Tag: VPN

Vodafone Access Gateway Sure Signal


If you are unfortunate enough (like me) to live in an area where you get absolutely no phone signal on any network, enter the Vodafone Gateway.  This uses your existing broadband connection as a VoIP gateway.  However, this is not without its problems.  Usually, if you live in a ‘no signal’ area, you also live in an area with low internet bandwidth and no cable (yes, I live in the dark ages).  I believe that Vodafone run their own QoS protocol from the box, but internet downloading can still reduce the quality of the incoming voice signal, and if you are uploading you will be able to hear people fine, but they will complain that your voice is very jerky.

As I am also running a hardware firewall, I struggled to see how the device could just ‘plug and work’ as stated in the gateway documentation.  Through research and a lot of calls to the helpdesk I managed to wheedle out of them a list of ports that the gateway needs DMZ or port-forward access to.  After I had added these to my firewall rules, up it came, all bells and whistles.  HOWEVER, they still have not ironed out HSDPA access over the gateway, as this crashes my gateway every time, requiring a hard reset of the device.

Here is the list of port forwards to IP addresses that you need to allow access to:

NTP on UDP-123 to 212.183.133.181

NTP on UDP-123 to 212.183.133.182

Ping on ICMP-8 to 212.183.133.181

Ping on ICMP-8 to 212.183.133.182

ESP on IP-50 to 212.183.133.177

IPSEC NAT Traversal on UDP-4500 to 212.183.133.177

ISAKMP on UDP-500 to 212.183.133.177
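The list above is really a set of outbound flows from the gateway to a handful of Vodafone addresses, so it can be enforced as a tight egress allow-list on a Linux router instead of giving the box a full DMZ. The script below is an added example, not part of the original post: it parses the list exactly as written above, emits one iptables FORWARD rule per flow, and finishes with a log-and-drop rule so that anything else the box tries to send out shows up in the kernel log. The femtocell address 192.168.1.50 and the WAN interface name eth0 are assumptions.

```python
import re

# Constructed copy of the post's own allow-list, kept in the post's wording.
PAGE_LIST = """
NTP on UDP-123 to 212.183.133.181
NTP on UDP-123 to 212.183.133.182
Ping on ICMP-8 to 212.183.133.181
Ping on ICMP-8 to 212.183.133.182
ESP on IP-50 to 212.183.133.177
IPSEC NAT Traversal on UDP-4500 to 212.183.133.177
ISAKMP on UDP-500 to 212.183.133.177
"""

# Assumed LAN details (not from the post).
FEMTO_IP = "192.168.1.50"   # the Sure Signal's fixed LAN address
WAN_IF = "eth0"             # router interface facing the broadband line

LINE_RE = re.compile(
    r"^(?P<name>.+?) on (?P<proto>UDP|TCP|ICMP|IP)-(?P<num>\d+) to (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)
IP_PROTO_NAMES = {50: "esp", 51: "ah"}   # IP protocol numbers iptables knows by name


def parse_allowlist(text):
    """Turn 'NAME on PROTO-NUM to DST' lines into (name, proto, num, dst) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised allow-list line: {line!r}")
        rules.append((m["name"], m["proto"], int(m["num"]), m["dst"]))
    return rules


def rule_to_iptables(rule, femto_ip=FEMTO_IP, wan_if=WAN_IF):
    """One FORWARD rule that lets only the femtocell reach one destination/flow."""
    name, proto, num, dst = rule
    if proto in ("UDP", "TCP"):
        match = f"-p {proto.lower()} --dport {num}"
    elif proto == "ICMP":
        match = f"-p icmp --icmp-type {num}"      # ICMP-8 is echo request
    else:                                         # "IP-50": raw IP protocol, no ports
        match = f"-p {IP_PROTO_NAMES.get(num, num)}"
    return (f"iptables -A FORWARD -s {femto_ip} -d {dst} -o {wan_if} {match} "
            f"-m comment --comment '{name}' -j ACCEPT")


def build_ruleset(text=PAGE_LIST, femto_ip=FEMTO_IP, wan_if=WAN_IF):
    """Allow the listed flows, admit their return traffic, then log and drop the rest."""
    rules = [rule_to_iptables(r, femto_ip, wan_if) for r in parse_allowlist(text)]
    rules += [
        # return traffic for the flows above, tracked by conntrack
        f"iptables -A FORWARD -d {femto_ip} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # anything else the box originates is logged (the detection hook) and dropped
        f"iptables -A FORWARD -s {femto_ip} -j LOG --log-prefix 'femto-egress-drop: ' --log-level 4",
        f"iptables -A FORWARD -s {femto_ip} -j DROP",
    ]
    return rules


if __name__ == "__main__":
    print("\n".join(build_ruleset()))
```

The rules are appended, so they assume the FORWARD chain does not already accept the femtocell's traffic earlier on. Return ESP relies on conntrack's generic protocol tracking; if the replies from 212.183.133.177 are dropped on your kernel, an explicit accept for protocol 50 from that address in the inbound direction is the fix.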

Comments welcome


Cisco 12.4 IOS With teleworker VPN using L2TP, NAT and Microsoft RADIUS Authentication

For the Cisco 2600 series this requires 128Mb DRAM, and I would recommend the 12.4 IOS as well.

To begin with, you will need to enable the “Store passwords using reversible encryption” setting in the Active Directory password policy.

You must also have IAS configured correctly and registered with AD.

!
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname yourroutername
!
enable secret 5 [encryption hashed password shown here]
!
aaa new-model
!
aaa authentication login default local enable
aaa authentication ppp default group radius local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
!
resource policy
!
memory-size iomem 15
ip cef
!
ip domain name blah.com
ip ssh authentication-retries 2
ip ssh version 2
vpdn enable
!
vpdn-group VPN
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
 l2tp tunnel receive-window 256
!
username testuser password 0 testpassword
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PutYourPreSharedKeyHere address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set transport esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map cc 10
 set nat demux
 set transform-set transport
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
! Use ATM0/0 instead of FastEthernet0/0 if your external connection is on a WIC
interface FastEthernet0/0
 description External Network
 ip address 11.22.33.44 255.255.255.0
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map cisco
!
interface FastEthernet0/1
 description Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
 no mop enabled
!
interface Virtual-Template1
 ! Borrow the internal interface address; the original read "ip unnumbered Loopback0"
 ! but no Loopback0 is defined anywhere in this config
 ip unnumbered FastEthernet0/1
 ip virtual-reassembly
 ! Pool name must match the "ip local pool" below
 peer default ip address pool vpn_pool
 ppp encrypt mppe 128
 ppp authentication ms-chap-v2
!
! Client address pool kept inside the internal 192.168.1.0/24 subnet
ip local pool vpn_pool 192.168.1.200 192.168.1.250
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
no ip http server
no ip http secure-server
ip nat translation timeout 30
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 remark Permit NAT traffic from 192.168.1.0/24
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Permit SSH traffic for 192.168.1.0/24 and deny everything else
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark Disallow telnet and ssh access from outside
access-list 100 deny tcp any any eq telnet
access-list 100 deny tcp any any eq 22
access-list 100 permit ip any any
!
radius-server host [ip of radius server here] auth-port 1645 acct-port 1646 key HashedKey
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 2 in
 password generlc
 transport input ssh
 transport output ssh
!
end
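A config like this fails quietly when a name in one section does not match a name in another (a pool referenced under the virtual template that is spelled differently where it is defined, or an unnumbered interface that is never created), so it is worth checking the cross-references before pasting it into a router. The script below is an added example, not code from the original post: it embeds a trimmed copy of the config as originally posted, collects the names the config defines, and reports every reference to an undefined pool, interface, ACL, transform set, dynamic map or crypto map, plus any address pool whose range looks mistyped. The sample config is a constructed copy; no real router is contacted.

```python
import ipaddress
import re

# Trimmed copy of the config as originally posted (constructed sample), including
# the two mismatches the original contained.
POSTED_CONFIG = """\
aaa new-model
vpdn enable
!
vpdn-group VPN
 accept-dialin
  protocol l2tp
  virtual-template 1
!
crypto ipsec transform-set transport esp-3des esp-md5-hmac
 mode transport
!
crypto dynamic-map cc 10
 set transform-set transport
!
crypto map cisco 10 ipsec-isakmp dynamic cc
!
interface FastEthernet0/0
 ip access-group 100 in
 ip nat outside
 crypto map cisco
!
interface FastEthernet0/1
 ip nat inside
!
interface Virtual-Template1
 ip unnumbered Loopback0
 peer default ip address pool VPN
!
ip local pool vpn_pool 192.168.1.200 192.168.100.250
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip any any
line vty 0 4
 access-class 2 in
"""

# (regex capturing the referenced name, category it must be defined in)
REFERENCES = [
    (r"^peer default ip address pool (\S+)", "pool"),
    (r"^ip unnumbered (\S+)", "interface"),
    (r"^crypto map (\S+)$", "crypto-map"),                       # applied on an interface
    (r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "dynamic-map"),
    (r"^set transform-set (\S+)", "transform-set"),
    (r"^ip access-group (\d+)", "acl"),
    (r"^access-class (\d+)", "acl"),
    (r"^ip nat inside source list (\d+)", "acl"),
    (r"^virtual-template (\d+)", "virtual-template"),
]


def definitions(cfg):
    """Collect the names this config defines, grouped by category."""
    defs = {"interface": set(), "pool": set(), "acl": set(), "transform-set": set(),
            "dynamic-map": set(), "crypto-map": set(), "virtual-template": set()}
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"interface (\S+)", s):
            defs["interface"].add(m[1])
            if mv := re.match(r"Virtual-Template(\d+)", m[1]):
                defs["virtual-template"].add(mv[1])
        elif m := re.match(r"ip local pool (\S+)", s):
            defs["pool"].add(m[1])
        elif m := re.match(r"access-list (\d+)", s):
            defs["acl"].add(m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+)", s):
            defs["transform-set"].add(m[1])
        elif m := re.match(r"crypto dynamic-map (\S+)", s):
            defs["dynamic-map"].add(m[1])
        elif m := re.match(r"crypto map (\S+) \d+", s):
            defs["crypto-map"].add(m[1])
    return defs


def dangling_references(cfg):
    """Return (line number, message) for every reference to something never defined."""
    defs = definitions(cfg)
    findings = []
    for lineno, line in enumerate(cfg.splitlines(), 1):
        s = line.strip()
        for pattern, category in REFERENCES:
            m = re.match(pattern, s)
            if m and m[1] not in defs[category]:
                findings.append((lineno, f"{category} '{m[1]}' referenced but never defined"))
    return findings


def pool_sanity(cfg):
    """Flag pools whose range runs backwards or is larger than a /24, which usually means a typo."""
    findings = []
    for lineno, line in enumerate(cfg.splitlines(), 1):
        m = re.match(r"ip local pool (\S+) (\S+) (\S+)", line.strip())
        if not m:
            continue
        start, end = ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3])
        if end < start:
            findings.append((lineno, f"pool {m[1]}: end address is before start address"))
        elif int(end) - int(start) > 254:
            findings.append((lineno, f"pool {m[1]}: {int(end) - int(start) + 1} addresses, check for a typo"))
    return findings


def lint(cfg):
    """All findings, ordered by line number."""
    return sorted(dangling_references(cfg) + pool_sanity(cfg))


if __name__ == "__main__":
    for lineno, msg in lint(POSTED_CONFIG):
        print(f"line {lineno}: {msg}")
```

Run against the posted config it reports the pool name mismatch (VPN versus vpn_pool), the undefined Loopback0 and the pool range that spills out of 192.168.1.0/24; the same checks pass cleanly once those three lines are corrected.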

Here is a video that I found which gives an example of setting up the client (teleworker) side without having to use the Cisco VPN Client software.


Copyright © 1996-2010 OPLE IT Blog. All rights reserved.