve your problem you could configure static routes on the ISP routers for the remote LANS pointing to the local LAN as the next hop.
  • Legacy UserLegacy User Unregistered / Not Logged In Posts: 0 ■□□□□□□□□□
    JeanM wrote: »
    Q. Shouldn't the output of "show crypto isakmp sa" command on the texas router show dst of 192.168.10.1 and src of 10.10.10.1 , or opposite of the other vpn router?

    texas#show crypto isakmp sa
    dst src state conn-id slot status
    10.10.10.1 192.168.10.1 QM_IDLE 1 0 ACTIVE


    The command:
    Show crypto isakmp sa detail

    Show detailed info on the encryption, source, destination ip, everything thats going on in the Phase 1 tunnel.
  • JeanMJeanM Member Posts: 1,117
    atorven - in real life (not in a lab), ISP1 and ISP2 will not have static routes to the "inside/local" subnets , so what would be the point of configuring it as such? Basically, isn't the whole point of the s2s is to establish connectivity over a cloud as long as the peering ends have l3 connectivity? How would you establish static routes from one peering isp to another if the interested traffic or lans are on the private subnets? Or is this something you add on the vpn routers in addition to the vpn tunnel?

    That was also why I was thinking that if the traceroute is showing one hop, then the vpn tunnel is doing it's job as it's "point to point" tunnel right?

    Sorry for all these questions, I want to make sure I understand the logic behind it :)

    dmarcisco - I'll fire this up tomorrow and check what it shows.
    2015 goals - ccna voice / vmware vcp.
  • JollycorkJollycork Member Posts: 149
    If I remember correctly, site to site endpoints , then the virtual tunnel is setup and maintained by the endpoints. [persistent tunnel] Users access the tunnel as if they are on the local network. no hops to the destination.

    If it's client to site [endpoint] then typically the client and endpoint establish and maintains the virtual tunnel until the client disconnects. no next hop router to get to the destination.

    for site to site tunnels, if you stuck a router between the clients on each side of the site to site routers, then the tracert hop count would be 1 to the next hop router to get to the destination.
  • atorvenatorven Member Posts: 319
    In real life you wouldn’t include your outside interface in your crypto ACL, I was curious so I labbed up your scenario, my diagnosis/fix was wrong and below is what I observed through debugs and wireshark,
    • From Moscow when trying to ping ISP2’s 10.10.10.100 interface, I can see ESP packets with a destination of Texas, is then decrypting these packets and forwarding them to ISP2 and from ISP2 it replies to the icmp packets and sends the reply directly to Moscow, Moscow is receiving these icmp replies unencrypted (it expects encrypted packets from that network due to the ACL) so that's why you get that syslog message
  • JeanMJeanM Member Posts: 1,117
    atorven - interesting! So, how would you change this config so that it's data is encrypted between 10.10.10.1 and 192.168.10.1 ?
    2015 goals - ccna voice / vmware vcp.
  • JeanMJeanM Member Posts: 1,117
    Got the s2s tunnel going today with a friend of mine, and a windows shared folder worked over the internet . Next up, to get two call managers to work over s2k tunnel .
    2015 goals - ccna voice / vmware vcp.
Sign In or Register to comment.