Route My World!

A CCNA/CCNP Blog

Fan Mail ;)

Posted by Aragoen Celtdra on August 25th, 2008

I was just responding to a recent comment regarding some VPN-related stuff I was doing, and my response got so long that I thought I might as well turn it into an update post. The comment was:

Steve Says:
Have you labbed DMVPN yet? I wonder what the requirements would be to choose a DMVPN design over IPsec/GRE tunnels in an HA state. I am faced with a work-related scenario (up to 100 remote sites and two data centers) and ponder which would be the best solution while keeping it simple at the same time.

As far as labbing up DMVPN, I have not had the chance to do so. I have read a lot about it, though ;) We have four sites (a stark contrast to your 100 remote sites) that are currently configured for DMVPN right now. Three other sites are using IPsec/GRE tunneling.

I wish I could speak a lot more intelligently about the subject, but I am still learning. The past 3 weeks have been so much more educational for me, as I’ve gotten so much more exposure to the network here at my workplace. I’ve been given complete access to all our routers to run any show commands I wish - almost a voyeuristic peek at someone’s network configuration and setup. As such, I was able to relate everything I’ve learned so far to how things are put together under the hood (routing tables, config syntax, etc.). It is pretty exciting to finally be given that opportunity.

Last week, my boss gave me a project to try to figure out how to set up a Client VPN on a Cisco PIX. I’m excited to report that I have been successful in configuring the ISAKMP/IPsec settings, so that I am now able to create a tunnel between a host computer anywhere on the internet and our PIX located in our main office. I was also able to configure split tunneling, so I can now connect to the VPN and have internet access at the same time (whereas before, the internet was inaccessible when I connected through the VPN). Now if I could only figure out what is wrong with the routing so that I can access the internal LAN, that would be awesome ;)

Learning how to configure all this stuff on my own takes a lot of perseverance and dedication - just like studying for a cert. Oftentimes, I find myself still reading documentation and trying out different configs until 2 in the morning. I did find, however, that the kind of perseverance required to get these things done is fueled by one’s desire to really learn this stuff. As a result, I didn’t have to force myself to be up so late in the evening configuring a device. I genuinely enjoy it, and as such, it doesn’t feel like a burden. Sometimes you want so badly to see things work that you don’t even notice how long you’ve been at it. And I think that’s what I love about this profession. There is a certain element to it that, when you get it going, gives you the pleasure of knowing that you built that, or you configured that. Whatever it is that makes things work and makes them communicate underneath has your footprints embedded in it.

I’m really excited for more. After this Client VPN project is done, my boss wants me to configure all the routers in our remote offices to connect to our PIX and set up a site-to-site VPN. I will not be using a DMVPN solution, and I will not be using the Cisco IOS (router)-based solution that I’ve read all about in the past weeks. But whatever solution I use, it is going to be a worthwhile experience, because this will only help me towards becoming the real network engineer that I’ve been wanting to be.

9 Responses to “Fan Mail ;)”

  1. Barry Says:

    Does your internal router behind the firewall know how to get back to your client vpn pool?

  2. Aragoen Celtdra Says:

    Good question, Barry! Your question assumes that our router is behind the firewall, which I think is the typical setup, right?

    However, the way ours is set up is that the router is connected to the outside world and traffic is passed to the PIX, and the PIX is connected to a Catalyst 4500 where the rest of the local network resides.

    I’ll try to get a diagram so you get a better picture of the scenario.

  3. suffah Says:

    Hey, that’s awesome.  I’m glad your work is letting you do all this.  Nothing beats hands on experience, and I’m sure it is providing even more motivation for studying.

    I’m actually in the exact opposite situation at work now and I have taken some drastic actions to get things moving in the right direction.  I really need to update the blog!

  4. Barry Says:

    I should have stated it as:

    Does your internal ‘routing device’ behind the firewall know how to get back to your client vpn pool?

  5. Aragoen Celtdra Says:

    Barry: You are a genius! I kid you not, I’ve been on this same problem for 5 days and I’m about to pull my hair out from frustration, going over hundreds of pages of documentation trying to figure out if I misconfigured something on the PIX, left out a command or two, or just plain suck at this thing. It turns out it was the routing on the “inside router”.
    As soon as I saw your tip, I looked in and realized that there is nothing in the routing table that tells the rest of the network how to get back to the pool. Once I configured a static route (temporary fix), “ip route 10.100.196.0 255.255.255.0 10.100.194.4”, to test the theory, then Bam! It was like Christmas as soon as I saw the “received” counter on the VPN Client stats start ticking away. And sure enough, I was able to browse our internal network. Imagine the joy and elation on my part.
    Many thanks for your simple tip. If you’re ever in SoCal, Inland Empire area, I’ll take you out to a nice meal and discuss technology ;)

    Suffah: Yeah, I’m really glad that this opportunity landed on my lap. You’re right, it is an extra motivation to keep studying. And the great thing is that the studying is very interactive in that what I’m actually studying is something I’m able to apply in the real world right away. Sure, I’ve put some of my BSCI studies on the side in favor of learning about VPNs. But I still am using a lot of what I’ve been learning about routing and general IOS concepts.

    Funny thing is, for the past 6 months I’ve been trying to find a way to “get things moving in the right direction”, as you put it. I’ve been at my present company for 2 years and the most challenging thing I’ve done so far is change the toner on our laser printers - a little bit of hyperbole, but you get the point. I’ve seriously considered finding a job that pays much less if it meant I would get the opportunity to work on any part of a network. This opportunity couldn’t have come at a better time.

    And yeah, you need to update! :D
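The return-route problem Barry points to in the thread above, and the client VPN / split-tunnel setup described in the post, as an added configuration example that is not from the original post or its comments. The PIX hands the VPN client an address from its pool (10.100.196.0/24 in the thread), decrypts the client's packets and forwards them inside, but the reply from an internal host goes to that host's default gateway. If the inside routing device has no route for the pool, the reply follows its default route instead of going back to the PIX, and the client's "received" counter never moves. The static route and the next hop 10.100.194.4 are the ones quoted in the thread; 10.100.194.4 being the PIX inside interface, the 10.100.0.0/16 inside range, the pool bounds, the ACL and vpngroup names, and the PIX 6.x syntax are all assumptions.

```cisco
! --- Inside routing device (Catalyst 4500 or inside router) ---
! Static return route for the VPN client pool. Next hop is assumed to be
! the PIX inside interface; the thread only gives it as 10.100.194.4.
ip route 10.100.196.0 255.255.255.0 10.100.194.4
!
! Check: a lookup for any pool address must resolve via the PIX,
! not fall through to the default route.
show ip route 10.100.196.10
!
! --- PIX (6.x syntax, assumed) ---
! The pool clients are assigned from. The PIX owns it, so the PIX
! itself needs no route for it; only the inside device does.
ip local pool VPNPOOL 10.100.196.1-10.100.196.254
!
! Exempt inside <-> pool traffic from NAT (inside range is assumed).
! Without this the return packets are translated and never match
! the tunnel, even with the route above in place.
access-list NONAT permit ip 10.100.0.0 255.255.0.0 10.100.196.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Split tunnel: only the inside range rides the tunnel; everything
! else leaves the client's own internet connection directly.
access-list SPLIT permit ip 10.100.0.0 255.255.0.0 10.100.196.0 255.255.255.0
vpngroup REMOTE address-pool VPNPOOL
vpngroup REMOTE split-tunnel SPLIT
!
! Let decrypted IPsec traffic bypass the outside interface ACL.
sysopt connection permit-ipsec
```

The static route is the quick fix the thread settles on; on a larger network the same effect is usually had by advertising the pool from the firewall (or a route pointing at it) in the IGP, so that every inside hop, not just the one gateway, knows the way back.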

  6. Barry Says:

    Glad the tip worked, I run into the same problem myself from time to time, DOH!

    Wow, when you said you were in SoCal I didn’t realize you were out in the Inland Empire area. I was actually going to ask where you play b-ball. As for me, I live up in the Stevenson Ranch area, work in Burbank, and play ball everywhere (i.e. Santa Monica, West Covina, Calabasas, etc.). I have a client out your way though, so if and when they require my physical presence, I’ll be sure to hit you up when I’m in your neck of the woods.

  7. Update « Cisco Fun Says:

    [...] since I’ve posted (not like I had many posts to start with, hehe), but Aragoen’s recent entry spurred me to write [...]

  8. Carl Says:

    Hey buddy, I remember there is a great post about DMVPN by Petr Lapukhov. Hope this adds some info…

    http://blog.internetworkexpert.com/2008/08/02/dmvpn-explained/

  9. Aragoen Celtdra Says:

    Barry: Man! That’s really cool that you’re a SoCal local ;) Good to know that you’re a baller too. You do get around everywhere! You pretty much got the whole LA area covered from East to West. Definitely let me know when you’re around the IE area. I work in Ontario, CA but mostly hang out from inland down South to Orange County and anything in between. I’m rarely over to the West although I used to live in L.A. proper when I was with my parents. They still live there so I come by from time to time.

    Maybe one day we can play ball somewhere. Recently I’ve been playing in the Diamond Bar city league with some long-time church friends. We’ve played in Ontario city leagues as well, and other bball leagues around north Orange County (e.g. Anaheim, Yorba Linda, etc.).

    Carl: I appreciate the link. I did find that article a while back (in fact I wrote about it on another post ;) ) But I appreciate you lookin’ out.

    It’s kind of a bummer, though, that I might not get to implement it after all. My boss keeps changing his mind. We used to have it configured on our routers, and I was fortunate enough to see the configuration and analyze it. I did learn a pretty good amount - although it’s nothing close to mastery or even familiarity. I think I can recognize the configuration, though, if I see it again. When time permits, I definitely want to lab it up, especially since it piqued my interest tenfold when I first thought that I would get to help implement it.
