A customer has a router dedicated to a site-to-site IPSec VPN , the users of that VPN are a small group that are not directly responsible for the router. They want a way to check the status of the WAN connection, the IPSec tunnel and also to force a clear crypto sa.
This could be solved with a looking glass but that would require a web server. An alternative solution could be a special user with a menu auto command:
menu VPN title @ VPN VERIFICATION / RESET MENU @
menu VPN text 1 ping Internet (OpenDNS)
menu VPN command 1 ping 208.67.222.222
menu VPN text 2 ping VPN (192.168.0.1)
menu VPN command 2 ping 192.168.0.1 source gi0/1/0
menu VPN text 3 sh crypto isakmp sa
menu VPN command 3 sh crypto isakmp sa
menu VPN text 4 sh crypto ipsec sa
menu VPN command 4 sh crypto ipsec sa
menu VPN text 5 Reset VPN (clear crypto ipsec sa)
menu VPN command 5 clear crypto sa
menu VPN text 6 Exit
menu VPN command 6 exit
menu VPN clear-screen
menu VPN status-line
menu VPN line-mode
menu VPN single-space
My environment uses AAA with a Cisco ACS, so the special user has to be created in the Internal ACS database, restricted to only that router (Per User Defined Network Access Restrictions), allowing shell (exec) access and the auto command menu VPN (TACACS+ Settings)
The router has to refer to the authorization for exec to the ACS:
aaa authorization exec default group tacacs+ local
Of course, if you don’t use ACS and only use AAA with the local database, Ivan @ Cisco IOS Hints has a great example.
Testing:
Server "VPN-Router" Line 6 Terminal-type xterm
VPN VERIFICATION / RESET MENU
1 ping Internet (OpenDNS)
2 ping VPN (192.168.0.1)
3 sh crypto isakmp sa
4 sh crypto ipsec sa
5 Reset VPN (clear crypto ipsec sa)
6 Exit
Selection: 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.67.222.222, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 84/95/140 ms
More info:
No comments:
Post a Comment