Hi, has anybody got a quick rundown on configuring the VPN between a UC520 and the 87x series of routers? I'm trying to avoid using CCA as I like to configure it all via the CLI. I was hoping someone could post the generated configs from CCA for both ends so I can do it via the CLI and not let CCA break my setup. Thanks -Dan


I am getting an error
I am getting error messages while using your configuration.
MungerRemote(config-if)#ip nhrp authentication DMVPN_NW
^
% Invalid input detected at '^' marker.
MungerRemote(config-if)#ip nhrp map 10.91.123.1 x.x.x.x - my public ip
^
% Invalid input detected at '^' marker.
MungerRemote(config-if)#ip nhrp network-id 100000
^
% Invalid input detected at '^' marker.
MungerRemote(config-if)#ip nhrp holdtime 360
^
% Invalid input detected at '^' marker.
MungerRemote(config-if)#ip nhrp nhs 10.91.123.1
^
% Invalid input detected at '^' marker.
Any ideas?
The caret is under nhrp.
Not so EzVPN
I tried it with CCA; I think I'm missing something...
Some things I didn't like about the CCA + EzVPN way:
* The phone behind the 87x router is on the same VLAN as the data network
* I couldn't seem to get EzVPN network extension mode going, only client mode
* I can't manage both the 87x series and the UC520 from the same CCA session; I had to log into each of them separately, which I thought was odd. I was sure I read somewhere that this is possible.
I've ended up with a dynamic multipoint VPN setup.
Here's the config if anyone's interested; I've also thrown in the QoS policy I'm using.
Head End / UC520 :
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp key somerandomsecurekey address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-3DES-SHA
!
!
!
!
!
interface Tunnel0
description mGRE Interface
bandwidth 1000
ip address 10.91.123.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1360
delay 1000
qos pre-classify
tunnel source FastEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile DMVPN
!
-=-=-=-=-=-=-=-==- The Client / Spoke End -=-=-=-=-=-=-=-==-
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key somerandomsecurekey address x.x.x.x (WAN Address of UC520)
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set ESP-3DES-SHA
!
!
!
!
!
!
interface Tunnel0
bandwidth 1000
ip address 10.91.123.3 255.255.255.248
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 10.91.123.1 x.x.x.x(WAN Address of UC520)
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.91.123.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel destination x.x.x.x (WAN Address of UC520)
tunnel key 100000
tunnel protection ipsec profile DMVPN
!
=-=-=-=-=-=-= The QOS Policy =-=-=-=-=-=-
!
class-map match-any Transactional
match dscp af21
match dscp af22
match dscp af23
class-map match-any Signaling
match dscp cs3
match dscp af31
class-map match-any Routing
match dscp cs6
class-map match-any Voice
match dscp ef
class-map match-any SManagement
match dscp cs2
!
!
policy-map QoS-Policy-1
class Voice
priority percent 33
class Signaling
bandwidth percent 5
class Routing
bandwidth percent 5
class SManagement
bandwidth percent 5
class Transactional
bandwidth percent 5
class class-default
fair-queue
random-detect
policy-map QoS-Policy-2
class class-default
shape average 1024000
service-policy QoS-Policy-1
!
!
interface FastEthernet 0/0
service-policy out QoS-Policy-2
!
Due to the UC520 not supporting routing protocols, you'll need to add static routes at each end to make it come up. For the client end I've added routes for:
ip route 10.1.10.0 255.255.255.252 10.91.123.1
ip route 10.1.1.0 255.255.255.0 10.91.123.1
ip route 192.168.10.0 255.255.255.0 10.91.123.1
And on the UC520 you'll need to add a route back to the network on the 87x router.
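As an added example that is not part of the post above (and not Cisco tooling): a small Python checker that parses a hub and a spoke config in the shape posted here and reports the settings that must agree for a DMVPN tunnel to come up (mGRE on the hub, tunnel key, NHRP authentication string, NHS and NHRP map pointing at the hub, matching transform-set algorithms and mode, an identical ISAKMP policy), plus the two things in this pair a practitioner would want flagged: the 3DES/DH group 2 IKE policy and the hub's pre-shared key bound to 0.0.0.0 0.0.0.0, which lets any peer that knows the key authenticate. The embedded configs are constructed from the posted pair; 198.51.100.1 is a stand-in for the UC520's WAN address, and IOS defaults (DES, SHA, group 1 and rsa-sig for an ISAKMP policy, tunnel mode for a transform set) are assumed wherever a value is left unset.

```python
"""DMVPN hub/spoke consistency checks for pasted Cisco IOS config text. Added
example for this thread (not Cisco tooling, not the poster's script); the sample
configs are constructed from the posted pair, 198.51.100.1 standing in for the hub WAN IP."""
import re

# A line starting with one of these opens a new top-level section; any other line is a
# sub-command of the open section. Indentation is ignored, since pasted configs lose it.
TOP = ("crypto ", "interface ", "class-map ", "policy-map ", "ip route ",
       "ip local pool ", "ip nat ", "access-list ", "dialer-list ", "!")
SUB = [(r"encr(?:yption)? (.+)", "encr"), (r"hash (\S+)", "hash"), (r"group (\S+)", "group"),
       (r"authentication (\S+)", "auth"), (r"mode (\S+)", "mode"), (r"set transform-set (\S+)", "ts"),
       (r"ip address (\S+) \S+", "ip"), (r"ip nhrp authentication (\S+)", "nhrp_auth"),
       (r"ip nhrp nhs (\S+)", "nhs"), (r"tunnel mode (.+)", "mode"), (r"tunnel key (\S+)", "key"),
       (r"tunnel protection ipsec profile (\S+)", "profile")]


def parse_side(text):
    """Collect ISAKMP policies, PSK binding, transform sets, profiles and Tunnel facts."""
    side = {"ike": [], "psk_wildcard": False, "ts": {}, "profiles": {},
            "tunnel": {"mode": "gre ip", "maps": {}}}
    section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith(TOP):
            section = None
            if re.match(r"crypto isakmp policy \d+", line):
                # IOS defaults for whatever the policy leaves unset
                section = {"encr": "des", "hash": "sha", "group": "1", "auth": "rsa-sig"}
                side["ike"].append(section)
            elif m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
                side["psk_wildcard"] |= m[1] == "0.0.0.0"
            elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
                section = side["ts"][m[1]] = {"algs": sorted(m[2].split()), "mode": "tunnel"}
            elif m := re.match(r"crypto ipsec profile (\S+)", line):
                section = side["profiles"][m[1]] = {"ts": None}
            elif re.match(r"interface Tunnel\d+", line):
                section = side["tunnel"]
        elif section is not None:
            if m := re.match(r"ip nhrp map (\d[\d.]*) (\S+)", line):  # not 'map multicast ...'
                section["maps"][m[1]] = m[2]
            for pat, key in SUB:
                if m := re.match(pat, line):
                    section[key] = m[1]
                    break
    return side


def check_pair(hub_text, spoke_text):
    """Return 'ERROR: ...' findings that block the tunnel and 'WARN: ...' advisories."""
    hub, spoke = parse_side(hub_text), parse_side(spoke_text)
    ht, st, out = hub["tunnel"], spoke["tunnel"], []
    if ht["mode"] != "gre multipoint":
        out.append("ERROR: hub Tunnel lacks 'tunnel mode gre multipoint'")
    for key, cmd in (("key", "tunnel key"), ("nhrp_auth", "ip nhrp authentication")):
        if ht.get(key) != st.get(key):  # both travel in the packets and must match exactly
            out.append(f"ERROR: {cmd} differs: hub={ht.get(key)} spoke={st.get(key)}")
    nhs = st.get("nhs")
    if nhs != ht.get("ip"):
        out.append(f"ERROR: spoke 'ip nhrp nhs {nhs}' is not the hub tunnel address {ht.get('ip')}")
    if nhs not in st["maps"]:
        out.append(f"ERROR: spoke lacks 'ip nhrp map {nhs} <hub WAN address>'")
    # Phase 2: the transform set each profile selects must agree in algorithms and mode
    hts = hub["ts"].get(hub["profiles"].get(ht.get("profile"), {}).get("ts")) or {}
    sts = spoke["ts"].get(spoke["profiles"].get(st.get("profile"), {}).get("ts")) or {}
    for f in ("algs", "mode"):
        if hts.get(f) != sts.get(f):  # None means the profile or transform set is missing
            out.append(f"ERROR: transform-set {f} mismatch: hub={hts.get(f)} spoke={sts.get(f)}")
    # Phase 1: at least one ISAKMP policy must be identical on both sides
    common = [p for p in hub["ike"] if p in spoke["ike"]]
    if not common:
        out.append("ERROR: no ISAKMP policy is identical on both sides")
    elif common[0]["encr"] in ("des", "3des") or common[0]["group"] in ("1", "2", "5"):
        out.append(f"WARN: matching ISAKMP policy is weak: {common[0]}")
    if hub["psk_wildcard"]:
        out.append("WARN: hub PSK bound to 0.0.0.0 0.0.0.0: any peer holding the key can authenticate")
    return out


IKE = "crypto isakmp policy 1\nencr 3des\nauthentication pre-share\ngroup 2\n"
IPSEC = ("crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac\nmode transport\n"
         "crypto ipsec profile DMVPN\nset transform-set ESP-3DES-SHA\n")
HUB_CFG = IKE + "crypto isakmp key somerandomsecurekey address 0.0.0.0 0.0.0.0\n" + IPSEC + """\
interface Tunnel0
ip address 10.91.123.1 255.255.255.248
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile DMVPN
"""
SPOKE_CFG = IKE + "crypto isakmp key somerandomsecurekey address 198.51.100.1\n" + IPSEC + """\
interface Tunnel0
ip address 10.91.123.3 255.255.255.248
ip nhrp authentication DMVPN_NW
ip nhrp map 10.91.123.1 198.51.100.1
ip nhrp nhs 10.91.123.1
tunnel key 100000
tunnel protection ipsec profile DMVPN
"""

if __name__ == "__main__":
    print(*check_pair(HUB_CFG, SPOKE_CFG), sep="\n")
    # Leaving the spoke's transform set in its default tunnel mode breaks phase 2 against the hub
    print(*check_pair(HUB_CFG, SPOKE_CFG.replace("mode transport\n", "")), sep="\n")
```

Run as a script it prints the findings for the posted pair (no errors, two warnings), then the error you get when the spoke's transform set is left in tunnel mode while the hub's is transport. The checker only understands the commands listed in SUB; anything else in a pasted config is ignored rather than validated.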
Good config - but I am missing something
Everything looks in line with the other DMVPN configs I have seen out there, plus you added in compensation for our lack of routing abilities. That said, I can't get it to come up properly.
If you would be so kind as to take a look at the following config lines, it would be appreciated.
UC520#sh crypto session
Crypto session current status
Interface: Dialer0
Session status: DOWN
Peer: 174.152.164.35 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.200.10
Active SAs: 0, origin: dynamic crypto map
Interface: Dialer0
Session status: DOWN-NEGOTIATING
Peer: 70.156.228.12 port 500
IKE SA: local 20.21.22.23/500 remote 70.156.228.12/500 Inactive
877W#sh crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-IDLE
Peer: 20.21.22.23 port 500
IKE SA: local 70.156.228.12/500 remote 20.21.22.23/500 Active
IKE SA: local 70.156.228.12/500 remote 20.21.22.23/500 Inactive
IPSEC FLOW: permit 47 host 70.156.228.12 host 20.21.22.23
Active SAs: 0, origin: crypto map
UC520 Head End
--------------
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key uc500dotcom address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group EZVPN_GROUP_1
key uc500dotcom
dns 4.2.2.1 199.72.1.1
wins 192.168.1.160
domain SOUND.local
pool EZVPN_POOL_1
acl 105
save-password
include-local-lan
max-users 10
!
!
crypto ipsec transform-set ESP_AES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP_AES_SHA ESP_3DES_SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
interface Tunnel0
bandwidth 1000
ip address 10.19.74.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1400
ip flow ingress
ip nhrp authentication DMVPN_NW
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 360
ip virtual-reassembly
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
!
ip local pool EZVPN_POOL_1 192.168.200.10 192.168.200.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.10.1 255.255.255.255 Integrated-Service-Engine0/0
ip route 10.10.10.0 255.255.255.0 10.19.74.3
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 permit udp 10.1.1.0 0.0.0.255 eq 2000 any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip 10.1.10.0 0.0.0.3 any
access-list 102 deny ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 permit udp 10.1.10.0 0.0.0.3 any eq 2000
access-list 103 deny ip 10.1.10.0 0.0.0.3 any
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit ip host 192.168.200.10 any
access-list 104 permit ip host 192.168.200.11 any
access-list 104 permit ip host 192.168.200.12 any
access-list 104 permit ip host 192.168.200.13 any
access-list 104 permit ip host 192.168.200.14 any
access-list 104 permit ip host 192.168.200.15 any
access-list 104 permit ip host 192.168.200.16 any
access-list 104 permit ip host 192.168.200.17 any
access-list 104 permit ip host 192.168.200.18 any
access-list 104 permit ip host 192.168.200.19 any
access-list 104 permit ip host 192.168.200.20 any
access-list 104 permit ip host 192.168.200.21 any
access-list 104 permit ip host 192.168.200.22 any
access-list 104 permit ip host 192.168.200.23 any
access-list 104 permit ip host 192.168.200.24 any
access-list 104 permit ip host 192.168.200.25 any
access-list 104 permit ip host 192.168.200.26 any
access-list 104 permit ip host 192.168.200.27 any
access-list 104 permit ip host 192.168.200.28 any
access-list 104 permit ip host 192.168.200.29 any
access-list 104 permit ip host 192.168.200.30 any
access-list 104 permit tcp any any established
access-list 104 permit udp any any eq non500-isakmp
access-list 104 permit udp any any eq isakmp
access-list 104 permit tcp any any eq 1723
access-list 104 permit esp any any
access-list 104 permit ahp any any
access-list 104 permit gre any any
access-list 104 permit udp any eq domain any
access-list 104 permit tcp any any eq www
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 permit ip any any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny ip any host 192.168.200.10
access-list 105 deny ip any host 192.168.200.11
access-list 105 deny ip any host 192.168.200.12
access-list 105 deny ip any host 192.168.200.13
access-list 105 deny ip any host 192.168.200.14
access-list 105 deny ip any host 192.168.200.15
access-list 105 deny ip any host 192.168.200.16
access-list 105 deny ip any host 192.168.200.17
access-list 105 deny ip any host 192.168.200.18
access-list 105 deny ip any host 192.168.200.19
access-list 105 deny ip any host 192.168.200.20
access-list 105 deny ip any host 192.168.200.21
access-list 105 deny ip any host 192.168.200.22
access-list 105 deny ip any host 192.168.200.23
access-list 105 deny ip any host 192.168.200.24
access-list 105 deny ip any host 192.168.200.25
access-list 105 deny ip any host 192.168.200.26
access-list 105 deny ip any host 192.168.200.27
access-list 105 deny ip any host 192.168.200.28
access-list 105 deny ip any host 192.168.200.29
access-list 105 deny ip any host 192.168.200.30
access-list 105 permit ip 10.1.10.0 0.0.0.3 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
Cisco 877w Spoke
----------------
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key uc500dotcom address 20.21.22.23
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set ESP_AES_SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
!
!
bridge irb
!
!
interface Tunnel0
bandwidth 1000
ip address 10.19.74.3 255.255.255.0
ip mtu 1400
ip nhrp authentication DMVPN_NW
ip nhrp map 10.19.74.1 20.21.22.23
ip nhrp network-id 100000
ip nhrp holdtime 360
ip nhrp nhs 10.19.74.1
ip tcp adjust-mss 1360
delay 1000
tunnel source Dialer0
tunnel destination 20.21.22.23
tunnel key 100000
tunnel protection ipsec profile SDM_Profile1
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.1.1.0 255.255.255.0 10.19.74.1
ip route 10.1.10.0 255.255.255.252 10.19.74.1
ip route 192.168.1.0 255.255.255.0 10.19.74.1
!
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_3##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_11##
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit udp host 20.21.22.23 any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit udp host 20.21.22.23 any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit udp host 20.21.22.23 any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit esp host 20.21.22.23 any
access-list 101 remark Auto generated by SDM for EzVPN (esp) EZVPN_REMOTE_CONNECTION_1
access-list 101 permit ahp host 20.21.22.23 any
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any any established
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq domain any
access-list 101 permit udp any any eq ntp
access-list 101 permit tcp any any eq 3389
access-list 101 permit udp any any eq 3389
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
!
!
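As an added example, not part of the post above and not Cisco tooling: a Python triage of the two `show crypto session` outputs posted. It splits each output into sessions, classifies each by how far the negotiation got (an IKE SA marked Active with zero IPsec SAs means phase 1 completed and phase 2 did not; DOWN-NEGOTIATING with only Inactive IKE SAs means phase 1 itself is not completing), and pairs the hub's view of the spoke with the spoke's view of the hub. The sample outputs are copied from the post, as is the hub WAN address 20.21.22.23 passed to `report`; the `report` function and its output strings are this example's own.

```python
"""Triage of 'show crypto session' output from a DMVPN hub and spoke.
Added example for this thread (not Cisco tooling, not the poster's script);
the two sample outputs below are copied from the post above."""
import re

HUB_OUT = """\
Interface: Dialer0
Session status: DOWN
Peer: 174.152.164.35 port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.200.10
Active SAs: 0, origin: dynamic crypto map
Interface: Dialer0
Session status: DOWN-NEGOTIATING
Peer: 70.156.228.12 port 500
IKE SA: local 20.21.22.23/500 remote 70.156.228.12/500 Inactive
"""
SPOKE_OUT = """\
Interface: Tunnel0
Session status: UP-IDLE
Peer: 20.21.22.23 port 500
IKE SA: local 70.156.228.12/500 remote 20.21.22.23/500 Active
IKE SA: local 70.156.228.12/500 remote 20.21.22.23/500 Inactive
IPSEC FLOW: permit 47 host 70.156.228.12 host 20.21.22.23
Active SAs: 0, origin: crypto map
"""


def parse_sessions(text):
    """Split the command output into one dict per 'Interface:' block."""
    sessions, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "status": "", "peer": "",
                   "local": "", "ike": [], "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur["peer"] = line.split()[1]
        elif m := re.match(r"IKE SA: local (\S+)/\d+ remote \S+ (\w+)", line):
            cur["local"] = m[1]
            cur["ike"].append(m[2])  # 'Active' or 'Inactive'
        elif line.startswith("IPSEC FLOW:"):
            cur["flows"].append({"flow": line.split(":", 1)[1].strip(), "sas": 0, "origin": ""})
        elif m := re.match(r"Active SAs: (\d+), origin: (.+)", line):
            cur["flows"][-1].update(sas=int(m[1]), origin=m[2])
    return sessions


def triage(session):
    """Classify one session by how far the IKE/IPsec negotiation got."""
    if any(f["sas"] > 0 for f in session["flows"]):
        return "up"
    if "Active" in session["ike"]:
        return "phase1-up-phase2-down"  # IKE SA exists, no IPsec SA: phase 2 proposals do not match
    if session["status"] == "DOWN-NEGOTIATING":
        return "phase1-failing"         # IKE attempted, no SA: PSK, policy or reachability
    return "no-ike"                     # nothing negotiated, e.g. an idle dynamic-map entry


def report(hub_text, spoke_text, hub_wan):
    """Pair each spoke session with the hub's session for that spoke and describe the gap."""
    hub_by_peer = {s["peer"]: s for s in parse_sessions(hub_text)}
    out = []
    for s in parse_sessions(spoke_text):
        if s["peer"] != hub_wan:
            continue
        mate = hub_by_peer.get(s["local"])
        out.append(f"spoke {s['local']} -> hub: {triage(s)}; hub view of that spoke: "
                   f"{triage(mate) if mate else 'no session'}")
        if mate is None:
            continue
        if not mate["interface"].startswith("Tunnel"):
            out.append(f"hub owns this session on {mate['interface']}, not a Tunnel interface: "
                       "check whether a crypto map on that interface is claiming the peer")
        if s["flows"] and not mate["flows"]:
            out.append("hub shows no IPsec flow for this peer: phase 2 was never installed hub-side")
    return out


if __name__ == "__main__":
    print(*report(HUB_OUT, SPOKE_OUT, "20.21.22.23"), sep="\n")
```

For the posted outputs this reports the spoke at phase1-up-phase2-down while the hub sees the same peer as phase1-failing under Dialer0 with no IPsec flow at all; the two sides disagreeing about whether IKE is up is itself the first thing to chase.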
Re: Not so EZVPN
Great config, I have been looking for examples of this for a while.
I do have a couple of questions though:
1. What made you go with a dynamic VPN over a standard static IPsec VPN?
2. One of the points you made for not using the CCA EZVPN was the data/voice networks were on the same VLAN. Were you able to overcome this using the CLI?
3. On the 871 router, are you using the Advanced IP or the Sec bundle for the IOS?
Again thanks for the example.