Anonymous

Setting up mobile VPN access with restriction to certain VLAN

Hi,

Can someone give me a setup how-to for enabling a remote user to VPN to the 3448, where I have specific VLANs set up for management of their systems?

I need to use Shrew Soft for the VPN client and haven't had any success setting it up in test; I was using the how-to on the Shrew Soft site but couldn't get negotiation to complete.

I have 3 VLANs set up now:

VLAN1 - Default data
VLAN2 - Voice (not used as of yet)
VLAN3 - PLC control   <<this is the one that I would like the mobile VPN user to access.

Will be setting up:

VLAN4 - PLC control
VLAN5 - PLC control

I need to set up a separate VPN connection for each of the PLC VLANs, as they are different vendors for the equipment at the site.


Re: Setting up mobile VPN access with restriction to certain VLAN

Hi rdw, I've put together example configurations you can try out on your Netvanta and on the Shrew Soft VPN client. You haven't provided any details of IP addresses and credentials, so I will assume the following settings, which you will need to adapt to your circumstances:

The public IP address of the 3448 is: AAA.BB.CCC.DD

The default subnet of VLAN 1 is:  10.10.10.0/24

The subnet of VLAN 3 is:  10.10.3.0/24

The virtual IP for the VPN client is:  172.16.3.1/24

The 3448 peer's ID is its public IP address:  AAA.BB.CCC.DD

The remote client's ID is some User FQDN:  remote@remote_client.com

The remote client's XAuth username is:  admin_VPN_client

The remote client's XAuth password is:  my_secret_admin_VPN_client_passwd

The PSK is:  Very_Long_Secret_Passwd

The configuration of the Netvanta 3448 would look like this.

! Setup users for Netvanta's admin account and for the remote VPN client's XAuth:
! =========================
service password-encryption
!
username "admin" password encrypted "my_secret_admin_passwd"
username "admin_VPN_client" password encrypted "my_secret_admin_VPN_client_passwd"
!
[snip ...]
!
! Enable AAA Authentication:
! ======================
aaa on
!
aaa authentication login LoginUseLocalUsers local
aaa authentication login LoginUseLinePass line
!
aaa authentication enable default enable
!
aaa authentication port-auth default local
!
[snip ...]
!
! Enable the VPN service:
! ===================
ip crypto
!
! Setup the ISAKMP mode configuration the 3448 will push to the remote clients:
! ======================================================
crypto ike client configuration pool admin_VPN_modconfig
  ip-range            172.16.3.1        172.16.3.254
  dns-server          10.10.3.1       ! This may or may not be needed
!
! Set up an IKE policy for the remote client:
! =================================
crypto ike policy 300
  no initiate
  respond any
  local-id address AAA.BB.CCC.DD
  peer any
  client authentication server list LoginUseLocalUsers
  client configuration pool admin_VPN_modconfig
  attribute 1
    encryption aes-256-cbc
    authentication pre-share
    group 5
    lifetime 7080
!
! Specify the IKE configuration for the remote client:
! =====================================
crypto ike remote-id user-fqdn remote@remote_client.com preshared-key Very_Long_Secret_Passwd ike-policy 300 crypto map VPN 3
!
! Specify a strong IPSec transform set:
! ==================================
ip crypto ipsec transform-set strong_crypto esp-aes-256-cbc esp-sha-hmac
  mode tunnel
!
! Specify a crypto map to combine IKE-IPSec settings and VPN packet selectors:
! ===========================
ip crypto map VPN 3 ipsec-ike
  description admin_VPN_Access
  match address ip VPN-3-selectors
  set transform-set strong_crypto
  set security-association lifetime seconds 3600
  set pfs group5
  ike-policy 300
  mobile
!
[snip ...]
!
! Map the VPN service to your public facing interface, e.g. eth 0/1, or ppp 1, as appropriate:
! ========================
interface eth 0/1
  description WAN
  ip address AAA.BB.CCC.DD
  ip access-policy Public
  ip crypto map VPN               ! This line enables VPN on this interface
  no shutdown
  no lldp send-and-receive
!
[snip ...]
!
! Set up selectors to filter VPN packets:
! ==============================
ip access-list extended VPN-3-selectors
  permit ip 10.10.3.0 0.0.0.255  172.16.3.0 0.0.0.255
  deny   ip any  any     log
!
[snip ...]
!
! Set up policies to allow filtered VPN packets in and out:
! ==============================================
ip policy-class Private
  allow list VPN-3-selectors stateless
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow reverse list VPN-3-selectors stateless
!

This is the configuration for the Shrew Soft remote client. On an MS Windows PC the site file can be found in:

C:\Users\<user_name>\AppData\Local\ShrewSoftVPN\sites\

and it would look like this:

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:5
n:phase1-life-secs:7080
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase1-keylen:256
n:phase2-keylen:256
s:network-host:AAA.BB.CCC.DD  #Set the public IP address of 3448 here
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:remote@remote_client.com
s:ident-server-data:AAA.BB.CCC.DD  #Set the public IP address of 3448 here
b:auth-mutual-psk:                 #Leave this blank, then add the PSK using the GUI
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:deflate
n:phase2-pfsgroup:5
s:policy-level:unique
s:policy-list-include:10.10.3.0 / 255.255.255.0

When you try to initiate a connection, Shrew will ask you to enter the XAuth username and password, which in the above example are admin_VPN_client and my_secret_admin_VPN_client_passwd respectively. These examples should get your connection going, but if not, post back the Shrew Soft logs and a debug session of the Netvanta, after you obfuscate public IP addresses and usernames/passwords.

NOTE: Using Aggressive mode to initiate an IKE exchange with PSK authentication is not secure, because a hash of the PSK is sent out unencrypted and, if the connection is eavesdropped, can be brute forced offline. So, in critical production environments it is advised to use SSL certificates instead of PSK, or use Main mode, or both.

--

Regards,

Mick
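The two things this thread hinges on are (1) the IKE/IPsec proposals on the Shrew Soft side matching the Netvanta IKE policy and crypto map exactly (a mismatch is the usual reason a negotiation never completes), and (2) the VPN-3-selectors access list actually confining the mobile client to VLAN 3. The script below is an added example, not code from the thread, from ADTRAN or from Shrew Soft. It parses the Shrew site-file format (`n:`/`s:`/`b:` typed key:value lines), compares the parsed values against a hand-transcribed dictionary of the router's policy (all values taken from Mick's post, the placeholder address included), and evaluates the wildcard-mask selector ACL the way `allow reverse list VPN-3-selectors` would see tunnel traffic. The ACL evaluation is a simplification (first-match on source/destination only; the stateless flag, NAT and the implicit behaviour of AOS policy-classes are not modelled), and the router-side dictionary is an assumption about which config lines matter, not an AOS parser.

```python
"""Check that a Shrew Soft site file agrees with the Netvanta IKE/IPsec policy
and that the selector ACL restricts the mobile client to VLAN 3.
Added example for the thread above; values are the post's placeholders."""
import ipaddress
import re

# Constructed sample: the site file from the thread, without the inline '#'
# annotations (a real site file has no comment syntax).
SHREW_SITE = """\
n:version:4
n:phase1-dhgroup:5
n:phase1-life-secs:7080
n:phase2-life-secs:3600
n:phase1-keylen:256
n:phase2-keylen:256
n:phase2-pfsgroup:5
s:network-host:AAA.BB.CCC.DD
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:remote@remote_client.com
s:ident-server-data:AAA.BB.CCC.DD
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:policy-list-include:10.10.3.0 / 255.255.255.0
"""

# Router side, transcribed by hand from the Netvanta config in the thread
# (assumption: these are the lines that must agree with the client).
ROUTER = {
    "local_id": "AAA.BB.CCC.DD",                 # local-id address
    "remote_id": "remote@remote_client.com",     # crypto ike remote-id user-fqdn
    "ike_encryption": "aes-256-cbc",             # attribute 1 / encryption
    "ike_group": 5,                              # attribute 1 / group
    "ike_lifetime": 7080,                        # attribute 1 / lifetime
    "ipsec_transform": "esp-aes-256-cbc esp-sha-hmac",
    "ipsec_lifetime": 3600,                      # set security-association lifetime
    "pfs_group": 5,                              # set pfs group5
}

# Selector ACL from the thread as (action, src, src-wildcard, dst, dst-wildcard).
VPN_3_SELECTORS = [
    ("permit", "10.10.3.0", "0.0.0.255", "172.16.3.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def parse_shrew_site(text):
    """Parse 'type:key:value' lines; n = integer, s = string, b = blob (kept raw)."""
    site = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, key, value = line.split(":", 2)
        site[key] = int(value) if kind == "n" else value
    return site


def check_proposals(site, router):
    """Return the list of client/router mismatches; an empty list means they agree.
    The IKE hash is not compared: the router policy relies on the AOS default."""
    problems = []
    cipher, keylen = re.match(r"(\w+)-(\d+)-cbc", router["ike_encryption"]).groups()
    if site["phase1-cipher"] != cipher or site["phase1-keylen"] != int(keylen):
        problems.append("phase1 cipher/keylen")
    if site["phase1-dhgroup"] != router["ike_group"]:
        problems.append("phase1 DH group")
    if site["phase1-life-secs"] != router["ike_lifetime"]:
        problems.append("phase1 lifetime")
    if site["ident-server-type"] != "address" or site["ident-server-data"] != router["local_id"]:
        problems.append("server ID")
    if site["ident-client-type"] != "ufqdn" or site["ident-client-data"] != router["remote_id"]:
        problems.append("client ID")
    if site["auth-method"] != "mutual-psk-xauth":   # pre-share + XAuth on the router
        problems.append("auth method")
    t_cipher, t_keylen = re.match(r"esp-(\w+)-(\d+)-cbc", router["ipsec_transform"]).groups()
    if site["phase2-transform"] != f"esp-{t_cipher}" or site["phase2-keylen"] != int(t_keylen):
        problems.append("phase2 transform")
    if site["phase2-life-secs"] != router["ipsec_lifetime"]:
        problems.append("phase2 lifetime")
    if site["phase2-pfsgroup"] != router["pfs_group"]:
        problems.append("PFS group")
    return problems


def wildcard_match(addr, base, wildcard):
    """AOS/Cisco wildcard mask: a set bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_action(acl, src, dst, reverse=False):
    """First-match evaluation; reverse=True swaps the entry's src/dst, which is
    what 'allow reverse list' does for traffic arriving on the Public side."""
    for action, s, sw, d, dw in acl:
        if reverse:
            s, sw, d, dw = d, dw, s, sw
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"   # implicit deny at the end of every ACL


def client_can_reach(client_ip, target_ip):
    """True if a packet from the VPN client to target_ip passes the reversed selector."""
    return acl_action(VPN_3_SELECTORS, client_ip, target_ip, reverse=True) == "permit"


if __name__ == "__main__":
    site = parse_shrew_site(SHREW_SITE)
    print("proposal mismatches:", check_proposals(site, ROUTER) or "none")
    for target in ("10.10.3.5", "10.10.10.5"):
        print(f"172.16.3.10 -> {target}:", "allowed" if client_can_reach("172.16.3.10", target) else "blocked")
```

Run it against a real site file by replacing SHREW_SITE with the file's contents; any entry in the returned mismatch list is the parameter to fix first before reading IKE debug output. The ACL part answers the original question directly: with the selector as posted, a client address in 172.16.3.0/24 reaches 10.10.3.0/24 and nothing in VLAN 1, and a second PLC VLAN would need its own permit line (or its own crypto map entry and pool, as Mick's numbering suggests).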

Anonymous

Re: Setting up mobile VPN access with restriction to certain VLAN

Thanks Mick, will give it a go and let you know!