Lab notes – WB1 Lab4 Part 1

by Jimmy Larsson on February 26, 2010

Today I started to work with IPExpert CCIE Security Workbook 1, Lab 4a – VPN solutions. During my work I made the following notes, which might be interesting to read for other CCIE candidates. From now on I will also continue to take these notes and post them on this blog. Explaining and writing is simply a great way for me to learn.
Also, if my boss some day asks me what the heck I am doing with all these work hours, I will gladly give him a link to this blog. :-)

Task 4.1 – IOS CA

This was quite straight-forward. Make an IOS router a root certificate authority for later use.

Task 4.2 – IOS L2L

This is all about enrolling two IOS routers with the CA from the previous task and setting up an IPsec tunnel between them.

  • What confuses me is that there is nothing in the configuration telling it to authenticate with certificates. All there is, compared to “normal” preshared-key auth, is a missing “authentication pre-share”. Which of course means that authentication is done with the certificates by default. I understand, I just have to get used to the fact that there is no command visible in the crypto isakmp policy saying “authentication MY-CA-TRUSTPOINT”.
  • When entering a wrong peer in the crypto map, it’s not enough to just re-enter a new IP. Since a crypto map sequence can have multiple peers for redundancy, the old one doesn’t go away. The effect is that the tunnel comes up, but only after a while, since it first tries the bad peer IP before trying the second one. Remove the first.
  • Being more used to VPNs on the ASA than on IOS, I usually tear down VPN tunnels with the commands “clear crypto isakmp sa” and “clear crypto ipsec sa”. In IOS the corresponding command is “clear crypto session”. Cool.

Task 4.3 – VPN IOS-ASA

The task was to set up a tunnel between IOS and ASA. Preshared key, all straight-forward. However, I was asked to prioritize certain traffic going into the tunnel from the IOS router. This was done by creating a service-policy on the outside interface like this:


class-map match-all VPN-CLASS
 match access-group 150          ! the ACL that defines the traffic to prioritize
!
policy-map VPN-POLICY
 class VPN-CLASS                 ! must match the class-map name exactly
  priority 200                   ! LLQ; the task also required limiting the prioritized traffic to 200 kbps
!
interface Fa1/1
 service-policy output VPN-POLICY

  • And don’t forget to do “qos pre-classify” on the crypto map! Otherwise your class-map only sees the ESP packets after encryption, so it would have to match on ESP traffic, and that is not very granular, is it? :-)
  • “create lo3 on r2, assign it ip 192.168.3.2/24” and “create a vpn tunnel between Vlan100 and the newly created loopback network”. I used “host 192.168.3.2” in the ACL, but it clearly states “the loopback _network_”. Darn!

Task 4.4 L2L Aggressive mode with PSK

  • Stuck twice.
I PROMISE NEVER TO FORGET TO APPLY THE CRYPTO MAP TO THE INTERFACE AGAIN
I PROMISE NOT TO FORGET TO APPLY THE CRYPTO MAP TO THE IF AGAIN
I PROMISE NOT TO FORGET TO APPLY THE CRYPTO MAP TO THE IF AGAIN
  • Stuck again. Couldn’t get the tunnel up even when comparing my configs with the solution guide. After getting help from OSL I made it:

Hi


I am struggling with this task, I simply cannot get the tunnel up. And I can’t see what I’ve done wrong.

Background: Make a tunnel between r2 and r5. Assume that the r5 IP is dynamic; the tunnel should only be initiated from r5 (that is: dynamic map on r2).

The relevant parts of the config look like this:

Answer from Brandon:

Not sure if this is it or not, but you have “crypto isakmp key ipexpert hostname r5.ipexpert.com” and the debug shows “FQDN name : R5.ipexpert.com”.

Voila! Changed the “r5” to “R5” and it started working!
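As an added illustration of the setup discussed in that thread (my own example config, not the lab solution guide and not the author’s configuration): R5 has a dynamic address and initiates aggressive mode toward R2, identifying itself by FQDN; R2 carries a dynamic crypto map and looks the preshared key up by that FQDN. The key “ipexpert” and the identity “R5.ipexpert.com” come from the thread above; R2’s address 8.9.2.2, the interface names, the transform set, the ACL and the inside networks are assumptions.

```cisco
! ===== R5 (initiator, dynamic outside address) =====
hostname R5
ip domain-name ipexpert.com
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! send hostname + domain (R5.ipexpert.com) as the ISAKMP identity
crypto isakmp identity hostname
!
! force aggressive mode toward R2 and state the identity explicitly;
! the aggressive-mode password is the preshared key R2 expects for this FQDN
crypto isakmp peer address 8.9.2.2
 set aggressive-mode password ipexpert
 set aggressive-mode client-endpoint fqdn R5.ipexpert.com
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255   ! assumed inside networks
!
crypto map VPN 10 ipsec-isakmp
 set peer 8.9.2.2
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address dhcp
 crypto map VPN                   ! the line the promises above are about

! ===== R2 (responder, dynamic crypto map) =====
hostname R2
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
!
! key is looked up by the FQDN R5 sends; write it exactly as the debug
! output shows it (R5.ipexpert.com, not r5.ipexpert.com)
crypto isakmp key ipexpert hostname R5.ipexpert.com
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route                    ! inject a route to R5's inside network when the SA comes up
!
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 ip address 8.9.2.2 255.255.255.0
 crypto map VPN
```

Because R2 only has a dynamic map it can never initiate; the tunnel comes up when R5 sends interesting traffic. “show crypto isakmp sa” on R2 should then show the SA in QM_IDLE, and “debug crypto isakmp” is where the “FQDN name : R5.ipexpert.com” line in the thread came from, so that is the string the hostname key must match.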

Task 4.5 L2L Overlapping subnets.

The task was to create a tunnel between 4 routers to protect traffic between internal nets. The restrictions were: no static routing, no crypto maps and no GRE.
  • I haven’t worked very much with tunnel interfaces, but this was a pleasant first date. It’s kind of magic making a virtual interface and having the router route traffic through it. Even cooler when you encrypt the traffic and make a routing protocol talk through the tunnel.
  • Since I wasn’t allowed to use static routing I had to create loopback interfaces to force knowledge of the local network’s translated address space into the routing protocol. I was thinking of some kind of “add-reverse-route” option for the “ip nat source static network” command, but I guess there is no such solution? Or could this routing issue be solved in another way?
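The tunnel-interface approach from the first note above, as an added example of my own (not the lab solution and not the author’s config): a static virtual tunnel interface in IPsec mode, which carries no GRE header, protected with an IPsec profile instead of a crypto map, with OSPF running across it so that no static routes are needed. Only the VTI and the routing are shown; the NAT for the overlapping subnets is left out. All addresses, interface names, router names and the key are assumptions.

```cisco
! ===== R2 =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key vtikey address 8.9.2.5
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.255.25.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 8.9.2.5
 tunnel mode ipsec ipv4           ! IPsec VTI: plain ESP, no GRE encapsulation
 tunnel protection ipsec profile VTI-PROF
!
router ospf 1
 network 10.255.25.0 0.0.0.3 area 0       ! adjacency over the tunnel
 network 192.168.2.0 0.0.0.255 area 0     ! assumed inside network on R2

! ===== R5 =====
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key vtikey address 8.9.2.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.255.25.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 8.9.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router ospf 1
 network 10.255.25.0 0.0.0.3 area 0
 network 192.168.5.0 0.0.0.255 area 0     ! assumed inside network on R5
```

With a VTI there is no “match address” ACL: the proxy identities are 0.0.0.0/0 on both sides, and whatever the routing table sends into Tunnel0 gets encrypted. That is why a routing protocol over the tunnel is enough to steer traffic, and it is also why the loopback trick in the note above is needed: OSPF can only advertise address space that exists on some interface. “show crypto session” and “show ip ospf neighbor” are the two checks that the tunnel is up and the adjacency formed across it.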

Task 4.6 – Easy VPN Server on IOS

  • This task deals with connecting a plain IPsec client on an XP workstation to a VPN server on IOS. First step was to verify connectivity on XP. Wrong IP, changing it. Now, a good piece of advice from someone “who knows”: Do NOT add a default route on the student NIC of the lab PCs. It has 2 NICs and the other one is conveniently named “Outside NIC – Do not Touch!”, which is fine because that’s how you reach the machine over the internet. But if you add a default “gateway” on the student NIC (which you are allowed to fool with) you will convert that kind little XP machine into an unpredictable beast. If you are lucky you will reach it after a while and remove that default gw. So I’ve heard. :)
  • IOS auto-enroll and the enroll feature of the IPsec VPN client are cool. Just point it to http://<ios ca ip>/cgi-bin/pkiclient.exe and request a certificate.
  • I had to look at the solution guide quite a lot in this case. Even when doing that I couldn’t get the VPN client to connect. I just got these error messages:

Feb 26 12:35:24.740: ISAKMP:(1011):deleting SA reason "Recevied fatal informational" state (R) CONF_XAUTH    (peer 8.9.2.200)
Feb 26 12:35:24.740: ISAKMP:(1011):deleting SA reason "Recevied fatal informational" state (R) CONF_XAUTH    (peer 8.9.2.200)

  • Suddenly I looked at the bottom right corner of my screen and saw that there were 3 minutes left until the lab period was over. I have never backed up a bunch of routers this fast before. First thing next lab attempt will be to load the configs and troubleshoot the Easy VPN config of R4.
Conclusion of this lab so far: it’s intense! I’ve been configuring plenty of VPN solutions before, but I guess that my experience covers only 20-30% of the VPN-related topics in this lab. All these profile configurations in IOS are new to me. I guess I have some CCO chapters to read during the weekend…
Here are my current configurations: asa1, r2, r4, r5 and r6.


{ 3 comments }

TacACK February 26, 2010 at 16:43

Great posting.. you could be the IPX eyes, whereas my site’ll be the INE eyes! :) Together, we will kick CCIE butt!

Jimmy Larsson February 26, 2010 at 17:58

Ah, like Yin & Yang. Cool. And me being IPX reminds me of the good(?) old(??) Netware-years. ;)

Paul Stewart February 27, 2010 at 00:47

Regarding your first couple of notes. If you want to hard-code it to a trust-point, I think the following will work.

crypto isakmp profile MYPROF
 ca trust-point MYCA
 match identity host myhost.blah.com
crypto map MYMAP 10 ipsec-isakmp
 set isakmp-profile MYPROF
 ….
