Multi-Path Room - Connect to a Cisco (IOS) Router
This article explains how to connect a private network that is protected by a Cisco (IOS) router (version IOS 12.4+) to a Tehama Multi-Path Room.
Overview
What is a Tehama Multi-Path Room?
A Multi-Path Room is a short way of referring to a Tehama Room that has network access type "Multi-Path". This network access type is capable of securely connecting to networks through IPSec. Multi-Path Rooms support many such connections.
See the Multi-Path Room Connectivity User Guide for more details about Multi-Path Rooms.
Currently, only Standard Rooms support the "Multi-Path" network access type. Domain Join Rooms do not, as yet, support it.
Find out what your Room's network access type is from the Room's connection page. See section View a Room's network access setting in the Room/Desktop Connectivity - Types, Status and Settings guide for details.
What is a Cisco (IOS) router?
A Cisco (IOS) router is a Cisco router that runs the proprietary Cisco IOS (Internetwork Operating System). Cisco IOS manages the router and provides the interface through which communication between the network behind the router and other networks is enabled. See the Cisco Support page for more information about Cisco products.
Assumptions
- You have a Tehama organization and are an Admin or Org Manager user in that organization.
- Access to your private network, which contains your company resources, data, etc., is protected by a Cisco (IOS) router, and you want to reach these assets securely from a Tehama Room.
The process to connect a private network that has a Cisco (IOS) router (version IOS 12.4+) is divided into three parts:
- Create a Tehama Multi-Path Room (optional: you can also make a connection to an existing Multi-Path Room.)
- Add and Configure a New Connection
- Check the Status of the Connection
Create a Tehama Multi-Path Room
If you want to connect your private network to one of your existing Tehama Multi-Path Rooms, simply note the Room's name and skip to the next step.
Either:
- Create a new Tehama Multi-Path Room by following the steps found in the Getting Started with Tehama Room Creation guide, under section 'Create and connect a Standard Room', selecting 'Multi-Path' as the Room's Network Access type.
or
- Convert one of your existing Rooms with 'Tehama Gateway' or 'Internet-Only' network access to use 'Multi-Path' network access, by following the steps found in the Room/Desktop Connectivity - Types, Status and Settings guide, under section 'Change a Room's Network Access setting'.
Take note of your Multi-Path Room's name, for use in the creation of your connection.
Information gathered in this step:
- The name of your Multi-Path Room.
Add and Configure a New Connection
Add and configure a connection to your private network, through Cisco, from your Tehama Multi-Path Room as follows:
First, gather some information about your private network.
- A) Find Your Private Network Info
Next, add a connection between your Multi-Path Room and your Cisco router.
- B) Tehama - Create a New Connection in Your Multi-Path Room
- C) Cisco - Create and Configure a New Connection in Your Cisco (IOS) Router
Finally, update your Multi-Path Room's firewall rules (and optionally its DNS Filtering) to allow access to resources in your private network from your Room's Tehama Desktops.
- D) Update Firewall Rules/DNS Filtering
Let's get started with step A.
A) Find Your Private Network Info
This step uses the command line interface (CLI) of your Cisco (IOS) router to look up the two pieces of information needed to connect your private network to your Multi-Path Room: its subnet and its public IP address. You will need to know how to access your router's CLI. (Ask your IT department for assistance, if necessary.)
Required information for this step:
- Your Cisco (IOS) Router login info.
- Log in to your Cisco router, via the CLI, in EXEC mode.
See the pdf Using the Command Line Interface which provides information about the Cisco IOS CLI.
- Run the following command to get your private network's subnet value:
show ip route
- Run the following command to get your private network's public IP address (the Cisco router's external IP):
show ip interface
Information gathered/confirmed in this step:
- Your private network's subnet.
- Your private network's public IP address (the Cisco router's external IP).
B) Create a New Connection in Your Multi-Path Room
In this step, we create a new connection in your Multi-Path Room. This generates the pre-shared key for the connection. This key is needed for the next step, in the Cisco interface.
Required information for this step:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- Your private network's subnet, from step A.
- Your private network's public IP address, from step A.
- A meaningful name for your new connection.
- A description for your new connection.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room you want to connect to your Cisco router. You will see the page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Click the ADD CONNECTION button. You will see the form for creating a new connection.
- In the new connection form:
- Name - enter a meaningful name for your new connection.
- Description (optional) - enter a description for your new connection.
- Target Subnet - enter your private network's subnet value, from step A.
The form allows you to enter more than one target subnet. Click on + Add more to bring up additional target subnet fields.
- Public IP Address - enter your private network's public IP address (the Cisco router's external IP), from step A.
- Copy the Pre-shared key value.
- Copy the Room IP value.
- Copy the Room subnet value.
- Click CONNECT.
If you forget to copy the values before initiating the connection, you can get to them from the CONNECTION page for the Room:
- Click on the name of your connection in the Connections table. You will see the information page for the connection.
- Click the EDIT button. You will see the edit page for the connection.
- Copy the values.
Information gathered in this step:
- Your Multi-Path Room's new connection's pre-shared key.
- Your Multi-Path Room's Room IP.
- Your Multi-Path Room's Room subnet.
- The name of your new connection in your Multi-Path Room.
C) Create and Configure a New Connection in Your Cisco (IOS) Router
In this step, you will create and configure a new VPN connection, using IPSec, in your Cisco (IOS) Router to your Multi-Path Room.
Required information for this step:
- Your Multi-Path Room's Room subnet, from step B.
- Your Multi-Path Room's Room IP value, from step B.
- Your Multi-Path Room's new connection's Pre-shared key, from step B.
- Your private network's subnet, from step A.
- Your private network's public IP address (the Cisco router's external IP), from step A.
- Meaningful names for the Cisco site-to-site VPN configuration elements. (See legend below.)
- Log in to your Cisco (IOS) router, via the CLI, in EXEC mode, then enter "enable" and "configure terminal" to enter global configuration mode.
See the pdf Using the Command Line Interface which provides information about the Cisco IOS CLI.
- Create a site-to-site VPN connection, using IPSec, between your private network and your Multi-Path Room.
See Cisco VPN documentation for Site-to-Site and IPSec for a review of the necessary commands. Here are some relevant links from Cisco's documentation (be sure this documentation is correct for your IOS version):
Set up your new site-to-site VPN to have the following configuration:
crypto ikev2 proposal ikev2proposal
 encryption aes-cbc-256 aes-cbc-192
 integrity sha256
 group 14
!
crypto ikev2 policy ikev2policy
 match fvrf any
 proposal ikev2proposal
!
crypto ikev2 keyring keys
 peer strongswan
  address BBBBBB
  pre-shared-key local CCCCCC
  pre-shared-key remote CCCCCC
!
crypto ikev2 profile ikev2profile
 match identity remote address BBBBBB 255.255.255.255
 identity local address EEEEEE
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
 nat keepalive 120
!
crypto ikev2 dpd 60 60 periodic
!
crypto ipsec transform-set tehama esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map tmap 10 ipsec-isakmp
 set peer BBBBBB
 set transform-set tehama
 set ikev2-profile ikev2profile
 match address tehama-room
!
interface GigabitEthernet0
 ip address dhcp
 crypto map tmap
 ! other commands as needed
!
ip access-list extended tehama-room
 permit ip DDDDDD AAAAAA
!
Legend:
- AAAAAA: Your Multi-Path Room's Room subnet, in Cisco wildcard notation (the wildcard mask is the bitwise inverse of the subnet mask, so a /24 such as 192.168.1.0/24 is written 192.168.1.0 0.0.0.255).
- BBBBBB: Your Multi-Path Room's Room IP value.
- CCCCCC: Your Multi-Path Room's new connection's Pre-shared key.
- DDDDDD: Your private network's subnet, in Cisco wildcard notation (see AAAAAA).
- EEEEEE: Your private network's public IP address (the Cisco router's external IP).
- ikev2proposal: A meaningful name for the ikev2 proposal.
- ikev2policy: A meaningful name for the ikev2 policy.
- ikev2profile: A meaningful name for the ikev2 profile.
- tehama: A meaningful name for the ipsec transform-set.
- keys: A meaningful name for the ikev2 keyring.
- strongswan: A meaningful name for the peer entry in the keyring.
- tmap: A meaningful name for the crypto map applied to the external interface.
- tehama-room: A meaningful name for the extended access list that selects the traffic sent through the IPSec tunnel (referenced by match address in the crypto map).
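As an added example that is not part of this guide or of Cisco's documentation, the following Python helper takes the values gathered in steps A and B (constructed sample values here), converts the two subnets from CIDR to the wildcard notation the legend calls for, checks that they do not overlap, and fills in the placeholder-bearing stanzas (keyring, profile identities and the tehama-room access list) so they can be pasted into the configuration above.

```python
import ipaddress

# Constructed sample values standing in for the legend placeholders
# AAAAAA..EEEEEE; none of them come from a real deployment.
SAMPLE = {
    "room_subnet": "10.200.0.0/24",       # AAAAAA, as CIDR
    "room_ip": "203.0.113.10",            # BBBBBB
    "psk": "example-pre-shared-key",      # CCCCCC
    "private_subnet": "192.168.50.0/24",  # DDDDDD, as CIDR
    "public_ip": "198.51.100.7",          # EEEEEE
}


def to_wildcard(cidr: str) -> str:
    """CIDR -> 'network wildcard' as IOS extended ACLs expect.
    The wildcard mask is the bitwise inverse of the subnet mask."""
    net = ipaddress.IPv4Network(cidr, strict=True)  # rejects host bits set
    return f"{net.network_address} {net.hostmask}"


def validate(v: dict) -> None:
    """Catch input mistakes that would leave the tunnel up but unusable."""
    room = ipaddress.IPv4Network(v["room_subnet"], strict=True)
    priv = ipaddress.IPv4Network(v["private_subnet"], strict=True)
    if room.overlaps(priv):
        raise ValueError("Room subnet and private subnet overlap")
    for key in ("room_ip", "public_ip"):
        ipaddress.IPv4Address(v[key])  # raises ValueError on malformed input
    if not v["psk"].strip():
        raise ValueError("pre-shared key must not be empty")


def render(v: dict) -> str:
    """Fill the placeholder-bearing stanzas from step C with real values."""
    validate(v)
    lines = [
        "crypto ikev2 keyring keys",
        " peer strongswan",
        f"  address {v['room_ip']}",
        f"  pre-shared-key local {v['psk']}",
        f"  pre-shared-key remote {v['psk']}",
        "!",
        "crypto ikev2 profile ikev2profile",
        f" match identity remote address {v['room_ip']} 255.255.255.255",
        f" identity local address {v['public_ip']}",
        "!",
        "ip access-list extended tehama-room",
        f" permit ip {to_wildcard(v['private_subnet'])} {to_wildcard(v['room_subnet'])}",
    ]
    return "\n".join(lines)
```

Run render(SAMPLE) to print the filled-in stanzas; the remaining stanzas (proposal, policy, transform-set, crypto map, interface) carry no placeholders and can be pasted as shown.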
Information gathered/confirmed in this step:
- N/A.
D) Update Firewall Rules/DNS Filtering
Finally, update your Multi-Path Room's firewall rules to allow access to resources in your private network from your Room's Tehama Desktops.
If you wish to completely open access to everything in your private network, add custom firewall rules to your Multi-Path Room allowing access to the entire subnet for your private network. Otherwise, add more granular rules.
See instructions on how to add firewall rules in section Add Custom Firewall Rule in the Firewall Rules User Guide.
You can optionally add an extra layer of access control on top of firewall rules through the Room's DNS Filtering feature. See the DNS Filtering guide for more details.
Check the Status of the Connection
Check the Status of the Cisco VPN connection you configured between your private network and your Multi-Path Room.
- Check connection status in the Tehama Web UI
- Troubleshoot the connection status in the Cisco (IOS) Router CLI
Check connection status in Tehama
Required information:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- The name of your new connection in your Multi-Path Room, from step B.
- Your network's public IP address (the Cisco router's external IP) from step A.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room you connected to your Cisco (IOS) Router. You will see the page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Find the connection in the connection table, (identify by name, from step B, or by your private network's public IP address value, from step A).
- Verify that the connection status is green.
Troubleshoot connection status in Router
If the status in the Tehama Web UI is not green, you can view the router's logs for the connection through the Cisco (IOS) CLI:
Required information for this step:
- Your Cisco IOS login info.
- Log in to your Cisco (IOS) router, via the CLI, in EXEC mode, then enter "enable" and "configure terminal" to enter global configuration mode. (EXEC commands such as show and debug can be run from global configuration mode by prefixing them with "do".)
- To watch the IKEv2 negotiation in real time while the remote is initiating, enable IKEv2 debugging (if you are connected over SSH or Telnet rather than the console, run "terminal monitor" first so the debug output is shown in your session):
debug crypto ikev2
Turn debugging off again when you are done:
undebug all
- To see logs at a later stage, add the following to the configuration in step C:
crypto logging ikev2
then run:
show log
- Run the following two commands to check the current status of the IPSec tunnel:
show crypto ikev2 stats
show crypto ikev2 session