SOHO VPN design thoughts

Hello,

I'm hoping someone can help me here, as I don't seem to be able to find the information on the Cisco site. I need to set up a VPN between three sites over ADSL so that each has 2 always-on site-to-site IPsec connections to the other sites. Each site also needs to be able to accept 5 VPN client connections (Windows) to access the network. From what I can tell, the 837 router looks the best bet, with the added bonus of QoS. Is this possible with 3 837s, and would it be possible to give, say, telnet a more 'weighted' priority than, say, HTTP?

Any ideas/tips?

Thanks

Reply to
Timo.Green

snipped-for-privacy@gmail.com wrote:

I have a C836 connected to a Soho96 with IPsec, both with dynamic IP addresses, and both accept EZVPN connections (or PPTP if you like).

I don't know of any reason why it should not work with a third router the same way.

The Soho series does the IPsec encryption in software, and the IPsec throughput is limited to about 80k/s with 3DES or 130k/s with AES128.

Reply to
Uli Link

Hey Uli...

Can you post your running config with regards to the crypto map entries, as I'm having serious problems on a Soho97 with dynamic-map getting a connection from a client on the net using Cisco VPN Client 4.0.1 to terminate on the Cisco.

Thanks! Steve

Reply to
Steve

Steve wrote:

Most of the config of my Soho96. The peer's config (C836) is nearly a mirror, plus some features of the better C83x line.

You may need IOS 12.3(8)YG2; I prefer 12.4(1a) or 12.3(14)T4 and upgrading DRAM to 48 MB. 12.3(8)YG2 may work with 32 MB only on a Soho97.

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service password-encryption
!
hostname example-soho96
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 informational
logging console critical
logging monitor notifications
enable secret 5 $cutoff
!
aaa new-model
!
!
aaa authentication login default local-case
aaa authentication login ezvpn_xauth local
aaa authentication ppp default local-case
aaa authorization console
aaa authorization network ezvpn_group_auth local
!
aaa session-id common
!
resource policy
!
clock timezone MET 1
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.190.1 192.168.190.79
ip dhcp excluded-address 192.168.190.150 192.168.190.254
!
ip dhcp pool CLIENTS
   network 192.168.190.0 255.255.255.0
   domain-name internal.local
   default-router 192.168.190.1
   dns-server 192.168.189.5 192.168.190.1
   lease infinite
!
!
ip tcp path-mtu-discovery
ip cef
ip tftp source-interface Ethernet0
ip domain list internal.local
ip domain name dnsalias.net
ip name-server ...
ip name-server ...
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 isakmp
ip inspect name DEFAULT100 ntp
ip inspect name DEFAULT100 nntp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 imaps
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sshell
ip inspect name DEFAULT100 http java-list 2
ip inspect name DEFAULT100 telnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 imap3
ip inspect name DEFAULT100 imap
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 pop3
ip inspect name DEFAULT100 pop3s
ip inspect name DEFAULT100 pptp
ip inspect name DEFAULT100 ipsec-msft
ip inspect name DEFAULT100 appleqtc
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ssh
ip inspect name DEFAULT100 dns
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 netbios-ssn
ip inspect name DEFAULT100 netbios-dgm
ip inspect name DEFAULT100 netbios-ns
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip ssh source-interface Ethernet0
ip ddns update method ddns-upd
 HTTP
  add http://user:ddnspwd@/nic/update?system=dyndns&hostname=&myip=
 interval maximum 28 0 0 0
!
!
async-bootp gateway 192.168.190.1
async-bootp dns-server 192.168.190.1
isdn switch-type basic-net3
!
!
!
username bubu secret 5 $...
username ...
username ...
username ...
!
!
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Restrict peer's dynamic ip if possible by mask
! else 0.0.0.0 0.0.0.0 works
crypto isakmp key xxxxxx address 84.57.0.0 255.255.224.0 no-xauth
! since peer don't have a fixed IP, the hostname must match
! better than nothing
crypto isakmp identity hostname
crypto isakmp keepalive 240 3
no crypto isakmp ccm
crypto isakmp client configuration address-pool local ezvpn-pool
!
crypto isakmp client configuration group linkitup-ezvpn
 key xxxgroupkeyxxx
 dns 192.168.190.1
 domain internal.local
 pool ezvpn-pool
 acl 125
 pfs
 max-users 2
 max-logins 2
crypto isakmp profile linkitup-ezvpn-pro
   match identity group linkitup-ezvpn
   client authentication list ezvpn_xauth
   isakmp authorization list ezvpn_group_auth
   client configuration address respond
!
!
crypto ipsec transform-set tfs-3des esp-3des esp-md5-hmac
!
crypto identity LAN2LAN
 description VPN-LAN2LAN
 fqdn example-c836.dnsalias.net
!
!
crypto dynamic-map ezvpn-dmap 1
 description EZVPN Client
 set security-association lifetime seconds 14400
 set transform-set tfs-3des
 set pfs group2
 set isakmp-profile linkitup-ezvpn-pro
 reverse-route
!
!
crypto map linkitup 10 ipsec-isakmp
 description VPN-SDG-GRW
 set peer example-c836.dnsalias.net dynamic
 set security-association lifetime kilobytes 262144
 set security-association lifetime seconds 28800
 set transform-set tfs-3des
 set pfs group2
 set identity LAN2LAN
 match address 120
 reverse-route
crypto map linkitup 65535 ipsec-isakmp dynamic ezvpn-dmap
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 ip address 192.168.190.1 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip route-cache flow
 ip tcp adjust-mss 1452
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 ! next would be different for a Soho97/C837
 dsl operating-mode annexb-ur2
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ! next would depend on your ISP
 pvc 1/32
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 bandwidth 128
 ip ddns update hostname example-soho96.dnsalias.net
 ip ddns update ddns-upd host members.dyndns.org
 ip address negotiated
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect DEFAULT100 out
 encapsulation ppp
 ip route-cache flow
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname pppoeusername
 ppp chap password 7 pppoepasswd
 crypto map linkitup
 crypto ipsec fragmentation before-encryption
!
!
ip local pool ezvpn-pool 192.168.187.249 192.168.187.251
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip dns server
!
ip nat inside source route-map ROUTE_MAP interface Dialer0 overload
!
logging source-interface Ethernet0
access-list 23 remark Telnet/HTTP access
access-list 23 permit 192.168.190.0 0.0.0.255
access-list 23 permit 192.168.188.0 0.0.1.255
access-list 23 deny any
access-list 50 remark FW-Java-blocking dummy
access-list 50 permit any
access-list 102 deny ip 192.168.190.0 0.0.0.255 192.168.188.0 0.0.1.255
access-list 102 deny ip 192.168.190.0 0.0.0.255 host 192.168.187.249
access-list 102 deny ip 192.168.190.0 0.0.0.255 host 192.168.187.250
access-list 102 deny ip 192.168.190.0 0.0.0.255 host 192.168.187.251
access-list 102 permit ip 192.168.190.0 0.0.0.255 any
access-list 102 permit ip 172.22.234.0 0.0.0.7 any
access-list 102 deny ip any any
access-list 104 permit udp 195.50.140.240 0.0.0.15 eq domain any
access-list 104 permit udp 145.253.2.0 0.0.0.255 eq domain any
access-list 104 permit ip host 192.168.187.249 any
access-list 104 permit ip host 192.168.187.250 any
access-list 104 permit ip host 192.168.187.251 any
access-list 104 permit tcp any any eq www
access-list 104 permit tcp any any eq smtp
access-list 104 permit icmp any any echo
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any packet-too-big
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any traceroute
access-list 104 permit icmp any any unreachable
access-list 104 permit esp any any
access-list 104 permit gre any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq 10000
access-list 104 permit tcp any any eq 1723
access-list 104 permit tcp any any eq 139
access-list 104 permit udp host 192.53.103.104 eq ntp any eq ntp
access-list 104 permit udp host 192.53.103.103 eq ntp any eq ntp
access-list 104 permit udp host 151.189.13.46 eq ntp any eq ntp
access-list 104 permit udp any any eq netbios-ns
access-list 104 permit udp any any eq netbios-dgm
access-list 104 remark Without next 2 ACE dyndns won't work
access-list 104 permit tcp host 63.208.196.94 eq www any log
access-list 104 permit tcp host 63.208.196.95 eq www any log
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 permit tcp any any eq smtp log
access-list 104 deny ip any any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
access-list 120 remark LAN2LAN
access-list 120 permit ip 192.168.190.0 0.0.0.255 192.168.188.0 0.0.1.255
access-list 125 permit ip 192.168.190.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map ROUTE_MAP permit 1
 match ip address 102
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
!
scheduler max-task-time 5000
scheduler interval 500
no rcapi server
!
!
sntp server 192.168.190.250
end

HTH

Reply to
Uli Link

Thanks for that, Uli... going to give it a shot!!

Running 12.3(10) with 32 MB. Do you have any links to tutorials specifically for dynamic-map? I've done a site-to-site without any problems, but dynamic seems to be causing me some serious issues...

Just for your reference, here's what I was trying:

!--- IKE configuration

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
crypto isakmp client configuration address-pool local VPN-IP-POOL

!--- IPSec configuration

crypto ipsec transform-set trans1 esp-3des esp-md5-hmac
crypto dynamic-map VPN-DYN-MAP 10
 set transform-set trans1

crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic VPN-DYN-MAP

!--- Interface configuration

interface Dialer1
 crypto map intmap

ip local pool VPN-IP-POOL 10.10.10.200 10.10.10.254

Reply to
Steve
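
Editor's note on the two configs posted above. Both carry settings that are worth checking mechanically before a box goes live: an ISAKMP policy with 3DES, MD5 and DH group 2; a policy with no encr or group line at all (IOS then falls back to its defaults, DES and group 1); a pre-shared key bound to address 0.0.0.0, so any peer that knows the key may negotiate; and a ppp chap password stored as type 7 under service password-encryption, which is reversible obfuscation, not a hash. The Python script below is an added example, not code from this thread or from Cisco. It splits an IOS config into blocks by indentation and reports those findings. SAMPLE_CONFIG is a constructed excerpt modelled on the two posted configs; the type-7 value inside it is generated by the script's own encoder, and XLAT is the publicly documented IOS type-7 translation table. The severity labels and finding texts are the editor's own.

```python
"""Audit a Cisco IOS config excerpt for weak IKE/IPsec settings and recoverable passwords."""
import re

# Publicly documented IOS type-7 translation table.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(s: str) -> str:
    """Reverse an IOS 'password 7' string: two-digit start index, then hex bytes XORed with XLAT."""
    if len(s) < 4 or len(s) % 2 or not s[:2].isdigit():
        raise ValueError("not a type-7 string")
    idx = int(s[:2])
    raw = bytes.fromhex(s[2:])
    return "".join(chr(b ^ ord(XLAT[(idx + i) % len(XLAT)])) for i, b in enumerate(raw))


def type7_encode(plain: str, idx: int = 8) -> str:
    """Produce a type-7 string; used here only to build the constructed sample config."""
    body = "".join(f"{ord(c) ^ ord(XLAT[(idx + i) % len(XLAT)]):02X}" for i, c in enumerate(plain))
    return f"{idx:02d}{body}"


def parse_blocks(text: str):
    """Group config lines into (header, sub-lines) pairs by IOS indentation; skip '!' comments."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


WEAK_ENCR = {"des", "3des"}
WEAK_GROUP = {"1", "2", "5"}
WEAK_XFORM = {"esp-des", "esp-3des", "esp-md5-hmac"}
TYPE7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})\b")


def audit(text: str):
    """Return a list of (severity, where, message) findings for an IOS config text."""
    findings = []
    for header, body in parse_blocks(text):
        w = header.split()
        if header.startswith("crypto isakmp policy"):
            # IOS defaults when a keyword is absent from the policy: encr des, hash sha, group 1.
            opts = {p[0]: p[1] for p in (l.split() for l in body) if len(p) >= 2}
            encr, hsh, grp = opts.get("encr", "des"), opts.get("hash", "sha"), opts.get("group", "1")
            if encr in WEAK_ENCR:
                findings.append(("HIGH", header, f"weak IKE encryption {encr}"))
            if hsh == "md5":
                findings.append(("MEDIUM", header, "IKE hash md5"))
            if grp in WEAK_GROUP:
                findings.append(("MEDIUM", header, f"weak DH group {grp}"))
        elif header.startswith("crypto isakmp key") and "address" in w:
            i = w.index("address")
            addr = w[i + 1] if i + 1 < len(w) else ""
            mask = w[i + 2] if i + 2 < len(w) and re.fullmatch(r"[\d.]+", w[i + 2]) else "255.255.255.255"
            if addr == "0.0.0.0" or mask == "0.0.0.0":
                findings.append(("HIGH", header, "wildcard pre-shared key: any peer holding the key can negotiate"))
        elif header.startswith("crypto ipsec transform-set"):
            for t in w[4:]:
                if t in WEAK_XFORM:
                    findings.append(("MEDIUM", header, f"weak IPsec transform {t}"))
        elif header == "service password-encryption":
            findings.append(("INFO", header, "type-7 obfuscation only; prefer 'secret' forms where IOS offers them"))
        # Type-7 strings can appear on top-level lines (username ...) or inside blocks (ppp chap ...).
        for line in [header, *body]:
            m = TYPE7_RE.search(line)
            if m:
                findings.append(("HIGH", line, f"type-7 password recovers to {type7_decode(m.group(1))!r}"))
    return findings


# Constructed sample in the shape of the posted configs (not either router's real config).
SAMPLE_CONFIG = f"""\
service password-encryption
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 84.57.0.0 255.255.224.0 no-xauth
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
crypto ipsec transform-set tfs-3des esp-3des esp-md5-hmac
!
interface Dialer0
 ppp chap hostname pppoeusername
 ppp chap password 7 {type7_encode('pppoepasswd', 9)}
"""


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONFIG
    for sev, where, msg in audit(text):
        print(f"{sev:6} {where!r}: {msg}")


if __name__ == "__main__":
    import sys
    main(sys.argv)
```

Run it with no arguments to see the findings for the constructed sample, or pass a saved `show running-config` as the first argument. The masked key in the sample (84.57.0.0 255.255.224.0) is deliberately not flagged: that is the restriction Uli's own comment recommends, and the script only reports keys that accept every peer. A policy line that IOS prints without `encr` or `group` is the case most often missed by eye, which is why the defaults are filled in before the check rather than treating the absence as "not configured".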

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.