Cisco VDSL config for ISP with RFC1483 bridging, DHCP and NAT

Telfort, a Dutch ISP, delivers VDSL connections using RFC 1483 bridging (the encapsulation now specified by RFC 2684). This is quite a different approach from the more common PPPoE setup: there is no PPP session and no dialer interface, the router simply obtains its public address over DHCP. See below for an example.

First remove any ATM and Dialer interfaces you have defined; instead you use the Ethernet0 interface from the VDSL controller. Define a subinterface for the VLAN your ISP uses. In the case of Telfort this is 34.

interface Ethernet0
no ip address
no shutdown
!
interface Ethernet0.34
encapsulation dot1Q 34
ip address dhcp
ip nat outside

On the subinterface you specify that the IP address is requested through DHCP and mark it with ip nat outside. Next apply ip nat inside on your internal interface, define your NAT rule and its matching access list and you’re good to go. The default route is installed automatically from the gateway address that DHCP hands out.

interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source list 101 interface Ethernet0.34 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
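One thing the listing above leaves out: with only ip nat outside on the WAN subinterface, anything the router itself listens on (SSH, HTTP, SNMP if enabled) is reachable from the ISP side. As an added example, not part of the original post, here is the same Telfort setup with a minimal inbound filter and stateful inspection on Ethernet0.34. The names WAN-IN and FW are my own; VLAN 34 and the 192.168.1.0/24 LAN are taken from the post, and the example assumes an IOS image with the firewall feature set (ip inspect, i.e. CBAC).

```cisco
! Added example (not from the original post): inbound filtering for the
! RFC 1483 / DHCP WAN setup above. ASSUMED: names WAN-IN and FW, and an IOS
! image that supports "ip inspect" (CBAC). Vlan1 and the NAT rule from the
! post stay exactly as they are.
!
! Stateful inspection: sessions started from the LAN get their replies
! let back in through WAN-IN; everything else from the ISP side is dropped.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
ip access-list extended WAN-IN
 remark DHCP offers/acks from the ISP: server port 67 to client port 68
 permit udp any eq bootps any eq bootpc
 remark keep path-MTU discovery and traceroute replies working
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny   ip any any log
!
interface Ethernet0.34
 encapsulation dot1Q 34
 ip address dhcp
 ip nat outside
 ip access-group WAN-IN in
 ip inspect FW out
!
! Verify after a LAN host has browsed a bit:
!   show ip inspect sessions      (one entry per LAN-initiated session)
!   show access-lists WAN-IN      (hit counts on the deny line = dropped probes)
!   show ip nat translations
```

The DHCP permit is the one line you cannot leave out: the inbound access list is evaluated before the router’s own DHCP client sees the offer, so without it the lease is never obtained and the interface stays without an address.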


Mac OS X 10.7 experiences and incompatibilities

I’m currently running the GM version of Mac OS X 10.7 Lion and ran into a few things that I wanted to share with you.

First of all, Little Snitch 2.3.6 and Cisco AnyConnect 3.0.2 don’t work correctly with Lion. Little Snitch keeps respawning and never actually launches, it can be easily uninstalled using the uninstall option in the installer. If you want you can download a nightly build that solves these issues here (UPDATE: Little Snitch 2.4.1 is Lion compatible and available here). Cisco AnyConnect will authenticate but is unable to establish a connection and will produce an error message. If your life/salary depends on AnyConnect, refrain from installing Lion for now (UPDATE: see below).

Another piece of software that doesn’t survive the upgrade is the e.dentifier2 software from ABN Amro; you can safely download and reinstall it (here) and it will work correctly.

I hoped the archive option in Apple Mail would be compatible with GMail but unfortunately it is not. Google simply removes the “Inbox” tag from a message so it will only appear in the “All messages” box. Apple Mail creates a separate mailbox called “Archive” on the server and copies all mail in this location. I’ll keep looking for a better solution but for now I don’t see it.

The biggest thing is the reversed scrolling, it behaves now like the iPad and iPhone but you’re not working on an iPad so you keep messing it up. This will take me a while to get used to.

UPDATE: Cisco has released version 3.0.3 of the AnyConnect Secure Mobility client. This update unfortunately does not work with all gateways as it contains a certificate validation bug and will sometimes not connect. The bug is filed with Cisco under ID CSCtr64798 and has a severity 2 status. In my experience it works fine if your router uses its self-signed certificates. When using certificates signed by a CA your mileage may vary. There is a workaround available by importing the certificates into your local certificate store. As of today (the 29th of July) Cisco states on their twitter feed that a fix is coming soon.

UPDATE 2: Cisco has issued a new update to their AnyConnect client that effectively solved the problems mentioned above. If you have a valid Cisco support contract you can grab it here. As mentioned in the comments the e.dentifier2 software from ABN Amro only works when Java is installed on Mac OS X. You can download Java for Lion here.

Cisco router configuration for a Tele2 VDSL connection

I got myself a Cisco 887V-W to replace the Comtrend modem that Tele2 ships with their 50 Mbit VDSL connection, once called Fiber Speed. Thanks go out to Glazenbakje for a basic VDSL config that I could tweak to get it to work with Tele2.

I’d advise upgrading to IOS 15.1T as it ships with newer DSL firmware that does a better job calculating the attainable rate. If you connect your router and execute the show controllers vdsl 0 command you’ll see something like this, which indicates you have a VDSL carrier signal:

Modem Status: TC Sync (Showtime!)
DSL Config Mode: AUTO
Trained Mode: G.993.2 (VDSL2) Profile 17a
TC Mode: PTM
Selftest Result: 0x00
DELT configuration: disabled
DELT state: not running
Trellis: ON  ON
Line Attenuation:  0.0 dB  0.0 dB
Signal Attenuation:  0.0 dB  0.0 dB
Noise Margin:  6.2 dB  5.8 dB
Attainable Rate: 44884 kbits/s 5535 kbits/s
Actual Power: 14.2 dBm  1.4 dBm

And now for the basic config lines to get this going:

interface Ethernet0
no ip address
!
interface Ethernet0.32
encapsulation dot1Q 32
pppoe-client dial-pool-number 10
!
interface Vlan1
ip address 10.1.1.34 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!

interface Dialer 10
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
ip route-cache policy
dialer pool 10
dialer string 555
dialer-group 10
ppp authentication chap callin
ppp chap hostname <username>@3p.versatel.nl
ppp chap password 0 <your decoded password>
no cdp enable
!
ip nat inside source list 101 interface Dialer10 overload
ip route 0.0.0.0 0.0.0.0 Dialer10
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
dialer-list 10 protocol ip permit

Notes of interest: the VLAN ID that Tele2 uses for their internet connection is 32. They have different IDs for e.g. the management connection to the modem but you don’t need those. They use CHAP for their PPPoE authentication and I needed to set a dialer string with a random number to trigger the dial out.
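As an added checklist, not from the original post, these are the commands I would run right after pasting the Tele2 configuration above, plus one hardening line. Interface names and the dialer pool number (10) are the post’s; the field names quoted in the comments are what IOS prints, the values are specific to your line.

```cisco
! Added example (not from the original post): verifying the PPPoE/CHAP
! setup above. Interface and pool numbers are the post's.
!
! 1. PPPoE discovery and session: expect one session in state UP on
!    Ethernet0.32, bound to Dialer10 (IOS clones a Virtual-Access interface
!    from the dialer for the live session).
show pppoe session
!
! 2. IPCP negotiated an address and the default route is usable via Dialer10?
!    "Internet address is a.b.c.d/32" once up; before that it reads
!    "will be negotiated using IPCP".
show interfaces dialer 10 | include line protocol|Internet address
show ip route 0.0.0.0
!
! 3. NAT overload is translating LAN traffic (browse from a LAN host first).
show ip nat translations
!
! 4. Session never comes up: watch PADI/PADO/PADS and the CHAP exchange live.
!    Switch it off again with "undebug all"; this is noisy on a busy link.
debug pppoe events
debug ppp authentication
!
! 5. The post stores the CHAP secret with "password 0", i.e. in clear text in
!    the running config. Let IOS obscure it in "show run". Type 7 encoding is
!    trivially reversible, so this only stops casual reading; still keep your
!    config out of tickets, mail and pastebins.
configure terminal
 service password-encryption
end
```

If step 4 shows PADO replies but CHAP failing, the username/realm or the decoded password is wrong; if there is no PADO at all, the VLAN ID (32) or the VDSL line itself is the problem, and show controllers vdsl 0 is the place to look.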

In case you have any questions feel free to leave a comment and I’ll try to answer to the best of my ability.

Setting up a Cisco aironet bridge

Setting up a Cisco Aironet bridge should be simple, but the web interface is slow and can issue commands that cannot be processed (like changing the priority for processing EAP requests). I gave up on the Cisco supplied tutorial (can be found here) and set it up through the CLI myself. A good FAQ concerning the Aironet hardware and setup can be found here.

I configured two Aironet 1310 outdoor units to act as a wireless bridge between two LANs. In Europe the allowed transmit power (EIRP) is far stricter than in the USA, so any antenna other than the integrated one (like the parabolic dish) will exceed the limit. I therefore used the model with the integrated antenna (AIR-BR1310G-E-K9) in an autonomous setup (required for bridge functions) to replace the current EnGenius EOC-5610 (discontinued, succeeded by the 5611) unit that I found to be unreliable. The mounting kit (AIR-ACCRMK1300=) is advised if you plan on using it outdoors; the mounting materials are made of aluminium and it comes with clear instructions and enough cabling to get you started.

Some things worth knowing: while most cheap wireless units use a proprietary PoE scheme over Ethernet, the Aironet 1310 uses a proprietary power injector over coax. The advantage is that you can mount the power injector inside while only the unit itself goes outside. The power injector is included with the unit.

Onwards with the configuration. I used the example from Cisco (mentioned before) to set up a simple WEP encryption with Cisco’s LEAP authentication. I configured one AP as a root bridge and used the built-in RADIUS server for LEAP authentication (why oh why isn’t this part of the default IOS?). The non-root bridge connects to the AP and authenticates itself with LEAP after which the connection is made. I didn’t use VLAN to keep things simple (there’s only 1 subnet to bridge anyway).
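The post’s own listing is behind the cut, and it follows Cisco’s tutorial in using WEP with LEAP. Both are broken: WEP keys can be recovered from captured traffic in minutes, and LEAP’s MS-CHAP-style challenge/response can be cracked offline with a dictionary (the asleap attack), which on a bridge means the whole link between the two LANs is exposed. As an added example, written by me rather than taken from the post or Cisco’s tutorial, here is the same two-unit setup (one root bridge, one non-root bridge, one flat subnet, no VLANs) using WPA2-PSK with AES-CCMP instead. It assumes an autonomous IOS on the 1310 that supports AES-CCMP and wpa version 2 (12.3(8)JA or later), and the hostnames, SSID and addresses shown are made up.

```cisco
! Added example (not the post's config, which used WEP + LEAP): a 1310 bridge
! pair on WPA2-PSK / AES-CCMP. ASSUMED: IOS 12.3(8)JA or later on the 1310,
! SSID BRIDGE-LINK, hostnames br-root/br-nonroot, addresses 192.168.1.2/.3.
!
! ---- root bridge (the unit that acts as access point) ----
hostname br-root
!
! The PSK is the only secret on the link: use a long random passphrase,
! not a word. "0" means entered in clear; IOS stores it as type 7.
dot11 ssid BRIDGE-LINK
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 0 <random-passphrase-of-at-least-20-characters>
   infrastructure-ssid
!
interface Dot11Radio0
 no ip address
 encryption mode ciphers aes-ccm
 ssid BRIDGE-LINK
 station-role root bridge
 bridge-group 1
 no shutdown
!
interface FastEthernet0
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 192.168.1.2 255.255.255.0
!
bridge 1 route ip
!
! Management over SSH only, from the bridged LAN. Generate the host key once
! in exec mode first: crypto key generate rsa modulus 2048
ip domain-name bridge.example.net
ip ssh version 2
username admin privilege 15 secret <admin-password>
line vty 0 4
 login local
 transport input ssh
!
! ---- non-root bridge: identical, apart from the role and the address ----
! hostname br-nonroot
! interface Dot11Radio0
!  station-role non-root bridge
! interface BVI1
!  ip address 192.168.1.3 255.255.255.0
```

With this there is no RADIUS server to run on the root bridge (the thing the post complains about), no per-user LEAP credentials, and nothing for an attacker to crack except a long random passphrase. Check the association with show dot11 associations on the root and the cipher with show dot11 ssid.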


SSID with a space in your Cisco config

Everybody says you shouldn’t do it but no one tells you why so I will.

You can create a new ssid with a space character in the config like this:

dot11 ssid My Network
vlan 75
authentication open
authentication key-management wpa
wpa-psk ascii 0 your_great_password

And this seems to be working fine. Since this network isn’t configured as guest-mode (so the SSID isn’t broadcast) you’ll have to add it to your client configuration manually, and this is where the problems arise. Windows Vista, for example, will not log in to this network, not even with the ‘join network when name is not being broadcasted’ check box selected. So it doesn’t work and you want to change the ssid (also because Cisco tells you to).

And you can’t! Because of the space in the SSID there’s no way to edit this ssid configuration again, and when you try to remove it you run into the same problem. Fortunately there’s a trick: when configuring the dot11radio interface, type the ssid name with brackets surrounding it to remove it from the radio:

no ssid [My Network]

It will remove the ssid from the dot11radio configuration but it will not remove the entry itself from the configuration (if that were possible you could also edit the entry ;). However, since it’s no longer applied to the interface you can create a new ssid for that vlan and be home free.

If you want to reload the entire config be my guest but I’ve yet to see a customer worry about the way his config looks.

Using VPN Tracker 5 with a Cisco Easy VPN Server

When I wanted to connect my Mac to a Dynamic Multipoint VPN (a proprietary Cisco VPN technology) I quickly learned this could only be done by creating an Easy VPN Server on the DMVPN Hub and connect VPN Tracker to it. This simple guide explains how to configure VPN Tracker 5 if you rolled out your own Easy VPN Server (the connection to a DMVPN network is optional).

If you want to use VPN Tracker with a Cisco Easy VPN Server that you set up on your router there’s no default template (it only ships with templates for the PIX firewall and the Concentrator product line). Fortunately it’s all sort of the same and VPN Tracker does support the Cisco Easy VPN protocol perfectly so all you have to do is synchronize the phase 1 and phase 2 settings, set your passwords and off you go. Here’s a quick tutorial on how to do it.

First choose to create a new custom profile as shown here:

[screenshot: create_connection]

Next let’s set the basic stuff.

[screenshot: basic_settings]

– Use Cisco EasyVPN for Client provisioning. It will ensure the proper parameters (like a split-tunnel) are being parsed correctly.
– Enter your VPN Gateway IP address or host name and your primary authentication. This example is based on my setup of an Easy VPN Server as illustrated here. In this case I used preshared keys for authentication (this is your group password). I also used Extended Authentication (local users), you should tick this box and supply a username and password if required.
– The local identifier is the group name that you’re trying to connect to. For remote you can set this to Remote Endpoint IP Address.
– I didn’t use DNS as I used a split tunnel and didn’t run a DNS server in my network. If you don’t run a split-tunnel or if you specified dns servers in your client configuration you can tick this box. VPN tracker will warn you if you made the wrong choice here so feel free to experiment.

Now it’s time for the advanced settings.

[screenshot: advanced_settings]

Copy the general settings as displayed in the picture. In my example I used the following:

crypto ipsec transform-set ts1 esp-3des esp-sha-hmac

This is the phase 2 (IPsec) proposal: 3DES encryption with a SHA-1 HMAC. The phase 1 (IKE) settings come from the crypto isakmp policy; note that no hash is set in it, so it defaults to SHA-1, and group 2 is 1024-bit Diffie-Hellman. I didn’t use NAT Traversal but you can set it to automatic so you don’t have to worry about the different types of routers you’ll be connecting through. This is how my policy looked:

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

In case you want to migrate a Cisco VPN Client profile you can look here for a good guide on how to do this. If you’re interested in building your own DMVPN and/or Easy VPN Server you can read my other tutorial here. Any feedback is appreciated.

EasyVPN Server and DMVPN Hub on 1 Cisco router tutorial

The Cisco Dynamic Multipoint VPN is a great technique to easily deploy a multi-site VPN in a fully meshed setup. This means that all locations can see and talk to each other directly without any extra configuration and since you can set it up with the SDM tool from Cisco it’s the fastest way to get things working.

However when you want to extend your network with let’s say simple IPSec (Easy) VPN access for remote users you’ll find yourself stuck. The SDM will just mess up your configuration and although there’s lots of documentation available online, most of it is either not tailored to your needs, incomplete or contains errors.

I wanted to extend my SDM-designed DMVPN network with an Easy VPN Server so mobile clients could dial into the network and connect to servers located at different active DMVPN spokes. The Easy VPN server would ideally serve a split-tunnel to prevent it from overloading and be based on pre-shared keys as my network was too small to justify a complex PKI setup. This is how it would look:

[diagram: dmvpn_setup]

The dotted line indicates a connection over the internet to the DMVPN Hub that should act as an Easy VPN server and grant access to the entire network. In my case the client would use the rather excellent VPN Tracker from Equinux, but the normal Cisco VPN Client software will work as well, and its IPsec client has been built into the iPhone since iPhone OS 2.0.

I started with this deployment guide from Cisco that illustrates quite well how such a network must be built. While the example needlessly complicates things by mixing a PKI and PSK infrastructure it does expose the required solution to make this work. By using crypto profiles for the DMVPN part and using so-called dynamic crypto maps for the Easy VPN part it’s possible to run both services on 1 interface.

I started with the simple Easy VPN server setup to get a feel for how it’s supposed to work. In the example there’s an Access Control Server for Extended Authentication (this is the username/password part in addition to the normal group name and password) but you can also use local authentication if you omit the group parameter from the aaa lines like this:

aaa new-model
!!! The ACS stuff used to be here
aaa authentication login easyVPN local
aaa authorization network easyVPN local
!!! notice the omitted ‘group EzVPN’ part from both lines

The next part is the keyring for the pre-shared key used by the Easy VPN Server. Keyrings are nice because you can create several of them and bind them to different isakmp profiles, effectively assigning different PSKs to the Easy VPN Server and the DMVPN Hub. Note that in an SDM-built DMVPN there’s a global line starting with ‘crypto isakmp key’ that overrides this, so make sure you remove it from your configuration.

After the keyring the example declares an isakmp (phase 1) policy as shown here and a profile for the Easy VPN group that will be used. I’ll be creating only one group as all users are stored locally and there’s no point in dividing them up into groups anyway.

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group easyvpn-group
key
pool easyvpn-pool
acl 101
save-password
crypto isakmp profile easyvpn-group
keyring ezvpn-spokes
match identity group easyvpn-group
client authentication list easyVPN
isakmp authorization list easyVPN
client configuration address respond

We then set the transform-set for the phase 2 (IPsec) negotiation (3DES and SHA-1) and build the dynamic crypto map that will be assigned to the interface so it will not conflict with the DMVPN part. There’s a typo in this part of the deployment guide: the name of the isakmp-profile should be easyvpn-group, not easyvpn, as shown here:

crypto ipsec transform-set ts1 esp-3des esp-sha-hmac

crypto dynamic-map dmap 10
set transform-set ts1
!!! We associate the ezvpn isakmp profile to a dynamic crypto map.
!!! The deployment guide says "easyvpn" here; the profile we created above is called easyvpn-group.
set isakmp-profile easyvpn-group
!!! Reverse-route injects the address assigned to the ezvpn client into the corporate network. This is used when a remote device must be reachable from the corporate side, which is needed for IP telephony, etc.
reverse-route

We’re almost done, declare the dynamic map as a crypto map and assign it to the correct (outside) interface as shown here:

interface FastEthernet0
ip address 217.115.195.99 255.255.255.0
duplex auto
speed auto
crypto map ezvpn-map !!! Here it is

Please make sure that you also assign a local ip pool with IP addresses that do NOT overlap an existing subnet, otherwise it’s impossible to route it! Mine looks like this:

ip local pool easyvpn-pool 192.168.24.24 192.168.24.48

You now have a working Easy VPN Server, test it and congratulate yourself with your copy-paste skills so we can move on.

Adding the DMVPN hub to the example

We can now add the DMVPN Hub functionality to the configuration without disturbing the Easy VPN Server. I skipped the explanations in the deployment guide that talk about the different modes to connect to the VPN (you can use either client mode or network mode if you use a Cisco router) since there’s no real point in adding a router over Easy VPN while you already have a fully meshed DMVPN running. I also chose a split-tunnel to prevent any unwanted traffic from passing through the Easy VPN tunnel, this means you’ll have to make an access-list that holds all the subnets of the networks you want the Easy VPN client to connect to. This is no biggie, we’ll get to it later. You can choose to omit this access-list from your configuration which will ensure all client traffic will flow through the tunnel. This can be a good thing if you want to use this setup to ensure you always have a safe connection from wherever you connect but in this case also make sure you pass along working dns servers or else your clients won’t be able to resolve any domain names.

The first lines of the example are all the same, skip the part with the crypto pki stuff, you won’t be needing it. We’ll be adding a second crypto policy for the DMVPN tunnel that also indicates the requirement for a pre-shared key. I chose to use AES here instead of 3des, it’s more robust and unless you have very slow routers there’s no reason not to use it.

If you didn’t already add the split-tunnel acl to your crypto isakmp client configuration this is the time to do it, mine looks like this:

crypto isakmp client configuration group easyvpn-group
key
pool easyvpn-pool
acl 101 !!! This is the access-list we’ll be using to identify the subnets that the Easy VPN tunnel should accept.
save-password

The example makes note of a second crypto ipsec transform set that comes with the mode transport require setting enabled. I found that I had to disable it to get my current DMVPN setup working again; Cisco’s own CLI explanation tool (found here) was no help. What it does: mode transport encrypts only the GRE payload instead of wrapping the whole packet in a new IP header, and require means IOS will not fall back to tunnel mode if the peer proposes it, so unless the spokes are configured for transport mode too the IPsec negotiation fails and the tunnels stay down.

The crypto ipsec profile for our DMVPN is incomplete: if you want to use PSK you’ll need to add another keyring and extend this profile with an isakmp profile. This is how I did it (inspired by this other example from Cisco):

crypto keyring dmvpnspokes
pre-shared-key address 0.0.0.0 0.0.0.0 key

crypto isakmp profile DMVPN
keyring dmvpnspokes
match identity address 0.0.0.0
!!! This will ensure the correct key is used and it can be used by all addresses. This makes it work like the way SDM does it with ‘crypto isakmp key address 0.0.0.0 0.0.0.0’ which you should remove from your config.

crypto ipsec profile dmvpn-profile
set security-association lifetime seconds 120
set transform-set ts2
set isakmp-profile DMVPN
!!! Note the extra isakmp-profile that’s not in the example (since they’re using PKI I presume).

Next the example lists an extra dynamic crypto map for the PKI part, you can omit it.

Now look at your DMVPN tunnel interface; its last line should point at the profile we just built, like this:

tunnel protection ipsec profile dmvpn-profile

Finally we get to create that access list. Just add the subnets to the access-list you chose (I used 101) like this:

access-list 100 permit ip 192.168.24.0 0.0.0.255 any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.13.0 0.0.0.255 any

In the example other interesting stuff like metrics and split-tunnels for DMVPN spokes is covered. I did not require them in my setup and you can safely omit them from your configuration if you have no such requirements in your network.

That’s it! If you did everything correctly you can now see your DMVPN spokes reconnect and fire up your VPN client to connect. However if you want to connect to servers that are directly connected to the DMVPN Hub and they have a NAT policy applied you’re in for a treat.

Fixing the NAT configuration to allow Easy VPN traffic from a local subnet attached to the DMVPN Hub.

Credit goes to Rik Bain for this solution, I found it here. If you look at the access-list for your NAT configuration you’ll notice that all traffic from the local subnet matches it, including the replies to Easy VPN clients, which then leave with the public address instead of going back into the tunnel. Create an exception for traffic destined for the Easy VPN pool, before the permit, like this:

access-list 102 deny ip 192.168.13.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any

That’s it really. If you’re interested in the full config file you can drop a comment line that tells me how to get in touch with you. Any feedback is appreciated.
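For readers who want to see how the fragments fit together: below is my own reconstruction of the hub, assembled from the snippets in this post and the VPN Tracker settings of the previous post. It is an added example, not the author’s full config file, with the isakmp-profile name corrected to easyvpn-group. Lines marked ASSUMED are glue the post refers to but never shows (the ezvpn-spokes keyring, the crypto map statement, the second transform set, the mGRE tunnel, the NAT statement and the hub LAN); everything in angle brackets is a placeholder. 3DES and DH group 2 are kept because the post and VPN Tracker 5 negotiate them; by current standards they are weak, and on a recent IOS and client you would use aes 256, hash sha256 and group 14 or higher.

```cisco
! Added example, not the author's full config: Easy VPN Server + DMVPN hub
! on one router, assembled from the post. ASSUMED lines are glue the post
! never shows; <...> are placeholders.
!
aaa new-model
aaa authentication login easyVPN local
aaa authorization network easyVPN local
! ASSUMED: local Xauth account (the ACS "group" keyword was dropped above).
username <vpnuser> secret <xauth-password>
!
! One keyring per service, so the Easy VPN group and the DMVPN spokes use
! different PSKs. Delete any SDM-generated "crypto isakmp key ... address
! 0.0.0.0 0.0.0.0" line first; it overrides these keyrings.
! ASSUMED: the post names ezvpn-spokes but never shows it.
crypto keyring ezvpn-spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key <easyvpn-group-psk>
crypto keyring dmvpnspokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key <dmvpn-psk>
!
! Phase 1 (IKE). Policy 10 is what VPN Tracker is set up for; policy 20
! (ASSUMED number) is the AES one for the spokes. hash defaults to sha.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group easyvpn-group
 key <easyvpn-group-psk>
 pool easyvpn-pool
 acl 101
 save-password
!
crypto isakmp profile easyvpn-group
 keyring ezvpn-spokes
 match identity group easyvpn-group
 client authentication list easyVPN
 isakmp authorization list easyVPN
 client configuration address respond
!
crypto isakmp profile DMVPN
 keyring dmvpnspokes
 match identity address 0.0.0.0
!
! Phase 2 (IPsec). ts2 is ASSUMED: the post only says it is the second
! transform set and that "mode transport require" had to be removed.
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
crypto ipsec transform-set ts2 esp-aes esp-sha-hmac
!
crypto dynamic-map dmap 10
 set transform-set ts1
 set isakmp-profile easyvpn-group
 reverse-route
!
! ASSUMED: the statement that makes the dynamic map part of the crypto map
! the post applies to FastEthernet0.
crypto map ezvpn-map 10 ipsec-isakmp dynamic dmap
!
crypto ipsec profile dmvpn-profile
 set security-association lifetime seconds 120
 set transform-set ts2
 set isakmp-profile DMVPN
!
interface FastEthernet0
 ip address 217.115.195.99 255.255.255.0
 ip nat outside
 crypto map ezvpn-map
!
! ASSUMED mGRE hub tunnel; the post only shows its last line. NHRP network-id,
! authentication string and tunnel key must match what SDM put on the spokes.
interface Tunnel0
 ip address <hub-tunnel-ip> 255.255.255.0
 no ip redirects
 ip nhrp authentication <nhrp-key>
 ip nhrp map multicast dynamic
 ip nhrp network-id <id>
 tunnel source FastEthernet0
 tunnel mode gre multipoint
 tunnel key <gre-key>
 tunnel protection ipsec profile dmvpn-profile
!
! ASSUMED: the hub's own LAN, 192.168.13.0/24 as in the NAT fix.
interface Vlan1
 ip address 192.168.13.1 255.255.255.0
 ip nat inside
!
ip local pool easyvpn-pool 192.168.24.24 192.168.24.48
!
! Split tunnel: the subnets the client routes through the tunnel.
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 101 permit ip 192.168.13.0 0.0.0.255 any
!
! NAT exemption from the post: LAN to VPN pool must not be translated.
! The NAT statement itself is ASSUMED.
access-list 102 deny   ip 192.168.13.0 0.0.0.255 192.168.24.0 0.0.0.255
access-list 102 permit ip 192.168.13.0 0.0.0.255 any
ip nat inside source list 102 interface FastEthernet0 overload
```

Two things to check once this is in: show crypto isakmp sa should list the spokes with the DMVPN profile and a VPN Tracker client with easyvpn-group (show crypto isakmp profile tells you which keyring each one matched), and show ip route should show a /32 for every connected client, courtesy of reverse-route, which is what the NAT exemption and the spokes rely on.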