Monday, April 9, 2012

Cisco IOS Easy VPN configuration

Server


o   Configure an IKE policy
crypto isakmp policy 10
 authentication pre-share

crypto isakmp policy 20
 authentication pre-share
 group 2

o   Configure IPsec transform sets and an IPsec profile

crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
crypto ipsec profile PROFILE-IPSEC
   set transform-set TRANSFORM-IPSEC
 ! the following setting has to be entered after the ISAKMP profile has been created
   set isakmp-profile PROFILE-ISAKMP

o   Configure a client configuration group (and the local address pool it hands out)

ip local pool VPN-LOCAL-POOL 172.16.39.200 172.16.39.250

crypto isakmp client configuration group VPN-CLIENT-GROUP
 key vpnclientcisco
 dns 192.168.117.1
 domain leo-li.com
 pool VPN-LOCAL-POOL

o   Configure a dynamic VTI template interface that the router will use to create a tunnel interface for each remote user
interface Virtual-Template1 type tunnel
 ip unnumbered Serial1/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC
 !

o   Configure a local AAA authentication method and add user accounts to the router's local database
aaa authentication login default local
aaa authorization network LOCAL-AUTHOR local

username cisco privilege 15 password 0 cisco




o   Configure an ISAKMP profile that will bind the remote user group to the client configuration group
crypto isakmp profile PROFILE-ISAKMP
   match identity group VPN-CLIENT-GROUP
   isakmp authorization list LOCAL-AUTHOR
   client configuration address respond
   client configuration group VPN-CLIENT-GROUP
   virtual-template 1






Client

o   Configure EZVPN Remote Profile
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group VPN-CLIENT-GROUP key vpnclientcisco
 mode client
 peer 10.100.23.2
 username cisco password cisco
 xauth userid mode local


o   Designate EZVPN interface roles

Under the LAN-facing interface:
 crypto ipsec client ezvpn EZVPN-CLIENT inside

Under the WAN-facing interface (outside is the default role, so the keyword may be omitted):
 crypto ipsec client ezvpn EZVPN-CLIENT outside


Configuration Scenario Example


E-R3 acts as the VPN server router, located at the central head office, while E-R4 is the remote sub-office router that dials in to the head office. I use E-R2 to simulate the internet; it has only basic interface settings and no routing towards E-R3 or E-R4.
The head office has NAT/PAT set up on the E-R3 router to give the DMZ and internal users internet access, and the sub-office has the same on E-R4. E-R4 needs to send internet traffic directly to the internet rather than through the head office router E-R3, so split tunnelling is necessary.
The topology is as follows:
(topology diagram)


E-R3

!
hostname E-R3
! AAA authentication/authorization and the local account used for VPN
aaa new-model
aaa authentication login default local
aaa authorization network LOCAL-AUTHOR local
username cisco privilege 15 password 0 cisco

!DHCP setup for local machines
ip dhcp pool LOCAL-POOL-172.16.30
   network 172.16.30.0 255.255.255.0
   default-router 172.16.30.1
!ISAKMP Policies
crypto isakmp policy 10
 authentication pre-share
!
crypto isakmp policy 20
 authentication pre-share
 group 2

! Client group setup; ACL VPN-SPLIT-TUNNEL enables split tunnelling for VPN clients
crypto isakmp client configuration group VPN-CLIENT-GROUP
 key vpnclientcisco
 dns 192.168.117.1
 domain leo-li.com
 pool VPN-LOCAL-POOL
 acl VPN-SPLIT-TUNNEL

crypto isakmp profile PROFILE-ISAKMP
   match identity group VPN-CLIENT-GROUP
   isakmp authorization list LOCAL-AUTHOR
   client configuration address respond
   client configuration group VPN-CLIENT-GROUP
   virtual-template 1
!
crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
!
crypto ipsec profile PROFILE-IPSEC
 set transform-set TRANSFORM-IPSEC
 set isakmp-profile PROFILE-ISAKMP

! Loopback0 is used for sub-offices that route their internet traffic through the head office: the Loopback0 address + 1 (172.16.31.2) is the next hop set for packets from the remote office.
interface Loopback0
 ip address 172.16.31.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 !
!
interface FastEthernet0/0
 ip address 172.16.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
 !
!
interface Serial1/0
 ip address 10.100.23.2 255.255.255.0
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 serial restart-delay 0
 !
! The route-map policy is applied on the virtual-template interface, NOT on the physical interface (Serial1/0 here), because the VPN traffic arrives through the tunnel.
!
interface Virtual-Template1 type tunnel
 ip unnumbered Serial1/0
 ip policy route-map VPN_CLIENT_INTERNET
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROFILE-IPSEC
 !
! Addresses for VPN clients can be a separate subnet
ip local pool VPN-LOCAL-POOL 172.16.39.200 172.16.39.250
!
ip nat pool INTERNET-ADDRESSES 10.100.23.3 10.100.23.200 prefix-length 24
ip nat inside source list NAT-ADDRESSES pool INTERNET-ADDRESSES
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
ip access-list extended NAT-ADDRESSES
 deny   ip 172.16.30.0 0.0.0.255 172.16.40.0 0.0.0.255
 permit ip 172.16.30.0 0.0.0.255 any
 permit ip 172.16.31.0 0.0.0.255 any
ip access-list extended VPN-SPLIT-TUNNEL
 permit ip 172.16.30.0 0.0.0.255 any
ip access-list extended VPN_CLIENTS
 permit ip 172.16.39.0 0.0.0.255 any
! Route-map that redirects internet-bound traffic from sub-office VPN clients
route-map VPN_CLIENT_INTERNET permit 10
 match ip address VPN_CLIENTS
 set ip next-hop 172.16.31.2
!
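One way a defender can check such a server config mechanically, as an added example that is not part of the original post: a Python audit that parses a trimmed copy of the E-R3 config shown above, verifies that each Easy VPN object names one that is actually defined (the ordering dependency the server section's comment warns about), and flags the weak settings a reviewer would raise: an ISAKMP policy with no explicit encryption, an ISAKMP profile with no client authentication list (so no Xauth), and a plaintext username password. The names E_R3, REFS, parse_sections and audit_ezvpn_server are mine, and the two IOS behaviours the findings rely on (DES as the policy default, Xauth only when the list is configured) are assumptions I am asserting rather than statements from the page.

```python
# Constructed sample: the E-R3 server config from this post, trimmed to the lines
# the checker inspects (leading spaces mark sub-mode lines, as in IOS output).
E_R3 = """\
aaa authorization network LOCAL-AUTHOR local
username cisco privilege 15 password 0 cisco
crypto isakmp policy 20
 authentication pre-share
 group 2
crypto isakmp client configuration group VPN-CLIENT-GROUP
 key vpnclientcisco
crypto isakmp profile PROFILE-ISAKMP
   match identity group VPN-CLIENT-GROUP
   isakmp authorization list LOCAL-AUTHOR
crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
crypto ipsec profile PROFILE-IPSEC
 set transform-set TRANSFORM-IPSEC
 set isakmp-profile PROFILE-ISAKMP
"""
# (section header, sub-mode command, header of the object that command must name)
REFS = [("crypto isakmp profile", "match identity group", "crypto isakmp client configuration group"),
        ("crypto isakmp profile", "isakmp authorization list", "aaa authorization network"),
        ("crypto ipsec profile", "set transform-set", "crypto ipsec transform-set"),
        ("crypto ipsec profile", "set isakmp-profile", "crypto isakmp profile")]

def parse_sections(config):
    """Map each top-level line to its indented sub-mode lines (hypothetical helper)."""
    sections, current = {}, []
    for ln in (x for x in config.splitlines() if x.strip() and not x.startswith("!")):
        if ln[0] != " ":
            current = sections.setdefault(ln.strip(), [])
        else:
            current.append(ln.strip())
    return sections

def audit_ezvpn_server(config):
    """Return findings: dangling cross-references and weak Easy VPN server settings."""
    s, out = parse_sections(config), []
    names = lambda hdr: {k.split()[len(hdr.split())] for k in s if k.startswith(hdr + " ")}
    for sect, kids in s.items():
        for hdr, cmd, target in REFS:
            for c in (c for c in kids if sect.startswith(hdr) and c.startswith(cmd + " ")):
                if c.split()[len(cmd.split())] not in names(target):
                    out.append(f"{sect}: '{c}' names an undefined {target}")
        if sect.startswith("crypto isakmp policy") and not any(c.startswith("encryption") for c in kids):
            out.append(f"{sect}: no 'encryption' set, so IOS falls back to its DES default")
        if sect.startswith("crypto isakmp profile") and not any(c.startswith("client authentication list") for c in kids):
            out.append(f"{sect}: no 'client authentication list', so Xauth is never requested")
        if sect.startswith("username") and " password " in sect:
            out.append(f"{sect.split(' password')[0]}: plaintext 'password', prefer 'secret'")
    return out
```

Run against the full E-R3 configuration the same way; policy 10, which sets nothing but pre-shared authentication, will be reported for both its default cipher and, if you add a group check, its default DH group.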


E-R4

!
hostname E-R4
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local
!
ip dhcp pool DHCP-172.16.40
   network 172.16.40.0 255.255.255.0
   default-router 172.16.40.1
!
username cisco privilege 15 password 0 cisco
! Easy VPN remote profile: group pre-shared key plus the Xauth user credentials stored locally
crypto ipsec client ezvpn EZVPN-CLIENT
 connect auto
 group VPN-CLIENT-GROUP key vpnclientcisco
 mode client
 peer 10.100.23.2
 username cisco password cisco
 xauth userid mode local
! LAN side: the inside interface of the Easy VPN client
interface FastEthernet0/0
 ip address 172.16.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
 crypto ipsec client ezvpn EZVPN-CLIENT inside
! WAN side: the outside interface (outside is the default role, so no keyword is needed)
interface Serial0/0
 ip address 10.100.24.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 no fair-queue
 serial restart-delay 0
 clock rate 2000000
 crypto ipsec client ezvpn EZVPN-CLIENT
!
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip nat pool INTERNET-ADDRESSES 10.100.24.3 10.100.24.200 prefix-length 24
ip nat inside source list NAT-ADDRESSES pool INTERNET-ADDRESSES
!
ip access-list extended NAT-ADDRESSES
 deny   ip 172.16.40.0 0.0.0.255 172.16.30.0 0.0.0.255
 permit ip 172.16.40.0 0.0.0.255 any


