Saturday, January 1, 2011

Remote Access SSL VPN and DDNS setup

My environment: IOS 15.1(3)T on ISR 892

I have been spending quite a lot of time on the road, and it is much more convenient to have a way to remotely access my home network. In my home network I have set up SSL VPN for remote access, as well as DDNS, since I don't have a fixed IP address for my home internet connection.

1. You can register an account at dyndns.org to get your own DDNS hostname.

2. Then configure the DDNS update method on the router; whenever the interface address changes, the router will update dyndns.org automatically.

ip ddns update method DynDNS
 HTTP
  add http://pandausername:pandapassword@members.dyndns.org/nic/update?system=dyndns&hostname=panda.dyndns.org&myip=<a>
  remove http://pandausername:pandapassword@members.dyndns.org/nic/update?system=dyndns&hostname=panda.dyndns.org&myip=<a>
 interval maximum 1 0 0 0

3. Under your internet-facing interface, configure the following commands:

ip ddns update hostname panda.dyndns.org
ip ddns update DynDNS host members.dyndns.org
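To make the update mechanism in steps 2 and 3 concrete, here is a small reference client for the DynDNS "nic/update" request. This is an added example written for this post, not the router's code or anything from dyndns.org: it expands the IOS-style `<a>` (interface address) and `<h>` (hostname) tokens the way the router does before sending, moves the `user:password@` part of the URL into an HTTP Basic Authorization header over HTTPS instead of a cleartext URL, and interprets the one-word status the service returns so a monitoring script can tell a successful update from a rejected one. The credentials, hostname and addresses are constructed placeholders; the request is built but never sent, so it runs offline.

```python
import base64
import urllib.parse
import urllib.request
from typing import Tuple

# Constructed placeholder credentials and hostname, in the same shape as the
# router's 'add' URL.  IOS replaces <a> with the interface address and <h>
# with the configured hostname when the update fires.
UPDATE_TEMPLATE = ("http://pandausername:pandapassword@members.dyndns.org"
                   "/nic/update?system=dyndns&hostname=panda.dyndns.org&myip=<a>")

# Status words returned by the DynDNS update API: (meaning, retryable later).
RETURN_CODES = {
    "good":    ("update accepted", False),
    "nochg":   ("address unchanged; do not resend the same value", False),
    "badauth": ("username or password rejected", False),
    "notfqdn": ("hostname is not a fully qualified domain name", False),
    "nohost":  ("hostname does not exist under this account", False),
    "abuse":   ("hostname blocked for abuse; stop updating", False),
    "dnserr":  ("DNS error on the server side; retry later", True),
    "911":     ("server-side problem; retry later", True),
}


def expand_placeholders(template: str, address: str, hostname: str) -> str:
    """Expand the IOS-style <a> and <h> tokens in an update URL."""
    return template.replace("<a>", address).replace("<h>", hostname)


def build_update_request(template: str, address: str,
                         hostname: str) -> urllib.request.Request:
    """Build (but do not send) the update request.

    The user:password@ part of the router-style URL is moved into an HTTP
    Basic Authorization header and the scheme is forced to https, so the
    credentials are not carried in a cleartext URL."""
    url = expand_placeholders(template, address, hostname)
    parts = urllib.parse.urlsplit(url)
    if not parts.username or not parts.password:
        raise ValueError("update URL must embed user:password@")
    netloc = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    clean = urllib.parse.urlunsplit(("https", netloc, parts.path, parts.query, ""))
    token = base64.b64encode(f"{parts.username}:{parts.password}".encode()).decode()
    req = urllib.request.Request(clean, method="GET")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("User-Agent", "example-ddns-client/1.0")  # constructed UA string
    return req


def parse_update_response(body: str) -> Tuple[str, str, bool]:
    """Interpret a response line such as 'good 203.0.113.7'.

    Returns (code, meaning, retryable).  Unknown codes count as a permanent
    failure so a polling script does not keep hammering the service."""
    words = body.strip().split()
    code = words[0] if words else ""
    meaning, retryable = RETURN_CODES.get(code, ("unrecognised response", False))
    return code, meaning, retryable


if __name__ == "__main__":
    req = build_update_request(UPDATE_TEMPLATE, "203.0.113.7", "panda.dyndns.org")
    print(req.full_url)
    for sample in ("good 203.0.113.7", "nochg 203.0.113.7", "badauth", "911"):
        print(sample, "->", parse_update_response(sample))
```

One practical note when typing the template into the IOS CLI: the `?` in the query string has to be preceded by Ctrl-V, otherwise the CLI treats it as the help key and the rest of the URL is lost.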

4. This is the webvpn configuration of my router; you can modify it for your own setup:

ip local pool vpn-pool 192.168.20.205 192.168.20.215
!
webvpn gateway panda.dyndns.org
 ip address 1.2.3.4 port 443
 ssl trustpoint TP-self-signed-3650870944
 logging enable
 inservice
!
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.3.2016-k9.pkg.zip sequence 2
!
webvpn context panda-context
 ssl authenticate verify all
 !
 login-message "Welcome to Panda's home"
 !
 policy group panda-group
   functions svc-enabled
   banner "Login Successful"
   svc address-pool "vpn-pool"
   svc default-domain "panda.com"
   svc keep-client-installed
   svc rekey method new-tunnel
   svc split include 192.168.20.0 255.255.252.0
   svc dns-server primary 3.4.5.6
 default-group-policy panda-group
 gateway panda.dyndns.org
 inservice

svc split is the split-tunnel configuration; it inserts specific routes into the client's routing table. svc split include means that only the listed route is pushed to the client; all other traffic, including the default route, follows the client's own routing table.
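To show what the split-include line above actually does on the client side, here is an added example (written for this post, not Cisco's or AnyConnect's code) that parses `svc split include NETWORK MASK` lines into the routes pushed to the client, decides for any destination whether it goes into the tunnel or stays with the client's own routing table, checks that the addresses handed out by the local pool fall inside the pushed routes, and flags a network/mask pair whose host bits are set. It uses the network and pool from the configuration above together with constructed test destinations.

```python
import ipaddress
from typing import List, Optional


def check_split_line(line: str) -> Optional[str]:
    """Validate one 'NETWORK MASK' pair; return an error message or None.

    Host bits set under the mask (e.g. 192.168.21.0 255.255.252.0) mean the
    network and mask do not describe the range the author intended."""
    parts = line.split()
    if len(parts) != 2:
        return f"expected 'NETWORK MASK', got {line!r}"
    try:
        ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=True)
    except ValueError as exc:
        return str(exc)
    return None


def include_routes(split_lines: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse the 'svc split include' lines into the routes pushed to the client."""
    routes = []
    for line in split_lines:
        problem = check_split_line(line)
        if problem:
            raise ValueError(problem)
        net, mask = line.split()
        routes.append(ipaddress.IPv4Network(f"{net}/{mask}"))
    return routes


def route_for(dest: str, routes: List[ipaddress.IPv4Network]) -> str:
    """'tunnel' if dest falls in a pushed route, otherwise 'local'
    (the client's own routing table, default route included)."""
    addr = ipaddress.IPv4Address(dest)
    return "tunnel" if any(addr in r for r in routes) else "local"


def pool_inside_routes(first: str, last: str,
                       routes: List[ipaddress.IPv4Network]) -> bool:
    """True if every address in the ip local pool range is inside a pushed
    route, so traffic to other VPN clients' addresses enters the tunnel
    instead of being routed locally."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return all(route_for(str(ipaddress.IPv4Address(n)), routes) == "tunnel"
               for n in range(lo, hi + 1))


def covered_range(routes: List[ipaddress.IPv4Network]):
    """First and last address each pushed route covers; this shows how much a
    mask like 255.255.252.0 pulls into the tunnel beyond the /24 LAN."""
    return [(str(r.network_address), str(r.broadcast_address)) for r in routes]


if __name__ == "__main__":
    routes = include_routes(["192.168.20.0 255.255.252.0"])  # line from the config above
    print(covered_range(routes))
    for dest in ("192.168.20.10", "192.168.23.1", "192.168.24.1", "198.51.100.5"):
        print(dest, "->", route_for(dest, routes))
    print("pool covered:", pool_inside_routes("192.168.20.205", "192.168.20.215", routes))
```

Running it shows that 192.168.20.0 255.255.252.0 is a /22 covering 192.168.20.0 through 192.168.23.255, so the client tunnels three more /24s than the LAN the pool lives in; everything outside that block, internet traffic included, leaves the client's own interface.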

5. Then you can use the AnyConnect client to remotely access the network in full tunnel mode.
