Oh, Cisco.

I had the pleasure recently of configuring a VPN between two Cisco 800-series ADSL routers. No problem, I thought – I’m an experienced Network Engineer and I eat VPNs for breakfast; I’ve set up GRE tunnels for BGP mesh, L2TP/IPSec gateways, the lot. So, site-to-site VPN, crappy little Cisco routers, no problem; stand back everyone and watch how a pro does it, etc etc.

As it turns out, my VPN-configuration-skills-on-Cisco are a bit rusty. Three days later – having traded the outdated, incomplete and frankly wrong documentation on Cisco.com for the Whirlpool forums – I managed to get the following configuration-from-the-depths-of-hell working:

crypto keyring ipsec_tunnel
  pre-shared-key address key ihavethesamecombinationonmyluggage
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp profile 1
   keyring ipsec_tunnel
   match identity address
crypto ipsec transform-set 1 esp-aes esp-sha-hmac
crypto map 1 6000 ipsec-isakmp
 set peer
 set nat demux
 set transform-set 1
 match address 100
interface Dialer0
!! Dialer things here
 ip address
 crypto map 1
ip nat inside source list nat interface Dialer0 overload
ip access-list extended nat
 deny   ip any
 deny   ip any host
 deny   ip any
 permit ip any
 permit ip any
 deny   ip any any log
access-list 100 permit ip
access-list 100 permit ip
access-list 100 permit ip

The other side of the link is basically a mirror image of this, with the peer and access-list 100 entries adjusted appropriately.

I should mention that this is IOS 12.4(15)T9, because it matters for IPSec. In 2013. I’d like to use IOS 15, because hey it’s new and awesome or some crap but nope: there’s a bug with the ADSL implementation in 15.1T so it won’t work with various Australian ADSL2+ connections. I’d start trying 15.1M, 15.0T until I found one that worked but at that point I decided this was getting ridiculous and rolled back to 12.4.

Just for comparison, here’s the same IPSec configuration on OpenBSD, which I’ve dealt with a few times. I haven’t bothered to test this example, but I’m fairly confident it’ll work:

ike esp from to psk ihavethesamecombinationonmyluggage
ike esp from {,, } to peer psk ihavethesamecombinationonmyluggage

That’s right folks, two lines. No keyrings, manual definition of isakmp policies, stupid access lists definitions that were a great idea 20 years ago, just the necessary configuration to get things working. Sure, if you want to you can write manual SA definitions, manual flows, set up some funky crypto transform sets if you’re trying to interface with Windows 2000 but if you’re just linking two OpenBSD-based routers together it’s a couple of lines of config.

I guess all I have to say here is Cisco: the 90s called and they want their routers back. Sure, sometimes I might want to manually adjust things to deal with some broken implementation, but 99% of the time I really don’t care. Get some sane defaults happening! Sheesh ;)


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s