[c-nsp] IPSec to MPLS VPN

Virgil virgil at webcentral.com.au
Tue Apr 25 21:01:03 EDT 2006


On 26/4/06 1:57 AM, "Kristofer Sigurdsson" <kristosig at gmail.com> wrote:

> I do remember trying to implement a solution on a 7200 a couple of
> years ago, where the IPSec clients came in from wherever and were
> supposed to be able to go anywhere (i.e. they could browse the general
> Internet through us, even though they were connected to the Internet
> via some other provider).  This did not work because IOS wouldn't
> allow traffic to exit the router on the same interface as it came in
> on.  If I remember correctly, we were using some 12.3T variant.
> According to Cisco TAC, this could not be done.  Has this been
> changed, or is that not applicable in this scenario?

Here's an EasyVPN Server configuration on an IOS router:
Does everything a PIX would do, plus hair-pinning.

aaa authentication login AuthByRadius group RADIATOR
aaa authorization network AuthByRadius group RADIATOR
aaa accounting network AuthByRadius start-stop group RADIATOR
!
ip cef             
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp xauth timeout 90
!
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
crypto ipsec transform-set 3desmd5 esp-3des esp-md5-hmac
!
crypto dynamic-map MODE 10
 set security-association lifetime seconds 86400
 set transform-set 3desmd5
crypto dynamic-map MODE 20
 set transform-set 3dessha
!
!
crypto map EasyVPN local-address Loopback0
crypto map EasyVPN client authentication list AuthByRadius
crypto map EasyVPN isakmp authorization list AuthByRadius
crypto map EasyVPN client configuration address respond
crypto map EasyVPN 10 ipsec-isakmp dynamic MODE
!
interface Loopback0
 description IPSEC target
 ip address 1.2.3.4 255.255.255.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
!
interface FastEthernet0.4
 encapsulation dot1Q 4
 ip address 1.2.4.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ospf message-digest-key 1 md5 xxxx
 no ip mroute-cache
 no snmp trap link-status
 no cdp enable
 crypto map EasyVPN
!                  
router ospf 7496
 log-adjacency-changes
 area 2 authentication message-digest
 redistribute static
 passive-interface default
!
!!!!!!!!!!
! IPSEC client address range (routed back out the crypto-mapped interface for hair-pinning)
ip route 192.168.128.0 255.255.255.0 FastEthernet0.4
!
!!!!!!!!!!!!!!!!
! Split tunneling - deny is VPN
access-list 166 deny   ip 192.168.0.0 0.0.15.255 192.168.128.0 0.0.0.255
access-list 166 deny   ip 192.168.32.0 0.0.7.255 192.168.128.0 0.0.0.255
access-list 166 permit ip host 0.0.0.0 192.168.128.0 0.0.0.255


Apologies if I missed anything.  This box is an AS5300 that also does
POTS/ISDN/DoV as well as PPTP and IPSEC on a stick.

Regards
Virgil

-- 
Virgil
Network Architect, AS7496
virgil at webcentral dot com


