Ipsec vpn over the internet lab
JeanM
Member Posts: 1,117
Hi,
Anybody interested in establishing a test VPN tunnel? I've been working on it in my lab, but would like to see if I can get it to work over the internet as well.
A basic ping, or I can assign the local interface to a VM running on an ESXi host for an RDP test?
I am fairly new to site-to-site VPN, so someone who has done this before and has a spare router to establish a test session would be ideal!
thanks
2015 goals - ccna voice / vmware vcp.
Comments
docrice
Member Posts: 1,706
Another option is to set up an AWS account and create a VPC. AWS will auto-generate an IOS site-to-site IPsec VPN config for you.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
JeanM
Member Posts: 1,117
docrice - ty for the suggestion, will check that out!
I just made the following lab, and I think I got it to work. I connected two 2621s back to back to "simulate the ISP cloud". From there on, I just added a couple more routers and made sure there is connectivity from end to end, and to each interface IP from any other interface IP.
In phase two, I added the s2s VPN configuration on the "moscow" 2620XM and "texas" 2811 routers. Once this was completed, I did more ping tests, and this is where I would like to know if this is desired or not.
1. From the moscow router, I can ping everything other than the remote 10.10.10.100 ip.
moscow#ping 10.10.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.100, timeout is 2 seconds:
*Mar 1 00:45:27.243: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.10.1, src_addr= 10.10.10.100, prot= 1.....
Success rate is 0 percent (0/5)
2. From the texas router, I can ping everything other than the remote 192.168.10.100 ip.
texas#ping 192.168.10.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.100, timeout is 2 seconds:
*Jan 26 09:25:42.735: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /10.10.10.1, src_addr= 192.168.10.100, prot= 1.....
Success rate is 0 percent (0/5)
3. the show crypto isakmp sa shows QM_IDLE on both end routers.
texas#show crypto isakmp sa
dst src state conn-id slot status
10.10.10.1 192.168.10.1 QM_IDLE 1 0 ACTIVE
moscow#show crypto isakmp sa
dst src state conn-id slot status
10.10.10.1 192.168.10.1 QM_IDLE 1 0 ACTIVE
Diagram of my lab -
2015 goals - ccna voice / vmware vcp.
JeanM
Member Posts: 1,117
Config of the VPN routers below -
1.
moscow#sh run
Building configuration...
Current configuration : 1333 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname moscow
!
boot-start-marker
boot system flash:c2600-adventerprisek9-mz.124-25d.bin
boot-end-marker
!
enable password cisco
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key lol address 10.10.10.1
!
!
crypto ipsec transform-set SET-NAME esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
set peer 10.10.10.1
set transform-set SET-NAME
set pfs group2
match address S2S-VPN-TRAFFIC
!
!
!
!
interface FastEthernet0/0
description link to cloud1
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
crypto map S2S-VPN
!
interface Serial0/0
no ip address
shutdown
!
interface Serial0/1
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.100
!
!
no ip http server
no ip http secure-server
!
ip access-list extended S2S-VPN-TRAFFIC
permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
!
!
2.
texas#sh run
Building configuration...
Current configuration : 1303 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname texas
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
voice-card 0
no dspfarm
!
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key lol address 192.168.10.1
no crypto isakmp ccm
!
!
crypto ipsec transform-set SET-NAME esp-aes esp-sha-hmac
!
crypto map S2S-VPN 100 ipsec-isakmp
set peer 192.168.10.1
set transform-set SET-NAME
set pfs group2
match address S2S-VPN-TRAFFIC
!
!
!
!
interface FastEthernet0/0
description to ISP
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
crypto map S2S-VPN
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.100
!
!
ip http server
no ip http secure-server
!
ip access-list extended S2S-VPN-TRAFFIC
permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
!
!
!
2015 goals - ccna voice / vmware vcp.
JeanM
Member Posts: 1,117
Q. Shouldn't the output of the "show crypto isakmp sa" command on the texas router show a dst of 192.168.10.1 and a src of 10.10.10.1, i.e. the opposite of the other VPN router?
texas#show crypto isakmp sa
dst src state conn-id slot status
10.10.10.1 192.168.10.1 QM_IDLE 1 0 ACTIVE
2015 goals - ccna voice / vmware vcp.
JeanM
Member Posts: 1,117
I also noticed that a traceroute from 192.168.10.1 to 10.10.100.1 and back does not show any hops as it normally would.
Is this a good indication that the connection is in fact going over the s2s VPN?
texas#
texas#traceroute 192.168.10.1
Type escape sequence to abort.
Tracing the route to 192.168.10.1
1 192.168.10.1 4 msec 4 msec *
texas#
texas#
texas#192.168.10.1
Trying 192.168.10.1 ... Open
User Access Verification
Password:
moscow>en
Password:
moscow#
moscow#trace
moscow#traceroute 10.10.10.1
Type escape sequence to abort.
Tracing the route to 10.10.10.1
1 10.10.10.1 8 msec 8 msec *
moscow#
moscow#
2015 goals - ccna voice / vmware vcp.
atorven
Member Posts: 319
I'm new to VPNs but I'll have a go. As you're trying to simulate an "ISP cloud", I've made the following assumptions: ISP1 doesn't/can't get to the Texas LAN, and the same is true for ISP2 and the Moscow LAN. You've successfully set up your VPN between Moscow and Texas. Let's say that Moscow is trying to ping 10.10.10.100, which is the IP address of the LAN interface of ISP2. Moscow will send the traffic through the tunnel to the Texas router as instructed by the crypto ACL; now Texas will decrypt the traffic and forward it to ISP2. ISP2 won't have a route to get to the Moscow LAN, so it will either drop the traffic or forward it via its default route. To solve your problem you could configure static routes on the ISP routers for the remote LANs pointing to the local LAN as the next hop.
Legacy User
Unregistered / Not Logged In Posts: 0
Q. Shouldn't the output of the "show crypto isakmp sa" command on the texas router show a dst of 192.168.10.1 and a src of 10.10.10.1, i.e. the opposite of the other VPN router?
texas#show crypto isakmp sa
dst src state conn-id slot status
10.10.10.1 192.168.10.1 QM_IDLE 1 0 ACTIVE
The command:
show crypto isakmp sa detail
shows detailed info on the encryption, source and destination IP, everything that's going on in the phase 1 tunnel.
JeanM
Member Posts: 1,117
atorven - in real life (not in a lab), ISP1 and ISP2 will not have static routes to the "inside/local" subnets, so what would be the point of configuring it as such? Basically, isn't the whole point of the s2s VPN to establish connectivity over a cloud as long as the peering ends have L3 connectivity? How would you establish static routes from one peering ISP to another if the interesting traffic or LANs are on private subnets? Or is this something you add on the VPN routers in addition to the VPN tunnel?
That was also why I was thinking that if the traceroute is showing one hop, then the VPN tunnel is doing its job, as it's a "point to point" tunnel, right?
Sorry for all these questions, I want to make sure I understand the logic behind it.
dmarcisco - I'll fire this up tomorrow and check what it shows.
2015 goals - ccna voice / vmware vcp.
Jollycork
Member Posts: 149
If I remember correctly, with site-to-site endpoints the virtual tunnel is set up and maintained by the endpoints [persistent tunnel]. Users access the tunnel as if they are on the local network; no hops to the destination.
If it's client-to-site [endpoint], then typically the client and endpoint establish and maintain the virtual tunnel until the client disconnects; no next-hop router to get to the destination.
For site-to-site tunnels, if you stuck a router between the clients on each side of the site-to-site routers, then the tracert hop count would be 1 to the next-hop router to get to the destination.
atorven
Member Posts: 319
In real life you wouldn't include your outside interface in your crypto ACL. I was curious, so I labbed up your scenario; my diagnosis/fix was wrong, and below is what I observed through debugs and Wireshark:
- From Moscow, when trying to ping ISP2's 10.10.10.100 interface, I can see ESP packets with a destination of Texas. Texas then decrypts these packets and forwards them to ISP2, and ISP2 replies to the ICMP packets and sends the reply directly to Moscow. Moscow is receiving these ICMP replies unencrypted (it expects encrypted packets from that network due to the ACL), so that's why you get that syslog message.
JeanM
Member Posts: 1,117
atorven - interesting! So, how would you change this config so that its data is encrypted between 10.10.10.1 and 192.168.10.1?
2015 goals - ccna voice / vmware vcp.
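One way to change the configuration along the lines of atorven's diagnosis, as an added example that is not part of the thread or of either poster's lab: the crypto ACLs above make the two outside /24s (192.168.10.0/24 and 10.10.10.0/24) the "interesting traffic", so a reply from an ISP router on one of those subnets arrives in the clear, fails the crypto-map check on the receiving interface, and produces the %CRYPTO-4-RECVD_PKT_NOT_IPSEC message. The fix is to put a LAN behind each VPN router and match only LAN-to-LAN traffic. The loopback interfaces and the prefixes 172.16.1.0/24 (moscow) and 172.16.2.0/24 (texas) are assumptions chosen for the example; the peers, policy and transform set are the ones already in the posted configs and are left unchanged.

```cisco
! Added example, not the original poster's config. Assumed: Loopback0 on each
! router simulates its LAN, 172.16.1.0/24 behind moscow, 172.16.2.0/24 behind
! texas. Everything else (peers, ISAKMP policy, transform set, crypto map on
! Fa0/0) stays as posted above.
!
! ---- moscow ----
interface Loopback0
 description simulated moscow LAN (assumed prefix)
 ip address 172.16.1.1 255.255.255.0
!
! Crypto ACL: LAN to LAN only. The outside /24s are no longer matched, so a
! cleartext reply from cloud1/cloud2 is ordinary traffic, not a policy violation.
ip access-list extended S2S-VPN-TRAFFIC
 no permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
! Explicit route for the remote LAN via the ISP next hop. The existing default
! route would carry it as well; the crypto map on Fa0/0 encrypts it on the way out.
ip route 172.16.2.0 255.255.255.0 192.168.10.100
!
! ---- texas ----
interface Loopback0
 description simulated texas LAN (assumed prefix)
 ip address 172.16.2.1 255.255.255.0
!
! Mirror image of the moscow crypto ACL (source and destination swapped).
ip access-list extended S2S-VPN-TRAFFIC
 no permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255
!
ip route 172.16.1.0 255.255.255.0 10.10.10.100
!
! ---- verification, run from moscow ----
! Source the ping from the LAN address so it matches the crypto ACL; a ping
! sourced from 192.168.10.1 now travels in the clear and is not a tunnel test.
!   moscow# ping 172.16.2.1 source Loopback0
!   moscow# show crypto ipsec sa        <- #pkts encaps / #pkts decaps increment
!   moscow# show crypto isakmp sa detail <- phase 1 parameters and lifetimes
```

The ISP routers need no routes for 172.16.1.0/24 or 172.16.2.0/24: they only ever see ESP between 192.168.10.1 and 10.10.10.1, which is the point of the tunnel. The `show crypto isakmp sa` columns are reported from the initiator's perspective on both peers (src is the initiator, dst the responder), so identical output on moscow and texas is expected. For anything beyond a lab, the pre-shared key `lol` should be a long random secret, `service password-encryption` should be on, and the DH group and hash should be stronger than the group 2 / SHA-1 settings shown, which are kept here only because they are what the posted 12.3/12.4 images are running.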
JeanM
Member Posts: 1,117
Got the s2s tunnel going today with a friend of mine, and a Windows shared folder worked over the internet. Next up, to get two Call Managers to work over the s2s tunnel.
2015 goals - ccna voice / vmware vcp.