
Posts Tagged ‘IPsec’

Shared IPsec with DMVPN and VRF-Lite

posted in Cisco Networking, Technical on October 11th, 2010

Not long ago I was tasked with developing a connectivity solution for some remote sites that we needed to connect to our corporate WAN but where our preferred Service Provider was not available. Indeed, the only connectivity these sites had was a standard Internet connection using the local ISP.

Our SP provides us with an MPLS service, and we have a couple of different MPLS VPNs that we use for different purposes. One use is extending different security zones across the WAN to offer various services to our remote sites. With MPLS this was easy. With the Internet, being able to offer the same service to our client seemed to cause more problems than it was worth.

After doing a little research I came up with a design that combined a couple of different technologies. I’m a huge DMVPN fan, and whenever I need to do hub-and-spoke with VPNs I’m always vocalizing my view. Our organization also uses VRF-Lite extensively to segregate traffic within our network. Using it here seemed like the best way to avoid having a separate physical hub router for each security zone I wanted to extend to a remote site. After getting this far I thought to myself “Wouldn’t it be nice if I could send ALL my GRE tunnels down a single IPsec tunnel?” Well, lo and behold, this is possible.


IPSEC Over a 3G WAN to ASA5510

posted in Cisco Networking, Technical on July 6th, 2010

I have recently been working on a network solution for a mobile (transit) van that will run 4 IPsec tunnels over 3G back to our core network. I thought I would document the process I followed, as it could come in useful for you guys.

I used a Cisco Easy VPN solution, as the peer addresses on the 3G routers are dynamic private IPs that are NATed in the carrier cloud. Cisco Easy VPN allows an Easy VPN Client to dial into the Cisco Easy VPN Server (the ASA in my case); as opposed to both sides initiating and building the IPsec tunnel, only the VPN Client will initiate the IPsec process.

In the design I am using 4 x Cisco 881 3G routers and 1 Cisco ASA 5510. This document only goes through configuring one of the Cisco 881s plus the ASA. If you want to add this script to another router then it’s just a case of:

- Applying a new LAN IP subnet (see stage 2 part C)
- Creating a unique local account for phase 2 authentication (see stage 2 part E)
- Adding the new LAN IP subnet to the no-NAT ACL, if this applies
- Adding a static route on the ASA for the new remote network (see stage 2 part G)


PIX/ASA – Failover, LAN to LAN IPsec VPN, Remote Access VPN

posted in Cisco Networking, Technical on January 14th, 2010

I am sure that those who stop by this blog have been affected by the recession and cutbacks in one way or another. As a consultant, I find myself having to adapt to customers’ requirements and take on fields that had previously been picked up by someone else. In a rare moment of introspection I was reminded of a quote: “It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.” This quote is the basis for this “how to”. If you are a CCNA, or normally just an R&S guy, who has been asked to put on another “hat” for the time being, then this is for you.

The scenario is that your company has decided to use the “internet as its backbone” instead of using telco provided dedicated lines to cut back on costs (similar to this article on MPLS based VPNs). You, being the “Cisco guy”, have to set up a PoC (proof of concept) for a small network with the following features:
