VPN Technologies

Easy VPN config:

Configuring Easy VPN from the CLI:

1. Set up an IP pool

(config)# ip local pool REMOTE_VPN_Clients 10.0.0.20 10.0.0.30

2. Configure the AAA authorization method for VPN clients

(config)aaa new-model
(config)aaa authorization network VPN_CLIENTS local

3. Create ISAKMP policies for VPN clients

(config)crypto isakmp enable
(config)crypto isakmp policy 100
(config-isakmp)authentication pre-share
(config-isakmp)encryption aes 128
(config-isakmp)group 2
(config)crypto isakmp policy 150
(config-isakmp)authentication pre-share
(config-isakmp)encryption aes 128
(config-isakmp)group 2
(config)crypto isakmp policy 160
(config-isakmp)authentication pre-share
(config-isakmp)encryption 3des
(config-isakmp)group 2


4. Specify the VPN client group settings

(config)crypto isakmp client configuration group VPN_CLIENTS
(config-isakmp-group)key securekey100cr
(config-isakmp-group)dns 4.2.2.1
(config-isakmp-group)dns 8.8.8.8
(config-isakmp-group)wins 10.0.0.12
(config-isakmp-group)domain lab.net
(config-isakmp-group)pool REMOTE_VPN_Clients

5. Specify the IPSEC transform-set

(config)crypto ipsec transform-set VPN_CLIENT esp-3des esp-sha-hmac

6. Create a dynamic crypto map entry with RRI (Reverse Route Injection)

(config)crypto dynamic-map VPN_CLIENT 100
(config-crypto-map)set transform-set VPN_CLIENT
(config-crypto-map)reverse-route

7. Turn on server response to client configuration requests (on the static crypto map that carries the dynamic map)
(config)crypto map SAMPLE client configuration address respond

8. Apply the AAA authorization method to ISAKMP on the crypto map
(config)crypto map SAMPLE isakmp authorization list VPN_CLIENTS

Create the crypto map for the dynamic map:
(config)crypto map SAMPLE 10 ipsec-isakmp
(config-crypto-map)set peer 10.0.0.x


9. Add the dynamic-map entry to the crypto map
(config)crypto map SAMPLE 200 ipsec-isakmp dynamic VPN_CLIENT

10. Apply crypto map to interface
(config)int fa0/0
(config-if)crypto map SAMPLE

11. Turn on dead peer detection
(config)crypto isakmp keepalive 30 5

12. Activate extended authentication (XAUTH) - optional but highly recommended
(config)aaa authentication login XAUTH local
(config)crypto isakmp xauth timeout 15
(config)crypto map SAMPLE client authentication list XAUTH
(config)username test password test
__________________________________________________________________________________
Site-to-Site VPN:

Site-to-site tunnel lifecycle:


1. Router sees "interesting" traffic (defined through an access list) and brings up the VPN

2. IKE Phase 1 negotiated, security association (SA) established

3. IKE Phase 2 negotiated, security association (SA) established

4. Data transmitted through the IPsec tunnel

5. IPsec tunnel is torn down after data transmission is completed


Configuring Site-to-Site

1. Set up the ISAKMP policy (for IKE phase 1)

2. Set up the IPsec transform-set (for IKE phase 2)

3. Define interesting traffic (access list)

4. Set up a crypto map

5. Assign the crypto map to the interface


Router 1
Step 1: IKE phase 1
(config)crypto isakmp policy 100
(config-isakmp)authentication pre-share
(config-isakmp)encryption aes 128
(config-isakmp)group 2
(config-isakmp)hash sha
(config-isakmp)lifetime 86400
(config)crypto isakmp key 0 secruemytraffic4@@$$5 address 192.168.1.2 no-xauth

Step 2: IKE phase 2
(config)crypto ipsec transform-set MYVPN esp-aes esp-sha-hmac

Step 3: Configure interesting traffic
(config)ip access-list extended TRAFFIC
(config-ext-nacl)permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Step 4: Set up the crypto map
(config)crypto map VPN_MAP 10 ipsec-isakmp
(config-crypto-map)set peer 192.168.1.2
(config-crypto-map)match address TRAFFIC
(config-crypto-map)set transform-set MYVPN

Step 5: Apply the crypto map to the interface
(config)int s0/0
(config-if)crypto map VPN_MAP
(config)access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 ________________________________________________________________________________

Router 2
Step 1: IKE phase 1

(config)crypto isakmp policy 100
(config-isakmp)authentication pre-share
(config-isakmp)encryption aes 128
(config-isakmp)group 2
(config-isakmp)hash sha
(config-isakmp)lifetime 86400
(config)crypto isakmp key 0 secruemytraffic4@@$$5 address 192.168.1.1 no-xauth


Step 2: IKE phase 2
(config)crypto ipsec transform-set MYVPN esp-aes esp-sha-hmac

Step 3: Configure interesting traffic
(config)ip access-list extended TRAFFIC
(config-ext-nacl)permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255



Step 4: Set up the crypto map
(config)crypto map VPN_MAP 10 ipsec-isakmp
(config-crypto-map)set peer 192.168.1.1
(config-crypto-map)match address TRAFFIC
(config-crypto-map)set transform-set MYVPN


Step 5: Apply the crypto map to the interface

(config)int s0/0
(config-if)crypto map VPN_MAP
(config)access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
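As an added example (not part of these notes), a small Python checker that reads one router's site-to-site config in the form shown above and reports the mistakes this kind of config is prone to: a `set peer` with no matching `crypto isakmp key ... address`, a referenced ACL or transform-set that was never defined, a crypto map never applied to an interface, and Phase 1 / Phase 2 algorithms that are no longer adequate (DH group 1 or 2, DES/3DES, MD5). The sample config is constructed from Router 1 above with a placeholder pre-shared key, and the key's address is left as written on that router so the mismatch with `set peer` is reported.

```python
import re
# Constructed sample: Router 1 from the notes above with a placeholder pre-shared key.
# The key's 'address' is copied as written and does not match 'set peer'.
ROUTER1 = """\
crypto isakmp policy 100
 authentication pre-share
 encryption aes 128
 group 2
crypto isakmp key 0 LAB_PSK address 192.168.1.1 no-xauth
crypto ipsec transform-set MYVPN esp-aes esp-sha-hmac
ip access-list extended TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 192.168.1.2
 match address TRAFFIC
 set transform-set MYVPN
interface Serial0/0
 crypto map VPN_MAP
"""

# Phase 1 / Phase 2 settings that are no longer considered adequate.
WEAK = re.compile(r"^(group [12]|encryption 3?des|hash md5)$|esp-(3?des|md5-hmac)\b")

def check_site_to_site(config):
    """Return a list of findings for one router's IPsec config; [] means consistent."""
    key_addrs = set(re.findall(r"^crypto isakmp key (?:\d )?\S+ address (\S+)", config, re.M))
    tsets = set(re.findall(r"^crypto ipsec transform-set (\S+)", config, re.M))
    acls = set(re.findall(r"^ip access-list extended (\S+)", config, re.M))
    applied = set(re.findall(r"^ +crypto map (\S+) *$", config, re.M))  # under an interface
    findings, entry = [], None
    for line in config.splitlines():
        head = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
        if head:  # start of a static crypto map entry
            entry = f"{head.group(1)} {head.group(2)}"
            if head.group(1) not in applied:
                findings.append(f"{entry}: crypto map not applied to any interface")
        elif line.startswith(" ") and entry is not None:  # inside that entry
            kw = line.split()
            if kw[:2] == ["set", "peer"] and kw[2] not in key_addrs:
                findings.append(f"{entry}: no pre-shared key for peer {kw[2]}")
            elif kw[:2] == ["match", "address"] and kw[2] not in acls:
                findings.append(f"{entry}: ACL {kw[2]} is not defined")
            elif kw[:2] == ["set", "transform-set"] and kw[2] not in tsets:
                findings.append(f"{entry}: transform-set {kw[2]} is not defined")
        else:
            entry = None
        if WEAK.search(line.strip()):
            findings.append(f"weak algorithm: {line.strip()}")
    return findings
```

Running `check_site_to_site(ROUTER1)` reports the DH group 2 policy and the peer 192.168.1.2 that has no pre-shared key; correcting the key's address to the peer and moving to a stronger DH group returns an empty list.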


Note:

________________________________________________________________________________
Verification: to follow ....