Connecting a Linksys WRV200 with a Cisco PIX 506e

My company uses a VOIP phone system, and has for about 2 years now.  Recently, we hired someone who will work out of her home in Minnesota.  Although we already have two full-time remote workers, I never had the time to explore extending our VOIP system over a router-to-router (or, in this case, router-to-firewall) VPN with a VOIP phone at the remote office.
 
That’s recently changed.
 
So, armed with the knowledge that this experiment has a lot of potential pitfalls, I began looking for an inexpensive wireless SOHO router that could VPN back to my PIX.  And, amazingly, there is one – the Linksys WRV200.  More info on that device here:
 
 
So I drove over to Best Buy, and picked one up for $99.99 plus tax.  Definitely affordable.
 
Now came the challenge – could the WRV200 negotiate an IPSec tunnel with my PIX?  I started scouring the web to see what other folks had done – and although I found lots of references to Linksys to PIX VPNs, not one was using the WRV200.
 
I gave it a shot anyway.
 
And, amazingly, it worked – both the VPN AND the VOIP phone.  Flawlessly.
So, if you’re in a similar situation, let me tell you what you need to do.
 
Assumptions:
  • You’re not using Cisco’s EasyVPN on your PIX as a client.  If you do so, you cannot also have your PIX be an IPSec VPN server.  I don’t know if you can have your PIX as an EasyVPN server and a standard IPSec VPN server, but I doubt it.  I’d avoid the EasyVPN technology altogether.  YMMV.
  • Remote internal IP address range: 192.168.0.0/24
  • Remote external IP address: dynamic
  • Home office internal IP address range:  10.0.0.0/24
  • Home office external IP address: static

General instructions:

On the PIX, create an access list that matches traffic from the remote router’s internal IP range (or from a specific host address, if you want to get that detailed) to your internal network (or to a specific host).  Using our assumptions, that would be:
 
access-list (insert a descriptive name here, like external_vpns) permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0
 
Now reference that access list in a nat 0 statement on the inside interface, so traffic matching it is exempted from NAT and goes into the tunnel with its real addresses:
nat (inside) 0 access-list external_vpns
 
Permit IPSec-protected traffic to bypass the interface access lists:
sysopt connection permit-ipsec
 
Set up your IPSec tunnel parameters:
Set up your transform set (how traffic will be encrypted and authenticated over the tunnel):
crypto ipsec transform-set (name your transform set here) esp-3des esp-md5-hmac
 
Associate your transform set with a dynamic map, because you have a dynamic IP on the remote end:
crypto dynamic-map (name your dynamic map here) 1 set transform-set (name of transform set from previous line)
 
Set up your crypto map to reference your dynamic map:
crypto map (name your crypto map here) 10 ipsec-isakmp dynamic (name of your dynamic map here)
 
Associate your crypto map to the outside interface, so traffic going to the remote peer will be encrypted:
crypto map (name of crypto map from the previous line) interface outside
Next, you’ll set up how the tunnel will get negotiated:
Enable IPSec tunnel negotiation on the outside interface:
isakmp enable outside
 
Set up your shared secret so the tunnel can be started from any remote address (remember, the remote address is dynamic):
isakmp key (put in a complex shared secret here) address 0.0.0.0 netmask 0.0.0.0
 
Set up the PIX to send its outside IP address as its identifier to the remote router.  This is necessary for the tunnel to negotiate with the WRV200:
isakmp identity address
 
Set up how the ISAKMP (phase 1) security association is negotiated (encryption, hash, DH group and lifetime).  This must match the VPN configuration on the WRV200:
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
That should be all that’s necessary on the Cisco PIX side.
 
So, on to the Linksys WRV200.
 
Login to the web interface, and set up the DHCP server to be the remote office’s IP range:

Under the Setup section, go to the Basic Setup tab and configure the LAN Setup section to use the remote office IP range, 192.168.0.0/24.

[Optional – I wanted my remote clients to be able to see my home office computers by name, so I added the home office DNS server as DNS IP Address 1 (e.g. 10.0.0.2), and the Linksys itself as DNS IP Address 2 (e.g. 192.168.0.1)]

Configure the VPN tunnel:
On the VPN tab, go to the IPSec VPN tab and configure a Tunnel Entry:
  • Select a tunnel (the first tunnel is Tunnel A)
  • Set the VPN Tunnel to be Enabled
  • Give the tunnel a name (e.g. ToHomeOffice)
  • If your home office PIX is NATted on the outside interface, you’ll need to enable NAT-Traversal – provided the device in front of your PIX will allow NAT-Traversal.  I didn’t have the problem, so you’ll need more info from elsewhere if you need to do this.
  • Set up the Local Secure Group to be your WRV200 router’s subnet (e.g. 192.168.0.0, 255.255.255.0), or the static address of the one remote host you want to traverse the tunnel.  If you choose a single host, make sure you assign that IP outside of the router’s DHCP scope!
  • Set up the Remote Secure Group to be your home office’s subnet (e.g. 10.0.0.0, 255.255.255.0).
  • Set up the Remote Secure Gateway to be the outside IP address of your PIX.
  • Set up Key Management to use the same methods as the PIX.  For the example above, that would be:
    • Key Exchange Method: Auto (IKE)
    • Operation Mode: Main
    • ISAKMP Encryption Method: 3DES
    • ISAKMP Authentication Method: SHA1
    • ISAKMP DH Group: Group 2: 1024-bits
    • ISAKMP Key Lifetime(s): 86400
    • PFS (Perfect Forward Secrecy): Enabled
    • IPSec Encryption Method: 3DES
    • IPSec Authentication: MD5
    • IPSec DH Group: Same as the ISAKMP
    • IPSec Key Lifetime(s): 3600
    • Pre-Shared Key: (Same as the complex shared secret in the PIX line that starts with isakmp key)
  • I enabled Dead Peer Detection to Recover Connection when it drops, as well as If IKE failed more than 5 times block this unauthorized IP for 60 seconds, and Anti-replay.
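
Because the isakmp policy on the PIX and the Key Management settings on the WRV200 have to agree field for field, here is a small checker I’ve added to this write-up (not code from the original post, and not Cisco or Linksys code) that translates the PIX lines into the WRV200’s vocabulary and reports any mismatch.  It assumes a single isakmp policy on the PIX; the sample config and settings are constructed from the values above, and the transform-set name wrv200set is made up.

```python
import re

# PIX 6.x lines as they would appear in "show running-config" (constructed sample).
PIX_CONFIG = """\
crypto ipsec transform-set wrv200set esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# The WRV200 "Key Management" fields as shown in its web UI (constructed sample).
WRV200 = {"ISAKMP Encryption Method": "3DES", "ISAKMP Authentication Method": "SHA1",
          "ISAKMP DH Group": "Group 2: 1024-bits", "ISAKMP Key Lifetime(s)": "86400",
          "IPSec Encryption Method": "3DES", "IPSec Authentication": "MD5"}

# PIX "isakmp policy" keywords -> WRV200 field names; PIX algorithm names -> WRV200 spelling.
ISAKMP = {"encryption": "ISAKMP Encryption Method", "hash": "ISAKMP Authentication Method",
          "group": "ISAKMP DH Group", "lifetime": "ISAKMP Key Lifetime(s)"}
NAMES = {"3des": "3DES", "des": "DES", "sha": "SHA1", "md5": "MD5",
         "esp-3des": "3DES", "esp-des": "DES", "esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1"}


def parse_pix(text):
    """Translate the PIX transform-set and (single) isakmp policy into WRV200 terms."""
    got = {}
    for line in text.splitlines():
        m = re.match(r"crypto ipsec transform-set \S+ (\S+) (\S+)", line)
        if m:  # phase 2: ESP encryption and ESP authentication
            got["IPSec Encryption Method"] = NAMES.get(m.group(1), m.group(1))
            got["IPSec Authentication"] = NAMES.get(m.group(2), m.group(2))
        m = re.match(r"isakmp policy \d+ (\w+) (\S+)", line)
        if m and m.group(1) in ISAKMP:  # phase 1: the IKE proposal
            key, val = m.groups()
            got[ISAKMP[key]] = "Group " + val if key == "group" else NAMES.get(val, val)
    return got


def mismatches(pix, wrv):
    """Fields where the two ends disagree; any hit means phase 1 or phase 2 will not complete."""
    bad = []
    for field, want in wrv.items():
        have = pix.get(field, "<missing>")
        # The WRV200 labels DH groups with their size ("Group 2: 1024-bits"); compare the number.
        if not (want.startswith(have) if field == "ISAKMP DH Group" else have == want):
            bad.append((field, have, want))
    return bad
```

Paste your own PIX lines into PIX_CONFIG and your own WRV200 fields into WRV200; an empty list from mismatches() means the proposals line up, and each tuple names the field, what the PIX offers and what the WRV200 expects.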

That’s it!  Now there are two ways to see what’s happening with your tunnel, and both are useful for troubleshooting:

On the PIX, at the console (or an SSH connection), do:

debug crypto ipsec
debug crypto isakmp

and watch the messages scroll by.

On the Linksys, under the VPN section, you can go to the VPN Summary tab and see the status of the tunnel.  You can dive deeper into the tunnel there as well, and see the errors in the VPN log.

Also, some commands to check the status of the tunnel on the PIX:
  • show crypto isakmp sa – view all current IKE security associations (SAs) at a peer.
  • show crypto ipsec sa – view the settings used by current security associations.
  • clear crypto isakmp sa – (from configuration mode) clear all active IKE connections.
  • clear crypto ipsec sa – (from configuration mode) delete all IPSec security associations.

Before deploying your remote router, I’d recommend going into the Administration section, under the Management tab, and setting up Remote Management of the router from the home office only, that is, from the external IP address of the PIX.

Also, if you use a VOIP phone on this router, you can set the port that the phone is plugged into to have higher priority than the rest of the ports.  Go to the QoS section, and to the Port-based QoS tab, and enable QoS.  Then set the port to have High Priority.

Hopefully this set of instructions helps at least one other person with the pain of setting up this type of VPN!

Once the tunnel is created, if everything is set up properly, traffic – including VOIP traffic – should flow fine.  You may need to set up your phone to communicate directly with the VOIP server, as typically the phone gets this info from the DHCP server – but it won’t in this case, because the DHCP server is now the WRV200.
 

This entry was posted in Computers and Internet.
