From mtzcesar at gmail.com Wed Jun 1 14:49:35 2005
From: mtzcesar at gmail.com (Cesar Martinez)
Date: Wed, 1 Jun 2005 11:49:35 -0700
Subject: [VPN] vpn CISCO-SMC
Message-ID:

I have a Cisco Systems, Inc./VPN 3000 Concentrator Version 4.0.4.A and an SMC Barricade router. I need to make one LAN-to-LAN VPN with IPsec. These are my parameters on both sites:

Hashing Algorithm: SHA1
Authentication Mode: Pre-Shared Keys
Time Interval: 86400 sec
Encryption: 3DES 168
DH: Group 2
IKE Negotiation Mode: Main

and for IPsec: DES-56, ESP, SHA, mode main.

The phase 1 IKE completes correctly, but in phase 2 IPsec I get this error:

26160 06/01/2005 11:28:46.640 SEV=7 IKEDBG/65 RPT=6548 xxx.xxx.xxx.xxx
Group [L2L: Smc]
IKE QM Initiator FSM error history (struct &0x1e3c3a8) , :
QM_DONE, EV_ERROR
QM_WAIT_MSG2, EV_TIMEOUT
QM_WAIT_MSG2, NullEvent
QM_SND_MSG1, EV_SND_MSG

26165 06/01/2005 11:28:46.640 SEV=9 IKEDBG/0 RPT=26450
sending delete/delete with reason message

26166 06/01/2005 11:28:46.640 SEV=9 IKEDBG/0 RPT=26451 xx.xxx.xx.xx
Group [L2L: Smc]
constructing blank hash

26167 06/01/2005 11:28:46.640 SEV=9 IKEDBG/0 RPT=26452
constructing IPSec delete payload

And in the log of the SMC equipment this appears:

SDP error: no fount[192.168.0.190]<->[ip smc] from peer IP address (the public IP of the VPN concentrator)

(192.168.0.190 is the private IP of the PIX firewall.)

Thank you

From evyncke at cisco.com Thu Jun 2 04:56:29 2005
From: evyncke at cisco.com (Eric Vyncke)
Date: Thu, 02 Jun 2005 10:56:29 +0200
Subject: [VPN] Re: IPSec Tunnel for voice traffic without encryption, possible ?
In-Reply-To: <40qjma$2d597u@sj-inbound-e.cisco.com>
References: <5.1.0.14.2.20050531103409.03143b50@127.0.0.1>
Message-ID: <5.1.0.14.2.20050602105221.03173318@127.0.0.1>

At 11:45 1/06/2005 -0700, Shawn Nunley wrote:
>Eric Vyncke [mailto:evyncke at cisco.com] wrote:
>
>>IPsec and VoIP work fine together at the expense of a much
>> higher required bandwidth (due to IPsec headers). This may
>> be your case.
>
>Actually, higher bandwidth is only going to alleviate a problem that is
>related to the volume of data that can be passed between the two endpoints.
>The real problem in using a VPN technology on top of a real-time service
>like voice is latency. If the encryption layer adds any significant latency
>to the conversation, it can really mess with voice traffic. You can add
>bandwidth until you're blue in the face and the problem will still be there.

Of course, you need to get a small latency. I won't argue on that :-)

But most (if not all) current VPN products are fast enough (most with dedicated HW) so that latency is not a problem nowadays. And, having helped people to use VoIP over IPsec (even over the Internet -- which is what I'm using when teleworking), I can confirm that the two remaining issues are bandwidth (x3 or x4 compared to plain voice) and another issue linked to QoS handling on the slowest link (typically the uplink for residential), where QoS (and especially link fragmentation & interleave over MLPPP) is critical.

Hope this helps

-eric

From TristanRhodes at weber.edu Fri Jun 10 14:18:28 2005
From: TristanRhodes at weber.edu (Tristan RHODES)
Date: Fri, 10 Jun 2005 12:18:28 -0600
Subject: [VPN] Cisco VPN for remote users - Pix 515
Message-ID:

I want to use a Pix 515 device to set up a VPN for remote users.

Here is what I think the connection will look like.

[VPN-user]----[Internet]----[Egress-Firewall]----[6500-Router]----[VPN-515]

Users will connect to their ISP and fire up the Cisco VPN client. They will connect to the VPN-515 device and start a VPN session. They will be assigned an IP on one of our internal networks. From then on, they should have access as if they were located on campus.

Let's assume that the 6500 has an interface addressed 10.0.200.1/24. The VPN-515 has an outside IP address of 10.0.200.254/24.

I am not sure how to configure the VPN-515 to make this happen.
Should I use a second interface on the VPN-515 to connect back into the 6500, or should I do one-arm routing? Will I need a new IP network for users?

Any help would be appreciated.

Tristan Rhodes

From Dana.Dawson at qwest.com Fri Jun 10 18:31:28 2005
From: Dana.Dawson at qwest.com (Dana J. Dawson)
Date: Fri, 10 Jun 2005 17:31:28 -0500
Subject: [VPN] Re: Cisco VPN for remote users - Pix 515
In-Reply-To:
References:
Message-ID: <1BE329EC-355D-4548-888D-D579C500BC08@qwest.com>

Unless you're running the new PIX 7.0 software, the PIX won't work in "one-arm" mode, so you'll need to use another of the PIX interfaces for the connection to the rest of your network. I'll assume you'll use the inside interface for that. The PIX also doesn't automatically do proxy arp for VPN client addresses that are assigned from the subnet the PIX interface is in, but you can force it to by adding static arp entries with the "alias" keyword at the end. If you have a large pool of addresses this is a pain, so it's usually better to assign client addresses from a unique subnet and then make sure the rest of your network routes traffic to that subnet to the inside interface of the PIX. Since you'll be doing NAT between the PIX and the clients, make sure you add the "isakmp nat-traversal 20" command to your config. This enables the NAT-Traversal feature that encapsulates ESP traffic in UDP/4500 packets if it detects NAT, which is often necessary if either or both ends of the VPN are behind a NAT device. None of the Cisco sample configs seem to include it, but it's a very good feature and you should probably always use it when configuring IPSec in a PIX.

I think that covers all your questions. If not, or you have more, send 'em on and we'll see what we can do.

Good luck!

Dana

---
Dana J. Dawson            Dana.Dawson at qwest.com
Sr. Staff Engineer        CCIE #1937
Qwest Communications
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."
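An added example, my own code rather than anything from this thread or from Cisco: a small Python linter that reads a PIX 6.3 remote-access IPsec config and flags the points Dana raises here and in her later reply (NAT-T enabled, client pool on its own subnet rather than an interface subnet, the pool exempted from NAT, xauth on the crypto map). The function names and the sample config are mine; the sample borrows Tristan's addressing and the vpngroup layout Aida posts later in this digest.

```python
import ipaddress
import re

def parse_pix(text):
    """Pull out the few PIX 6.3 statements the checks below need (my parser, not Cisco's)."""
    cfg = {"ifaces": {}, "pools": {}, "acls": {}, "nonat": None,
           "nat_t": False, "xauth": set(), "maps": set(), "split": None}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+) (\S+)$", line):
            cfg["ifaces"][m[1]] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", line):
            cfg["acls"].setdefault(m[1], []).append(   # destination side = client pool
                ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            cfg["nonat"] = m[1]
        elif line.startswith("isakmp nat-traversal"):
            cfg["nat_t"] = True
        elif m := re.match(r"crypto map (\S+) client authentication", line):
            cfg["xauth"].add(m[1])
        elif m := re.match(r"crypto map (\S+) interface", line):
            cfg["maps"].add(m[1])
        elif m := re.match(r"vpngroup \S+ split-tunnel (\S+)$", line):
            cfg["split"] = m[1]
    return cfg

def lint(text):
    """Return findings as strings; an empty list means the thread's advice is met."""
    cfg, out = parse_pix(text), []
    if not cfg["nat_t"]:
        out.append("missing 'isakmp nat-traversal': ESP will not survive a NAT device in the path")
    for name, (lo, hi) in cfg["pools"].items():
        for ifname, net in cfg["ifaces"].items():
            if lo in net or hi in net:   # PIX does no proxy-arp for these clients
                out.append(f"pool {name} lies in the {ifname} subnet {net}: use a unique "
                           "subnet or add 'arp <if> <ip> <mac> alias' entries per address")
        if not any(lo in n and hi in n for n in cfg["acls"].get(cfg["nonat"], [])):
            out.append(f"pool {name} is not exempted from NAT by 'nat (inside) 0'")
    for name in sorted(cfg["maps"] - cfg["xauth"]):
        out.append(f"crypto map {name} has no 'client authentication': no xauth prompt for users")
    if cfg["split"] and cfg["split"] not in cfg["acls"]:
        out.append(f"split-tunnel ACL '{cfg['split']}' is not defined")
    return out

# Constructed sample: Tristan's addressing (10.10.200/201/203) with Aida's vpngroup layout.
SAMPLE = """\
ip address outside 10.10.200.254 255.255.255.0
ip address inside 10.10.201.254 255.255.255.0
ip local pool poolclient 10.10.203.1-10.10.203.254
isakmp nat-traversal 20
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
vpngroup vpn3000 address-pool poolclient
vpngroup vpn3000 split-tunnel split
access-list split permit ip 10.10.0.0 255.255.0.0 10.10.203.0 255.255.255.0
access-list nonat permit ip 10.10.0.0 255.255.0.0 10.10.203.0 255.255.255.0
nat (inside) 0 access-list nonat
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)   # this sample only lacks xauth
```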
On Jun 10, 2005, at 1:18 PM, Tristan RHODES wrote:

> I want to use a Pix 515 device to setup a VPN for remote users.
>
> Here is what I think the connection will look like.
>
> [VPN-user]----[Internet]----[Egress-Firewall]----[6500-Router]----
> [VPN-515]
>
> Users will connect to their ISP and fire up the Cisco VPN client.
> They
> will connect to the VPN-515 device and start a VPN session. They will
> be assigned an IP on one of our internal networks. From then on, they
> should have access as if they were located on campus.
>
> Let's assume that the 6500 has an interface addressed 10.0.200.1/24.
> The VPN-515 has an outside IP address of 10.0.200.254/24.
>
> I am not sure how to configure the VPN-515 to make this happen.
> Should
> I use a second interface on the VPN-515 to connect back into the 6500,
> or should I do one-arm routing? Will I need a new IP network for
> users?
>
> Any help would be appreciated.
>
> Tristan Rhodes
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn
>

From bax at shepfam.net Fri Jun 10 18:50:34 2005
From: bax at shepfam.net (Baxter Shepperson)
Date: Fri, 10 Jun 2005 15:50:34 -0700
Subject: [VPN] Best way to setup VPN for clients?
Message-ID: <0DC34789-E92E-4995-8D22-3B5958387C53@shepfam.net>

Have a working PPTP config for my 6.3 Pix 515, but users are whining about not being able to surf the internet while connected. Ran the VPN Wizard in PDM for L2TP over IPsec but can't connect using that yet. What other parameters do I need to set after running the wizard? Is there a way to make my existing PPTP config work?

From aidamx at kukulkan.net Sat Jun 11 14:44:14 2005
From: aidamx at kukulkan.net (Aida Lumbreras)
Date: Sat, 11 Jun 2005 13:44:14 -0500
Subject: [VPN] Re: Best way to setup VPN for clients?
In-Reply-To: <0DC34789-E92E-4995-8D22-3B5958387C53@shepfam.net>
References: <0DC34789-E92E-4995-8D22-3B5958387C53@shepfam.net>
Message-ID:

The problem you are having has to do with split tunneling, which is the type of configuration that you need to enable internet access when the PPTP tunnel comes up. Now, this concept does not apply directly to the PPTP client and it cannot be configured on the PIX (but the Cisco VPN client does have it and it is very easy to enable it on the PIX); this is actually a known issue with Microsoft. But we do have a workaround to do split tunneling on PPTP connections.

You will have to manually modify the routes on the client itself (a Win2K workstation, for example) to be able to have split tunneling.

Consider the following scenario:

When the PPTP tunnel comes up on the PC, the PPTP route is installed with a higher metric than the previous default, so we lose Internet connectivity. To remedy this, knowing that the network inside our router was 10.13.1.X (for example), we run a batch file (batch.bat) to modify the Microsoft routing table, delete the default and reinstall the default route (this requires knowing the IP address the PPTP client was assigned, i.e. 192.168.1.1):

Route delete 0.0.0.0
Route add 0.0.0.0 mask 0.0.0.0 161.44.17.1 metric 1          (normal public DG)
Route add 10.13.1.0 mask 255.255.255.0 192.168.1.1 metric 1   (route to reach the networks behind the router/PIX)

Hope this helps

--
Aida Lumbreras

From bax at shepfam.net Sat Jun 11 14:46:31 2005
From: bax at shepfam.net (Baxter Shepperson)
Date: Sat, 11 Jun 2005 11:46:31 -0700
Subject: [VPN] Re: Best way to setup VPN for clients?
In-Reply-To:
References: <0DC34789-E92E-4995-8D22-3B5958387C53@shepfam.net>
Message-ID: <26B2C2A9-7771-4ADF-96AA-514AEC912C63@shepfam.net>

So is there a better solution instead of using PPTP? Would like this to be transparent to the users.
Appreciate the quick response and your time by the way :)

On Jun 11, 2005, at 11:44 AM, Aida Lumbreras wrote:

> The problem you are having has to do with Split tunneling which is
> the type of configuration that you need to enable internet access
> when the pptp tunnel comes up. Now, this concept does not apply
> directly to pptp client and it cannot be configured on the pix (but
> cisco vpn clients does have it and it is very easy to enable it on
> the pix), this is actually a known issue with Microsoft. But we do
> have a workaround to do split tunneling on PPTP connections.
>
> You will have to manually modify the routes on the client itself
> (win2k workstation for example) to be able to have split tunneling.
>
> Consider the following scenario:
>
> When the PPTP tunnel comes up on the PC, the PPTP route is installed
> with a higher metric than the previous default, so we lose Internet
> connectivity. To remedy this, knowing that the network inside our
> router was 10.13.1.X (for example), we run a batch file (batch.bat)
> to modify the Microsoft routing table, delete the default and
> reinstall the default route (this required knowing the IP address the
> PPTP client was assigned, i.e. 192.168.1.1):
>
> Route delete 0.0.0.0
> Route add 0.0.0.0 mask 0.0.0.0 161.44.17.1 metric 1 (normal public DG)
> Route add 10.13.1.0 mask 255.255.255.0 192.168.1.1 metric 1 (route
> to reach the networks behind the router/pix)
>
>
> Hope this helps
>
>
>
> --
> Aida Lumbreras
>
>

From aidamx at kukulkan.net Sun Jun 12 16:40:13 2005
From: aidamx at kukulkan.net (Aida Lumbreras)
Date: Sun, 12 Jun 2005 15:40:13 -0500
Subject: [VPN] Re: Best way to setup VPN for clients?
In-Reply-To: <26B2C2A9-7771-4ADF-96AA-514AEC912C63@shepfam.net>
References: <0DC34789-E92E-4995-8D22-3B5958387C53@shepfam.net> <26B2C2A9-7771-4ADF-96AA-514AEC912C63@shepfam.net>
Message-ID:

The easiest and fastest would be to configure the Cisco VPN client.
You can download the software from the following link:

http://www.cisco.com/cgi-bin/tablebuild.pl/vpnclient-3des

and redistribute it to your colleagues. And here are the steps to configure the Cisco VPN client on the PIX.

Define a pool of addresses to assign to the clients:

ip local pool poolclient 10.1.2.1-10.1.2.254

Configure Phase 1 and Phase 2:

PHASE 1

isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp nat-traversal 20

PHASE 2

sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside

VPN CLIENT

vpngroup vpn3000 address-pool poolclient
vpngroup vpn3000 dns-server <dns-server-ip>
vpngroup vpn3000 wins-server <wins-server-ip>
vpngroup vpn3000 split-tunnel split
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password <group-password>

access-list split permit ip <inside-network> 255.255.255.0 10.1.2.0 255.255.255.0
access-list nonat permit ip <inside-network> 255.255.255.0 10.1.2.0 255.255.255.0
nat (inside) 0 access-list nonat

Hope this helps!

Aida Lumbreras

From Dana.Dawson at qwest.com Mon Jun 13 16:32:08 2005
From: Dana.Dawson at qwest.com (Dana J. Dawson)
Date: Mon, 13 Jun 2005 15:32:08 -0500
Subject: [VPN] Re: Cisco VPN for remote users - Pix 515
In-Reply-To:
References:
Message-ID: <54664193-7F65-46DB-B598-421CDB11F4BC@qwest.com>

Tristan,

I think your understanding is correct and that your plan should work. And yes, I think it's usually better to configure your dynamic VPN client address pool from a unique subnet rather than taking it from the subnet to which the inside interface connects, but because the PIX won't do redirects there can be situations where it's best to use the connected subnet.
The usual situation where this is the case is if there are other routers on that connected network that provide connectivity to other parts of your network and you have servers that are configured with just a default gateway. If those servers specify the PIX as the gateway in hopes that the PIX will also redirect traffic to those other routers for access to the rest of your network, that's a problem. You could change the default gateway in the servers to be one of those other routers and depend on it to do the redirecting, but sometimes even that's not an appealing option and the static arp entries with the "alias" keyword are the cleaner solution. If you think you might need this or have questions, let me know.

For your reference, here are two links to pages at Cisco that I find useful. The first is to a list of various IPSec sample configurations for various different products and topologies (including VPN configurations between Cisco and other vendors' products). It's not organized as nicely as it could be, but doing a search within the page for the appropriate keyword ("PIX" in this case) is frequently helpful:

The other link is from the above page and is a pretty good sample config for a PIX terminating the "Unity" VPN client (as compared to the old IRE-based "Cisco Secure" client, which is no longer available). One thing I usually add which typically doesn't appear in Cisco's sample PIX configs is the "isakmp nat-traversal 20" command. This enables the "NAT-T" feature that detects NAT and encapsulates the ESP traffic in UDP/4500 headers if necessary so that intermediate NAT devices are less likely to cause trouble. It's a very useful command for both VPN client and site-to-site VPN connections and should be on by default in the PIX in my opinion (it is on by default in the newer versions of IOS - go figure).

The other feature this sample doesn't show is xauth user authentication.
In 6.3 Cisco added local authentication capability for VPN clients, which is a useful feature for small-scale deployments. If you have a lot of users, you'll probably want to use an external AAA server (RADIUS or TACACS+). The command for enabling xauth is:

crypto map mymap client authentication LOCAL

I've used the same name for the crypto map as appears in the sample config below, and have specified the "LOCAL" aaa method. That would allow you to configure local username/password entries for your users. You could alternatively define a RADIUS or TACACS+ server method and reference that instead. If you just use the config from the sample below, your users will not be prompted for a password when they initiate a VPN connection to the PIX.

Anyway, here's the URL for the PIX sample:

I think that's everything. Good luck, and let me know if you have more questions.

Dana

---
Dana J. Dawson            Dana.Dawson at qwest.com
Sr. Staff Engineer        CCIE #1937
Qwest Communications
600 Stinson Blvd., Suite 1S
Minneapolis MN 55413-2620

"Hard is where the money is."

On Jun 13, 2005, at 2:36 PM, Tristan RHODES wrote:

> Dana,
>
> Thanks for your reply. I appreciate your time and effort.
>
> I am running Pix 6.3 software so I will probably use the inside
> interface like you said.
>
> [6500](a)-----(b)[515](c)-----|
>    |(d)                       |
>    ----------------------------
>
> Legend:
> (a) = 6500 interface VLAN 200 (10.10.200.1/24)
> (b) = Pix "outside" interface (10.10.200.254/24)
> (c) = Pix "inside" interface (10.10.201.254/24)
> (d) = 6500 interface VLAN 201 (10.10.201.1/24)
>
> I think you are telling me that I should use a third network for
> users... perhaps 10.10.203.0/24.
>
> If this design is correct, my next step is to setup the VPN and
> routing
> correctly. Any hints?
>
> Tristan

From TristanRhodes at weber.edu Mon Jun 13 15:36:20 2005
From: TristanRhodes at weber.edu (Tristan RHODES)
Date: Mon, 13 Jun 2005 13:36:20 -0600
Subject: [VPN] Re: Cisco VPN for remote users - Pix 515
Message-ID:

Dana,

Thanks for your reply. I appreciate your time and effort.

I am running Pix 6.3 software so I will probably use the inside interface like you said.

[6500](a)-----(b)[515](c)-----|
   |(d)                       |
   ----------------------------

Legend:
(a) = 6500 interface VLAN 200 (10.10.200.1/24)
(b) = Pix "outside" interface (10.10.200.254/24)
(c) = Pix "inside" interface (10.10.201.254/24)
(d) = 6500 interface VLAN 201 (10.10.201.1/24)

I think you are telling me that I should use a third network for users... perhaps 10.10.203.0/24.

If this design is correct, my next step is to set up the VPN and routing correctly. Any hints?

Tristan

>>> "Dana J. Dawson" wrote on 06/10/05 4:31 PM:
> Unless you're running the new PIX 7.0 software, the PIX won't work in
> "one-arm" mode, so you'll need to use another of the PIX interfaces
> for the connection to the rest of your network. I'll assume you'll
> use the inside interface for that. The PIX also doesn't
> automatically do proxy arp for VPN client addresses that are assigned
> from the subnet the PIX interface is in, but you can force it to by
> adding static arp entries with the "alias" keyword at the end. If
> you have a large pool of addresses this is a pain, so it's usually
> better to assign client addresses from a unique subnet and then make
> sure the rest of your network routes traffic to that subnet to the
> inside interface of the PIX. Since you'll be doing NAT between the
> PIX and the clients, make sure you add the "isakmp nat-traversal 20"
> command to your config. This enables the NAT-Traversal feature that
> encapsulates ESP traffic in UDP/4500 packets if it detects NAT, which
> is often necessary if either or both ends of the VPN are behind a NAT
> device.
> None of the Cisco sample configs seem to include it, but
> it's a very good feature and you should probably always use it when
> configuring IPSec in a PIX.
>
> I think that covers all your questions. If not, or you have more,
> send 'em on and we'll see what we can do.
>
> Good luck!
>
> Dana
>
> ---
> Dana J. Dawson            Dana.Dawson at qwest.com
> Sr. Staff Engineer        CCIE #1937
> Qwest Communications
> 600 Stinson Blvd., Suite 1S
> Minneapolis MN 55413-2620
>
> "Hard is where the money is."
>
> On Jun 10, 2005, at 1:18 PM, Tristan RHODES wrote:
>
>> I want to use a Pix 515 device to setup a VPN for remote users.
>>
>> Here is what I think the connection will look like.
>>
>> [VPN-user]----[Internet]----[Egress-Firewall]----[6500-Router]----
>> [VPN-515]
>>
>> Users will connect to their ISP and fire up the Cisco VPN client.
>> They
>> will connect to the VPN-515 device and start a VPN session. They will
>> be assigned an IP on one of our internal networks. From then on, they
>> should have access as if they were located on campus.
>>
>> Let's assume that the 6500 has an interface addressed 10.0.200.1/24.
>> The VPN-515 has an outside IP address of 10.0.200.254/24.
>>
>> I am not sure how to configure the VPN-515 to make this happen.
>> Should
>> I use a second interface on the VPN-515 to connect back into the 6500,
>> or should I do one-arm routing? Will I need a new IP network for
>> users?
>>
>> Any help would be appreciated.
>>
>> Tristan Rhodes
>> _______________________________________________
>> VPN mailing list
>> VPN at lists.shmoo.com
>> http://lists.shmoo.com/mailman/listinfo/vpn
>>

From tbird at precision-guesswork.com Thu Jun 30 17:23:15 2005
From: tbird at precision-guesswork.com (Tina Bird)
Date: Thu, 30 Jun 2005 14:23:15 -0700
Subject: [VPN] openVPN developers?
Message-ID: <006401c57db9$f2392420$4a00000a@hq.infoexpress.com>

Any of the OpenVPN developers on this list? I would like to chat with them before my USENIX secure remote access tutorial...
thanks for any info - tbird
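Going back to Eric Vyncke's bandwidth remark in the VoIP thread earlier in this digest, here is an added example (my code, not Eric's or anyone else's on the list) that sizes a voice packet in the clear and inside an ESP tunnel for the cipher/hash pairs named in the digest (DES or 3DES with SHA-1 or MD5, plus AES-128 for comparison), with and without the UDP header that NAT-T adds. The codec payload sizes and the 20 ms packetisation interval are standard values I supply; the ESP layout assumed is tunnel mode with a CBC cipher and a 96-bit truncated HMAC.

```python
IP_HDR, UDP_HDR, RTP_HDR, ESP_HDR = 20, 8, 12, 8   # bytes; ESP_HDR = SPI + sequence number

# cipher block size (padding unit), IV length and ICV length in bytes, CBC mode assumed
SUITES = {"des-sha": (8, 8, 12), "3des-sha": (8, 8, 12), "des-md5": (8, 8, 12),
          "aes128-sha": (16, 16, 12)}

# payload bytes per packet and packetisation interval in ms (constructed, standard values)
CODECS = {"G.711": (160, 20), "G.729": (20, 20)}


def esp_tunnel_size(inner_len, suite, nat_t=False):
    """Bytes on the wire for an IPv4 packet of inner_len bytes carried in ESP tunnel mode."""
    block, iv, icv = SUITES[suite]
    body = inner_len + 2                 # inner packet + pad-length byte + next-header byte
    pad = (-body) % block                # CBC needs the encrypted part to be a block multiple
    size = IP_HDR + ESP_HDR + iv + body + pad + icv
    return size + (UDP_HDR if nat_t else 0)   # NAT-T wraps ESP in UDP/4500


def voice_packet_size(codec, suite=None, nat_t=False):
    """Plain RTP/UDP/IP packet, or the same packet inside the ESP tunnel."""
    payload, _ = CODECS[codec]
    clear = IP_HDR + UDP_HDR + RTP_HDR + payload
    return clear if suite is None else esp_tunnel_size(clear, suite, nat_t)


def kbps(codec, suite=None, nat_t=False):
    """Bit rate of one direction of the stream: bytes * 8 / ms == kbit/s."""
    _, interval = CODECS[codec]
    return voice_packet_size(codec, suite, nat_t) * 8 / interval


def report(suite="3des-sha", nat_t=False):
    """Per codec: codec rate, plain-IP rate, ESP rate and the expansion against each baseline."""
    rows = {}
    for codec, (payload, interval) in CODECS.items():
        raw = payload * 8 / interval
        esp = kbps(codec, suite, nat_t)
        rows[codec] = {"codec_kbps": raw, "ip_kbps": kbps(codec), "esp_kbps": esp,
                       "vs_codec": esp / raw, "vs_ip": esp / kbps(codec)}
    return rows


if __name__ == "__main__":
    for codec, r in report().items():
        print(f"{codec}: {r['codec_kbps']:.0f} -> {r['ip_kbps']:.1f} -> {r['esp_kbps']:.1f} kbit/s "
              f"(x{r['vs_codec']:.1f} vs codec, x{r['vs_ip']:.2f} vs plain IP)")
```

For G.729 the 3DES/SHA-1 stream comes out at 112 bytes per packet, about 1.9x the plain RTP/UDP/IP stream and 5.6x the 8 kbit/s codec rate, so the multiplier one quotes depends on which baseline "plain voice" refers to.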