The Home VPN
I have wanted to set up a Virtual Private Network (VPN) to my home for quite a while, but have never gotten around to it. Here are some reasons I wanted one:
- It gives me easier access to files stored on my home machines while I’m away.
- I want to control home devices (like my Insteon thermostat) while I’m away.
- It allows me to use my home IP address. This is important because I control access to some of my outside resources (virtual private servers and the like) by IP address, as an additional layer of security.
- Data I send over open WiFi networks is encrypted.
Since I am using more WiFi in coffee shops and other public places recently, I found the motivation to get this done. I expect that more people will be looking for this kind of capability as the “Internet of Things” becomes more popular and they want secure access to sensors and controls in their homes.
My home firewall is a Cisco 881. This is way overkill for most people, but even though it is a challenge to configure, it has much more capability and flexibility than the usual home firewall. For example, I am already using it as a termination point for my IPv6 tunnel from Hurricane Electric. It’s a bit more expensive than most home routers, but my ability to buy it at employee discount while I worked at Cisco helped with that. In any case, my home network is comparable to many small businesses. My clients, initially, are my Mac and iOS devices running the Cisco-compatible VPN code integrated in partnership with Apple.
My usual mode of operation is to search around on the internet for configuration examples. I ran across many, some of which were several years old. I studied the examples, made the necessary configuration changes, and…it didn’t work. Nearly all of the configurations seemed to use the “crypto map” mode of operation, where traffic to particular IP addresses within a network is automatically encrypted and sent through a remote access tunnel. This no doubt is successful for many people, but it didn’t work for me, perhaps because of either the NAT (network address translation) configuration of my router, or the NAT being done at the client end. It’s possible that I was configuring something wrong, but if so I couldn’t find it.
Returning to the documentation, I ran across IPsec Virtual Tunnel Interfaces. If I remember correctly, these were introduced more recently than the crypto maps, which might explain why they weren’t used in some of the older examples I ran into. Their mode of operation is somewhat different: the tunnel is treated as a separate network to which packets are routed, rather than as an address range within another network.
My router is running IOS version 15.1(3)T2. Here are the relevant portions of my router’s IOS configuration to support the tunnel:
```
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group vpngroup
 ! Shared secret entered on client
 key <<pre-shared key>>
 dns <<address of DNS server to be used by clients>>
 domain <<my domain name>>
 pool VPNPOOL
crypto isakmp profile VPN1-RA
 ! vpngroup is the group name on the client
 match identity group vpngroup
 ! userauthen and groupauthor are AAA method lists defined elsewhere in the configuration (not shown here)
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set MYSET esp-3des esp-md5-hmac
!
crypto ipsec profile TEST-VTI
 set transform-set MYSET
!
interface Virtual-Template1 type tunnel
 ! Substitute the name of your inside interface
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TEST-VTI
!
! This is the range of addresses assigned to VPN clients - change as needed
ip local pool VPNPOOL 10.10.21.2 10.10.21.4
!
```
I had to make a couple of other changes too. Since I now have a new subnet that I want to include in Network Address Translation, the ACL I use to regulate the use of NAT needed to be broadened to include that subnet. Other devices that were expecting all local services to be on a particular subnet needed to be adjusted as well. In my case, I needed to change my local name server to treat the new subnet as “friendly” (permitting recursive queries).
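As an added example that is not part of the original post: a small Python helper (hypothetical; it assumes the running-config has been saved to a text file, a 192.168.1.0/24 LAN, and NAT access lists named NAT-ACL and NAT-ACL-WIDENED) that checks whether the NAT access list covers every address in the VPN client pool, so the omission described above is caught before clients connect.

```python
# Added helper for this post (Python, not IOS; not the article's own code).
import ipaddress
import re
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^ip access-list extended (\S+)")
PERMIT_RE = re.compile(r"^ permit ip (any|\S+ \S+) ")

# Constructed excerpt: pool from the post, assumed 192.168.1.0/24 LAN, NAT ACL before/after widening.
SAMPLE_CONFIG = """\
ip local pool VPNPOOL 10.10.21.2 10.10.21.4
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended NAT-ACL-WIDENED
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.10.21.0 0.0.0.7 any
!
"""

def source_network(src):
    """Source field of a 'permit ip' entry as a network; IOS wildcards are inverted netmasks."""
    if src == "any":
        src = "0.0.0.0 255.255.255.255"   # any source: wildcard of all ones
    elif src.startswith("host "):
        src = src.split()[1] + " 0.0.0.0"  # single host: wildcard of all zeros
    addr, wildcard = src.split()
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def acl_sources(config, acl_name):
    """Source networks permitted by the named extended ACL, in config order."""
    nets, inside = [], False
    for line in config.splitlines():
        hdr = ACL_RE.match(line)
        if hdr:
            inside = hdr.group(1) == acl_name
            continue
        inside = inside and line.startswith(" ")  # '!' or a top-level command ends the ACL body
        m = PERMIT_RE.match(line) if inside else None
        if m:
            nets.append(source_network(m.group(1)))
    return nets

def uncovered_pool_addresses(config, pool_name, acl_name):
    """Pool addresses the NAT ACL would not translate; empty when NAT covers the pool."""
    pool = next(m for m in map(POOL_RE.match, config.splitlines())
                if m and m.group(1) == pool_name)
    first, last = (ipaddress.IPv4Address(a) for a in pool.group(2, 3))
    nets = acl_sources(config, acl_name)
    return [str(first + i) for i in range(int(last) - int(first) + 1)
            if not any(first + i in n for n in nets)]
```

Run against a real saved config, a non-empty result lists the client addresses whose traffic would leave the router untranslated.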
To set up a Mac OS X client (I’m running 10.8.5), go to System Preferences/Network and click “+” to add a new interface. Specify a VPN, VPN type Cisco IPSec, and give it whatever Service Name you want to use. Press Create, then specify the address of the server (a numeric address or a DNS name is OK), the account name (your username on the router), and leave the password blank. Press Authentication Settings and enter the Shared Secret and group name from the configuration. You should then be able to press Connect, be prompted for a password (your password on the router), and hopefully you’ll be connected.
On an iOS device (lowercase i) (I’m running 7.0.2), go to the General/VPN screen in Settings, and select “Add VPN Configuration…”. Select IPSec and enter the values as above. Leave proxy off.