Solved

Windows Server 2003 IPSEC vpn to cisco 1710 Router VPN connection

Posted on 2004-08-09
35
1,439 Views
Last Modified: 2008-01-09
I am looking for a "how to" to connect a Cisco 1710 router with IPsec through a tunnel to a Windows Server 2003 behind a Linksys router that has put the server in a DMZ.
I have attempted the one that is located on the Cisco site, but am unable to get it to function properly.

35 Comments
 
LVL 79

Expert Comment

by:lrmoore
I'm working on this very issue for a client today. I've setup a Win2k3 server, and I'm waiting on a PIX license upgrade, and I have another router (a Linksys) all setup in my lab. Perhaps I can get this to work...or at least figure out why it won't..

LVL 23

Expert Comment

by:Tim Holman
Is the Linksys doing NAT ?
If so, you will need to set up NAT traversal (NAT-T) at both ends, and ensure the Linksys NATs UDP 4500 into the DMZ.

Author Comment

by:GBorsuk
No, the Linksys is just a gateway. I have it set up to DMZ the server.

LVL 79

Expert Comment

by:lrmoore
I'm not having any luck. I can get the tunnel to establish directly connected to the PIX interface outside, but not if I'm behind the linksys, with the server set as the DMZ host.
Can't get ISAKMP to establish an SA at all...

LVL 79

Expert Comment

by:lrmoore
SUCCESS! With XP laptop. Should be the same with the Win2k3 server.

PIX Config:

access-list no_nat permit ip 192.168.122.128 255.255.255.128 host 192.168.1.100
access-list 110 permit ip 192.168.122.128 255.255.255.128 host 192.168.1.100
ip address outside 21.21.21.21 255.255.255.0
ip address inside 192.168.122.252 255.255.255.128
ip address dmz1 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 access-list no_nat
route inside 0.0.0.0 0.0.0.0 192.168.122.132 1
route outside 192.168.1.0 255.255.255.0 21.21.21.22 1

sysopt connection permit-ipsec
sysopt ipsec pl-compatible
crypto ipsec transform-set TEST esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600

crypto map TEST 15 ipsec-isakmp
crypto map TEST 15 match address 110
crypto map TEST 15 set peer 21.21.21.22   <--- public IP address of Linksys
crypto map TEST 15 set transform-set TEST
crypto map TEST interface outside
isakmp enable outside
isakmp key ******** address 21.21.21.22 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption 3des
isakmp policy 15 hash md5
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400

Follow the steps here exactly to create 2 filter lists:
http://support.microsoft.com/default.aspx?scid=kb;en-us;816514

In the NetA to NetB tunnel rule, the tunnel endpoint is the outside interface of the PIX
In the NetB to NetA tunnel rule, the tunnel endpoint is your local private IP address

Author Comment

by:GBorsuk
Is the xp box right on the public net?


Author Comment

by:GBorsuk
Can you do me a favor and give me the walk through with the xp client and the rules.  I have followed that doc at microsoft and have had no luck with it..

What is the ipsec section in xp like. did you use custom?  What where the settings.  This is where the cisco docs and microsoft differ.  One says mirror rules the other says not to.

George

LVL 79

Expert Comment

by:lrmoore
>Is the xp box right on the public net?
No, it is behind a Linksys router, IP address 192.168.1.100

Disregard the Cisco docs, and use the step-by-step from Microsoft (uncheck the mirror)
I used this step-by-step for Windows 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;252735

NetA is the network ID of the Windows 2000 gateway internal network.
 192.168.1.0

W2KintIP is the IP address assigned to the Windows 2000 gateway internal network adapter.
 192.168.1.100

W2KextIP is the IP address assigned to the Windows 2000 gateway external network adapter.
 192.168.1.100

3rdExtIP is the IP address assigned to the third-party gateway external network adapter.
 21.21.21.21  <-- my PIX outside interface

3rdIntIP is the IP address assigned to the third-party gateway internal network adapter.

NetB is the network ID of the third-party gateway internal network.
  192.168.122.128/255.255.255.128

Start/Run/secpol.msc
Then step-by-step with the link...


Author Comment

by:GBorsuk
Did you DMZ the Linksys?

LVL 79

Expert Comment

by:lrmoore
Yes....    .100 is DMZ host

Author Comment

by:GBorsuk
Is there any way you can get me screen shots of the IPsec filter action in both rules? The MSFT doc is confusing, and I have done this now about 10 times and have not had it work.

George

Author Comment

by:GBorsuk
Here is the router config I am using...

!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxx
!
logging buffered 4096 debugging
logging rate-limit console 10 except errors
enable secret xxxx
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip domain-lookup
ip name-server 206.222.97.50
ip name-server 206.222.97.82
ip name-server 216.21.234.74
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 authentication pre-share
 hash sha
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 authentication pre-share
 hash md5
 group 2
 lifetime 86400
!
crypto isakmp key mykey address yyy.yyy.63.82
!
!
crypto ipsec transform-set rtpset2 esp-3des esp-sha-hmac
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!
crypto map rtp 1 ipsec-isakmp
 set peer yyy.yyy.63.82
 set transform-set rtpset2
 match address 111
!
!
interface Ethernet0
 description Connection to Internet
 ip address xx.xxx.144.45 255.255.255.192
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map rtp
!
interface FastEthernet0
 description Connection to Private Network
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 no ip route-cache
 ip policy route-map nonat
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
ip nat pool NAT xxx.xxx.144.45 xxx.xxx.144.45 netmask 255.255.255.192
ip nat inside source route-map nonat pool NAT overload
!
ip nat inside source static tcp 192.168.3.2 3389 xxx.xxx.144.45 3389 extendable
!
ip classless
ip route 192.168.1.0 255.255.255.0 216.144.45
ip route 0.0.0.0 0.0.0.0 xxx.xxx.144.1
no ip http server
!
!
!
access-list 111 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 122 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 122 permit ip 192.168.3.0 0.0.0.255 any
!
route-map nonat permit 10
  match ip address 122
!
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 password xxxx
 login
line vty 5 15
 login
!
end


The Win 2003 server is 192.168.1.3.
I have a device at 192.168.3.2 which is just an XP client to try pings, behind the Cisco box. The Cisco 1710 is on the Internet with a routable IP.

I will make a web page for you to see my IPsec screen shots on my Win 2003 server to see what I am doing wrong.
The Win 2003 server is behind the Linksys and it has DMZ ported to the IP of 192.168.1.3. PPTP and PPP forwarding are enabled on the Linksys. Changing that does not seem to make any difference.
I will post a link to the page in a few min.


Author Comment

by:GBorsuk
http://www.aginix.com/vpn/vpn.htm  that's the link for the images for my IPsec rules. Please look them over to see what I am missing.

When I ping from the Win 2003 server to the 192.168.3.x address space I get the negotiating message, and on the router when I issue show cry isa sa I get the following:
dst             src             state           conn-id    slot
xxx.xxx.144.45   yyy.yyy.63.82    MM_NO_STATE           1       0




LVL 79

Accepted Solution

by: lrmoore (earned 500 total points)
In your policies, be sure to add the encryption:

crypto isakmp policy 1
 authentication pre-share
 encryption 3des <=====
 hash sha
 group 2

>192.168.3.2 -- what is the default gateway of this system? The PIX 3.1?


>crypto isakmp key mykey address yyy.yyy.63.82
                            ^^^^

"mykey" is the same as XYZ123 that you have on your server?

I would expect
crypto isakmp key XYZ123 address yyy.yyy.63.82

Everything else looks right.

From the router, can you post results of "show ip access-list"
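A check for the phase 1 mismatch diagnosed above, as an added example (not code from the thread, from Cisco or from Microsoft): it parses both sides' ISAKMP policies, fills in Cisco's defaults for attributes that were left out, and reports which policy pairs actually agree, so a policy that silently defaults to DES is caught before IKE stalls in MM_NO_STATE. The configs are constructed from the thread's values; the peer's proposals are written in the flat PIX notation used earlier, and the default values are an assumption taken from Cisco's documented defaults.

```python
import re

# Cisco defaults for attributes omitted from an ISAKMP policy (assumption: the
# documented IOS 12.x / PIX 6.x defaults); lifetime is negotiated, so it is ignored.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des", "hash": "sha", "group": "1"}

def parse_ios_policies(config):
    """Parse indented 'crypto isakmp policy N' blocks from an IOS running-config."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
        elif current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if key in DEFAULTS:
                policies[current][key] = val
        else:
            current = None  # '!' or any unindented line ends the policy block
    return policies

def parse_flat_policies(config):
    """Parse flat 'isakmp policy N <attr> <value>' lines (the PIX style used earlier)."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\w+) (\S+)", config, re.M):
        if m.group(2) in DEFAULTS:
            policies.setdefault(int(m.group(1)), dict(DEFAULTS))[m.group(2)] = m.group(3)
    return policies

def matching_policies(local, peer):
    """(local_num, peer_num) pairs whose attributes agree; empty => phase 1 never completes."""
    return [(i, p) for i, a in local.items() for p, b in peer.items() if a == b]

# Constructed inputs modelled on the thread: the 1710's policy 1 before and after
# the fix, and a peer that only proposes 3DES (written in the flat PIX notation).
ROUTER_BEFORE = """crypto isakmp policy 1
 authentication pre-share
 hash sha
 group 2
 lifetime 28800
!
"""
ROUTER_AFTER = ROUTER_BEFORE.replace(" hash sha", " encryption 3des\n hash sha")
PEER = """isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""
```

Running `matching_policies` on the "before" config against `PEER` returns no pairs, because policy 1 silently proposes DES; after the `encryption 3des` line is added it returns `[(1, 10)]`.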


Author Comment

by:GBorsuk
The key is the same. I blanked it out before; they match the xyz123.

Extended IP access list 111
    permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 (4 matches)
Extended IP access list 122
    deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 (8 matches)
    permit ip 192.168.3.0 0.0.0.255 any (51 matches)

i also get a

01:09:58: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at yyy.yyy.63.82

Author Comment

by:GBorsuk
default gateway for 192.168.3.2 is 192.168.3.1 (the cisco 1710) and its gateway is public xxx.xxx.144.45


Author Comment

by:GBorsuk
Got it! it was the 3des in the crypto policy!

What is the best policy to set up and use? And what is the best transform set to use? I want to set it up to use only one set enterprise wide.

Thanks for the help!

Author Comment

by:GBorsuk
Strange that I can't ping anything other than the server at the 192.168.1.x side.
There is a client at 192.168.1.34 that will not travel across the tunnel.


LVL 79

Expert Comment

by:lrmoore
You did add the encryption to your policy, right?

Try adding this to your 1710, too:

crypto isakmp keepalive 30


Just for giggles, on your Linksys, in the port forwarding, go ahead and forward
port 500 udp and port 50 tcp to the server IP


Author Comment

by:GBorsuk
oh, the server has 2 nics in it.

Author Comment

by:GBorsuk
I cleared the IPsec passthrough, PPP passthrough and removed the DMZ. I have 500 and 50 forwarded to the server on the Linksys and it still works.

LVL 79

Expert Comment

by:lrmoore
>What is the best policy to setup and use?  and what is the best transform set to use.  I want to set it up to use only one set enterprise wide.
What you have is the best and easiest to work with most clients. 3DES/SHA, group 2

I can't help you on the 2-NIC server thing to pass traffic from another host... I was only trying to get host to remote lan..
You've worn me out on this one so far!

Glad you're working, though!



Author Comment

by:GBorsuk
I'm wondering if I put a route on the Linksys that points the 192.168.3.0 network to the interface 192.168.1.3 if it will work.

Will let you know.

Author Comment

by:GBorsuk
When I turn off IPsec passthrough it prevents a new tunnel from forming, so that setting has to be on, and port forwarding of port 500 and 50.

Author Comment

by:GBorsuk
And adding the static route on the linksys to point 192.168.3.0 to 192.168.1.3 worked perfectly!

Thanks for all your help!


LVL 79

Expert Comment

by:lrmoore
Wooo hooo!

Author Comment

by:GBorsuk
One weird thing happening. When I let the tunnel sit for a while, if I try to connect from the 192.168.3.2 side to the 192.168.1.2 side the ping times out forever, until I ping from the 192.168.1.2 side; then it works. It's like initially the Cisco does not know where to route the packets to.

Any idea?

Author Comment

by:GBorsuk
It gets stuck here:

dst             src             state           conn-id    slot
yyy.yy.63.82    xxx.xxx.144.45   MM_KEY_EXCH           3       0

Author Comment

by:GBorsuk
After issuing a clear crypto sa, everything gets rolling again. Weird.

LVL 79

Expert Comment

by:lrmoore
Remove this statement from the router:
>ip route 192.168.1.0 255.255.255.0 216.144.45

Let that traffic go out the default because the gateway that you have is not local to the 1700
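The reasoning behind that advice, as an added example (not the thread's or Cisco's own code): a static route is only usable when its next hop is on a subnet the router is directly connected to, so this check reads the interfaces' subnets and flags every `ip route` whose next hop is malformed or not on one of them. The config is constructed from the 1710's interfaces in the thread, with 203.0.113.0/26 (a documentation range) standing in for the masked public block, plus one extra route whose next hop sits on the far side of the tunnel.

```python
import ipaddress
import re

def connected_networks(config):
    """Subnets directly attached to interfaces (indented 'ip address A MASK' lines)."""
    return [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            for m in re.finditer(r"^ ip address (\S+) (\S+)", config, re.M)]

def check_static_routes(config):
    """Return (route_line, problem) for every 'ip route P M NEXTHOP' whose next hop
    cannot be reached on a connected subnet; routes via an interface name are skipped."""
    nets, problems = connected_networks(config), []
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)", config, re.M):
        line, hop = m.group(0), m.group(3)
        if hop[0].isalpha():  # e.g. 'ip route 10.0.0.0 255.0.0.0 Ethernet0'
            continue
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            problems.append((line, f"next hop {hop!r} is not a valid IPv4 address"))
            continue
        if not any(hop_ip in n for n in nets):
            problems.append((line, f"next hop {hop} is not on any connected subnet"))
    return problems

# Constructed config modelled on the 1710 in the thread; 203.0.113.0/26 stands in
# for the masked public block, and the second 192.168.1.0 route is an added case
# whose next hop lives behind the tunnel rather than on a local interface.
ROUTER_CONFIG = """interface Ethernet0
 ip address 203.0.113.45 255.255.255.192
!
interface FastEthernet0
 ip address 192.168.3.1 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 216.144.45
ip route 192.168.1.0 255.255.255.0 192.168.1.3
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""
```

Only the default route passes; the route copied from the thread is rejected as a malformed address, and the added one because 192.168.1.3 is not on either connected subnet.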

Author Comment

by:GBorsuk
Found it, you need to port forward 4500 from linksys to server for IKE to work on outside key exchange.


LVL 23

Expert Comment

by:Tim Holman
With all due respect, that was the first thing I said... !

LVL 79

Expert Comment

by:lrmoore
Tim's right. That was part of the equation, as you have discovered. As long as the server is in the DMZ, then all traffic will be forwarded. Take it out of the DMZ and you need to specify UDP 4500.

We owe Tim some points for the assist..

Author Comment

by:GBorsuk
You're right. Unfortunately I closed the question already; wish I could split the points.

Thanks Tim.

LVL 79

Expert Comment

by:lrmoore
You can always post a new question "points for tim_holman" and reference this question in the body, like:
For your assistance in
http://www.experts-exchange.com/Networking/Microsoft_Network/Q_21086711.html#11766844


<8-}