8/5/2014 Configure Cisco Router for Remote Access IPsec VPN Connections | Aaron Walrath - Another IT Guy's Meanderings

http://aaronwalrath.wordpress.com/2008/07/27/configure-cisco-router-for-remote-access-ipsec-vpn-connections/
Configure Cisco Router for Remote Access IPsec VPN Connections
July 27, 2008 awalrath
In this article I'll walk through the configuration of the IOS on a Cisco router to support remote access IPsec VPN connections. IPsec is a suite of
protocols that provides authentication and encryption of packets. Traditionally PPTP has been used extensively for VPNs because of its
simplicity of configuration, especially on the client side. However, the security weaknesses of the PPTP protocol (its MS-CHAPv2 authentication and
RC4-based MPPE encryption) have been well documented. Cisco has a feature called EasyVPN that lets us specify the client configuration on the
server and minimize direct configuration of the VPN on the client.
In this example I will make use of the fantastic GNS3/Dynamips software for router emulation. I've had some difficulties with IPsec and the Dynamips
emulator: the VPN connection will start and work for a short time, but then the connection will freeze. I have tested this configuration and it does work
on a physical router, however.
I have set up my Cisco router with two interfaces, FastEthernet0/0 (external, 192.168.10.0/24) and FastEthernet0/1 (internal, 192.168.2.0/24). The
router is also configured with NAT overload for the internal network. Here is my network diagram, a pretty basic configuration with an external and an
internal network:
Here is my starting configuration of the router. Basically I've assigned IP addresses to the interfaces, configured the default route, and activated
NAT. I'm using a named extended access list to select the traffic to translate; this will be important later because we'll need to exempt traffic
between the internal interface and the IP address pool that our VPN clients will use from NAT.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
interface FastEthernet0/0
ip address 192.168.10.2 255.255.255.0
ip nat outside
ip virtual-reassembly
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.10.254
!
ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended NAT
permit ip any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
Initially we'll start by setting up a local account on the Cisco router itself to use for VPN client authentication. Later, once we've confirmed that this
configuration works, we can move on to modifying it to authenticate users against a central user database via the RADIUS protocol to ease our
administrative burden.
Let's begin by adding a user to the local router database. We'll use the secret keyword instead of password, which stores a type 5 (salted MD5-crypt)
hash rather than a type 7 string. Type 7 is a reversible fixed-key obfuscation, so anyone who can read the configuration can recover the password; a
type 5 hash has to be brute-forced. (Newer IOS releases also offer type 8 (PBKDF2-SHA256) and type 9 (scrypt) hashes through the algorithm-type
keyword, which are stronger still.)
R1# conf t
R1(config)# username aaron secret p@ssw0rd
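To make the type 5 versus type 7 point concrete, here is an added example in Python; it is not code from the original post. It reimplements the type 7 transform, which is a fixed-key XOR, and uses it to recover the plaintext from a `password 7` line, while a `secret 5` line yields nothing. The config fragment is constructed: the type 5 hash is a placeholder in the right format, not a real hash, and audit_local_users is a helper written for this example.

```python
"""Why `secret` beats `password` on IOS: an added example, not code from the
original post. `password` lines are stored as type 7 strings (fixed-key XOR,
reversible by anyone holding the config); `secret` lines are stored as type 5
salted MD5-crypt hashes that must be brute-forced."""
import re

# The fixed key IOS uses for type 7 strings; it is the same on every device.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: int = 0) -> str:
    """Two decimal digits of seed, then each byte XORed with the key, hex-encoded."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS uses seeds 0..15")
    out = [f"{seed:02d}"]
    for i, byte in enumerate(plaintext.encode()):
        out.append(f"{byte ^ _XLAT[(seed + i) % len(_XLAT)]:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Invert type7_encode; no secret is needed, only the config line."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return plain.decode()


# Matches the stored form of both 'username X password Y' (type 7 once
# 'service password-encryption' is on) and 'username X secret Y' (type 5).
_USER_RE = re.compile(r"^username (\S+) (?:password|secret) (\d) (\S+)", re.M)


def audit_local_users(config: str) -> list[dict]:
    """One finding per local user: type 7 entries come back with the recovered
    plaintext, type 5 (and the newer 8/9) entries with None."""
    findings = []
    for user, ptype, value in _USER_RE.findall(config):
        recovered = type7_decode(value) if ptype == "7" else None
        findings.append({"user": user, "type": int(ptype), "recovered": recovered})
    return findings


# Constructed running-config fragment mirroring the post's 'username aaron secret'
# line plus a legacy 'password' user. The $1$ hash is a placeholder, not real.
SAMPLE_CONFIG = f"""\
username aaron secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username legacy password 7 {type7_encode('p@ssw0rd', seed=3)}
"""

if __name__ == "__main__":
    for finding in audit_local_users(SAMPLE_CONFIG):
        print(finding)
```

The well-known string `0822455D0A16` decodes to `cisco`, which is a quick way to confirm the key table above against a real device.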
Now we need to activate the AAA new model to expose the new command set:
R1(config)# aaa new-model
We need to set up extended authentication (Xauth), which prompts each user for a username and password once the group key has been verified in phase 1. Users will be authenticated against the local user database.
R1(config)# aaa authentication login VPN_CLIENT_LOGIN local
We must set up AAA to authorize the clients to use the network. In this example Ill set up a named authorization list.
R1(config)# aaa authorization network VPN_CLIENT_GROUP local
We need to set up an address pool to assign VPN clients with IP addresses. The clients will be on a virtual subnet distinct from the subnets of the
existing interfaces on the Cisco router.
R1(config)# ip local pool VPN_CLIENT_POOL 192.168.20.200 192.168.20.210
Configuring ISAKMP Policy
ISAKMP is the Internet Security Association and Key Management Protocol. For short called IKE it is the protocol that negotiates to allow two
hosts to decide on how to build an IPsec security association (SA). There are two phases to the negotiation. The phase 1 negotiation sets up the
tunnel to secure future management traffic. Phase 2 creates a tunnel to protect the actual data crossing the connection.
Now we will create the ISAKMP policies for clients. Here we define the authentication and encryption methods that the hosts will use. The encryption
algorithm, hash, authentication method and Diffie-Hellman group must match and be agreed upon between the hosts or the secure connection will not be
established; if only the lifetimes differ, the shorter one is used.
First we'll ensure that ISAKMP is turned on (it is enabled by default on IOS, so this is a safety measure).
R1(config)# crypto isakmp enable
Now we'll define a policy number. The lower policy numbers have preference and will be used first if the parameters match. If not, the next policy will
be tested.
R1(config)# crypto isakmp policy 10
We will use a preshared key that we'll type into both the router and the VPN client. Optionally we can use certificates, which are more complex to set
up but will simplify management later. Note that remote-access clients using a group preshared key negotiate phase 1 in IKE aggressive mode, in which
the hash derived from the key is sent before the exchange is encrypted, so anyone who can initiate a connection can capture it and guess the key
offline. Use a long random group key, and prefer certificates where you can.
R1(config-isakmp)# authentication pre-share
We'll use triple DES as the encryption algorithm that protects the phase 1 (ISAKMP) exchange itself; the session keys come from the Diffie-Hellman exchange below, not from the cipher. 3DES is a legacy choice today, and on recent IOS releases AES (encryption aes 256) should be used where the clients support it.
R1(config-isakmp)# encryption 3des
We will use the SHA hashing algorithm (SHA-1 on IOS, applied as an HMAC) to check the integrity and authenticity of the phase 1 messages; newer IOS releases also offer hash sha256.
R1(config-isakmp)# hash sha
We will specify Diffie-Hellman group 2 for the key exchange that derives the session keys. The group number selects the size of the DH modulus: group 1
is 768 bits, group 2 is 1024 bits, and group 14, the preferred choice today, is 2048 bits.
R1(config-isakmp)# group 2
Optionally we can specify a lifetime, in seconds, after which the phase 1 SA expires and is renegotiated with fresh keys; the default is 86400 (24 hours).
R1(config-isakmp)# lifetime 3600
R1(config-isakmp)# exit
We need to specify the VPN client group settings. Here is where we specify what settings will be assigned to the VPN client group; we will need to
specify this VPN group name later in the VPN client software.
R1(config)# crypto isakmp client configuration group VPN_CLIENTS
In this config we will identify the preshared key for this group. We will also specify the DNS server to use, the default domain name, and the pool
from which the VPN client will receive an IP address.
R1(config-isakmp-group)# key ClientVpnKey
R1(config-isakmp-group)# dns 192.168.2.4
R1(config-isakmp-group)# domain test.local
R1(config-isakmp-group)# pool VPN_CLIENT_POOL
We also need to have this group use an access list that implements a split tunnel. Only traffic between the VPN clients and the internal network will be
encrypted and sent through the tunnel; traffic to the internet will bypass the VPN and leave the client directly. Keep in mind that a split-tunnelled client
is on the internet and on your internal network at the same time, which is the trade-off against tunnelling everything.
R1(config-isakmp-group)# acl 110
R1(config-isakmp-group)# exit
We must now create the access control list where we define the subnets for the internal network and the VPN client pool.
R1(config)# access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
It is time to specify the IPsec transform set, which defines the phase 2 (IPsec SA) algorithms: ESP with 3DES for encryption and HMAC-SHA-1 for integrity. This is separate from the ISAKMP policy, which only governs phase 1.
R1(config)# crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# exit
Now it is time to create a dynamic crypto map entry. Because the addresses of remote-access clients are not known in advance, this is a template without a peer address; it has to be referenced from a real crypto map, which we create later.
R1(config)# crypto dynamic-map EXT_DYNAMIC_MAP 10
R1(config-crypto-map)# set transform-set TRANS_3DES_SHA
R1(config-crypto-map)# exit
The next commands are applied to the real crypto map, EXT_MAP, which we will create shortly. The first turns on the server's response to client
configuration requests, such as when the client asks for the DNS settings specified in the client configuration group earlier.
R1(config)# crypto map EXT_MAP client configuration address respond
We need to apply the AAA authentication (Xauth) and authorization (group policy) lists to the crypto map. Again we are using the local database of users.
R1(config)# crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
R1(config)# crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
Now we need to attach the dynamic crypto map template to the real crypto map. Our real crypto map may have other connections like site to site
VPN included as well.
R1(config)# crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
Now we need to attach the real crypto map to our external interface.
R1(config)# int f0/0
R1(config-if)# crypto map EXT_MAP
R1(config-if)# exit
Now we will tell NAT not to translate traffic from the internal subnet destined for our VPN client pool. Access lists are evaluated top-down with the
first match winning, so the deny has to come before the existing permit; we specify 5 for the sequence number (the default for the permit should be 10).
Without this, inside-to-outside packets are translated before the crypto map is checked, so traffic to the clients would no longer match the crypto
ACL and would leave the router untranslated-to-192.168.10.2 and unencrypted.
R1(config)# ip access-list extended NAT
R1(config-ext-nacl)# 5 deny ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
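The two access lists in this walkthrough, 110 for split tunnelling and the NAT exemption just added, both depend on IOS evaluating entries top-down by sequence number with the first match winning. The following Python model is an added example, not code from the original post; it reproduces that evaluation for the ACLs above and shows what happens if the deny is appended without the sequence number 5. Only `ip` entries with contiguous wildcard masks are modelled, which is an assumption, and the packets are constructed test traffic.

```python
"""IOS access-list evaluation, modelled for the NAT and split-tunnel ACLs in
this walkthrough. Added example, not code from the original post. Assumption:
only 'ip' entries with contiguous wildcard masks are handled."""
import ipaddress
from dataclasses import dataclass


@dataclass(order=True)
class Ace:
    seq: int
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """An IOS wildcard is an inverted netmask: 0.0.0.255 -> /24."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_ace(line: str, default_seq: int) -> Ace:
    """Parse '[seq] permit|deny ip <src> <dst>' where each side is
    'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = line.split()
    seq = int(tok.pop(0)) if tok[0].isdigit() else default_seq
    action, proto, rest = tok[0], tok[1], tok[2:]
    if proto != "ip":
        raise ValueError("only 'ip' entries are modelled here")
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.IPv4Network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1]))
            rest = rest[2:]
    return Ace(seq, action, nets[0], nets[1])


class AccessList:
    def __init__(self, lines=()):
        self.aces: list[Ace] = []
        for line in lines:
            self.add(line)

    def add(self, line: str) -> None:
        # Without an explicit sequence number IOS appends at the next multiple of 10.
        nxt = (max((a.seq for a in self.aces), default=0) // 10 + 1) * 10
        self.aces.append(parse_ace(line, nxt))
        self.aces.sort()

    def evaluate(self, src: str, dst: str) -> str:
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for ace in self.aces:          # top-down, first match wins
            if s in ace.src and d in ace.dst:
                return ace.action
        return "deny"                  # implicit deny at the end of every ACL


INSIDE, POOL = "192.168.2.0 0.0.0.255", "192.168.20.0 0.0.0.255"


def nat_acl_original() -> AccessList:
    """ip access-list extended NAT as in the starting config."""
    return AccessList(["permit ip any any"])


def nat_acl_fixed() -> AccessList:
    """The post's fix: deny inside->pool at sequence 5, before the permit at 10."""
    acl = nat_acl_original()
    acl.add(f"5 deny ip {INSIDE} {POOL}")
    return acl


def nat_acl_appended() -> AccessList:
    """The mistake to avoid: the same deny without a sequence number lands at
    20, after 'permit ip any any', so it is never reached."""
    acl = nat_acl_original()
    acl.add(f"deny ip {INSIDE} {POOL}")
    return acl


SPLIT_TUNNEL_110 = AccessList([f"permit ip {INSIDE} {POOL}"])   # access-list 110


def will_be_natted(acl: AccessList, src: str, dst: str) -> bool:
    return acl.evaluate(src, dst) == "permit"


def is_tunnelled(src: str, dst: str) -> bool:
    """Router-side view of access-list 110: inside network to the client pool."""
    return SPLIT_TUNNEL_110.evaluate(src, dst) == "permit"


if __name__ == "__main__":   # constructed test traffic: an inside host to a VPN client
    for name, acl in [("original", nat_acl_original()), ("fixed", nat_acl_fixed()),
                      ("appended", nat_acl_appended())]:
        print(name, [a.seq for a in acl.aces],
              "natted" if will_be_natted(acl, "192.168.2.10", "192.168.20.205") else "exempt")
```

The `appended` case is the one that bites in practice: `show access-list NAT` shows the deny, but it sits at 20 behind the permit and traffic to the clients is still translated.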
Whew! Okay we should finally be done. Exit and write to memory:
R1(config-ext-nacl)# exit
R1(config)# wr
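Before moving on to the client, a check worth running against the saved configuration. This is an added example in Python, not code from the original post. It parses the crypto isakmp policy and client configuration group blocks (filling in the IOS defaults for lines that show run omits) and the transform set, and flags the legacy choices this walkthrough makes. The running-config is constructed from the commands above, and the thresholds (AES, SHA-2, DH group 14 or higher, a 20-character group key) are assumptions drawn from current hardening guidance, not IOS rules.

```python
"""Audit a saved IOS config for the legacy IKE/IPsec choices made in this
walkthrough. Added example, not code from the original post; thresholds are
assumptions for this example, not IOS rules."""
import re

ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}   # what IOS assumes when a line is absent
LEGACY_ENCR = {"des", "3des"}
LEGACY_HASH = {"md5", "sha"}        # 'hash sha' means SHA-1 on IOS
LEGACY_DH = {"1", "2", "5"}         # 768-, 1024- and 1536-bit MODP groups
LEGACY_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}
MIN_GROUP_KEY_LEN = 20              # assumption for this example, not an IOS limit


def _blocks(config, header_re):
    """Yield (header match, [indented body lines]) for each config block whose
    header line matches header_re; any unindented line ends the block."""
    header, body = None, []
    for line in config.splitlines() + [""]:   # sentinel flushes the last block
        if header is not None and line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = re.match(header_re, line), []


def parse_isakmp_policies(config: str) -> dict[int, dict[str, str]]:
    policies = {}
    for hdr, body in _blocks(config, r"^crypto isakmp policy (\d+)$"):
        settings = dict(ISAKMP_DEFAULTS)
        for entry in body:
            key, _, val = entry.partition(" ")
            settings["encr" if key == "encryption" else key] = val
        policies[int(hdr.group(1))] = settings
    return policies


def parse_client_groups(config: str) -> dict[str, dict[str, str]]:
    groups = {}
    for hdr, body in _blocks(config, r"^crypto isakmp client configuration group (\S+)$"):
        settings = {}
        for entry in body:
            key, _, val = entry.partition(" ")
            settings[key] = val
        groups[hdr.group(1)] = settings
    return groups


def audit_config(config: str) -> list[str]:
    findings = []
    for num, p in sorted(parse_isakmp_policies(config).items()):
        if p["encr"] in LEGACY_ENCR:
            findings.append(f"isakmp policy {num}: encryption {p['encr']} is legacy, use aes 256")
        if p["hash"] in LEGACY_HASH:
            findings.append(f"isakmp policy {num}: hash {p['hash']} is MD5/SHA-1, use sha256")
        if p["group"] in LEGACY_DH:
            findings.append(f"isakmp policy {num}: DH group {p['group']} is under 2048 bits, use group 14 or higher")
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        legacy = [t for t in m.group(2).split() if t in LEGACY_ESP]
        if legacy:
            findings.append(f"transform-set {m.group(1)}: legacy transforms {' '.join(legacy)}, use esp-aes 256 esp-sha256-hmac")
    # EasyVPN groups authenticate with a pre-shared key in IKE aggressive mode,
    # so the key must stand up to offline guessing by anyone who can connect.
    for name, g in parse_client_groups(config).items():
        key = g.get("key", "")
        if len(key) < MIN_GROUP_KEY_LEN:
            findings.append(f"client group {name}: pre-shared key is {len(key)} characters, use a long random key or certificates")
    if re.search(r"^ip http server$", config, re.M):
        findings.append("ip http server: cleartext management interface enabled, disable it or use secure-server only")
    return findings


# Constructed from the commands in this walkthrough, not a real device dump.
# 'hash sha' is omitted on purpose: show run hides defaults, the audit must not.
SAMPLE_RUNNING_CONFIG = """\
hostname R1
aaa new-model
ip http server
no ip http secure-server
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp client configuration group VPN_CLIENTS
 key ClientVpnKey
 dns 192.168.2.4
 domain test.local
 pool VPN_CLIENT_POOL
 acl 110
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
end
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Feed it the output of `show running-config` copied from a real router; the block parser only relies on IOS indenting sub-mode lines with a single space.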
IPsec EasyVPN Client Configuration
Now we'll configure the client side of things. As you'll see, EasyVPN makes this, as the name suggests, easy! Install the Cisco VPN Client
and reboot. Once completed, launch the application:
Click New.
Enter a connection entry name and, as the host, the IP address or DNS name of the router's external interface (192.168.10.2 in this lab). Enter the VPN
group name that you entered in the Cisco IOS earlier (VPN_CLIENTS) along with the key for the group (ClientVpnKey) as the password. Click Save.
That's it for the client configuration!
Highlight the connection you created and click Connect. If all goes well it will prompt you for a username/password. Enter the information that you
specified for the user in the Cisco IOS local database (aaron/p@ssw0rd). Hopefully you will now be connected!
Categories: Cisco, VPN Tags: Cisco, VPN
Comments (3)
1.
zamurei
August 3, 2012 at 8:26 am
Hi,
thanks for the nice guide but I got an error:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at x.x.x.x
Can you help me with this error?
Thanks and have a nice day.
2.
Zolee
January 7, 2013 at 6:26 pm
Hi!
Thanks for the guide, very useful. I have a question: is it possible to send UDP broadcast (helper-address) in this VPN? Thanks
3.
Rohit Shrivastava
May 27, 2013 at 11:27 pm
Very nice explanation, thanks heaps.