Lately I have been trying to configure my router to accept remote VPN clients, a task that should be very simple to set up.
But my router also runs a zone-based firewall, which made things a little more complicated...
VPN Configuration:
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group <group-name>
 key <Pre-shared key>
 dns <DNS server #1> <DNS server #2>
 wins <WINS server #1>
 domain <Domain name>
 pool <IP address pool>
 acl <ACL number>
!
crypto ipsec transform-set <transform set name> esp-aes 256 esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set security-association lifetime seconds 86400
 set transform-set <transform set name>
 reverse-route
!
crypto map <map name> client authentication list userauth
crypto map <map name> isakmp authorization list groupauth
crypto map <map name> client configuration address respond
crypto map <map name> 65535 ipsec-isakmp dynamic dynmap
!
interface Dialer1
 crypto map <map name>
I have also configured an access policy from zone Untrust (the outside/Internet interface) to Self (the router itself) to allow ISAKMP/ESP traffic in:
class-map type inspect match-any VPN-ACCESS-CLASS
 match access-group 123
!
policy-map type inspect UNTRUST-TO-SELF-POLICY
 class type inspect SELF-ACCESS-CLASS
  inspect session-ctrl
 class type inspect VPN-ACCESS-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security UNTRUST-TO-SELF source untrust destination self
 service-policy type inspect UNTRUST-TO-SELF-POLICY
!
access-list 123 permit esp any any
access-list 123 permit udp any any eq non500-isakmp
access-list 123 permit ahp any any
access-list 123 permit udp any any eq isakmp
and let's not forget to exempt traffic to the remote network from NAT:
ip nat inside source list 111 interface Dialer1 overload
access-list 111 remark LAN NAT IP ACL
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
(Where 192.168.10.0/24 is my internal LAN and 192.168.12.0/24 is the remote VPN network)
So up to this point everything seems fine, and when I tried to connect with the Cisco VPN client the connection came up, but...
No traffic passed in either direction!
Although I tried every combination of access policies, I could not get remote users through to local resources, and I did not understand how to configure the firewall policy at all, because the VPN had no interface associated with any zone.
After a little research on the net I found out how to terminate the VPN on a virtual-access interface, and once you have an interface, you can configure zone-based policies on it. Furthermore, a VPN with an interface also lets you run multicast and dynamic routing protocols over the VPN connection.
So add the following lines to the configuration:
crypto isakmp profile ISAKMP-PROFILE
 match identity group <group-name>
 client authentication list local
 isakmp authorization list local
 client configuration address respond
 virtual-template 1
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set <transform set name>
 set isakmp-profile ISAKMP-PROFILE
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 zone-member security VPN
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
Note that I have already placed the virtual-template interface in zone VPN, so all that remains is to configure the class-map -> policy-map -> zone-pair policies for access between the VPN and Trust zones.
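As an added example (my own, not from the original post), here is a small Python linter that parses an IOS-style config by indentation and checks for the pitfalls this post runs into: a virtual-template interface that is not a member of any zone, a zone that is referenced but never defined, a tunnel protection profile whose name matches no crypto ipsec profile, and a zone-pair with no inspect policy attached. The sample config is constructed from the post's snippets and deliberately defines IPSEC_PROFILE while the tunnel references IPSEC-PROFILE, the kind of typo that is easy to miss when the profile is defined in one block and referenced in another.

```python
import re

# Constructed sample modelled on the post's DVTI snippets. It deliberately
# defines IPSEC_PROFILE but references IPSEC-PROFILE under tunnel protection.
SAMPLE = """\
zone security VPN
crypto isakmp profile ISAKMP-PROFILE
 virtual-template 1
crypto ipsec profile IPSEC_PROFILE
 set isakmp-profile ISAKMP-PROFILE
interface Virtual-Template1 type tunnel
 zone-member security VPN
 tunnel protection ipsec profile IPSEC-PROFILE
zone-pair security UNTRUST-TO-SELF source untrust destination self
 service-policy type inspect UNTRUST-TO-SELF-POLICY
"""

def parse_blocks(config):
    """Split IOS-style config into (header, [sub-commands]) by indentation."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif not line.startswith(" "):
            blocks.append((line.strip(), []))
    return blocks

def lint(config):
    """Return findings for the ZBF/DVTI pitfalls discussed in the post."""
    blocks = parse_blocks(config)
    zones = {h.split()[-1] for h, _ in blocks if h.startswith("zone security ")}
    profiles = {h.split()[-1] for h, _ in blocks if h.startswith("crypto ipsec profile ")}
    findings = []
    for header, body in blocks:
        if header.startswith("interface Virtual-Template"):
            zone = next((s.split()[-1] for s in body if s.startswith("zone-member security ")), None)
            if zone is None:
                findings.append(f"{header}: not a member of any zone")
            elif zone not in zones:
                findings.append(f"{header}: zone {zone} is not defined")
            for sub in body:
                m = re.match(r"tunnel protection ipsec profile (\S+)", sub)
                if m and m.group(1) not in profiles:
                    findings.append(f"{header}: ipsec profile {m.group(1)} is not defined")
        elif header.startswith("zone-pair security ") and not any(
                s.startswith("service-policy type inspect") for s in body):
            findings.append(f"{header}: no inspect service-policy attached")
    return findings
```

Run lint() over the text of `show running-config` before applying the zone-pair policies; it reports the dangling profile name in the sample and returns an empty list once the names match.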
And here are the results:
Virtual-Template1 is up, line protocol is down
Hardware is Virtual Template interface
Interface is unnumbered. Using address of Vlan1 (192.168.10.1)
MTU 17940 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source <WAN IP address> (Dialer1)
Tunnel Subblocks:
src-track:
Virtual-Template1 source tracking subblock associated with Dialer1
Set of tunnels with source Dialer1, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Path MTU Discovery, ager 10 mins, min MTU 92
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "IPSEC-PROFILE")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
<Output omitted>