
Upload: suley-paterson

Post on 29-Oct-2015



Cisco IOS VPN Configuration

Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

      10.5.6.0/24                                    172.23.9.0/24
      |                                                          |
    --|                                                          |--
      |     +-----------+     /-^-^-^-^--\     +-----------+     |
      |-----| Gateway A |=====| Internet |=====| Gateway B |-----|
      |   AL+-----------+AW   \--v-v-v-v-/   BW+-----------+BL   |
    --|  10.5.6.1   14.15.16.17         22.23.24.25   172.23.9.1 |--
      |                                                          |

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:

* Main mode
* TripleDES
* SHA-1
* MODP group 2 (1024 bits)
* pre-shared secret of "hr5xb84l6aa9r6"
* SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:

* TripleDES
* SHA-1
* ESP tunnel mode
* MODP group 2 (1024 bits)
* Perfect forward secrecy for rekeying
* SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
* Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets

To set up Gateway A for this scenario, use the following steps:

Cisco IOS includes IPSec support beginning with early versions of IOS Version 12; however, the commands have changed during the evolution of IOS Version 12 point releases. The following example uses the current release version, Cisco IOS Version 12.2(8)T4.

This example uses a Cisco 1700 series router, which has one ethernet port and one serial port. The ethernet port, FastEthernet0, will be the outside, or Internet-facing, interface. The serial port, Serial0, will be the inside interface. (This is just an example. Your interfaces may be different.)

All configuration changes are volatile, and immediate, until the "write" command is executed, when the configuration is saved to flash and will be reloaded after a reboot. At any time, you may examine the running configuration with the command "show running-config", or view the saved configuration with the command "show config". Most commands can be abbreviated. Use a ? at the prompt or in a command to see options.

Configure IP on the interfaces:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int fa0
Router(config-if)# ip address 14.15.16.17 255.255.255.0
Router(config-if)# speed auto
Router(config-if)# ^Z
Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# int ser0
Router(config-if)# ip address 10.5.6.1 255.255.255.0
Router(config-if)# no shutdown
Router(config-if)# ^Z
Router#

Define the default route:

Router# config term
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit

Cisco supports only one IKE policy per router, so you must design one which is acceptable to all systems you are going to interoperate with. Assign it an ordering number of 5. If you wanted to have more than one proposal in the policy, the proposals would be given in the order defined by this policy order number. Configure the IKE Policy:

Router# config term
Router(config)# crypto isakmp policy 5
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# group 2
Router(config-isakmp)# hash sha
Router(config-isakmp)# lifetime 28800
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# exit

Since multiple peers will share the same IKE policy, you must match each peer with its pre-shared secret:

Router# config term
Router(config)# crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
Router(config)# exit

The IPSEC transform will be combined later with the rest of the IPSEC policy in a crypto map command. In this command, "STRONG" is just a label. Labels are CASE-SENSITIVE. Define the IPSEC transform:

Router# config term
Router(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
Router(cfg-crypto-trans)# exit

Cisco IOS uses access lists for SPD entries. Many features of access lists (e.g. TCP flag checking) don't work in IPSEC. This kind of access list MUST be labelled with a 3-digit number. The netmasks in Cisco access lists are inverted. Nobody knows why, they just are. This list says "all traffic from 10.5.6.0/24 to 172.23.9.0/24, all ports, all IP protocols". Create the IPSEC access list:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
Router(config)# ip route 0.0.0.0 0.0.0.0 14.15.16.1
Router(config)# exit
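The inverted mask is the part of this step people get wrong by hand, and the far-end gateway needs the same selectors with source and destination swapped (IOS crypto ACLs on the two peers must be mirror images). The following Python helper is an added example, not part of the original tutorial: it renders Phase 2 selectors given as CIDR pairs into extended access-list lines, computing the wildcard mask from the prefix and optionally mirroring the pairs for the remote side. The function and constant names are this example's own; the extended ACL number ranges are the standard IOS ranges.

```python
import ipaddress

# Numbered extended access lists in IOS: 100-199 and the expanded 2000-2699 range.
EXTENDED_ACL_RANGES = ((100, 199), (2000, 2699))


def wildcard_mask(cidr: str) -> str:
    """Cisco access lists take an inverted ('wildcard') mask: 0 bits must
    match, 1 bits are ignored. For a prefix that is simply the host mask,
    so 10.5.6.0/24 gives 0.0.0.255."""
    return str(ipaddress.IPv4Network(cidr, strict=False).hostmask)


def crypto_acl_lines(acl_number: int, selectors, mirror: bool = False) -> list:
    """Render Phase 2 selectors as 'access-list N permit ip ...' lines.

    selectors is a list of (local_cidr, remote_cidr) pairs meaning all IP
    protocols and all ports between the two subnets. With mirror=True the
    pairs are swapped, which is the list the far-end gateway must carry.
    """
    if not any(lo <= acl_number <= hi for lo, hi in EXTENDED_ACL_RANGES):
        raise ValueError(f"{acl_number} is not an extended access-list number")
    lines = []
    for local, remote in selectors:
        if mirror:
            local, remote = remote, local
        # strict=False tolerates a host address such as 10.5.6.1/24 and
        # renders the network it belongs to (10.5.6.0), which is what the
        # selector in the ACL has to name.
        l_net = ipaddress.IPv4Network(local, strict=False)
        r_net = ipaddress.IPv4Network(remote, strict=False)
        lines.append(
            f"access-list {acl_number} permit ip "
            f"{l_net.network_address} {l_net.hostmask} "
            f"{r_net.network_address} {r_net.hostmask}"
        )
    return lines


if __name__ == "__main__":
    selectors = [("10.5.6.0/24", "172.23.9.0/24")]  # Scenario 1 selectors
    print("Gateway A:")
    for line in crypto_acl_lines(101, selectors):
        print(" ", line)
    print("Gateway B (mirror):")
    for line in crypto_acl_lines(101, selectors, mirror=True):
        print(" ", line)
```

Run it as a script to print both sides of the Scenario 1 access list; feeding it a list of several subnet pairs produces one permit line per pair under the same ACL number.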

Because IOS is a router first and an IPSEC gateway second, we have to tell IOS which interface to send packets on if the default route is not enough. In this scenario we don't need it, but in other situations you might need to define a route for the remote protected network:

Router# config term
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip route 172.23.9.0 255.255.255.0 14.15.16.1
Router(config)# exit

A crypto map binds all the assorted crypto parameters with a specific remote gateway. Several crypto maps bound to different remote gateways can be grouped together in one crypto map SET which is then bound to an outgoing interface. The number following the crypto map set name is the ordering of the map in the set. Bind the policy together with a crypto map, and give it the label CISCO:

Router# config term
Router(config)# crypto map CISCO 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 22.23.24.25
Router(config-crypto-map)# match address 101
Router(config-crypto-map)# exit

Because Ciscos could have many interfaces, you have to bind the SPD to the outgoing interface:

Router# config term
Router(config)# interface fa0
Router(config-if)# crypto map CISCO
Router(config-if)# ^Z

If you had multiple tunnels to multiple gateways, you would need to create a different access list for each tunnel, add an isakmp key entry for each gateway, and possibly create a different ipsec transform if your security policy is different. For example, let's say you have another remote peer at 23.23.24.25, for which you have created access-list 102. You could then add a crypto map to the set created above:

Router# config term
Router(config)# crypto map CISCO 20 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
Router(config-crypto-map)# set security-association life seconds 3600
Router(config-crypto-map)# set transform-set STRONG
Router(config-crypto-map)# set pfs group2
Router(config-crypto-map)# set peer 23.23.24.25
Router(config-crypto-map)# match address 102
Router(config-crypto-map)# exit

Now the outgoing interface FastEthernet0 has both crypto maps, and it will compare traffic to each map in order to determine if the traffic requires encryption.

Save the configuration:

Router# write
Building configuration...
[OK]

Here is the completed IPSEC part of the Cisco configuration:

Router# show config
!
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
!
crypto map CISCO 10 ipsec-isakmp
 set peer 22.23.24.25
 set transform-set STRONG
 set pfs group2
 match address 101
!
interface FastEthernet0
 ip address 14.15.16.17 255.255.255.0
 speed auto
 crypto map CISCO
!
interface Serial0
 ip address 10.5.6.1 255.255.255.0
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
!
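Everything the crypto map refers to lives in a different part of the configuration, and IOS will happily store a map whose transform-set label differs in case from the definition, whose peer has no isakmp key, or whose set is never applied to an interface. The following Python linter is an added example, not something from the tutorial or from Cisco: it reads saved config text in the shape of the "show config" output above and reports those mismatches. The sample configuration embedded in it is constructed for the demonstration and deliberately defines the transform-set as "strong" while the maps reference "STRONG", and gives the second map a peer with no key and an access list that does not exist.

```python
import re

# Constructed sample config (not the tutorial's own) with deliberate slips:
# transform-set defined as "strong" but referenced as "STRONG"; crypto map
# CISCO 20 has no isakmp key for its peer and matches an undefined ACL.
SAMPLE_CONFIG = """\
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key hr5xb84l6aa9r6 address 22.23.24.25
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
!
crypto map CISCO 10 ipsec-isakmp
 set peer 22.23.24.25
 set transform-set STRONG
 set pfs group2
 match address 101
crypto map CISCO 20 ipsec-isakmp
 set peer 23.23.24.25
 set transform-set STRONG
 set pfs group2
 match address 102
!
interface FastEthernet0
 ip address 14.15.16.17 255.255.255.0
 crypto map CISCO
!
access-list 101 permit ip 10.5.6.0 0.0.0.255 172.23.9.0 0.0.0.255
!
"""

# A config "block": a top-level line followed by its indented sub-lines.
BLOCK = r"^{head}\n((?:[ \t]+.*\n?)*)"


def lint_ipsec_config(config: str) -> list:
    """Cross-check the IPsec section of an IOS config: labels are case-
    sensitive, every crypto map peer needs an isakmp key, the matched ACL
    must exist, and the crypto map set must be applied to an interface."""
    flags = re.M
    transform_sets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, flags))
    # Keys may be written as "key SECRET address", "key 0 SECRET address" or "key 6 ... address".
    keyed_peers = set(re.findall(r"^crypto isakmp key (?:[06] )?\S+ address (\S+)", config, flags))
    acls = set(re.findall(r"^access-list (\S+) ", config, flags))
    acls |= set(re.findall(r"^ip access-list extended (\S+)", config, flags))
    bound = set()
    for body in re.findall(BLOCK.format(head=r"interface \S+"), config, flags):
        bound |= set(re.findall(r"^\s*crypto map (\S+)\s*$", body, flags))

    problems = []
    map_sets = set()
    for name, seq, body in re.findall(
            BLOCK.format(head=r"crypto map (\S+) (\d+) ipsec-isakmp"), config, flags):
        map_sets.add(name)
        where = f"crypto map {name} {seq}"
        ts = re.search(r"set transform-set (\S+)", body)
        if ts is None:
            problems.append(f"{where}: no transform-set")
        elif ts.group(1) not in transform_sets:
            hint = ""
            if ts.group(1).lower() in {t.lower() for t in transform_sets}:
                hint = " (labels are case-sensitive)"
            problems.append(f"{where}: transform-set {ts.group(1)} is not defined{hint}")
        peers = re.findall(r"set peer (\S+)", body)
        if not peers:
            problems.append(f"{where}: no peer")
        for peer in peers:
            if peer not in keyed_peers:
                problems.append(f"{where}: no crypto isakmp key for peer {peer}")
        acl = re.search(r"match address (\S+)", body)
        if acl is None:
            problems.append(f"{where}: no match address")
        elif acl.group(1) not in acls:
            problems.append(f"{where}: access-list {acl.group(1)} is not defined")
    for name in sorted(map_sets):
        if name not in bound:
            problems.append(f"crypto map set {name} is not applied to any interface")
    return problems


if __name__ == "__main__":
    for problem in lint_ipsec_config(SAMPLE_CONFIG):
        print(problem)
```

Run against the saved configuration of a gateway (the text of "show config"), the linter returns an empty list when every crypto map entry is fully wired up; each string it returns names the map sequence number the problem belongs to.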

Now, bring up a tunnel! The IOS ping command extensions will allow you to select the source interface, and hence IP address, of the ping:


Router# ping
Protocol [ip]:
Target IP address: 172.23.9.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: serial0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.23.9.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Hmmmm ... what could be wrong? Let's check some basics:

Router# show ip int brief
Interface          IP-Address      OK? Method Status     Protocol
FastEthernet0      14.15.16.17     YES manual up         up
Serial0            10.5.6.1        YES manual down       down

Ah, the serial interface is down. I have to actually connect it up to somethingto bring the interface up. Now, the ping works and brings up the SAs.

Show the SAs with these commands:

Router# show crypto isakmp sa
dst             src             state          conn-id    slot
14.15.16.17     22.23.24.25     QM_IDLE              1       0

Router# show crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: CISCO, local addr. 14.15.16.17

   local  ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.23.9.0/255.255.255.0/0/0)
   current_peer: 22.23.24.25
     PERMIT, flags={origin_is_acl,}
    # pkts encaps: 12, # pkts encrypt: 12, # pkts digest 12
    # pkts decaps: 23, # pkts decrypt: 23, # pkts verify 23
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
    # send errors 0, # recv errors 0

     local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25
     path mtu 1500, media mtu 1500
     current outbound spi: 3C39A800

     inbound esp sas:
      spi: 0xD7228E4B(3609366091)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3C39A800(1010411520)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
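The counters in this output are the quickest way to tell a tunnel that is up from one that only looks up: an SA with encaps climbing and decaps stuck at zero means the packets leave encrypted but nothing comes back, which is the usual symptom of a peer whose crypto ACL is not the mirror of ours or which has no route back to our LAN. The following Python script is an added example, not part of the tutorial: it parses the fields worth watching out of "show crypto ipsec sa" text and returns a list of findings. The embedded sample is the Gateway A output shown above, copied in so the script runs offline; the function names and the 300-second rekey warning threshold are this example's own choices.

```python
import re

# 'show crypto ipsec sa' output for Gateway A, copied from the tutorial above
# so the parser has something to run on offline.
SAMPLE = """\
interface: FastEthernet0
    Crypto map tag: CISCO, local addr. 14.15.16.17

   local  ident (addr/mask/prot/port): (10.5.6.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.23.9.0/255.255.255.0/0/0)
   current_peer: 22.23.24.25
     PERMIT, flags={origin_is_acl,}
    # pkts encaps: 12, # pkts encrypt: 12, # pkts digest 12
    # pkts decaps: 23, # pkts decrypt: 23, # pkts verify 23
    # pkts compressed: 0, # pkts decompressed: 0
    # pkts not compressed: 0, # pkts compr. failed: 0, # pkts decompress failed: 0
    # send errors 0, # recv errors 0

     local crypto endpt.: 14.15.16.17, remote crypto endpt.: 22.23.24.25
     path mtu 1500, media mtu 1500
     current outbound spi: 3C39A800

     inbound esp sas:
      spi: 0xD7228E4B(3609366091)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3C39A800(1010411520)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4607999/3574)
        IV size: 8 bytes
        replay detection support: Y
"""


def parse_ipsec_sa(text: str) -> dict:
    """Extract peer, packet counters, error counters and the ESP SAs
    (SPI and remaining seconds) per direction from 'show crypto ipsec sa'."""
    def count(pattern):
        m = re.search(pattern, text)
        return int(m.group(1)) if m else 0

    peer = re.search(r"current_peer:\s*(\S+)", text)
    sa = {
        "peer": peer.group(1) if peer else None,
        "encaps": count(r"#\s?pkts encaps:\s*(\d+)"),
        "decaps": count(r"#\s?pkts decaps:\s*(\d+)"),
        "send_errors": count(r"#\s?send errors\s*(\d+)"),
        "recv_errors": count(r"#\s?recv errors\s*(\d+)"),
        "esp": {"inbound": [], "outbound": []},
    }
    direction = None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("sas:"):
            # Only the ESP sections matter here; AH/PCP headers end the section.
            direction = s.split()[0] if s.startswith(("inbound esp", "outbound esp")) else None
            continue
        if direction is None:
            continue
        m = re.match(r"spi: 0x([0-9A-Fa-f]+)", s)
        if m:
            sa["esp"][direction].append({"spi": m.group(1).upper(), "remaining_sec": None})
        m = re.search(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", s)
        if m and sa["esp"][direction]:
            sa["esp"][direction][-1]["remaining_sec"] = int(m.group(2))
    return sa


def assess(sa: dict, rekey_warn_sec: int = 300) -> list:
    """Turn the parsed SA into human-readable findings; empty means healthy."""
    findings = []
    for d in ("inbound", "outbound"):
        if not sa["esp"][d]:
            findings.append(f"no {d} ESP SA with {sa['peer']}: Phase 2 has not completed")
    if sa["encaps"] and not sa["decaps"]:
        findings.append("one-way traffic: packets are encrypted to the peer but none come back "
                        "(check that the peer's crypto ACL mirrors ours and that it routes our LAN)")
    if sa["decaps"] and not sa["encaps"]:
        findings.append("one-way traffic: packets arrive from the peer but none are sent "
                        "(check our crypto ACL and the route to the remote LAN)")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"errors: send={sa['send_errors']} recv={sa['recv_errors']}")
    for d in ("inbound", "outbound"):
        for esp in sa["esp"][d]:
            if esp["remaining_sec"] is not None and esp["remaining_sec"] < rekey_warn_sec:
                findings.append(f"{d} SPI {esp['spi']} rekeys in {esp['remaining_sec']}s")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    print(parsed["peer"], "encaps", parsed["encaps"], "decaps", parsed["decaps"])
    print(assess(parsed) or ["tunnel healthy"])
```

Paste the output of the command into SAMPLE (or read it from a file) and the findings list tells you which of the usual failure modes you are looking at; an output cut off before the "inbound esp sas:" section, as when Phase 1 is up but Phase 2 never negotiated, produces one "no ESP SA" finding per direction.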

The easiest way to clear SAs from a Cisco IOS system varies with version, but one of these two will generally work:

Router# clear crypto isakmp
Router# clear crypto sa

To enable debugging in IOS, you must turn on the debug as well as turn on the debug monitor, which is normally the terminal you are logged in on:

Router# debug crypto verbose
Router# debug crypto isakmp
Router# term monitor

To disable debugging:

Router# no debug all
Router# term no monitor