2 Replies Latest reply on Aug 22, 2017 2:49 PM by rdw

    Setting up mobile VPN access with restriction to certain VLAN

    rdw New Member

      Hi,

      Can someone give me a setup how-to for enabling a remote user to VPN to the 3448 that I have specific VLANs set up on for management of their systems.

      I need to use Shrewsoft for the VPN client and haven't had any success setting it up in test. I was using the how-to on the Shrew Soft site but couldn't get negotiation to complete.

      I have 3 VLANs set up now:

      VLAN1 - Default data
      VLAN2 - Voice (not used as of yet)
      VLAN3 - PLC control   <<this is the one that I would like for the mobile VPN user to access.

      Will be setting up
      VLAN4 - PLC control
      VLAN5 - PLC control

      I need to set up a separate VPN connection for each of the PLC VLANs as they are different vendors for equipment at the site.

        • Re: Setting up mobile VPN access with restriction to certain VLAN
          mick Visitor

          Hi rdw, I've put together example configurations you can try out on your Netvanta and on the shrewsoft VPN client.  You haven't provided any details of IP addresses and credentials, so I will assume the following settings which you will need to adapt to your circumstances:

          The public IP address of the 3448 is: AAA.BB.CCC.DD
          The default subnet of VLAN 1 is:  10.10.10.0/24
          The subnet of VLAN 3 is:  10.10.3.0/24
          The virtual IP for the VPN client is:  172.16.3.1/24
          The 3448 peer's ID is its public IP address:  AAA.BB.CCC.DD
          The remote client's ID is some User FQDN:  remote@remote_client.com
          The remote client's XAuth username is:  admin_VPN_client
          The remote client's XAuth password is:  my_secret_admin_VPN_client_passwd
          The PSK is:  Very_Long_Secret_Passwd

          The configuration of the Netvanta 3448 would look like this.

           

          ! Setup users for Netvanta's admin account and for the remote VPN client's XAuth:
          ! =========================
          service password-encryption
          !
          username "admin" password encrypted "my_secret_admin_passwd"
          username "admin_VPN_client" password encrypted "my_secret_admin_VPN_client_passwd"
          !
          [snip ...]

          ! Enable AAA Authentication:
          ! ======================
          aaa on
          !
          !
          aaa authentication login LoginUseLocalUsers local
          aaa authentication login LoginUseLinePass line
          !
          aaa authentication enable default enable
          !
          aaa authentication port-auth default local
          !
          [snip ...]

          ! Enable the VPN service:
          ! ===================
          ip crypto
          !
          ! Setup the ISAKMP mode configuration the 3448 will push to the remote clients:
          ! ======================================================
          crypto ike client configuration pool admin_VPN_modconfig
            ip-range            172.16.3.1        172.16.3.254
            dns-server          10.10.3.1       ! This may or may not be needed
          !
          ! Set up an IKE policy for the remote client:
          ! =================================
          crypto ike policy 300
            no initiate
            respond any
            local-id address AAA.BB.CCC.DD
            peer any
            client authentication server list LoginUseLocalUsers
            client configuration pool admin_VPN_modconfig
            attribute 1
              encryption aes-256-cbc
              authentication pre-share
              group 5
              lifetime 7080
          !
          ! Specify the IKE configuration for remote client:
          ! =====================================
          crypto ike remote-id user-fqdn remote@remote_client.com preshared-key Very_Long_Secret_Passwd ike-policy 300 crypto map VPN 3
          !
          ! Specify strong IPSec Transform set:
          ! ==================================
          ip crypto ipsec transform-set strong_crypto esp-aes-256-cbc esp-sha-hmac
            mode tunnel
          !
          ! Specify a crypto map to combine IKE-IPSec settings and VPN packet selectors:
          ! ===========================
          ip crypto map VPN 3 ipsec-ike
            description admin_VPN_Access
            match address ip VPN-3-selectors
            set transform-set strong_crypto
            set security-association lifetime seconds 3600
            set pfs group5
            ike-policy 300
            mobile
          !
          [snip ...]

          ! Map the VPN service to your public facing interface, e.g. eth 0/1, or ppp 1, as appropriate:
          ! ========================
          interface eth 0/1
            description WAN
            ip address AAA.BB.CCC.DD
            ip access-policy Public
            ip crypto map VPN               !This line enables VPN on this interface
            no shutdown
            no lldp send-and-receive
          !
          [snip ...]

          ! Set up selectors to filter VPN packets:
          ! ==============================
          ip access-list extended VPN-3-selectors
            permit ip 10.10.3.0 0.0.0.255  172.16.3.0 0.0.0.255
            deny   ip any  any     log
          !
          [snip ...]

          ! Set up policies to allow filtered VPN packets in and out:
          ! ==============================================
          ip policy-class Private
            allow list VPN-3-selectors stateless
            allow list self self
            nat source list wizard-ics interface eth 0/1 overload
          !
          ip policy-class Public
            allow reverse list VPN-3-selectors stateless
          !

           

           

          This is the configuration for the Shrew remote client, which on an MS Windows PC can be found in C:\Users\<user_name>\AppData\Local\ShrewSoftVPN\sites\ and would look like this:

          n:version:4
          n:network-ike-port:500
          n:network-mtu-size:1380
          n:client-addr-auto:1
          n:network-natt-port:4500
          n:network-natt-rate:15
          n:network-frag-size:540
          n:network-dpd-enable:1
          n:client-banner-enable:1
          n:network-notify-enable:1
          n:client-dns-used:1
          n:client-dns-auto:1
          n:client-dns-suffix-auto:1
          n:client-splitdns-used:1
          n:client-splitdns-auto:1
          n:client-wins-used:0
          n:client-wins-auto:1
          n:phase1-dhgroup:5
          n:phase1-life-secs:7080
          n:phase1-life-kbytes:0
          n:vendor-chkpt-enable:0
          n:phase2-life-secs:3600
          n:phase2-life-kbytes:0
          n:policy-nailed:0
          n:policy-list-auto:0
          n:phase1-keylen:256
          n:phase2-keylen:256
          s:network-host:AAA.BB.CCC.DD  #Set the public IP address of 3448 here
          s:client-auto-mode:pull
          s:client-iface:virtual
          s:network-natt-mode:enable
          s:network-frag-mode:enable
          s:auth-method:mutual-psk-xauth
          s:ident-client-type:ufqdn
          s:ident-server-type:address
          s:ident-client-data:remote@remote_client.com
          s:ident-server-data:AAA.BB.CCC.DD  #Set the public IP address of 3448 here
          b:auth-mutual-psk:                 #Leave this blank, then add the PSK using the GUI
          s:phase1-exchange:aggressive
          s:phase1-cipher:aes
          s:phase1-hash:sha1
          s:phase2-transform:esp-aes
          s:phase2-hmac:sha1
          s:ipcomp-transform:deflate
          n:phase2-pfsgroup:5
          s:policy-level:unique
          s:policy-list-include:10.10.3.0 / 255.255.255.0

           

          When you try to initiate a connection Shrew will ask you to enter the XAuth username and password, which in the above example are admin_VPN_client and my_secret_admin_VPN_client_passwd respectively.  These examples should get your connection going, but if not, post back logs of shrewsoft and a debug session of the Netvanta, after you obfuscate public IP addresses and usernames/passwords.

          NOTE:  Using Aggressive mode to initiate an IKE exchange with PSK authentication is not secure because a hash of the PSK is sent out unencrypted and, if the connection is eavesdropped, can be brute forced offline.  So, in critical production environments it is advised to use SSL certificates instead of PSK, or use Main mode, or both.

          --
          Regards,
          Mick
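As an added example (not code from the original thread, ADTRAN or Shrew Soft), the following Python check parses a Shrew Soft site file in the `n:`/`s:`/`b:` key:value format shown above and compares its IKE/IPsec parameters with the values from `crypto ike policy 300`, the transform set and `crypto map VPN 3` in mick's reply, so a mismatch can be found before a failed negotiation has to be debugged from logs. The embedded site text, the `NETVANTA` dictionary and the function names are constructed assumptions for this example.

```python
import ipaddress
# Constructed from the site file posted above; the '#...' annotations are dropped by the parser.
SHREW_SITE = """\
n:phase1-dhgroup:5
n:phase1-keylen:256
n:phase2-keylen:256
s:network-host:AAA.BB.CCC.DD  #Set the public IP address of 3448 here
s:auth-method:mutual-psk-xauth
s:ident-client-data:remote@remote_client.com
s:phase1-exchange:aggressive
s:phase1-cipher:aes
s:phase2-transform:esp-aes
s:phase2-hmac:sha1
n:phase2-pfsgroup:5
s:policy-list-include:10.10.3.0 / 255.255.255.0
"""
# NetVanta side, transcribed from 'crypto ike policy 300', the transform set and 'crypto map VPN 3'.
NETVANTA = {"local_id": "AAA.BB.CCC.DD", "remote_id": "remote@remote_client.com",
            "ike_encryption": "aes-256-cbc", "dh_group": 5, "pfs_group": 5,
            "transform": "esp-aes-256-cbc esp-sha-hmac", "selector": "10.10.3.0/24"}
ESP_HMAC = {"sha1": "esp-sha-hmac", "md5": "esp-md5-hmac"}  # Shrew hash name -> AOS transform name

def parse_shrew_site(text):
    """Parse 'type:key:value' lines; 'n:' values become int, 's:'/'b:' values stay strings."""
    site = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            kind, key, value = line.split(":", 2)
            site[key] = int(value) if kind == "n" else value
    return site

def check_against_netvanta(site, nv):
    """Return the names of parameters on which the Shrew site disagrees with the NetVanta side."""
    cipher = f"{site['phase1-cipher']}-{site['phase1-keylen']}-cbc"
    transform = f"{site['phase2-transform']}-{site['phase2-keylen']}-cbc {ESP_HMAC[site['phase2-hmac']]}"
    # Shrew writes 'net / mask'; normalise to prefix form to compare with the selector ACL.
    selector = str(ipaddress.ip_network("".join(site["policy-list-include"].split())))
    pairs = {"peer address": (site["network-host"], nv["local_id"]),
             "client identity": (site["ident-client-data"], nv["remote_id"]),
             "IKE cipher": (cipher, nv["ike_encryption"]),
             "DH group": (site["phase1-dhgroup"], nv["dh_group"]),
             "IPsec transform": (transform, nv["transform"]),
             "PFS group": (site["phase2-pfsgroup"], nv["pfs_group"]),
             "VLAN 3 selector": (selector, nv["selector"])}
    return [name for name, (client, server) in pairs.items() if client != server]

def risk_findings(site):
    """Flag the aggressive-mode-with-PSK combination the reply's NOTE warns about."""
    if site.get("phase1-exchange") == "aggressive" and "psk" in site.get("auth-method", ""):
        return ["aggressive mode with PSK: prefer main mode and/or certificates"]
    return []
```

Run `check_against_netvanta(parse_shrew_site(SHREW_SITE), NETVANTA)`; an empty list means both sides propose the same parameters, and `risk_findings` separately reports the aggressive-mode/PSK combination.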