December 14, 2006
Configuring a Cisco Router to Accept VPN Connections
This blog post has been a long time coming, as someone asked me quite some time ago to post the simplest way to accomplish this (for a home environment). I hate to admit this, but my home PC (where I get all my email) was hacked because I allowed Microsoft's Remote Desktop Protocol (RDP) and VNC in from anywhere on the Internet (a very bad idea). That was the end of that: now VPN connections are required to get to my home PC. Well, the simplest way to configure a VPN on a router is to use the Cisco SDM...but Real Cisco Techs use the command line :). So here we go:

The first thing you need to do is specify an authentication method. Since I'm assuming this is for a home environment, using the local router database is just fine:
Router(config)# aaa new-model (turns on the AAA subsystem; the named lists below are not used without it)
Router(config)# aaa authentication login LOCAL_DB local (defines a login method called LOCAL_DB that uses the local DB)
Router(config)# aaa authorization network LOCAL_DB local (defines a network authorization list of the same name; the crypto map's isakmp authorization list, further down, looks the client group's settings up through it)
Router(config)# username Jeremy password cisco (creates a user account in the local DB)
Second, you need to define a DHCP pool of addresses for your VPN clients. This is the address range that they will be assigned when they connect. This should be a unique range not in use on your LAN:
Router(config)# ip local pool CLIENT_ADDRESSES 172.30.50.10 172.30.50.20
Next, you have to create an ISAKMP policy. This is a policy that secures Phase 1 of the VPN negotiation. Phase 1 is there to allow you to securely exchange the encryption keys you'll be using for the VPN. Without this phase, someone could sniff your encryption keys and compromise the VPN security:
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encr aes (my preferred encryption: 128-bit AES; fast and secure)
Router(config-isakmp)# authentication pre-share (says that I'll need to type a secret key on the router & VPN client)
Router(config-isakmp)# group 2 (Diffie-Hellman group 2...super strong keys to lock down Phase 1)
Now, I need to configure a client configuration group. This is what gives the clients their settings (such as DNS server, IP address, etc.).
Router(config)# crypto isakmp client configuration group HOME
Router(config-isakmp-group)# key s3cr3t (the client has to provide this key to connect to the VPN)
Router(config-isakmp-group)# dns 172.30.100.11 (assigns a DNS server to the client)
Router(config-isakmp-group)# domain ciscoblog.com (assigns a DNS suffix to the client)
Router(config-isakmp-group)# pool CLIENT_ADDRESSES (says that this client will get an IP address from the CLIENT_ADDRESSES pool)
There is MUCH more you can put under the above config to define things like split tunneling and access control...but that discussion is for another day :)
Next up, we can configure the settings for the IPsec tunnel (all this stuff until now has been Phase 1, pre-tunnel info). Initially, we must set up a transform set. This defines what level of encryption (scrambling data so people can't read it) and hashing (checking to make sure data doesn't change) we'd like to use:
Router(config)# crypto ipsec transform-set JEREMYS_SET esp-aes esp-sha-hmac
As a quick description, the line above sets the VPN encryption to 128-bit AES and the hashing to SHA-1 (a 160-bit digest). This is what I'd recommend, but you can choose whatever levels you'd like (just hit the ? key to see all your options).
Now we can create a crypto map. A crypto map takes all these settings and sums them together into something we can apply to an interface:
Router(config)# crypto dynamic-map CLIENT_MAP 1 (creates a dynamic map, which is used for remote access clients)
Router(config-crypto-map)# set transform-set JEREMYS_SET (says that this will be the transform set used for clients)
Router(config-crypto-map)# reverse-route (puts the client IP address in the routing table when the client connects)
Router(config)# crypto map JEREMY_VPN client authentication list LOCAL_DB (links authentication method to the VPN)
Router(config)# crypto map JEREMY_VPN isakmp authorization list LOCAL_DB (links authorization settings - what a user can do - to the VPN)
Router(config)# crypto map JEREMY_VPN client configuration address respond (allows router to respond to DHCP requests from clients)
Router(config)# crypto map JEREMY_VPN 100 ipsec-isakmp dynamic CLIENT_MAP (applies the dynamic crypto map to the real crypto map)
FINALLY, we can apply the crypto map to the interface:
Router(config)# interface fa0/1 (my DSL connection interface)
Router(config-if)# crypto map JEREMY_VPN (applies the crypto map from above)
The router is now ready to accept VPN connections. Now that I'm looking back over this, I'm sure it's generated many more questions than it answered...ask away :).
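As an added example (not code from the post), here is a small Python linter that applies the checks a reviewer would make to this chain of commands: every list, pool, transform set and dynamic map a crypto map refers to must actually be defined, the map must be applied under an interface, and weak choices (DES/3DES/MD5, DH groups 1 and 2, reversible `username ... password`) are flagged. The config it runs on is constructed from the post's names; the `aaa authorization network` line that `isakmp authorization list` relies on is deliberately left out so that check fires.

```python
import re

# Constructed config using the post's names; 'aaa authorization network' is left out on purpose.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login LOCAL_DB local
username Jeremy password cisco
ip local pool CLIENT_ADDRESSES 172.30.50.10 172.30.50.20
crypto isakmp policy 1
 group 2
crypto isakmp client configuration group HOME
 pool CLIENT_ADDRESSES
crypto ipsec transform-set JEREMYS_SET esp-aes esp-sha-hmac
crypto dynamic-map CLIENT_MAP 1
 set transform-set JEREMYS_SET
crypto map JEREMY_VPN client authentication list LOCAL_DB
crypto map JEREMY_VPN isakmp authorization list LOCAL_DB
crypto map JEREMY_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
interface FastEthernet0/1
 crypto map JEREMY_VPN
"""

WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}
# (reference regex, definition regex, message): each name a crypto map chain
# points at must be defined by some line matching the definition regex.
REFS = [
    (r"crypto map \S+ client authentication list (\S+)", r"aaa authentication login (\S+)", "no 'aaa authentication login' list"),
    (r"crypto map \S+ isakmp authorization list (\S+)", r"aaa authorization network (\S+)", "no 'aaa authorization network' list"),
    (r"pool (\S+)", r"ip local pool (\S+)", "no 'ip local pool' of that name"),
    (r"set transform-set (\S+)", r"crypto ipsec transform-set (\S+)", "no 'crypto ipsec transform-set' of that name"),
    (r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", r"crypto dynamic-map (\S+)", "no 'crypto dynamic-map' of that name"),
    (r"crypto map (\S+) \d+ ipsec-isakmp", r"crypto map (\S+)$", "crypto map not applied under any interface"),
]

def lint_easyvpn(config):
    """Return a list of problem strings for an IOS Easy VPN server config (empty = clean)."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip() and ln[0] != "!"]
    problems = [] if "aaa new-model" in lines else ["aaa new-model missing: named aaa lists are ignored"]
    for ln in lines:
        for ref, definition, msg in REFS:
            m = re.match(ref, ln)
            if m and m.group(1) not in {d.group(1) for x in lines if (d := re.match(definition, x))}:
                problems.append(f"{m.group(1)}: {msg}")
        if weak := WEAK & set(ln.split()):
            problems.append(f"weak algorithm {sorted(weak)} in '{ln}'")
        if re.fullmatch(r"group [12]", ln):
            problems.append(f"'{ln}': DH group of 1024 bits or less, weak by current standards")
        if re.match(r"username \S+ password ", ln):
            problems.append(f"user {ln.split()[1]}: 'password' is reversible, use 'username ... secret'")
    return problems
```

Feed it the output of `show running-config` (indentation and `!` separators are tolerated) to check a real router the same way.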
Posted by JC at December 14, 2006 8:16 PM
Comments
Jeremy,
Nice post. I am curious if your CVOICE nuggets include some Call Manager review? Big picture? I recently was contracted into a WAN support position with one of the larger telcos and they plan to start support for true voice solutions, i.e. Cisco. I lack knowledge of voice in a bad way, outside of QoS, which is not voice but is needed to support it, for which once again I'll give you a plug for a "SWEET!" 642-642. I just want to make sure I purchase the right nugget. 642-432 CVOICE should be a good start?
Thanks,
A satisfied disciple:)
Posted by: David Lundgren at December 14, 2006 10:05 PM
Hi Jeremy,
Nice post! I was wondering if you know how your PC was hacked, via RDP or VNC? I have the idea that RDP is pretty secure since there are no real vulnerabilities reported. Do you have more info regarding this?
Thanks
Ruben
Posted by: Ruben at December 18, 2006 4:33 AM
David - Thanks for the kind words :). CVOICE contains very little CallManager material; that'll be part of CIPT, which is due out as soon as I can finish CCNP updates.
Ruben - My PC was hacked via VNC. I was using RealVNC, which contained a known vulnerability (not known at the time, of course) that allowed an intruder in without authentication. Yikes! VPN took care of that...
More information on the hack: http://secunia.com/advisories/20107/
Posted by: JC at December 18, 2006 9:17 AM
Is there any way to do something like this with some low-end Linksys (Cisco) WRT54G routers? I'm looking to connect the router at my girlfriend's house to the router at my home so that I can be connected to my home network when I am on her wireless.
Posted by: Dave at January 6, 2007 1:42 PM
Hello JC,
I did everything as you posted here, but I am still unable to connect with the VPN client.
This is debug message from IOS:
ISAKMP (0:13): Checking ISAKMP transform 12 against priority 21 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:13): Preshared authentication offered but does not match policy!
I have configured aaa new model:
aaa new-model
!
!
aaa authentication login userlist local
Please could you help me?
Tomas
Posted by: bacilko1 at January 10, 2007 3:15 AM
I like your article. I have something similar to this setup. Do you know if there is a way to log VPN connections like this to a syslog server? All I can find info on is how to do this with RADIUS.
-Dustin
Posted by: dustin at February 27, 2007 1:11 PM
The post was great! I have the Cisco PIX configuration file and am trying to get a VPN client to work, to no avail. Is it possible to reverse engineer it? Also, what does the show or wr t output look like?
Posted by: Joe Terry at March 7, 2007 6:17 AM
Hi Jeremy,
Thanks for a nice article.
I have one question:
if I want to restrict one interface of my router to accept ONLY VPN connections and deny all other connections, how can I do that?
Posted by: Kishore at March 12, 2007 11:13 PM
How will the clients know how to route to the internal network?
Posted by: Joe at April 16, 2007 11:43 PM
Hi
My config is very similar to yours, but I am trying to connect with an XP PC to the router and it does not get connected at all; it comes up with "SA not offered". Can you help?
Marius
Posted by: Marius at April 18, 2007 5:05 AM
Hi Jeremy,
I love your stuff and the videos that you do with CBT. I'm kind of stuck with my configuration for an Easy VPN server. I have a 2821 router attached to my SBC DSL modem with a static IP (69.x.x.x). On the other interface (10.x.x.3) I have a switch connected just doing switching. Off this switch there's a Call Manager and a PC hanging (both within the 10.x.x.x IP address range).
I am successfully able to VPN to the 69.x.x.x interface from my PC using the Cisco VPN client (my VPN'ed IP becomes 1.1.1.10). But for some reason, I'm not able to ping either the Call Manager or the 10.x.x.3 interface on the router. My final objective is to attach the CIPC on my laptop to the CCM. Any pointers on where I could be wrong will be MUCCCCCH appreciated.
thanks,
Kamran
Posted by: Kamran at April 24, 2007 5:11 PM
Jeremy,
Sorry for spamming, but are you sure this config is correct in your article above:
Router(config)# crypto dynamic-map CLIENT_MAP 1
Router(config-crypto-map)# set transform-set JEREMYS_SET
Router(config-crypto-map)# reverse-route
Router(config)# crypto map JEREMY_VPN client
shouldn't the crypto map name be "CLIENT_MAP" instead of "JEREMY_VPN"?
thx,
Kamran
Posted by: Kamran at April 24, 2007 7:32 PM
Jeremy,
I love your Blog.
Please advise me: why, if we configure aaa new-model on the Cisco AS5400/5300, does the password via vty/telnet change?
My aaa configuration:
no aaa new-model
aaa authentication login local line
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection h323 stop-only group radius
aaa nas port voip
radius-server host 203.x.x.x auth-port 1645 acct-port 1646
radius-server host 203.x.x.x auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server key 7 13060E100E1E517C
Regards,
Bayu-
Jakarta-Indonesia
Posted by: bayu at April 26, 2007 4:28 AM
I want to know one thing about Cisco routers. Please explain to me how I can block ICMP traffic on a Cisco router. If you know, then email me.
Posted by: hitesh at May 13, 2007 12:02 PM
Hi guys,
I need help configuring this VPN on my Cisco router. I am not managing to understand and configure it correctly.
Please help me.
Paulo Célio
Posted by: Paulo célio at May 14, 2007 1:57 PM
Hello sir,
I want to configure the router but I don't know the configuration. If you can help me in this regard it will be very helpful for me.
Thank you
Bilal Ahmadi
Posted by: Bilal Ahmadi at May 16, 2007 4:42 AM
I need the configuration for making a VPN with a Cisco router as the client side.
Regards
Hadi
Posted by: hadi Nazari at June 18, 2007 10:06 AM
I need to connect a CVPN v4.8 client to a Cisco 2621XM router
but I'm experiencing a lot of problems. My
router config is as follows. Please help:
I still cannot connect via the VPN client. Please help.
username cisco password 0 class
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login LOCAL_DB local
aaa session-id common
ip subnet-zero
ip cef
!
crypto isakmp policy 1
encr des
authentication pre-share
group 2
!
crypto isakmp client configuration group HOME
key secret
dns 192.168.99.1
domain cisco.com
pool CLIENT_ADDRESSES
!
crypto ipsec transform-set VPN_TRANSFORM esp-des esp-md5-hmac
!
!
crypto dynamic-map CLIENT_MAP 1
set transform-set VPN_TRANSFORM
reverse-route
!
!
crypto map REMOTE_VPN client authentication list LOCAL_DB
crypto map REMOTE_VPN isakmp authorization list LOCAL_DB
crypto map REMOTE_VPN client configuration address respond
crypto map REMOTE_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
!
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map REMOTE_VPN
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
ip address 192.168.110.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
router rip
network 192.168.1.0
network 192.168.110.0
!
ip local pool CLIENT_ADDRESSES 192.168.99.10 192.168.99.20
Posted by: tony at July 3, 2007 6:08 AM
Thanks for the above knowledge.
I want to know what crypto is and why we have used
the crypto command in Cisco. Please send me a reply as early
as possible at my mail ID.
Posted by: deepak at July 27, 2007 2:21 AM
I am trying the exact same config on my 2621 but my IOS doesn't seem to have a group command for "crypto isakmp client configuration..." All I have is crypto isakmp client configuration ?
address-pool Set network address for client
Any ideas? I am running this version
IOS (tm) C2600 Software (C2600-JK9S-M), Version 12.2(46), RELEASE SOFTWARE (fc1)
and I have a feeling it is my IOS version. Please help. Thanks.
-Jay
Posted by: Jay at August 7, 2007 9:53 AM
It is good to connect the PC to the modem first before connecting to the router.
Posted by: bukky omojayogbe at September 22, 2007 5:29 PM
Hi, I'm Pradeep.
Posted by: pradeep at March 27, 2008 7:36 AM
Great post!!!
How can I show a summary of all addresses handed out to VPN clients from the pool through CLI?
Posted by: blanchardl at September 25, 2008 12:37 PM
Quote: How can I show a summary of all addresses handed out to VPN clients from the pool through CLI?
...and compare to the account who authenticated the request.
Posted by: Louie at September 25, 2008 12:46 PM