Oh, Cisco.

I had the pleasure recently of configuring a VPN between two Cisco 800-series ADSL routers. No problem, I thought – I’m an experienced Network Engineer and I eat VPNs for breakfast; I’ve set up GRE tunnels for BGP mesh, L2TP/IPSec gateways, the lot. So, site-to-site VPN, crappy little Cisco routers, no problem; stand back everyone and watch how a pro does it, etc etc.

As it turns out, my VPN-configuration-skills-on-Cisco are a bit rusty. Three days later – having traded the outdated, incomplete and frankly wrong documentation on Cisco.com for the Whirlpool forums – I managed to get the following configuration-from-the-depths-of-hell working:

crypto keyring ipsec_tunnel
  pre-shared-key address 0.0.0.0 0.0.0.0 key ihavethesamecombinationonmyluggage
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp profile 1
   keyring ipsec_tunnel
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set 1 esp-aes esp-sha-hmac
!
crypto map 1 6000 ipsec-isakmp
 set peer 203.123.123.123
 set nat demux
 set transform-set 1
 match address 100
!
interface Dialer0
!! Dialer things here
 ip address 203.123.123.122 255.255.255.255
 crypto map 1
!
ip nat inside source list nat interface Dialer0 overload
!
ip access-list extended nat
 deny   ip any 10.2.0.0 0.0.255.255
 deny   ip any host 203.206.188.85
 deny   ip 10.2.0.0 0.0.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any log
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.2.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit ip 172.20.0.0 0.0.255.255 10.2.0.0 0.0.255.255

The other side of the link is basically a mirror image of this, with the peer and access-list 100 entries adjusted appropriately.

I should mention that this is IOS 12.4(15)T9, because it matters for IPSec. In 2013. I’d like to use IOS 15, because hey, it’s new and awesome or some crap, but nope: there’s a bug with the ADSL implementation in 15.1T so it won’t work with various Australian ADSL2+ connections. I could have kept trying 15.1M, 15.0T and so on until I found one that worked, but at that point I decided this was getting ridiculous and rolled back to 12.4.

Just for comparison, here’s the same IPSec configuration on OpenBSD, which I’ve dealt with a few times. I haven’t bothered to test this example, but I’m fairly confident it’ll work:

ike esp from 203.123.123.122 to 203.123.123.123 psk ihavethesamecombinationonmyluggage
ike esp from {10.0.0.0/8, 192.168.0.0/16, 172.20.0.0/16 } to 10.2.0.0/16 peer 203.123.123.123 psk ihavethesamecombinationonmyluggage

That’s right folks, two lines. No keyrings, no manual isakmp policy definitions, no stupid access-list definitions that were a great idea 20 years ago; just the configuration needed to get things working. Sure, if you want to you can write manual SA definitions, manual flows, or set up some funky crypto transform sets if you’re trying to interface with Windows 2000, but if you’re just linking two OpenBSD-based routers together it’s a couple of lines of config.
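Two things worth checking on the Cisco side before blaming the platform, as an added example that is not part of the original post. First, the NAT exemption: IOS translates an inside-to-outside packet before the crypto map is consulted, so if the `nat` access list permits traffic bound for the remote subnet, that traffic is NATed and never matches access-list 100; the tunnel comes up and nothing passes. The two `deny ... 10.2.0.0 0.0.255.255` lines in the post's `nat` ACL are what prevent that. Second, the mapping from crypto ACL to OpenBSD flows, which is exactly the "two lines" comparison above. The script below parses both ACLs (IPv4, `ip` entries only, wildcard masks treated as bit masks), walks the NAT ACL in first-match order for each crypto-ACL entry, and renders the crypto ACL as ipsec.conf `ike esp` lines. The sample ACLs are constructed from the post's configuration, with a second NAT ACL where the exemption lines are missing; the PSK and the peer address are placeholders. It does not inspect the keyring; note that `address 0.0.0.0 0.0.0.0` together with `match identity address 0.0.0.0` offers the same pre-shared key to any peer address, which is the usual pattern for dynamic peers but can be narrowed to the peer's address when, as here, it is static.

```python
"""Added example (not from the post): sanity-check a Cisco IOS site-to-site IPsec config of the
shape shown above, and render the same policy the way OpenBSD ipsec.conf expresses it."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

MASK32 = 0xFFFFFFFF
Spec = tuple[int, int]  # (address, wildcard) as ints; a wildcard bit of 1 means "don't care"

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec

def _parse_addr(tokens: list[str], i: int) -> tuple[Spec, int]:
    """Parse 'any', 'host X' or 'X WILDCARD' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, MASK32), i + 1
    if tokens[i] == "host":
        return (int(IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2

def parse_acl(text: str) -> list[Ace]:
    """Parse 'permit|deny ip SRC DST' lines in numbered or named-ACL style; other lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "access-list":  # numbered style: drop 'access-list 100'
            tokens = tokens[2:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)  # trailing keywords such as 'log' are ignored
        aces.append(Ace(tokens[0], src, dst))
    return aces

def overlaps(a: Spec, b: Spec) -> bool:
    """Two specs share an address iff they agree on every bit that both of them care about."""
    return ((a[0] ^ b[0]) & ~(a[1] | b[1]) & MASK32) == 0

def contains(outer: Spec, inner: Spec) -> bool:
    """Every address matched by inner is also matched by outer."""
    return (inner[1] & ~outer[1] & MASK32) == 0 and ((outer[0] ^ inner[0]) & ~outer[1] & MASK32) == 0

def fmt(spec: Spec) -> str:  # back to IOS syntax, for messages
    return "any" if spec[1] == MASK32 else f"{IPv4Address(spec[0])} {IPv4Address(spec[1])}"

def cidr(spec: Spec) -> str:  # only a contiguous wildcard has a CIDR form
    addr, wc = spec
    assert not ((wc + 1) & wc), f"non-contiguous wildcard {fmt(spec)} has no CIDR form"
    return str(IPv4Network((addr, 32 - wc.bit_length()), strict=False))

def nat_exemption_problems(crypto_acl: str, nat_acl: str) -> list[str]:
    """IOS translates a packet before the crypto map sees it, so VPN traffic that the NAT ACL
    permits never matches the crypto ACL. For each crypto-ACL permit, find the first NAT-ACL
    entry that can match any of that traffic (ACLs are first-match) and report it unless it
    is a deny that covers the whole flow (or there is no match, i.e. the implicit deny)."""
    problems, nat = [], parse_acl(nat_acl)
    for ce in (a for a in parse_acl(crypto_acl) if a.action == "permit"):
        hit = next((n for n in nat if overlaps(n.src, ce.src) and overlaps(n.dst, ce.dst)), None)
        if hit is None or (hit.action == "deny" and contains(hit.src, ce.src) and contains(hit.dst, ce.dst)):
            continue
        what = "NAT applies to" if hit.action == "permit" else "only part of the flow is exempted for"
        problems.append(f"{what} VPN traffic {fmt(ce.src)} -> {fmt(ce.dst)}: first NAT-ACL match is "
                        f"'{hit.action} ip {fmt(hit.src)} {fmt(hit.dst)}'")
    return problems

def openbsd_flows(crypto_acl: str, peer: str, psk: str) -> list[str]:
    """Render the crypto ACL as ipsec.conf 'ike esp' lines, one per remote network."""
    by_dst: dict[str, list[str]] = {}
    for ce in (a for a in parse_acl(crypto_acl) if a.action == "permit"):
        by_dst.setdefault(cidr(ce.dst), []).append(cidr(ce.src))
    return [f"ike esp from {{{', '.join(srcs)}}} to {dst} peer {peer} psk {psk}"
            for dst, srcs in by_dst.items()]

# Constructed samples following the post's configuration; the PSK below is a placeholder.
CRYPTO_ACL = """
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.2.0.0 0.0.255.255
access-list 100 permit ip 192.168.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 100 permit ip 172.20.0.0 0.0.255.255 10.2.0.0 0.0.255.255
"""
NAT_ACL = """
 deny   ip any 10.2.0.0 0.0.255.255
 deny   ip 10.2.0.0 0.0.255.255 any
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any log
"""
# The same ACL with the two exemption lines forgotten: "tunnel comes up, nothing passes".
NAT_ACL_NO_EXEMPT = """
 permit ip 192.168.0.0 0.0.255.255 any
 permit ip 10.0.0.0 0.255.255.255 any
 deny   ip any any log
"""

if __name__ == "__main__":
    print(nat_exemption_problems(CRYPTO_ACL, NAT_ACL))            # []
    print(nat_exemption_problems(CRYPTO_ACL, NAT_ACL_NO_EXEMPT))  # two findings
    print(openbsd_flows(CRYPTO_ACL, "203.123.123.123", "PSK-PLACEHOLDER"))
```

The overlap and containment tests work on the wildcard bits directly, so they are correct for the non-contiguous masks IOS allows, not just for prefixes; only the OpenBSD rendering needs contiguous masks, because ipsec.conf speaks CIDR. A deny that matches the flow only partially is reported rather than analysed further, since a later entry might still catch the rest and that is quicker to confirm by eye than to model.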

I guess all I have to say here is Cisco: the 90s called and they want their routers back. Sure, sometimes I might want to manually adjust things to deal with some broken implementation, but 99% of the time I really don’t care. Get some sane defaults happening! Sheesh ;)
