Monday, April 9, 2012

Cisco IOS Easy VPN configuration

Server


o   Configure an IKE policy
crypto isakmp policy 10
 authentication pre-share

crypto isakmp policy 20
 authentication pre-share
 group 2

o   Configure IPsec transform sets and IPsec Profile

crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
crypto ipsec profile PROFILE-IPSEC
 set transform-set TRANSFORM-IPSEC
 ! the following setting can only be applied after the ISAKMP profile has been created
 set isakmp-profile PROFILE-ISAKMP

o   Configure a client configuration group

ip local pool VPN-LOCAL-POOL 172.16.39.200 172.16.39.250

crypto isakmp client configuration group VPN-CLIENT-GROUP
 key vpnclientcisco
 dns 192.168.117.1
 domain leo-li.com
 pool VPN-LOCAL-POOL


o   Configure a dynamic VTI template interface which the Router will use to create tunnel interfaces for each remote user
interface Virtual-Template1 type tunnel
 ip unnumbered Serial1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC
 !

o   Configure a local AAA authentication method and add user accounts to the router local database
aaa authentication login default local
aaa authorization network LOCAL-AUTHOR local

username cisco privilege 15 password 0 cisco

o   Configure an ISAKMP profile that will bind the remote user group to the client configuration group
crypto isakmp profile PROFILE-ISAKMP
 match identity group VPN-CLIENT-GROUP
 isakmp authorization list LOCAL-AUTHOR
 client configuration address respond
 client configuration group VPN-CLIENT-GROUP
 virtual-template 1


Client

o   Configure EZVPN Remote Profile
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group VPN-CLIENT-GROUP key vpnclientcisco
 mode client
 peer 10.100.23.2
 username cisco password cisco
 xauth userid mode local

o   Designate EZVPN interface roles

crypto ipsec client ezvpn EZVPN-CLIENT inside
crypto ipsec client ezvpn EZVPN-CLIENT outside


Configuration Scenario Example


E-R3 acts as the VPN server router located at the central head office, while E-R4 is the remote sub-office router that dials in to the head office. E-R2 simulates the Internet: it has only basic interface settings and no routing towards E-R3 or E-R4.
The head office has NAT/PAT configured on E-R3 to give the DMZ and internal users Internet access, and the sub-office has the same on E-R4. E-R4 needs to send Internet traffic directly rather than through the head-office router E-R3, so split tunnelling is required.
The topology is as follows:


E-R3

!
hostname E-R3
!Authentication, authorization and local account setup for VPN
aaa new-model
aaa authentication login default local
aaa authorization network LOCAL-AUTHOR local
username cisco privilege 15 password 0 cisco

!DHCP setup for local machines
ip dhcp pool LOCAL-POOL-172.16.30
   network 172.16.30.0 255.255.255.0
   default-router 172.16.30.1
!ISAKMP Policies
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp policy 20
 authentication pre-share
 group 2

!Client group setup, acl VPN-SPLIT-TUNNEL will enable Split Tunnel for VPN clients
crypto isakmp client configuration group VPN-CLIENT-GROUP
 key vpnclientcisco
 dns 192.168.117.1
 domain leo-li.com
 pool VPN-LOCAL-POOL
 acl VPN-SPLIT-TUNNEL

crypto isakmp profile PROFILE-ISAKMP
   match identity group VPN-CLIENT-GROUP
   isakmp authorization list LOCAL-AUTHOR
   client configuration address respond
   client configuration group VPN-CLIENT-GROUP
   virtual-template 1
!
crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
!
crypto ipsec profile PROFILE-IPSEC
 set transform-set TRANSFORM-IPSEC
 set isakmp-profile PROFILE-ISAKMP

!Loopback0 is used for sub-offices that route their Internet traffic through the head office; the Loopback0 address + 1 (172.16.31.2) is the next hop for packets arriving from the remote office.
interface Loopback0
 ip address 172.16.31.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface FastEthernet0/0
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 !
!
interface Serial1/0
 ip address 10.100.23.2 255.255.255.0
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
 !
!The route-map policy is applied on the virtual-template interface, NOT on the physical interface (Serial1/0 here), because the VPN traffic arrives through the tunnel.
!
interface Virtual-Template1 type tunnel
 ip unnumbered Serial1/0
 ip policy route-map VPN_CLIENT_INTERNET
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC
 !
! Addresses for VPN clients can be on a separate subnet
ip local pool VPN-LOCAL-POOL 172.16.39.200 172.16.39.250
!
ip nat pool INTERNET-ADDRESSES 10.100.23.3 10.100.23.200 prefix-length 24
ip nat inside source list NAT-ADDRESSES pool INTERNET-ADDRESSES
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
ip access-list extended NAT-ADDRESSES
 deny   ip 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.255
 permit ip 172.16.30.0 0.0.0.255 any
 permit ip 172.16.31.0 0.0.0.255 any
ip access-list extended VPN-SPLIT-TUNNEL
 permit ip 172.16.30.0 0.0.0.255 any
ip access-list extended VPN_CLIENTS
 permit ip 172.16.39.0 0.0.0.255 any
!Route-map that redirects Internet-bound traffic from the sub-office VPN clients
route-map VPN_CLIENT_INTERNET permit 10
 match ip address VPN_CLIENTS
 set ip next-hop 172.16.31.2
!


E-R4

!
hostname E-R4
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
ip dhcp pool DHCP-172.16.40
   network 172.16.40.0 255.255.255.0
   default-router 172.16.40.1
!
username cisco privilege 15 password 0 cisco
!
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group VPN-CLIENT-GROUP key vpnclientcisco
 mode client
 peer 10.100.23.2
 username cisco password cisco
 xauth userid mode local
!
interface FastEthernet0/0
 ip address 172.16.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 crypto ipsec client ezvpn EZVPN-CLIENT inside
!
interface Serial0/0
 ip address 10.100.24.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no fair-queue
 serial restart-delay 0
 clock rate 2000000
 crypto ipsec client ezvpn EZVPN-CLIENT
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip nat pool INTERNET-ADDRESSES 10.100.24.3 10.100.24.200 prefix-length 24
ip nat inside source list NAT-ADDRESSES pool INTERNET-ADDRESSES
!
ip access-list extended NAT-ADDRESSES
 deny   ip 172.16.40.0 0.0.0.255 172.16.30.0 0.0.0.255
 permit ip 172.16.40.0 0.0.0.255 any


