Hub router for VPN

We're replacing a third-party router with a Cisco 1721. This location is the hub of a multi-location (3 remote sites) VPN.
The 3 remote sites are all on fixed public IPs.
I've seen examples of both no assumption/restriction of remote IPs (crypto isakmp key [key] address 0.0.0.0 0.0.0.0), as well as setting a key per remote:
crypto isakmp key [key1] address [remote ip1]
crypto isakmp key [key2] address [remote ip2]
crypto isakmp key [key3] address [remote ip3]
Is there a disadvantage/security concern to using the quad-0 approach?

There are no advantages or disadvantages other than what should be obvious.
Single key.
Advantage: Simple administration, common config on all routers.
Disadvantage: Potentially allows anyone to connect to the router from the Internet if not forbidden by another policy on the router.
Multiple keys.
Advantage: ISAKMP cannot be negotiated if not specifically configured on the router for that remote IP address. Conceptually more secure.
Disadvantage: More administrative overhead.
With 3 sites, the specific key per site is fairly easy to do. If you had 200 sites, that method would be much less doable. You could do a quick estimate: (N * 5) + (N ^ 2) minutes to do your entire network, or something along those lines.
It's much easier if you have a system that manages this for larger installs. I believe this is one of the purposes of Cisco's GET VPN.
Rob
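
The two forms side by side on the hub, plus the "other policy" Rob mentions, as an added example that is not part of the question or of Rob's reply. The hub address 198.51.100.1, the spoke addresses 203.0.113.10/.20/.30, the key strings, the ACL name OUTSIDE-IN, the interface FastEthernet0 and the crypto map name VPN-MAP are all placeholders chosen for illustration; the ISAKMP policy and crypto map themselves are assumed to be configured already.

```cisco
! Added example, not from the original thread. Addresses, key strings and
! the ACL/interface/crypto-map names are placeholders; substitute your own.
!
! ---- Form 1: one wildcard key, the "quad-0" approach ----
! Mask 0.0.0.0 0.0.0.0 matches any peer address. Every spoke shares this
! string, and any Internet host that can reach UDP/500 on the hub and knows
! it can complete ISAKMP Phase 1 unless an ACL stops it first.
crypto isakmp key Quad0SharedSecret address 0.0.0.0 0.0.0.0
!
! ---- Form 2: one distinct key per fixed spoke address ----
! Mask 255.255.255.255 matches exactly that host. A peer arriving from any
! other source address has no key entry, so Phase 1 fails before Phase 2 is
! ever offered, and a key lifted from one spoke only unlocks that spoke's
! entry. Use either Form 1 or Form 2, not both: a wildcard entry left in
! place still matches every address the per-peer lines do not.
crypto isakmp key Site1-PSK-Qx7v9 address 203.0.113.10 255.255.255.255
crypto isakmp key Site2-PSK-Lm3k2 address 203.0.113.20 255.255.255.255
crypto isakmp key Site3-PSK-Rt8p4 address 203.0.113.30 255.255.255.255
!
! ---- The "other policy": only the three spokes may talk IKE, NAT-T and ESP ----
! This is what makes Form 1 tolerable in practice, and it is worth having
! with Form 2 too, since unknown hosts then cannot even start a negotiation.
ip access-list extended OUTSIDE-IN
 remark site 1: IKE (UDP/500), NAT-T (UDP/4500), ESP (IP protocol 50)
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.1
 remark site 2
 permit udp host 203.0.113.20 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.20 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.20 host 198.51.100.1
 remark site 3
 permit udp host 203.0.113.30 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.30 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.30 host 198.51.100.1
 remark everything else is dropped and logged, so probes of UDP/500 show up
 deny ip any any log
!
interface FastEthernet0
 description Internet-facing interface of the hub (placeholder name)
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
```

Two caveats before copying this onto a production hub. The closing deny is strict: if the hub also NATs the local LAN out to the Internet, return traffic for those sessions needs its own permit lines (or stateful inspection), and on some IOS releases packets are evaluated against the inbound ACL again after decryption, so tunnels that pass Phase 2 yet carry no traffic usually mean the remote LAN prefixes need permits as well. Verify with show crypto isakmp sa (the Phase 1 peers that actually formed) and show access-lists OUTSIDE-IN, where hit counts on the deny line reveal stray connection attempts.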

Similar Messages

  • Check router for VPN Throughput - L2TP VPN

    I am working on setting up a VPN for our office. I have the PPTP version working but am unable to get L2TP to function. Through various testing methods (setting up our Mac Yosemite server as a VPN and testing it in and out of the office), I am leaning towards an issue with the router not allowing some of the protocols required by L2TP through. The reason being I am able to create an L2TP VPN connection with my Mac server when using the internal IP address, but not when using the outside IP address (which to me means the signal is being blocked at the router).
    The server is receiving the SCCRQ from the client and trying to send the SCCRP, which the client is not receiving when trying to connect from outside the office.
    I have checked all the ports required and they are open (show ip ports), but cannot figure out how to check for ESP, protocol 50. Does anyone know how to check this protocol? And if this isn't the solution, does anyone have other methods I can use to find the issue?
    Thank you,
    Chris

    I think the 2811 can handle this task.
    The 2811 supports up to 1500 VPN tunnels with the AIM-EPII-PLUS module:
    http://www.cisco.com/en/US/products/ps5881/index.html
    So no problem with 165 VPNs...
    If you are speaking about huge traffic volume, you should focus on the speed of the Internet connectivity in the head office. If you have a 10 Mbit line for the head office you get only about 60 Kbit per tunnel (10 Mbit/165).
    M.
    Hope that helps; rate if it does.

  • Firewall or Router for VPN

    Is it better to use a firewall like a PIX515E or a router like a 1721 for setting up a VPN?

    Hi
    What kind of VPN are you talking about? Is it a point-to-point VPN between 2 sites, or is it going to be used by remote VPN clients?
    If it's a simple point-to-point VPN between 2 clients then you can go ahead with the Cisco 1721, which can handle the same.
    But if it's going to be more than one site, and you are more concerned about the security aspects, then go with PIX appliances.
    Otherwise you can settle for even a higher-end router which can solve your purpose.
    regds

  • Replacing the DMVPN hub router

    We are replacing our current 2921 router, Version 15.2(4)M2, with a 3925 Version 15.2(4)M6. It is the DMVPN hub router for 6 spoke routers. We cut and pasted the configuration from the old router to the new. We confirmed internet connectivity from clients on the inside. But none of the DMVPN tunnels will set up. As we were in a very short maintenance window we did not have a lot of time to troubleshoot and had to revert to the old router. Is there some procedure we need to implement to force the tunnels to come up?

    Because you are changing the hardware and copy-pasting the config, the spokes will not re-register themselves at the hub until you reset them. Then they will register themselves again in the NHRP table at the new hub.
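
    The reset the reply refers to, written out as IOS commands, as an added illustration that is not part of the reply above. It assumes Tunnel0 is the DMVPN tunnel interface on every router and uses "spoke#" and "hub#" as placeholder prompts.

```cisco
! Added example, not from the original thread. Tunnel0 and the prompts are
! placeholders.
!
! On each spoke: drop the IKE/IPsec state that was negotiated with the old
! hub (the new box has no record of those SAs) and the NHRP mapping for it,
! then bounce the tunnel so the spoke registers again.
spoke# clear crypto session
spoke# clear ip nhrp
spoke# configure terminal
spoke(config)# interface Tunnel0
spoke(config-if)# shutdown
spoke(config-if)# no shutdown
spoke(config-if)# end
!
! On the new hub: each spoke should reappear as a dynamic NHRP entry with
! its public (NBMA) address, and a fresh Phase 1 SA per spoke.
hub# show dmvpn
hub# show ip nhrp
hub# show crypto isakmp sa
```

    If a spoke still does not register after this, compare the pasted hub config against the old router for anything tied to the hardware, such as the interface name used as tunnel source and the ISAKMP identity, before treating it as a spoke-side problem.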

  • Setup VPN on Mac Mini Server running OSX through a BT Hub Router

    Hello everyone,
    I know this question has been posted several times and I have looked at the suggested solutions, trying each of them. I think this is really down to my lack of knowledge, hence hoping someone out there could point me in the right direction for more resources / information, please.
    I am trying to set up a Mac Mini Server with VPN access. My server sits behind a BT Hub router. These are the steps that I have been through:
    1. I am using the Server app and, after registering a free account with no-ip, I got myself a host name <myname>.ddns.net.
    2. Then I set up the server using a domain name.
    3. I configured DNS by first setting up a primary zone (zone: ddns.net), then added a machine record with host name <myname> pointing to my server, which I have configured my router to assign a static IP address to at 192.168.x.x.
    4. Then I configured the VPN, setting up L2TP and PPTP, set up the shared secret, and changed the IP address range to match that of the DHCP range on my router. My router by default has a DHCP range between 64 and 253.
    5. Then I also configured my router to port forward 500, 1701, 1723, and 4500 to my server at 192.168.x.x (I selected both TCP and UDP).
    6. Finally, I set up a user account with account name test and password abcd12345.
    7. Went on my "client" machine, which is basically my Samsung S4 phone, selected VPN -> PPTP -> server address: <myname>.ddns.net -> entered account name test and password abcd12345.
    This didn't work.
    Then I read some posts about manually configuring DHCP in the Server app. Went into the Server app, turned on DHCP and set up a network named TestDHCP. Assigned an IP address range between that of the default DHCP range on my BT Hub router.
    This does not work either.
    Could someone please kindly help me with it? I am completely lost.
    Thank you in advance.

    To run a public VPN server behind a NAT gateway, you need to do the following:
    1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
    2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
    3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
    If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
              Allow incoming IPSec authentication
    if it's not already checked, and save the change.
    With a third-party router, there may be a similar setting.
    4. Configure any firewall in use to pass this traffic.
    5. Each client must have an address on a netblock that doesn't overlap the one assigned by the VPN endpoint. For example, if the endpoint assigns addresses in the 10.0.0.0/24 range, and the client has an address on a local network in the 10.0.1.0/24 range, that's OK, but if the local network is 10.0.0.0/16, there will be a conflict. To lessen the chance of such conflicts, it's best to assign addresses in a random sub-block of 10.0.0.0/8 with a 24-bit netmask.
    6. "Back to My Mac" is incompatible with the VPN service. It must be disabled both on the server and on an AirPort router, if applicable.
    If the server is directly connected to the Internet, see this blog post.

  • My iTunes 11 Home Sharing is not working with my Windows 7 PC and iPad

    My iTunes 11 Home Sharing is not working with my Windows 7 PC and iPad. It shows up on the iPad, but when I go to share, the Music app loads for 3 minutes and crashes. I am using a Virgin Super Hub router. Please, please, please help.

  • Dynamic Routing for Failover L2L VPN

    Hi,
    Can someone offer me some guidance with this issue please?
    I've attached a simple diagram of our WAN for reference.
    Overview
    Firewall is ASA 5510 running 8.4(9)
    Core network at Head Office uses OSPF
    Static routes on ASA are redistributed into OSPF
    Static routes on ASA for VPN are redistributed into OSPF with Metric of 130 so redistributed BGP routes are preferred
    Core network has a static route of 10.0.0.0/8 to Corporate WAN, which is redistributed into OSPF
    Branch Office WAN uses BGP - Routes are redistributed into OSPF
    The routers at the Branch Office use VRRP for IP redundancy for the local clients default gateway.
    Primary Branch Office router will pass off VRRP IP to backup router when the WAN interface is down
    Backup BO router (.253) only contains a default route to internet
    Under normal operation, traffic to/from BO uses Local Branch Office WAN
    If local BO WAN link fails, traffic to/from BO uses IPSec VPN across public internet
    I'm trying to configure dynamic routing on our network for when a branch office fails over to the IPsec VPN. What I would like to happen (not sure if it's possible) is for the ASA to advertise the subnet at the remote end of the VPN back into OSPF at the Head Office.
    I've managed to get this to work using RRI, but for some reason the VPN stays up all the time when we're not in a failover scenario. This causes the ASA to add the remote subnet into its routing table as a static route, and not use the route advertised via OSPF from the core network. This prevents clients at the BO from accessing the Internet. If I remove the RRI setting on the VPN, the ASA learns the route to the subnet via the BO WAN - normal operation is resumed.
    I have configured the metric of the static routes that get redistributed into OSPF by the ASA to be higher than 110. This is so that the routes redistributed by BGP from the BO WAN into OSPF, are preferred. The idea being, that when the WAN link is available again, the routing changes automatically and the site fails back to the BO WAN.
    I suppose what I need to know is; Is this design feasible, and if so where am I going wrong?
    Thanks,
    Paul

    Hi Paul,
    Your ASA keeps the tunnel alive only because that route exists on the ASA. Therefore you have to use IP SLA on the ASA to push traffic for network "10.10.10.0/24" based on the echo reply.
    Please look at the example below; it shows that the traffic will flow via the tunnel only in the event the ASA cannot reach network 10.10.10.0/24 via the HQ internal network.
    This config will go on the ASA:
    route inside 10.10.10.0 255.255.255.0 10.0.0.2 track 10
    (assuming 10.0.0.2 is the peering IP, i.e. the inside IP address of the router at HO)
    route outside 10.10.10.0 255.255.255.0 xxx.xxx.xxx.xxx 254
    (value 254 is the higher cost of the route going via the IPsec tunnel, and xxx.xxx.xxx.xxx is the default gateway of the ISP)
    sla monitor 99
     type echo protocol ipIcmpEcho 10.10.10.254 interface inside
     num-packets 3
     frequency 10
    sla monitor schedule 99 life forever start-time now
    track 10 rtr 99 reachability
    Let me know if this helps.
    Thanks
    Rizwan Rafeek

  • SonicWall SourceNAT VPN setup as default route for all traffic!

    Hi, OK, hope someone can help with this mess..... Our customer has been taken over by a US company who have said all outgoing internet traffic must go via their data centre. They want us to create an IPsec VPN from our SonicWALL TZ215 to them, then route all traffic locally via this VPN. In principle this didn't sound too bad. Then there were some more options: our local subnet 172.x.x.x has to be NAT'd to a single /32 address, 192.x.x.131. They also require our destination network to be set as 0.0.0.0, as they won't specify the range at the data centre. I have managed to get the VPN up by using the NAT address as my local subnet and using the option on the SonicWALL "Use this VPN Tunnel as default route for all Internet traffic" on the remote network. Phase 1 and Phase 2 work OK. The problem I now have is I need to route all LAN traffic...
    This topic first appeared in the Spiceworks Community

    Hi Norbert,
    I am sorry to say that configuring routes in an Azure Virtual Network is not supported. I recommend you submit your requirement on Azure Feedback and hope it will be released soon:
    http://feedback.azure.com/forums/217313-networking-dns-traffic-manager-vpn-vnet
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • How to configure router to use ip pool on the aaa server for vpn clients

    How do I configure the router to use the IP pool on the AAA server for VPN clients? I want to use VPN clients to connect to the router, authenticate using the AAA server username database, and also use the IP pool created on the AAA server. I am not able to find the command on the router pointing it to use the pool created on the AAA server. Can someone help me with this command?
    sebastan

    Hello Sebastan,
    what do you use as AAA server (e.g. ACS with TACACS+ or RADIUS) ?
    Regards,
    GNT

  • DMVPN HUB router behind NAT

    We are getting new SIP trunks put in, and in order for the provider to put them in, the provider put in a router to control all web traffic so they can QoS the voice. That means our VPN routers will go behind the NAT barrier. But when I switched the router's interface to the NATted address, the DMVPN tunnels would not build. There is a NAT translation to the routers, so the external (routable) IP did not change. The IPsec tunnels did come up just fine; just the few DMVPN-connected tunnels did not.
    If I issue a "sh dmvpn", the Peer NBMA Addr shows up as 0.0.0.0 while the Peer Tunnel Addr is what it should be; also the Attrb is "X".
    Tunnel source I have set to the interface, and the key is set to "crypto isakmp key "my key" address 0.0.0.0 0.0.0.0 no-xauth".
    I am at a loss on why this was not working. Keep in mind this is the HUB router and not the Spoke.

    Here is some additional info to help
    hub config:
    interface Tunnel0
     bandwidth 512
     ip address "hubtunnelIP" 255.255.255.0
     no ip redirects
     ip nhrp authentication "XXX"
     ip nhrp map multicast dynamic
     ip nhrp network-id 1
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile net1
    crypto isakmp key "My Key" address 0.0.0.0 0.0.0.0 no-xauth
    crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
     mode transport
    crypto ipsec profile net1
     set transform-set "mytransformset"
    Spoke config:
    crypto isakmp key "My Key" address "Remote IP" "remote SM" no-xauth
    crypto ipsec transform-set "mytransformset" esp-des esp-md5-hmac
     mode tunnel
    crypto ipsec nat-transparency spi-matching
    crypto ipsec profile net1
     set transform-set "mytransformset"
    interface Tunnel0
     bandwidth 512
     ip address "spoketunnelIP" 255.255.255.0
     no ip redirects
     ip nhrp authentication "XXX"
     ip nhrp map multicast "Remote IP"
     ip nhrp map "hubtunnelIP" "Remote IP"
     ip nhrp network-id 1
     ip nhrp nhs "hubtunnelIP"
     tunnel source GigabitEthernet0/1
     tunnel mode gre multipoint
     tunnel protection ipsec profile net1 shared

  • DMVPN Hub router with static NAT

    Hi everyone,
    I'm trying to set up a lab environment to establish a DMVPN. I have two Cisco 2811 routers, IOS version 12.4(3j). I need to configure those routers to establish a DMVPN. For the spoke router, I have an ISP that provides dynamic addressing. For the hub router, I have a public static IP address assigned by the ISP. But I have a WatchGuard firewall in the middle doing static 1-to-1 NAT for that address. Now the questions are:
    1) Can I establish the DMVPN between the routers with that firewall in the middle?
    2) In case it is possible, what will the physical hub address be? And is there something I need to change in the firewall configuration?
    3) In case it isn't possible, what other options do I have to establish a VPN tunnel between the routers in those conditions?
    If there is anything else you need to know to understand the situation, please ask. I haven't configured either of the routers yet, because I think I need to be sure of these concepts first. Thanks for any help you could bring.
    Gustavo

  • Using ASA 5510 and router for dual WAN Connections.

    Guys, need some help here:
    Context:
    1- My company has one ASA 5510 configured with site-to-site VPN, IPsec Cisco VPN and AnyConnect VPN.
    2- We use the ASA to connect to the single ISP (ISP 1) for internet access. The ASA does all the NATing for internal users to go out.
    3- A second link is coming in and we will be using ISP 2 to load-balance traffic to the internet (i.e. business traffic will go via ISP1 and "other" traffic will go via ISP2).
    4- A router will be deployed in front of the ASA to terminate internet links.
    5- No BGP should be used to implement policy (traffic X goes via ISP1, traffic Y goes via ISP2).
    Questions:
    How do I get this done, particularly, how do I tell the router, for traffic X use ISP1 and for traffic Y use ISP2? PBR is my friend?
    Since I will be having 2 public Ip Addresses from the 2 ISPs, how do I NAT internal users to the 2 public Ip addresses ?.
    Finally, which device should be doing the NATing? The ASA just like now or move NATing to the Router?
    Thanks
    Ndaungwe

    Hi,
    Check the link below; it gives information on transparent FW config and limitations. Based on the doc, you may need to move the VPN/AnyConnect to the router as well. From the router end you may be able to set up static routes pointing to different ISPs based on traffic needs, but this will be a complicated setup and can break things. Wait for other suggestions or, if possible, stick to the ASA to terminate both links and still route the traffic to different ISPs (saves the router cost as well).
    http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
    Thx
    MS

  • Power to Hub & router

    Hi,
    Does anyone know if the HH and Router can be connected to an extension lead when the engineers calls. I do have a double socket close to the master socket but one is used for the answerphone and one is already being used by the old Hub.
    I could do with moving the master socket to a location closer to my PC but again are short on sockets. 
    Need to get sorted out before installation day.
    Many Thanks
    Graham
    Solved!
    Go to Solution.

    Back to the original question.
    A good solution in many cases is to keep the modem near the current master socket, and to run an ethernet cable to a hub/router somewhere else. You may suffer a loss in speed if they add a data extension to place the modem elsewhere (probably not severe), but you won't suffer a loss in speed from a long ethernet run from modem to router.
    Not sure it will suit you.  You would need to provide and lay the ethernet cable.

  • Port forwarding not working for VPN

    Hi there,
    I am at a loss as to what I am doing wrong with regards to setting up a VPN. I admit this is all completely new territory for me, and I am learning as I go along, so may have overlooked something very obvious.
    I have opened up the VPN ports on the router (500, 1701, 4500 - UDP; 1723 - TCP), and can confirm from the logs that they are letting traffic in OK.
    So that leaves the server itself - testing using an open port checking tool confirms all ports I have open in the router firewall, and active and accessible on the server, except the VPN ports and service, are indeed open and accessible.
    The VPN service is running, and I have ensured the services are available within the firewall service for 'all', and all services available for the 192.168.1.xxx range.
    I have indicated that the VPN should use the range 10.0.0.1 to 200.
    The DNS and DHCP services on the server are running. At the domain registrar, I have indicated that the subdomain I am using to access the server and its services via the web should point to the static IP I have from the ISP.
    I should mention that if I use the local IP address of the server, I can connect OK; it is only when I use the static IP that I am unable to connect.
    Every other port opens up successfully - FTP (21), Web (80/443), etc. - just not the ones for the VPN, so I assume there is some sort of conflict between or within the VPN/DHCP/DNS services or with the VPN service itself.
    Any advice and potential solutions would be greatly appreciated, as I have spent quite a bit of time trying to figure this one out by myself.
    Thanks in advance, and I hope to hear from folk soon.
    Chris

    OK - here's how my router is configured:
    NAT (Type = Destination) Public IP address to VPN Server IP address (I had a problem when I didn't have the NAT Type set properly)
    I have a separate public IP address reserved for VPN traffic, but that's not necessary if you set up the order of the rules on your router properly. It's just easier to have a separate IP address.
    These are the ports I have open:
    UDP - 500
    UDP - 1701
    TCP - 1723
    TCP - 3283
    UDP - 3283
    UDP - 4500
    TCP - 5900
    TCP - 5988
    I have these ports open to accommodate remoting in via Apple Remote Desktop.
    However, since Mavericks, I can't use ARD anymore. But I can use Back to My Mac and Screen Sharing (go figure!) to get to my server and then from the server I can use ARD within the network.
    Don't know if that helps or not, but it works for me.

  • DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

    Hi Guys,
    I'm in a mess, I have  Cisco 877-K9 router which sits behind an ASA 5510 FW.
    The Design :
    Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
    ||
    ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
    ||
    Switch
    ||
    LAN
    Now my problem is: my DMVPN configuration works just fine; I'm able to ping from my Cisco 877 to any Spoke and vice versa.
    I'm also able to ping from my LAN to any Spoke Tunnel IP, but I'm not able to ping any LAN IP at a Spoke site, nor am I able to ping my LAN from any Spoke site.
    I've googled a lot but have only come across designs where the ASAs are behind the Cisco routers and not in front.
    Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
    Thanks,
    Aj.

    Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
    All the troubleshooting was done before posting the problem, and to clarify things, please find below the results.
    1) What routing protocol are you using?
    a) It's OSPF.
    2) If you're using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF.
    a) I did the "show ip route" and both the HUB and the Spokes get their routes defined
        (on the HUB, if I used "network 192.9.201.0 255.255.255.0 area 0" I couldn't get routes advertised on spokes)
        (I changed to "redistribute static subnets" and I was able to get Hub routes advertised).
    3) Are your tunnels configured correctly? Try show crypto ipsec sa.
    a) They are as they should be, and "show crypto ipsec sa" comes up with proper in/out encrypted data.
    4) On your hub/spoke do a debug ip icmp.
    a) Did that as well, and if I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but if I ping from HUB to Spoke on a client IP behind the Spoke, it pings but does not show any result on the Spoke debug.
    I'm able to ping all the Spokes' Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA or the clients on my LAN.
    In addition to the info above, please also note:
    I did notice that, from my HUB router, which is also my DSL modem, I'm unable to ping any clients behind the ASA.
    So I guess I'm stuck on the point that my Cisco HUB is unable to talk to my LAN. If I can get the HUB to talk to the internal LAN, I would be able to ping clients on the LAN from any Spoke or clients behind Spokes.
    From HUB router I'm able to ping clients behind Spokes.
    Does that give any Ideas ?
    Thanks in Advance.
    Aj.
