
vpn roadshow module 4 ios


DOCUMENT INFORMATION

Basic information

Pages: 29
Size: 343.52 KB

Content

© 2003, Cisco Systems, Inc. All rights reserved.

VPN Roadshow
Cisco VPN Partner Technical Development
Module 4: IOS Router VPN Configuration
APAC Channels Technical Operations

Easy VPN Server General Configuration Tasks
The following general tasks are used to configure Easy VPN Server on a Cisco router:
• Task 1—Create IP address pool.
• Task 2—Configure group policy lookup.
• Task 3—Create ISAKMP policy for remote VPN client access.
• Task 4—Define group policy for mode configuration push.
• Task 5—Create a transform set.
• Task 6—Create a dynamic crypto map with RRI.
• Task 7—Apply mode configuration to the dynamic crypto map.
• Task 8—Apply a dynamic crypto map to router interface.
• Task 9—Enable IKE DPD.
• Task 10—Verify the configuration.

Task 1—Create IP Address Pool
[Diagram: Remote client to vpngate1; pool remote-pool, 10.0.1.100 to 10.0.1.150]
router(config)# ip local pool {default | pool-name low-ip-address [high-ip-address]}
vpngate1(config)# ip local pool remote-pool 10.0.1.100 10.0.1.150
• IKE Mode Configuration allows a gateway to download an IP address (and other network level configuration) to the client as part of an IKE negotiation. The gateway gives IP addresses to the IKE client to be used as an "inner" IP address encapsulated under IPSec.
• Creating a local address pool is optional if you are using an external DHCP server.

Task 2—Configure Group Policy Lookup
[Diagram: Remote client to vpngate1; group vpn-remote-access]
router(config)# aaa new-model
router(config)# aaa authorization network group-name local group radius
vpngate1(config)# aaa new-model
vpngate1(config)# aaa authorization network vpn-remote-access local
• Creates a user group for local AAA policy lookup.

Task 3—Create ISAKMP Policy for Remote VPN Client Access
[Diagram: Remote client to vpngate1; Policy 1: Authen: Pre-shared keys, Encryption: 3-DES, Diffie-Hellman: Group 2, Other settings: Default]
vpngate1(config)# crypto isakmp enable
vpngate1(config)# crypto isakmp policy 1
vpngate1(config-isakmp)# authen pre-share
vpngate1(config-isakmp)# encryption 3des
vpngate1(config-isakmp)# group 2
vpngate1(config-isakmp)# exit
• Use standard ISAKMP configuration commands.
• The crypto isakmp policy command puts you into the config-isakmp mode.

Task 4—Define Group Policy for Mode Configuration Push
• Users belong to one group per connection.
  – They may belong to specific groups with different policy requirements.
  – Users may decide to connect to the client using a different group by changing their client profile on the VPN device.
• Task 4 contains the following steps to define the group policy:
  – Step 1—Add the group profile to be defined.
  – Step 2—Configure the IKE pre-shared key.
  – Step 3—Specify the DNS servers (Optional).
  – Step 4—Specify the WINS servers (Optional).
  – Step 5—Specify the DNS domain (Optional).
  – Step 6—Specify the local IP address pool.

Step 1—Add the Group Profile to be Defined
[Diagram: Remote client to vpngate1; Group: vpn-remote-access; Key: myvpnkey; DNS: DNS1 & DNS2; WINS: WINS1 & WINS2; Domain: cisco.com; Pool name: remote-pool; Pool: 10.0.1.100 to 10.0.1.150]
router(config)# crypto isakmp client configuration group {group-name | default}
vpngate1(config)# crypto isakmp client configuration group vpn-remote-access
vpngate1(config-isakmp-group)#
• Specifies which group's policy profile will be defined and enters ISAKMP group configuration mode.

Step 2—Configure the IKE Pre-shared Key
[Diagram: same group profile as Step 1]
router(config-isakmp-group)# key name
vpngate1(config-isakmp-group)# key myvpnkey
• Specify pre-shared key when defining group policy for the Mode Configuration Push.
• Must use this command if VPN client identifies itself to router with pre-shared key.

Step 3—Specify the DNS Servers (Optional)
[Diagram: same group profile as Step 1]
router(config-isakmp-group)# dns primary-server secondary-server
vpngate1(config-isakmp-group)# dns DNS1 DNS2
vpngate1(config-isakmp-group)# dns 172.26.26.120 172.26.26.130
• Specifies the primary and secondary DNS servers for the group.

Step 4—Specify the WINS Servers
[Diagram: same group profile as Step 1]
router(config-isakmp-group)# wins primary-server secondary-server
vpngate1(config-isakmp-group)# wins WINS1 WINS2
vpngate1(config-isakmp-group)# wins 172.26.26.160 172.26.26.170
• Specifies the primary and secondary WINS servers for the group.

[...] keyword was used with older VPN Clients and is no longer used with 3.X version of Cisco VPN clients.

Step 2—Enable IKE Querying for Group Policy
[Diagram: Remote client to vpngate1; group vpn-remote-access]
router(config)# crypto map map-name isakmp authorization list list-name
vpngate1(config)# crypto map dynmap isakmp authorization list vpn-remote-access
• Enables [...]

[...] match the peer.

Step 2—Assign Transform Set to Dynamic Crypto Map
[Diagram: Remote client to vpngate1; transform set name vpntransform]
router(config-crypto-map)# set transform-set transform-set-name [transform-set-name2…transform-set-name6]
vpngate1(config-crypto-map)# set transform-set vpntransform
vpngate1(config-crypto-map)#
• Specify the transform sets for [...] connection will fail.

Task 5—Create Transform Set
[Diagram: Remote client to vpngate1; transform set name vpntransform]
router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
vpngate1(config)# crypto ipsec transform-set vpntransform esp-3des esp-sha-hmac
vpngate1(cfg-crypto-trans)# exit
• A transform set represents a [...]

Step 3—Enable Reverse Route Injection (RRI)
[Diagram: Remote client 10.0.1.100, tunnel 18, vpngate1, File server. 1) Request from 10.0.1.100 on tunnel 18; 2) Request from 10.0.1.100; 3) Response to 10.0.1.100; 4) Respond to 10.0.1.100 on tunnel 18]
router(config-crypto-map)# reverse route
vpngate1(config-crypto-map)# reverse route
vpngate1(config-crypto-map)# exit
• RRI [...]

Step 5—Specify the DNS Domain
[Diagram: same group profile as Step 1]
router(config-isakmp-group)# domain name
vpngate1(config-isakmp-group)# domain cisco.com
• Specifies the domain to which this group belongs.

Step 6—Specify [...]

[...] map name.
• A sequence number specifies the map entry.

Task 8—Apply Dynamic Crypto Map to Router Outside Interface
[Diagram: Remote client to vpngate1 interface e0/1; crypto map name dynmap 1]
vpngate1(config)# interface ethernet0/1
vpngate1(config-if)# crypto map dynmap
vpngate1(config-if)# exit
• Apply the crypto map to the IPSec router's interface connected to the [...]

Task 9—Enable IKE DPD
[Diagram: Remote client and vpngate1. 1) DPD Send: Are you there? 2) DPD Reply: Yes I am here]
router(config)# crypto isakmp keepalive secs retries
• Used to allow the Cisco IOS VPN gateway to send IKE dead peer detection (DPD) messages.
• secs – time between DPD messages. Range is 10-3600 seconds.
• retries – time between retries if DPD message fails. Range is 2-60 seconds.
vpngate1(config)# [...]

Clear and Debug Commands
router(config)# clear crypto isakmp [connection-id]
• Clears all (or specified connection) active IKE connections.
router(config)# debug crypto isakmp
• Displays the full ISAKMP exchange as it occurs in the router.

Summary
• How the Cisco Easy VPN Works
• Easy VPN Server General Configuration [...]

[...]
  – Step 2—Assign a transform set
  – Step 3—Enable RRI

Step 1—Create a Dynamic Crypto Map
[Diagram: Remote client to vpngate1; crypto map name/sequence # dynmap 1]
router(config)# crypto dynamic-map dynamic-map-name dynamic-seq-num
vpngate1(config)# crypto dynamic-map dynmap 1
vpngate1(config-crypto-map)#
• A dynamic crypto map is essentially a crypto map entry without [...]

Step 1—Configure Router to Respond to Mode Configuration Requests
[Diagram: Remote client to vpngate1]
router(config)# crypto map map-name client configuration address {initiate | respond}
vpngate1(config)# crypto map dynmap client configuration address respond
• Configures the router to initiate or reply to Mode Configuration requests.
• Cisco VPN Clients require the respond [...]
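Task 10 of the deck is "Verify the configuration". As an added example that is not part of the Cisco deck, the Python audit below parses a constructed running-config excerpt assembled from the deck's own commands and checks that the pieces actually reference each other: the group pushes the pool that was created, the dynamic map sets the transform set that was defined and has RRI, the crypto map both answers Mode Configuration requests and names the AAA authorization list, the DPD timers sit inside the deck's 10-3600 / 2-60 ranges, and the map is applied to an interface. The hyphenated `reverse-route` spelling and the leading-space indentation of sub-commands are assumptions about IOS running-config output; the sample config is constructed, not captured from a device.

```python
import re
# Constructed running-config excerpt built from the deck's commands (Tasks 1-9);
# not captured from a real device; "reverse-route" is IOS's hyphenated form.
SAMPLE_CONFIG = """\
aaa authorization network vpn-remote-access local
ip local pool remote-pool 10.0.1.100 10.0.1.150
crypto isakmp client configuration group vpn-remote-access
 key myvpnkey
 pool remote-pool
crypto isakmp keepalive 20 10
crypto ipsec transform-set vpntransform esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set vpntransform
 reverse-route
crypto map dynmap client configuration address respond
crypto map dynmap isakmp authorization list vpn-remote-access
interface Ethernet0/1
 crypto map dynmap
"""
def parse_blocks(config):  # top-level IOS command -> list of its indented sub-commands
    blocks, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            blocks[(current := line.strip())] = []
    return blocks

def audit_easy_vpn(config):
    """Return {check: bool}; False means a deck task is missing or its names/ranges do not line up."""
    blocks = parse_blocks(config)
    def find(pattern):  # regex groups and sub-commands of the first matching top-level command
        hits = [(re.match(pattern, cmd), subs) for cmd, subs in blocks.items()]
        return next(((m.groups(), subs) for m, subs in hits if m), (None, []))
    aaa, _ = find(r"aaa authorization network (\S+) local$")
    pool, _ = find(r"ip local pool (\S+) ")
    _, grp_subs = find(r"crypto isakmp client configuration group \S+$")
    dpd, _ = find(r"crypto isakmp keepalive (\d+) (\d+)$")
    ts, _ = find(r"crypto ipsec transform-set (\S+) ")
    _, dyn_subs = find(r"crypto dynamic-map \S+ \d+$")
    resp, _ = find(r"crypto map (\S+) client configuration address respond$")
    auth, _ = find(r"crypto map (\S+) isakmp authorization list (\S+)$")
    _, if_subs = find(r"interface \S+$")
    return {
        "key_and_pool_pushed": bool(pool) and f"pool {pool[0]}" in grp_subs and any(s.startswith("key ") for s in grp_subs),
        "dpd_in_range": bool(dpd) and 10 <= int(dpd[0]) <= 3600 and 2 <= int(dpd[1]) <= 60,
        "dynmap_transform_and_rri": bool(ts) and f"set transform-set {ts[0]}" in dyn_subs and "reverse-route" in dyn_subs,
        "map_mode_config_and_auth": bool(resp and auth and aaa) and resp[0] == auth[0] and auth[1] == aaa[0],
        "map_on_interface": bool(resp) and f"crypto map {resp[0]}" in if_subs,
    }
```

Run `audit_easy_vpn(SAMPLE_CONFIG)` to get all checks True; removing `reverse-route`, pointing the group at a pool that was never created, or setting a DPD interval below 10 seconds flips the matching check to False.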

Posted: 16/11/2014, 19:51