Hi,
Can someone give me a setup how-to for enabling a remote user to VPN to the 3448, on which I have specific VLANs set up for management of their systems.
I need to use Shrew Soft for the VPN client and haven't had any success setting it up in test; I was using the how-to on the Shrew Soft site but couldn't get negotiation to complete.
I have 3 VLANS setup now:
VLAN1 - Default data
VLAN2 - Voice (not used as of yet)
VLAN3 - PLC control <<this is the one that I would like for the mobile VPN user to access.
Will be setting up
VLAN4 - PLC control
VLAN5 - PLC control
I need to set up a separate VPN connection for each of the PLC VLANs, as they are different vendors for equipment at the site.
Hi rdw, I've put together example configurations you can try out on your Netvanta and on the shrewsoft VPN client. You haven't provided any details of IP addresses and credentials, so I will assume the following settings which you will need to adapt to your circumstances:
The public IP address of the 3448 is: AAA.BB.CCC.DD
The default subnet of VLAN 1 is: 10.10.10.0/24
The subnet of VLAN 3 is: 10.10.3.0/24
The virtual IP for the VPN client is: 172.16.3.1/24
The 3448 peer's ID is its public IP address: AAA.BB.CCC.DD
The remote client's ID is some User FQDN: remote@remote_client.com
The remote client's XAuth username is: admin_VPN_client
The remote client's XAuth password is: my_secret_admin_VPN_client_passwd
The PSK is: Very_Long_Secret_Passwd
The configuration of the Netvanta 3448 would look like this:
! Setup users for Netvanta's admin account and for the remote VPN client's XAuth:
! =========================
service password-encryption
!
username "admin" password encrypted "my_secret_admin_passwd"
username "admin_VPN_client" password encrypted "my_secret_admin_VPN_client_passwd"
!
[snip ...]
! Enable AAA Authentication:
! ======================
aaa on
!
!
aaa authentication login LoginUseLocalUsers local
aaa authentication login LoginUseLinePass line
!
aaa authentication enable default enable
!
aaa authentication port-auth default local
!
[snip ...]
! Enable the VPN service:
! ===================
ip crypto
!
! Setup the ISAKMP mode configuration the 3448 will push to the remote clients:
! ======================================================
crypto ike client configuration pool admin_VPN_modconfig
ip-range 172.16.3.1 172.16.3.254
dns-server 10.10.3.1 ! This may or may not be needed
!
! Set up an IKE policy for the remote client:
! =================================
crypto ike policy 300
no initiate
respond any
local-id address AAA.BB.CCC.DD
peer any
client authentication server list LoginUseLocalUsers
client configuration pool admin_VPN_modconfig
attribute 1
encryption aes-256-cbc
authentication pre-share
group 5
lifetime 7080
!
! Specify the IKE configuration for remote client:
! =====================================
crypto ike remote-id user-fqdn remote@remote_client.com preshared-key Very_Long_Secret_Passwd ike-policy 300 crypto map VPN 3
!
! Specify strong IPSec Transform set:
! ==================================
ip crypto ipsec transform-set strong_crypto esp-aes-256-cbc esp-sha-hmac
mode tunnel
!
! Specify a crypto map to combine IKE-IPSec settings and VPN packet selectors:
! ===========================
ip crypto map VPN 3 ipsec-ike
description admin_VPN_Access
match address ip VPN-3-selectors
set transform-set strong_crypto
set security-association lifetime seconds 3600
set pfs group5
ike-policy 300
mobile
!
[snip ...]
! Map the VPN service to your public facing interface, e.g. eth 0/1, or ppp 1, as appropriate:
! ========================
interface eth 0/1
description WAN
ip address AAA.BB.CCC.DD
ip access-policy Public
ip crypto map VPN !This line enables VPN on this interface
no shutdown
no lldp send-and-receive
!
[snip ...]
! Set up selectors to filter VPN packets:
! ==============================
ip access-list extended VPN-3-selectors
permit ip 10.10.3.0 0.0.0.255 172.16.3.0 0.0.0.255
deny ip any any log
!
[snip ...]
! Set up policies to allow filtered VPN packets in and out:
! ==============================================
ip policy-class Private
allow list VPN-3-selectors stateless
allow list self self
nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
allow reverse list VPN-3-selectors stateless
!
This is the configuration for the Shrew remote client, which on a MS Windows PC can be found in:
C:\Users\<user_name>\AppData\Local\ShrewSoftVPN\sites\
It would look like this:
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:1
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:1
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:1
n:client-dns-suffix-auto:1
n:client-splitdns-used:1
n:client-splitdns-auto:1
n:client-wins-used:0
n:client-wins-auto:1
n:phase1-dhgroup:5
n:phase1-life-secs:7080
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:3600
n:phase2-life-kbytes:0
n:policy-nailed:0
n:policy-list-auto:0
n:phase1-keylen:256
n:phase2-keylen:256
s:network-host:AAA.BB.CCC.DD #Set the public IP address of 3448 here
s:client-auto-mode:pull
s:client-iface:virtual
s:network-natt-mode:enable
s:network-frag-mode:enable
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:remote@remote_client.com
s:ident-server-data:AAA.BB.CCC.DD #Set the public IP address of 3448 here
b:auth-mutual-psk: #Leave this blank, then add the PSK using the GUI
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
s:ipcomp-transform:deflate
n:phase2-pfsgroup:5
s:policy-level:unique
s:policy-list-include:10.10.3.0 / 255.255.255.0
When you try to initiate a connection Shrew will ask you to enter the XAuth username and password, which in the above example is admin_VPN_client and my_secret_admin_VPN_client_passwd respectively. These examples should get your connection going, but if not post back logs of shrewsoft and a debug session of the Netvanta, after you obfuscate public IP addresses and usernames/passwords.
NOTE: Using Aggressive mode to initiate an IKE exchange with PSK authentication is not secure, because a hash of the PSK is sent out unencrypted and, if the connection is eavesdropped, can be brute forced offline. So, in critical production environments it is advised to use SSL certificates instead of PSK, or use Main mode, or both.
--
Regards,
Mick
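Because most "negotiation never completes" reports in threads like this come down to one phase 1 or phase 2 parameter differing between the client file and the router, here is a small cross-check script. It is an added example written for this thread, not code from the original post, from ADTRAN or from Shrew Soft. It parses the n:/s:/b: lines of a Shrew Soft site file, compares the negotiation-relevant keys with the values Mick configured on the 3448 above (ike policy 300, crypto map VPN 3 and the VPN-3-selectors access list, all assumed from that post), checks that the policy network matches the access-list selector, and flags the Aggressive-mode-plus-PSK combination from the NOTE. The sample site file below is constructed from the one in the thread; the `#` remarks are tolerated only because the annotated copy above carries them, a real client file has none.

```python
"""Cross-check a Shrew Soft site file against the Netvanta 3448 VPN settings.

Added example for this thread; not part of the original post or of either
vendor's software. Expected values are assumed from Mick's 3448 configuration.
"""
import ipaddress
import re

# Values from the Netvanta config in the thread. The phase 1 hash is not set
# explicitly in ike policy 300, so it is deliberately not checked here.
NETVANTA_EXPECTED = {
    "phase1-dhgroup": "5",              # group 5
    "phase1-life-secs": "7080",         # lifetime 7080
    "phase1-cipher": "aes",             # encryption aes-256-cbc
    "phase1-keylen": "256",
    "phase2-transform": "esp-aes",      # esp-aes-256-cbc
    "phase2-keylen": "256",
    "phase2-hmac": "sha1",              # esp-sha-hmac
    "phase2-life-secs": "3600",         # set security-association lifetime seconds 3600
    "phase2-pfsgroup": "5",             # set pfs group5
    "auth-method": "mutual-psk-xauth",  # authentication pre-share + XAuth
    "ident-server-type": "address",     # local-id address
    "ident-client-type": "ufqdn",       # crypto ike remote-id user-fqdn
}
# "permit ip 10.10.3.0 0.0.0.255 ..." uses a wildcard (host) mask; ipaddress
# accepts hostmask notation directly and normalises it to 10.10.3.0/24.
NETVANTA_SELECTOR = ipaddress.ip_network("10.10.3.0/0.0.0.255")

LINE_RE = re.compile(r"^([nsb]):([A-Za-z0-9-]+):(.*)$")

# Constructed sample, trimmed from the site file posted in the thread.
SAMPLE_SITE = """\
n:version:4
n:network-ike-port:500
n:client-addr-auto:1
n:phase1-dhgroup:5
n:phase1-life-secs:7080
n:phase2-life-secs:3600
n:phase1-keylen:256
n:phase2-keylen:256
s:network-host:AAA.BB.CCC.DD #Set the public IP address of 3448 here
s:auth-method:mutual-psk-xauth
s:ident-client-type:ufqdn
s:ident-server-type:address
s:ident-client-data:remote@remote_client.com
s:ident-server-data:AAA.BB.CCC.DD
b:auth-mutual-psk: #Leave this blank, then add the PSK using the GUI
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase1-hash:sha1
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
n:phase2-pfsgroup:5
s:policy-level:unique
s:policy-list-include:10.10.3.0 / 255.255.255.0
"""


def parse_site_file(text):
    """Parse type:key:value lines into a dict, dropping trailing '#' remarks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        _typ, key, value = m.groups()
        settings[key] = value.strip()
    return settings


def shrew_policy_network(value):
    """'10.10.3.0 / 255.255.255.0' -> IPv4Network('10.10.3.0/24')."""
    addr, mask = (p.strip() for p in value.split("/", 1))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_against_netvanta(settings):
    """Return (mismatches, warnings) for a parsed site file."""
    mismatches = []
    for key, expected in NETVANTA_EXPECTED.items():
        got = settings.get(key)
        if got != expected:
            mismatches.append(f"{key}: client has {got!r}, 3448 expects {expected!r}")
    include = settings.get("policy-list-include")
    if include is None or shrew_policy_network(include) != NETVANTA_SELECTOR:
        mismatches.append(f"policy-list-include: client has {include!r}, "
                          f"3448 selector is {NETVANTA_SELECTOR}")
    warnings = []
    if (settings.get("phase1-exchange") == "aggressive"
            and settings.get("auth-method", "").startswith("mutual-psk")):
        warnings.append("aggressive mode with PSK: the PSK hash crosses the wire "
                        "unencrypted in phase 1; prefer main mode and/or certificates")
    return mismatches, warnings


if __name__ == "__main__":
    mismatches, warnings = check_against_netvanta(parse_site_file(SAMPLE_SITE))
    for line in mismatches:
        print("MISMATCH:", line)
    for line in warnings:
        print("WARNING:", line)
    print("no parameter mismatches" if not mismatches else f"{len(mismatches)} mismatch(es)")
```

Run it against a copy of the real site file by replacing `SAMPLE_SITE` with the file's contents; any MISMATCH line names the key to fix on whichever side is wrong, and the WARNING line restates the Aggressive-mode caveat from the NOTE above.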
Thanks Mick, will give it a go and let you know!