|« Switch Macros||Cisco Live 2010 Recap »|
|posted in Cisco Networking, Technical|
|by grichardson661 on July 6th, 2010||tags: 3G, 881, ASA, Cisco, Easy VPN, IPsec|
I have recently been working on a network solution for a Mobile (transit) van that will run 4 IPSEC tunnels over 3G back to our core network. I thought I would document the process I followed, it could come in useful for you guys.
I used a Cisco Easy VPN solution as the peer points on the 3G routers are dynamic private IPs that are nat’d in the cloud. Cisco Easy VPN allows an Easy VPN Client to dial into the Cisco Easy VPN Server (the ASA in my case) as opposed to both sides initiating and building the IPSEC tunnel, only the VPN Client will initiate IPSEC process.
In the design I am using 4 x Cisco 881 3G routers and 1 Cisco ASA 5510. This document only goes through configuring one of the Cisco 881’s plus the ASA. If you want to add this script to another router then it’s just a case of
- Applying a new LAN IP subnet (see stage 2 part C)
- Create a unique local account for phase 2 authentication (see stage 2 part E)
- Add the new LAN IP subnet to the no-nat ACL if this applies
- Add a static route on the ASA for the new remote network (see stage 2 part G)
Here are the stages.
1, Configure the cellular interface for 3G WAN on the Cisco 881
2, Configure Easy VPN (client) on the 881
3, Configure Easy VPN (server) on the ASA5510
Stage 1 – Configure the cellular interface for 3G WAN on the Cisco 881
A, Install the SIM card into the 3G module and connect the module to the 3G port on the 881 router and console into the box
B, Create a 3G cellular profile by entering privilege mode and add
cellular 0 gsm profile create 1 internet chap **username** **password**
Cellular 0 is the port on the front of the 881, internet is the APN name which can obtained from the 3G provider, in my case I’m using vodofone. The username and password are optional.
C, Create a chat-script as follows (below). The t-mobile is a reference that is called by line 3 (see further down) and the dialer 2 interface. The 1 after the 99* is the link to the cellular 0 gsm profile create 1 above.
chat-script t-mobile "" "ATDT*99*1#" TIMEOUT 30 "CONNECT
D, Now go under global config and add the following
line 3 script dialer t-mobile no exec
Notice the script command (above) under line 3 applies t-mobile which is part of the chat-script
Stage 2 – Configure Easy VPN (client) on the 881
A, Configure the 881 as an Easy VPN client
!crypto ipsec client ezvpn ASA connect auto group 3GRAGroup key **Key of your choice** mode network-extension peer **address to reach the ASA** username **?** password **?** This account also needs to exist on the ASA in order for the command below to work xauth userid mode local
B, Apply the following configuration to the cellular 0 and dialer2 interfaces.
interface Cellular0 no ip address encapsulation ppp dialer in-band dialer pool-member 2 dialer-group 2 async mode interactive interface Dialer2 ip address negotiated encapsulation ppp dialer pool 2 dialer idle-timeout 0 dialer string t-mobile dialer persistent dialer-group 2 no cdp enable ppp chap hostname **username** ppp chap password 7 01040306 ppp pap sent-username vodafone password 7 120E0015 ppp ipcp dns request crypto ipsec client ezvpn ASA outside
Notice the crypto ipsec client ezvpn ASA outside under the dialer2 interface, this is mapping the Easy VPN profile to the outside interface, the PPP Chap username and password is the same as the gsm 3G profile username and password created earlier. Dialer2 also has a reference back to the chat-script dailer string t-mobile.
C, Now configure the VLAN1 interface as follows
interface Vlan1 description LAN ip address 10.0.0.14 255.255.255.240 no ip redirects no ip proxy-arp ip tcp adjust-mss 1452 crypto ipsec client ezvpn ASA inside
Notice the crypto ipsec client ezvpn ASA inside mapping the Easy VPN profile to the inside interface.
D, Add a default route point to the dialer2 interface as follows.
ip route 0.0.0.0 0.0.0.0 dialer2
E, Create a local account for phase 2 authentication (this account also needs to exist on the ASA)
username cisco password cisco
With that in place the 3G WAN should come up. This can be verified by running a
Show cellular 0 profile 1 Profile Information ==================== Profile 1 = ACTIVE* -------- PDP Type = IPv4 PDP address = 10.160.1.1 Access Point Name (APN) = internet Authentication = CHAP Username: **, Password: **
Notice the APN, authentication, username and password, they all tie back to the profile created earlier in stage 1. Also note the Profile 1 = Active, this is telling you the 3G WAN is up.
Stage 3 – Configure Easy VPN (server) on the ASA5510
A, Add a static route on the ASA for the LAN subnet hanging off the 881
route outside 10.0.0.0 255.255.255.240 **IP Address of the interface where the Easy VPN Client peers too**
B, Apply the following transform sets, not all of these are needed, if I had the Cisco 881 in front of me I would look up the transforms sets the Easy VPN client uses and just apply them here.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set DES esp-3des esp-sha-hmac
C, Link the transforms sets (above) to a dynamic map (below) with a reference of def_dyn_map. 65535 is a priority lookup value.
crypto dynamic-map def-dyn-map 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5
D, Create a ipsec-isakmp crypto map, in my case outside_map and link the dynamic map def-dyn-map to it
crypto map outside_map 65535 ipsec-isakmp dynamic def-dyn-map
E, apply the outside_map to the outside interface
crypto map outside_map interface outside
F, Now create the phase 1 profile
crypto isakmp enable outside crypto isakmp policy 1 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 20 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400
Isakmp policy 20 matches one of the 15 pre-configured Easy VPN client polices on the 881. There are various polices in place that can be used.
G, The next stage is to configure the group-policies, tunnel-groups, pre-shared key and the account. See below
group-policy 3GPolicy attributes vpn-tunnel-protocol IPSec password-storage enable nem enable tunnel-group 3GRAGroup type remote-access tunnel-group 3GRAGroup general-attributes authorization-server-group LOCAL default-group-policy 3GPolicy tunnel-group 3GRAGroup ipsec-attributes pre-shared-key **Same key as the ASA profile on the 881** ! username cisco password cisco
Authorization-server-group LOCAL authenticates IPSEC phase 2 with the local accounts. If xauth userid mode interactive is applied to the phase 2 profile on the 881 then a username and password is required at the router (in privileged mode) to establish the tunnel. On the 881 the following message appears – EZVPN(ASA): Pending XAuth Request, Please enter the following command: when the client try’s to dial into the server. If xauth is in interactive mode then it is important on the ASA under group-policy 3GRAGroup attributes, password-storage enable is applied, this stores the initial authentication in memory on the ASA and prevents the router having to re-authenticate again after a reboot. The method I’ve configured – xauth userid mode local on the 881 authenticates phase 2 with the local account automatically instead of a user punching in the username and password if xauth interactive was used.
To verify the tunnel is up you can run show crypto isakmp sa on the router, you should be QM_IDLE with state ACTIVE and also verify the tunnel is active at phase 2 with sh crypto ipsec sa.
Depending on your firewall setup you may need to apply LAN subnet of the 881 to the no nat ACL/config depending on your firewall setup.
Also, with my example (above) all traffic will traverse the VPN. In my live build I have used static routes to filter which traffic can traverse the tunnel. An alternative solution to this is split tunneling.
That’s all for now. If you have any questions please fire away.
A thread has been created on the site forum specifically for commenting on this blog post.