Friday, 17 January 2014

[Lab] Setup and Configure Cisco 1841 Router VPN Remote Client Access with PPTP



In this exercise, we are going to setup and configure VPN tunnel for client machine to remote into private network KSN over the internet.

What we will be using during the exercise:
  • Cisco Router 1841
  • IOS c1841-adventerprisek9-mz Release 15.0
  • Home broadband router
  • Remote machine
  • Local machine (optional)
  • Some CAT5e cables
  • Your basic knowledge of networking (IP address, Cisco command line, Windows)
What we will be learning in this exercise:
  • AAA (Authentication, Authorization and Accounting)
  • VPN Tunneling
  • Encryption Security
  • Virtual session interface for remote clients
  • VPN pool address
  • Packets routing (small)
  • Port Forwarding
  • VPN setup on Remote machine

What we will be testing before put it on to a live network:
  • Basic ping tests - Interface link status.
  • Local traffic tests - Routing between broadband router and Cisco router.
  • Local VPN - Test machine with a  different network IP address and VPN to Cisco router.
  • Internet connection and VPN - Remote machine's internet connection once it's in the VPN.
  • Double check the router's configuration (look for duplicate if you planning to setup VPN on your existing Cisco router).
Final step, it's time to plug your setup to your live network!
  • Setup port forwarding for PPTP VPN port number 1723 TCP on the broadband router (BT Home hub)
  • Change Cisco router's interface IP address for the same network. 
  • Configure default route on Cisco router.
  • Ensure all the nodes can ping each on the network.
  • Find out your broadband router external IP address given by ISP. 
Little bit more explanation before we diving into the fun part ;) so we know what we are doing!

Before all entering all the configurations on Cisco router, we need to know what are those commands are atcually going to perform on the network from the router, its no good that if I just give you out the Cisco Configuration file and copy it to your environment. Yes, it may work but if anything goes wrong and you would not have a clue what is causing it!

Like I said, my plan is to build a VPN network within the LAN first and then once we have successed then it's pretty much plug-and-play after! The biggest reason of building a LAN first is because it is much easier to troubleshoot if connections occured, for example: On a real live network if VPN connection cannot be established, there are many things you need to look at and it can be overwhelming because you pretty much need to know how your network works, and basically more troubleshooting steps you will need to take in order to diagnosed the problem.

I will try cut out the junks and explain the important things when going through the setup. Let's start!

Physically connect the devices up with appropriate media:
PC1 -> Router 1 Console port via Console cable
PC2 -> Router 1 Fa0/1 port via Straight-through CAT5e cable
DSL Modem -> Router 1 Fa0/0 port via Straight-through CAT5e cable

VPN Local Area Network Lab
Your lab now should look like above diagram.

Go to PC1 and use console port to open a session to access Cisco router. (If the router protected by Cisco and you do not know it, then I will suggest you to read this article to reset the router back to factory default state)

Perform interface's IP address configuration to your devices according to the IP Address table below:



Device
Interface
IP Address
Subnet
Default Gateway
BT Broadband Router
Dailer1
109.152.115.101
-


Fa0/0
192.168.1.254
255.255.255.0
109.152.115.101
Cisco 1841 Router
Fa0/0
192.168.1.253
255.255.255.0


Fa0/1
10.10.10.1
255.255.255.0
-
PC1
Console & Fa
10.10.10.2
255.255.255.0
10.10.10.1
PC2
Fa
192.168.1.2
255.255.255.0
192.168.1.253

VPN - Test 1


Now perform a basic ping test to check if interfaces on each devices are up and working. From Cisco router to PC2 (10.10.10.2) and BT Broadband router (192.168.1.254).

Ping test PC2


Ping test BT Broadband Router



Once all the device's interface have connectivity to each other, now it's time to implement the magic commands to the Cisco router!

hostname Router
!
!
ip cef
no ipv6 cef
!
vpdn enable
!
vpdn-group KNS-VPN
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel timeout no-session 15
!
crypto pki token default removal timeout 0
!
!
username ket password 0 cisco123
!
!
controller E1 0/0/0
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 duplex auto
 speed auto
 Shutdown
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool defaultpool
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap
!
ip local pool defaultpool 192.168.1.10 192.168.1.20
!
ip route 0.0.0.0 0.0.0.0 192.168.1.254

Setting up Cisco Router's VPN and Explain some boring stuff:

Enabling the VPDN (Virtual Private Dialup Network) Layer 2 Tunneling Protocol (L2TP) for ISDN and analog dialin calls. There is no AAA (Authentication, Authorisation, and Accounting) involved in this setup.

As we will be using L2TP and PPTP for our basic VPN setup.

L2TP is created by the two best  protocol:
  • L2F - Cisco Layer 2 Forwarding
  • PPTP - Microsoft Point-to-Point Tunneling Protocol
So to enable VPDN we type the following statement in global configuration mode:
vpdn enable
Once you have enabled, now we need to create a group and defines the paramaters for the various aspects of PPTP connection:
vpdn-group KNS-VPN
 -accept-dialin
  -protocol pptp
  -virtual-template 1
  -l2tp tunnel timeout no-session 15
vpdn-group KNS-VPN command is to setup a group with a group name called "KNS-VPN".
accept-dialin command is to tell the router is accepting dialin connection from external network.
Now you can specify what protocol you want to use, in this case is "protocol pptp" command is specified.

Virtual-template 1 command is for creating a virtual interface, what I remember I think you can create up to 200 virtual interfaces.

Next up, we will need to bind the virtual interface to a real interface, this means the pptp effectively get binds to the real interface as well.

We will need to bind an ip pool which contains IP addresses that will be distributed to VPN users. We will create the IP pool later on.

For PPP (Point-to-Point) encryption we will use MPPE (Microsoft Point-to-Point Encryption) for end to end security data encryption instead of just authenticate the link. Setting it auto allow the device to choose 40-bit or 128-bit key size to have a better comparability. It uses RC4 cipher for encryption if your curious.

In this case we need to specify an authentication method, I would recommend to use ms-chap, ms-chap-v2 over pap as we know that PAP uses plan-text authentication and while CHAPs uses MD5
For more info about PAP, CHAP, CHAP and MPPE look at this website.

interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool defaultpool
 no keepalive
 ppp encrypt mppe auto
 ppp authentication chap ms-chap
We know need to create a pool and assign a range of IP address to it. Make sure this part you have the same network address as the interface's, as with the appropriate range.
ip local pool defaultpool 192.168.1.10 192.168.1.15
Last step is to create a user account for remote client to use it to authenticate them-self with the Cisco router VPN server.
username ket password 0 cisco123
Finally, the user will need to setup a VPN connection with the details mentioned above to successfully connect to the VPN. So how do you do this?

Windows Remote Client Machine Setup

For Windows 7/8 users:

Go to Control Panel, Network and Sharing Center and click on "Set up a new connection or network".


Select "Connect to a workplace" and Next.


Select "Use my Internet connection (VPN)" and Next.


Now type in the R1 interface's IP address 10.10.10.1 and give it a name, then click create.




Now you should have an extra icon on your "Network Connections" window along with the computer's network adapters.


One more step to finish the setup is to configure it with the right settings.

Right click the connection and click properties.

Go to Security tap, and we need to change the "Type of VPN" to Point to Point Tunneling Protocol (PPTP).

Select Allow these protocols, and tick CHAP and CHAP Version 2.


Those settings will then match the VPN connection what we have set in the Cisco router and grant us the access to internal network and resources.

NOTE: Somethings you might want to check on the remote client machine's side such as, IP addressing to your broadband gateway, and the broadband router's ports opening. For example: If PPTP port weren't open then the remote client's machine PPTP trafffic would not get pass outside the broadband router.

VPN - Test 2 

Back in Test 1, we only briefly tested the local network with some ping tests. Now on Test 2, we will be testing a VPN internally, yes I know it sounds bit of crazy and what is the point of doing it?

My reasons are:
  • Testing locally allows me to get a feedback of how traffic flows. If everything were fine, then I know I am one step closer to finish my setup.
  • If you have troubles VPN in a internal network then something has gone wrong, e.g. client machines PC VPN setting and IP address, Cisco router configuration from interface's IP address, IP Pool address, Authentication details, VPN settings or even physical like cabling.

Testing time:

On PC1 (10.10.10.2) use the VPN connection we have just setup and try dial in to R1's Fa0/1 interface (10.10.10.1).

Type in the username "ket" and password "cisco123" then OK to connect.


Finger crossed, the VPN connection should say "Connected" if not! Please look through go through the Lab again and check if you have missed anything out.


You should now have a additional IP address (192.168.1.x) for your VPN connection.

To check the details see they are right, by right clicking the VPN connection, status and details.

The details window should provide you some good info e.g. internal IP address distrbuted by the Cisco Router's IP Pool address, what protocol has been used and authentication.


Final test you want to do is if you can ping the internal network devices or gateway, in this example I have done a simple ping test to the Cisco Internal IP address Fa0/0 (you could also try to ping PC2), this can proof that the remote client machine have connectivity to the internal device.


VPN Test 2 Completed.

Final Stage

What we need do now is to setup our lab to look like below topology.


In order to finish this lab, what we need to do is:
  • Access to BT HomeHub router
  • Set up port forwarding on BT HomeHub router
  • PPTP's Port number 1723
  • Assign the port forwarding to R1 Fa0/0 interface's IP address (192.168.1.253)
  • Configure VPN connection's IP address on PC2 
  • Ensure PC2 firewall is off or open PPTP's port 1723.
  • Set IP route on R1
Configure VPN connection's IP address on PC2
Getting the external IP address of BT HomeHub router 109.152.115.101. Go to PC1's internet explorer use "Whatsmyip.org" then webpage will return the IP address on top of the page. The otherway to do it is, connect or login to the broadband router's admin page and check the broadband information.

Once you have got the external IP address, write it down and go to PC2, change the VPN connection's IP Address from 10.10.10.1 to what ever the external IP address of your router is, and in my case 109.152.115.101.


If you have followed the guide until here, you should now be able to VPN in to the network!

I would recommend you to do ping tests to internal network device ensure that PC2 have connectivity to internal resources, as having access in internal resource is the whole point of having a VPN connection.

IP Route
You will need to issue this command IP route to tell all the packets to return back to the broadband router when packets gained access to the internal network. Without this command the packets does not know where to go, so 0.0.0.0 IP address and 0.0.0.0 subnet or quad zero's means that all data have unknown destination will be forwarded to 192.168.1.254 which is the BT homehub local IP address and then the BT HomeHub will handle the rest.
ip route 0.0.0.0 0.0.0.0 192.168.1.254
Source

Good and have fun!
Post a Comment

Ads Inside Post