SunRays over Cisco VPN
One of the projects I have been working on lately (actually for a while, but I am finally going to get to test it over the internet this week) is using a SunRay over a VPN back to my office. Currently the SunRays at my house connect to the office over a dedicated 768K DSL link. This is OK for the two SunRays I have now, but I am trying to get the other staff in my group SunRays at their houses, and they don’t all have a dedicated DSL link. So I got a couple of Cisco 831 routers and am setting up a test VPN with them. If it works, everyone gets SunRays and VPN devices for their houses. For others who are trying to do the same thing, here is a very basic config for the server and the client. In these two configs we take the following for granted:
- The ISAKMP key is “cisco123”
- The Public IP address of the VPN server is going to be 192.168.100.1
- The Private IP address of the VPN server is going to be 10.145.1.2
- The IP address of the SunRay server is going to be 10.145.1.10
- The Public IP address of the VPN Client will be obtained from DHCP
- The Private IP address of the VPN Client will be 10.145.2.2
- Only traffic between the SunRay and the SunRay server is going to be permitted on the VPN
VPN client (house router) config:
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 192.168.100.1
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 192.168.100.1
set transform-set rtpset
match address 115
!
interface Ethernet0
ip address 10.145.2.2 255.255.255.0
ip helper-address 10.145.1.10
ip nat inside
ip virtual-reassembly
!
interface Ethernet1
description Wan Side
ip address dhcp client-id Ethernet1
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
duplex half
no cdp enable
crypto map rtp
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
!
ip nat inside source route-map nonat interface Ethernet1 overload
!
access-list 115 permit ip 10.145.2.0 0.0.0.255 10.145.1.0 0.0.0.255
access-list 115 deny ip 10.145.2.0 0.0.0.255 any
access-list 120 deny ip 10.145.2.0 0.0.0.255 10.145.1.0 0.0.0.255
access-list 120 permit ip 10.145.2.0 0.0.0.255 any
route-map nonat permit 10
match ip address 120
Some notes about the client config:
- We set the ip helper-address to the IP address of the SunRay server. This means we also need to add the remote network as a SunRay network on the SunRay server: /etc/networks needs to have the network defined, and then run:
/opt/SUNWut/sbin/utadm -A 10.145.2.0
- The other thing that needs to be done is that the MTU for the above network needs to be lowered from 1500. I had mine at 1356 or so and it seems to work fine there. If you leave it at 1500, you will never see the login screen on the SunRay, just a bunch of little broken boxes. This is caused by the VPN encryption overhead. (For changing this I usually run the GUI DHCP manager, /usr/sadm/admin/bin/dhcpmgr, and change the info for that network.)
VPN server (office router) config:
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
set transform-set rtpset
match address 115
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
interface Ethernet0
description PrivateSide
ip address 10.145.1.2 255.255.255.0
ip nat inside
!
interface Ethernet1
description PublicSide
ip address 192.168.100.1 255.255.255.248
ip nat outside
duplex half
crypto map rtptrans
!
ip nat inside source route-map nonat interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
!
access-list 115 permit ip 10.145.1.0 0.0.0.255 10.145.2.0 0.0.0.255
access-list 115 deny ip 10.145.1.0 0.0.0.255 any
access-list 120 deny ip 10.145.1.0 0.0.0.255 10.145.2.0 0.0.0.255
access-list 120 permit ip 10.145.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 120
!
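As an added example (not code from the original post), here is a Python check a practitioner can run over either config above before deploying it: it flags the single-DES/MD5 transform set and the wildcard pre-shared key, verifies that the NAT-exempt ACL mirrors the crypto ACL (otherwise the SunRay traffic is translated before it can match the crypto map), and computes the MTU ceiling behind the note above. The SAMPLE text is constructed from the server config, the names check_ipsec_config, acl_entries and max_inner_mtu are my own, and the overhead figures assume ESP tunnel mode with an IPv4 outer header and, by default, esp-des/esp-md5-hmac.

```python
import re
# Constructed sample trimmed from the server config above; not a live router's config.
SAMPLE = """\
crypto isakmp policy 1
 hash md5
crypto isakmp key 0 cisco123 address 0.0.0.0 0.0.0.0
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
crypto dynamic-map rtpmap 10
 match address 115
access-list 115 permit ip 10.145.1.0 0.0.0.255 10.145.2.0 0.0.0.255
access-list 115 deny ip 10.145.1.0 0.0.0.255 any
access-list 120 deny ip 10.145.1.0 0.0.0.255 10.145.2.0 0.0.0.255
access-list 120 permit ip 10.145.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 120
"""

# Algorithms used in the configs above that are considered broken today (table chosen for this example).
WEAK = {"esp-des": "single DES", "esp-md5-hmac": "HMAC-MD5"}

def acl_entries(cfg, number):
    """(action, src, dst) for each line of one numbered extended IP ACL."""
    pat = re.compile(rf"^access-list {number} (permit|deny) ip (\S+ \S+|any) (\S+ \S+|any)", re.M)
    return [(m.group(1), m.group(2), m.group(3)) for m in pat.finditer(cfg)]

def check_ipsec_config(cfg):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for alg in re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1).split():
        if alg in WEAK:
            findings.append(f"transform-set uses {WEAK[alg]} ({alg})")
    if re.search(r"^\s*hash md5\s*$", cfg, re.M):
        findings.append("ISAKMP policy hashes with MD5")
    if re.search(r"^crypto isakmp key .* address 0\.0\.0\.0 0\.0\.0\.0", cfg, re.M):
        findings.append("wildcard pre-shared key: any host that knows it can bring up a tunnel")
    # The NAT-exempt ACL must deny exactly the flows the crypto ACL permits; a flow that is
    # translated first carries a new source address and never matches the crypto ACL.
    crypto_acl = re.search(r"^\s*match address (\d+)", cfg, re.M).group(1)
    nat_acl = re.search(r"^\s*match ip address (\d+)", cfg, re.M).group(1)
    interesting = {(s, d) for a, s, d in acl_entries(cfg, crypto_acl) if a == "permit"}
    exempt = {(s, d) for a, s, d in acl_entries(cfg, nat_acl) if a == "deny"}
    for src, dst in sorted(interesting - exempt):
        findings.append(f"flow {src} -> {dst} is in crypto ACL {crypto_acl} but not exempt from NAT in ACL {nat_acl}")
    return findings

def max_inner_mtu(link_mtu=1500, iv=8, block=8, icv=12):
    """Largest inner IP packet fitting one ESP tunnel-mode datagram (20-byte outer IPv4 header,
    8-byte ESP header, IV, 2-byte trailer, ICV; encrypted part padded to the cipher block)."""
    budget = link_mtu - 20 - 8 - iv - 2 - icv
    return budget - (budget + 2) % block
```

max_inner_mtu() is only a ceiling for the MTU handed out to the SunRays; a DSL or PPPoE link with a smaller MTU lowers it further, which is why a value like the 1356 above still has headroom.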
Hopefully this helps some people who are interested in doing this. I will update later this week after I test it and will post any changes I had to make.

Keep us up to date. I would really enjoy hearing about the “user experience”.