SVTI, DVTI, SSL VPN, and L2TP over IPSec On 1 Cisco Router
As per PacketU’s inquiry, static and dynamic VTI, L2TP over IPSec, and SSL VPN configurations work successfully within one router. I had one notebook running 3 different VPN clients at once: Cisco AnyConnect v2.4, Cisco VPN Client v5, and the Microsoft built-in client. It is interesting to note that with all 3 connected, the order in which traffic was encrypted was the Cisco VPN Client first, AnyConnect second, and the Microsoft client third.
The topology consists of one 1811 router (flash:c181x-adventerprisek9-mz.150-1.M.bin), one 881 router (flash:c880data-universalk9-mz.150-1.M1.bin), and a notebook running XP SP3. The 1811 is named R1-headoffice and is basically the “server” for the VPN clients. The 881 router is named R2-branch (hostname R2-br2 in its configuration) and is the peer for the static VTI. All three are connected to the same 136.1.0.0/24 network.
______________________________________________________
Final Configuration for 1811 – R1-headoffice
R1-headoffice#sh run
Building configuration…
Current configuration : 6497 bytes
!
! Last configuration change at 20:29:34 UTC Tue Jan 5 2010
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1-headoffice
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$0GNS$Y9ewwhbVl76Qdp8WylEyw.
!
aaa new-model
!
!
aaa authentication login aaa_vty_authen local
aaa authentication login aaa_con0_authen none
aaa authentication login aaa_ezvpn_authen local
aaa authentication login aaa_sslvpn_authen local
aaa authentication ppp default local
aaa authorization console
aaa authorization exec aaa_vty_author local
aaa authorization network aaa_ezvpn_author local
!
!
!
!
!
aaa session-id common
!
!
!
!
crypto pki trustpoint TP-self-signed-3691727871
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3691727871
revocation-check none
rsakeypair TP-self-signed-3691727871
!
!
crypto pki certificate chain TP-self-signed-3691727871
certificate self-signed 01
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 10
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 10
no l2tp tunnel authentication
l2tp tunnel timeout no-session 15
!
!
!
username ryan privilege 15 password 0 ryan
username l2tpipsec password 0 l2tpipsec.key
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 30
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key R1-headoffice_R2-br2 address 136.1.0.20
crypto isakmp key l2tp_ipsec_key address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group ezvpn_client
key ezvpn_key
pool ippool_ezvpn
acl acl_ezvpn_splittunnel
crypto isakmp profile isakmp_prof_dvti
match identity group ezvpn_client
client authentication list aaa_ezvpn_authen
isakmp authorization list aaa_ezvpn_author
client configuration address respond
keepalive 20 retry 5
virtual-template 50
!
!
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
crypto ipsec transform-set l2tp_ipsec esp-3des esp-md5-hmac
mode transport
!
crypto ipsec profile ipsec_prof_dvti
set transform-set aes256sha
set reverse-route tag 50
set isakmp-profile isakmp_prof_dvti
!
crypto ipsec profile ipsec_prof_svti
set transform-set aes256sha
!
!
crypto dynamic-map crypto_dynamic_l2tp-ipsec 10
set nat demux
set transform-set l2tp_ipsec
!
!
crypto map crypto_map 10 ipsec-isakmp dynamic crypto_dynamic_l2tp-ipsec
!
!
!
!
!
interface Tunnel1
ip address 172.16.1.1 255.255.255.0
tunnel source FastEthernet0
tunnel mode ipsec ipv4
tunnel destination 136.1.0.20
tunnel key 1000
tunnel protection ipsec profile ipsec_prof_svti
!
!
interface FastEthernet0
ip address 136.1.0.10 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map crypto_map
!
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
!
!
interface FastEthernet9
!
!
interface Virtual-Template10
ip unnumbered FastEthernet0
peer default ip address pool ippool_l2tpipsec
ppp mtu adaptive
ppp authentication chap ms-chap ms-chap-v2
!
!
interface Virtual-Template50 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_prof_dvti
!
!
interface Vlan1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Async1
no ip address
encapsulation slip
!
!
ip local pool ippool_ezvpn 10.1.50.100 10.1.50.110
ip local pool ippool_l2tpipsec 10.1.60.100 10.1.60.110
ip local pool ippool_sslvpn 10.1.70.100 10.1.70.110
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list acl_nat_control interface FastEthernet0 overload
ip route 0.0.0.0 0.0.0.0 136.1.0.30
ip route 10.2.1.0 255.255.255.0 Tunnel1
!
ip access-list extended acl_ezvpn_splittunnel
permit ip 10.1.1.0 0.0.0.255 10.1.50.0 0.0.0.255
!
ip access-list extended acl_nat_control
deny ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
!
line con 0
login authentication aaa_con0_authen
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
authorization exec aaa_vty_author
login authentication aaa_vty_authen
line vty 5 193
authorization exec aaa_vty_author
login authentication aaa_vty_authen
!
!
webvpn gateway ssl_vpn_gateway
ip interface FastEthernet0 port 443
http-redirect port 80
ssl trustpoint TP-self-signed-3691727871
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.4.0202-k9.pkg sequence 1
!
webvpn context ssl_vpn_context
ssl authenticate verify all
!
!
policy group ssl_vpn_group_policy1
functions svc-required
svc address-pool “ippool_sslvpn”
svc keep-client-installed
svc split include 10.1.1.0 255.255.255.0
default-group-policy ssl_vpn_group_policy1
aaa authentication list aaa_sslvpn_authen
gateway ssl_vpn_gateway
inservice
!
end
______________________________________________________
Final Configuration for 881 – R2-branch
R2-br2#sh run
Building configuration…
Current configuration : 2196 bytes
!
! Last configuration change at 15:32:04 UTC Tue Jan 5 2010
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2-br2
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$6mVc$Cax/P/pcepCXsImiFAoBq0
!
aaa new-model
!
!
aaa authentication login aaa_vty_authen local
aaa authentication login aaa_con0_authen none
aaa authorization console
aaa authorization exec aaa_vty_author local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 25
!
!
ip source-route
!
!
!
!
ip cef
ip domain name test.com
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
username ryan privilege 15 password 0 ryan
!
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key R1-headoffice_R2-br2 address 136.1.0.10
!
!
crypto ipsec transform-set aes256sha esp-aes 256 esp-sha-hmac
!
crypto ipsec profile ipsec_prof_svti
set transform-set aes256sha
!
!
!
!
!
!
interface Tunnel1
ip address 172.16.1.20 255.255.255.0
tunnel source FastEthernet4
tunnel mode ipsec ipv4
tunnel destination 136.1.0.10
tunnel key 1000
tunnel protection ipsec profile ipsec_prof_svti
!
!
interface FastEthernet0
!
!
interface FastEthernet1
no cdp log mismatch duplex
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
ip address 136.1.0.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
ip address 10.2.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list acl_nat_control interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 136.1.0.30
ip route 10.1.1.0 255.255.255.0 Tunnel1
!
ip access-list extended acl_nat_control
deny ip 10.2.1.0 0.0.0.255 10.1.1.0 0.0.0.255
permit ip 10.2.1.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
login authentication aaa_con0_authen
no modem enable
line aux 0
line vty 0 4
authorization exec aaa_vty_author
login authentication aaa_vty_authen
!
scheduler max-task-time 5000
end
______________________________________________________
Very Simple Instructions for Win XP client setup
Windows XP client configuration
1) Create a new connection.
2) Select “Connect to the network at my workplace”.
3) Select “VPN Connection”.
4) Give the connection a name.
5) Enter the IP address of the server: 136.1.0.10.
6) Click Finish.
7) The connection window will pop up. Click Properties.
8) Click the “Security” tab. Click the radio button for “Advanced (custom settings)”. Click “IPSec Settings”.
9) Check “Use pre-shared key for authentication” and enter the same key that you configured on the router, in this case l2tp_ipsec_key. Click OK.
10) Now click the “Networking” tab. For the option “Type of VPN”, use the drop-down and select “L2TP IPSec VPN”. Click OK.
11) Click OK to exit the Properties page. You should be back at the connect screen.
12) Log in with your username and password; in this case it can be ryan/ryan. I used l2tpipsec and l2tpipsec.key.
13) Click Connect and it should connect just fine.
To enable Split Tunnelling in Windows XP, do the following:
On a Windows XP Pro Computer, you’ll find it this way:
1) Right click the My Network Places icon on the desktop and click Properties.
2) Right click on your VPN client connections in the Network Connections window and click Properties.
3) Click the Networking tab, and then click on the Internet Protocol (TCP/IP) entry and click the Properties button.
4) On the General tab of the Internet Protocol (TCP/IP) Properties dialog box, click the Advanced button.
5) On the General tab of the Advanced TCP/IP Settings dialog box, note the “Use Default Gateway on Remote Network” option.
______________________________________________________
Verification for l2tp, svti and dvti – Phase 1 and 2
R1-headoffice#sh crypto isa sa det
Codes: C – IKE configuration mode, D – Dead Peer Detection
K – Keepalives, N – NAT-traversal
T – cTCP encapsulation, X – IKE Extended Authentication
psk – Preshared key, rsig – RSA signature
renc – RSA encryption
IPv4 Crypto ISAKMP SA
C-id  Local       Remote       I-VRF  Status  Encr  Hash  Auth  DH  Lifetime  Cap.
2001  136.1.0.10  136.1.0.20          ACTIVE  aes   sha   psk   5   19:35:36
      Engine-id:Conn-id = SW:1
2011  136.1.0.10  136.1.0.100         ACTIVE  aes   sha         2   23:59:37  CDX
      Engine-id:Conn-id = SW:11
2010  136.1.0.10  136.1.0.100         ACTIVE  3des  md5   psk   2   06:34:12
      Engine-id:Conn-id = SW:10
IPv6 Crypto ISAKMP SA
R1-headoffice#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 136.1.0.10
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 136.1.0.20 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 136.1.0.10, remote crypto endpt.: 136.1.0.20
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x7175754A(1903523146)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x25A1FCA(39460810)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 38, flow_id: Onboard VPN:38, sibling_flags 80000046, crypto map
: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4579905/2097)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7175754A(1903523146)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 39, flow_id: Onboard VPN:39, sibling_flags 80000046, crypto map
: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4579905/2097)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: FastEthernet0
Crypto map tag: crypto_map, local addr 136.1.0.10
protected vrf: (none)
local ident (addr/mask/prot/port): (136.1.0.10/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (136.1.0.100/255.255.255.255/17/1701)
current_peer 136.1.0.100 port 500
PERMIT, flags={}
#pkts encaps: 1559, #pkts encrypt: 1559, #pkts digest: 1559
#pkts decaps: 2329, #pkts decrypt: 2329, #pkts verify: 2329
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 136.1.0.10, remote crypto endpt.: 136.1.0.100
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x883DFB78(2285763448)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x2BE310FB(736301307)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 40, flow_id: Onboard VPN:40, sibling_flags 80000006, crypto map
: crypto_map
sa timing: remaining key lifetime (k/sec): (4489513/2336)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x883DFB78(2285763448)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
conn id: 41, flow_id: Onboard VPN:41, sibling_flags 80000006, crypto map
: crypto_map
sa timing: remaining key lifetime (k/sec): (4489520/2336)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 136.1.0.10
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.50.103/255.255.255.255/0/0)
current_peer 136.1.0.100 port 1266
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 136.1.0.10, remote crypto endpt.: 136.1.0.100
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x96A1A0F0(2527174896)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x8BBBE2B1(2344346289)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 42, flow_id: Onboard VPN:42, sibling_flags 80000046, crypto map
: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4486606/3557)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x96A1A0F0(2527174896)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 43, flow_id: Onboard VPN:43, sibling_flags 80000046, crypto map
: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4486606/3557)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
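As an added check that is not part of the original post: the Python below parses a constructed excerpt in the same layout as the show crypto ipsec sa output above and reports, per interface, the peer, mode and status, flagging any SA that is not ACTIVE, carries traffic in only one direction, or negotiated the legacy 3DES/MD5 transform that this router keeps only for the Windows XP L2TP client.

```python
import re

# Constructed excerpt in the layout of "sh crypto ipsec sa" above (not the page's verbatim output).
SAMPLE = """\
interface: Tunnel1
current_peer 136.1.0.20 port 500
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
Status: ACTIVE
interface: FastEthernet0
current_peer 136.1.0.100 port 500
#pkts encaps: 1559, #pkts encrypt: 1559, #pkts digest: 1559
#pkts decaps: 2329, #pkts decrypt: 2329, #pkts verify: 2329
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport, }
Status: ACTIVE
"""

# Transforms worth flagging on a current audit: DES/3DES, MD5 and null encryption.
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_ipsec_sa(text):
    """Return one dict per 'interface:' block: peer, counters, transform, mode, status."""
    sas, cur = [], {}  # lines before the first 'interface:' land in a throwaway dict
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("interface:"):
            cur = {"interface": line.split(":", 1)[1].strip()}
            sas.append(cur)
        elif line.startswith("current_peer"):
            cur["peer"] = line.split()[1]
        elif line.startswith(("#pkts encaps:", "#pkts decaps:")):
            key, val = re.match(r"#pkts (\w+): (\d+)", line).groups()
            cur[key] = int(val)  # first number on the line is the encaps/decaps count
        elif line.startswith("transform:"):
            cur["transform"] = line.split(":", 1)[1].strip(" ,").split()
        elif line.startswith("in use settings"):
            cur["mode"] = re.search(r"\{(\w+)", line).group(1)  # Tunnel or Transport
        elif line.startswith("Status:"):
            cur["status"] = line.split(":", 1)[1].strip()
    return sas

def audit(sas):
    """Flag SAs that are not ACTIVE, pass no traffic in one direction, or use legacy transforms."""
    findings = []
    for sa in sas:
        if sa.get("status") != "ACTIVE":
            findings.append((sa["interface"], "status " + str(sa.get("status"))))
        if not sa.get("encaps") or not sa.get("decaps"):
            findings.append((sa["interface"], "one-way or no traffic"))
        weak = sorted(set(sa.get("transform", [])) & LEGACY)
        if weak:
            findings.append((sa["interface"], "legacy transform: " + " ".join(weak)))
    return findings
```

Run it against a pasted copy of the real command output; on this lab only the FastEthernet0 (L2TP/IPsec) SA is flagged, for its 3DES/MD5 transform.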
______________________________________________________
Verification for SSL VPN Connection
WebVPN user name = ryan ; IP address = 136.1.0.100 ; context = ssl_vpn_context
No of connections: 1
Created 00:01:26, Last-used 00:01:10
STC IP address 10.1.70.100 netmask 255.255.255.255
CSTP Started 00:00:55, Last-recieved 00:00:55
CSTP DPD-Request sent 0
Client Port: 1227
User Policy Parameters
Group name = ssl_vpn_group_policy1
Group Policy Parameters
idle timeout = 2100 sec
session timeout = Disabled
functions =
svc-required
citrix disabled
address pool name = “ippool_sslvpn”
dpd client timeout = 300 sec
dpd gateway timeout = 300 sec
keepalive interval = 30 sec
SSLVPN Full Tunnel mtu size = 1406 bytes
keep sslvpn client installed = enabled
rekey interval = 3600 sec
rekey method =
lease duration = 43200 sec
split include = 10.1.1.0 255.255.255.0