Easy VPN config:
Configuring Easy VPN from the CLI:
1. Set up an IP pool for the remote clients
(config)# ip local pool REMOTE_VPN_Clients 10.0.0.20 10.0.0.30
2. Configure AAA method for VPN clients
(config)aaa new-model
(config)aaa authorization network VPN_CLIENTS local
3. Create ISAKMP policies for VPN clients
(config)crypto isakmp enable
(config)crypto isakmp policy 100
(config-isakmp)authentication pre-share
(config-isakmp) encryption aes 128
(config-isakmp) group 2
(config)crypto isakmp policy 150
(config-isakmp)authentication pre-share
(config-isakmp) encryption aes 128
(config-isakmp) group 2
(config)crypto isakmp policy 160
(config-isakmp)authentication pre-share
(config-isakmp) encryption 3des
(config-isakmp) group 2
4. Specify the VPN client group settings
(config) crypto isakmp client configuration group VPN_CLIENTS
(config-isakmp-group)key securekey100cr
(config-isakmp-group)dns 4.2.2.1
(config-isakmp-group)dns 8.8.8.8
(config-isakmp-group)wins 10.0.0.12
(config-isakmp-group)domain lab.net
(config-isakmp-group)pool REMOTE_VPN_Clients
5. Specify the IPSEC transform-set
(config)crypto ipsec transform-set VPN_CLIENT esp-3des esp-sha-hmac
6. Create a dynamic crypto map entry with RRI (Reverse Route Injection)
(config)crypto dynamic-map VPN_CLIENT 100
(config-crypto-map)set transform-set VPN_CLIENT
(config-crypto-map)reverse-route
7. Turn on server response to client configuration requests
(config)crypto map LAB client configuration address respond
8. Apply AAA method to ISAKMP policy
(config)crypto map LAB isakmp authorization list VPN_CLIENTS
9. Create the static crypto map and bind the dynamic map to it (steps 7, 8, 10 and 12 must all reference this same map name)
(config)crypto map LAB 10 ipsec-isakmp
(config-crypto-map)set peer 10.0.0.x
(config)crypto map LAB 200 ipsec-isakmp dynamic VPN_CLIENT
10. Apply crypto map to interface
(config)int fa0/0
(config-if)crypto map LAB
11. Turn on dead peer detection
(config)crypto isakmp keepalive 30 5
12. Activate extended authentication (XAUTH), optional but highly recommended
(config)aaa authentication login XAUTH local
(config)crypto isakmp xauth timeout 15
(config)crypto map LAB client authentication list XAUTH
(config)username test password test
__________________________________________________________________________________
Site-to-Site VPN:
How a site-to-site tunnel comes up:
1. Router sees "interesting" traffic (defined through an access list) and brings up the VPN
2. IKE Phase 1: security association (SA) negotiated and established
3. IKE Phase 2: IPsec security association (SA) negotiated and established
4. Data transmitted through the IPsec tunnel
5. IPsec tunnel is torn down after data transmission is complete
Configuring Site-to-Site
1. Set up ISAKMP policy (for IKE phase 1)
2. Set up IPsec transform-set (for IKE phase 2)
3. Define interesting traffic (access list)
4. Set up a crypto map
5. Assign the crypto map to an interface
Router 1
Step 1: IKE phase 1
(config)crypto isakmp policy 100
(config-isakmp)authentication pre-share
(config-isakmp)encryption aes 128
(config-isakmp)group 2
(config-isakmp)hash sha
(config-isakmp)lifetime 86400
(config)crypto isakmp key 0 secruemytraffic4@@$$5 address 192.168.1.2 no-xauth
Step 2: IKE phase 2
(config)crypto ipsec transform-set MYVPN esp-aes esp-sha-hmac
Step 3: Configure interesting traffic
(config)ip access-list extended TRAFFIC
(config-ext-nacl)permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Step 4: Set up crypto map
(config)crypto map VPN_MAP 10 ipsec-isakmp
(config-crypto-map)set peer 192.168.1.2
(config-crypto-map)match address TRAFFIC
(config-crypto-map)set transform-set MYVPN
Step 5: Apply crypto map to the interface
(config)int s0/0
(config-if)crypto map VPN_MAP
(config)access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
________________________________________________________________________________
Router 2
Step 1: IKE phase 1
(config)crypto isakmp policy 100
(config-isakmp)authentication pre-share
(config-isakmp)encryption aes 128
(config-isakmp)group 2
(config-isakmp)hash sha
(config-isakmp)lifetime 86400
(config)crypto isakmp key 0 secruemytraffic4@@$$5 address 192.168.1.1 no-xauth
Step 2: IKE phase 2
(config)crypto ipsec transform-set MYVPN esp-aes esp-sha-hmac
Step 3: Configure interesting traffic
(config)ip access-list extended TRAFFIC
(config-ext-nacl)permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Step 4: Set up crypto map
(config)crypto map VPN_MAP 10 ipsec-isakmp
(config-crypto-map)set peer 192.168.1.1
(config-crypto-map)match address TRAFFIC
(config-crypto-map)set transform-set MYVPN
Step 5: Apply crypto map to the interface
(config)int s0/0
(config-if)crypto map VPN_MAP
(config)access-list 101 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Note:
________________________________________________________________________________
Verification: to follow ....
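As an added example (not part of these notes), a small Python check that reads the tunnel-relevant lines from two peers' configs and reports the mismatches that keep IKE phase 1 or phase 2 from completing: unequal proposals, differing pre-shared keys, a key bound to an address other than the configured peer, or crypto ACLs that are not mirror images. The sample configs are constructed from the Router 1 / Router 2 steps above; R1_BAD keeps the pre-shared key bound to the wrong address on purpose so the check has something to find.

```python
import re

# Constructed from this page's Router 1 / Router 2 steps; R1_BAD binds the key to the wrong address on purpose.
R1_BAD = """ encryption aes 128
 group 2
crypto isakmp key 0 secruemytraffic4@@$$5 address 192.168.1.1 no-xauth
crypto ipsec transform-set MYVPN esp-aes esp-sha-hmac
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 set peer 192.168.1.2"""
R1_GOOD = R1_BAD.replace("address 192.168.1.1", "address 192.168.1.2")
R2 = """ encryption aes 128
 group 2
crypto isakmp key 0 secruemytraffic4@@$$5 address 192.168.1.1 no-xauth
crypto ipsec transform-set MYVPN esp-aes esp-sha-hmac
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 set peer 192.168.1.1"""

# One regex per attribute that must agree (or mirror) between the two peers.
PATTERNS = {
    "encryption": r"^\s*encryption (.+)$",
    "group": r"^\s*group (\S+)",
    "transform": r"^crypto ipsec transform-set \S+ (.+)$",
    "key": r"^crypto isakmp key \d (\S+) address (\S+)",
    "acl": r"^\s*permit ip (\S+ \S+) (\S+ \S+)",
    "peer": r"^\s*set peer (\S+)",
}

def parse(cfg):
    """Extract the tunnel-relevant attributes from one router's config text."""
    out = {}
    for line in cfg.splitlines():
        for name, pat in PATTERNS.items():
            m = re.match(pat, line)
            if m:
                out[name] = m.groups() if len(m.groups()) > 1 else m.group(1)
    return out

def check_pair(cfg_a, cfg_b):
    """List the mismatches that would stop IKE phase 1 or phase 2 between two peers."""
    a, b, findings = parse(cfg_a), parse(cfg_b), []
    for attr in ("encryption", "group", "transform"):  # proposals must match exactly
        if a.get(attr) != b.get(attr):
            findings.append(f"{attr} mismatch: {a.get(attr)} vs {b.get(attr)}")
    if a["key"][0] != b["key"][0]:
        findings.append("pre-shared key differs")
    for side, c in (("A", a), ("B", b)):  # the key must be bound to the configured peer
        if c["key"][1] != c["peer"]:
            findings.append(f"{side}: key bound to {c['key'][1]} but set peer is {c['peer']}")
    if a["acl"] != (b["acl"][1], b["acl"][0]):  # crypto ACLs must be mirror images
        findings.append("interesting-traffic ACLs are not mirror images")
    return findings
```

Run `check_pair(R1_BAD, R2)` to see the wrong key binding reported, and `check_pair(R1_GOOD, R2)` for a clean pair; feeding it `show running-config` output from real peers works the same way.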