Cisco IOS VPN Configuration
Scenario: Gateway-to-gateway with preshared secrets

The typical gateway-to-gateway VPN that uses a preshared secret for authentication.
Published by: Irfee on Mar 25, 2013
Copyright:Attribution Non-commercial
Cisco IOS VPN Configuration
Scenario 1: Gateway-to-gateway with preshared secrets

The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.

[Diagram: LAN A (AL) ---- Gateway A (AW) ===== Internet ===== (BW) Gateway B (BL) ---- LAN B]

Gateway A connects the internal LAN to the Internet. Gateway A's LAN interface has the address , and its WAN (Internet) interface has the address . Gateway B connects the internal LAN to the Internet. Gateway B's WAN (Internet) interface has the address . Gateway B's LAN interface address, , can be used for testing IPsec but is not needed for configuring Gateway A.

The IKE Phase 1 parameters used in Scenario 1 are:
* Main mode
* TripleDES
* SHA-1
* MODP group 2 (1024 bits)
* pre-shared secret of "hr5xb84l6aa9r6"
* SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:
* TripleDES
* SHA-1
* ESP tunnel mode
* MODP group 2 (1024 bits)
* Perfect forward secrecy for rekeying
* SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
* Selectors for all IP protocols, all ports, between  and 172.23.9.0/24, using IPv4 subnets

To set up Gateway A for this scenario, use the following steps:

Cisco IOS includes IPSec support beginning with early versions of IOS Version 12; however, the commands have changed during the evolution of IOS Version 12 point releases. The following example uses the current release version, Cisco IOS Version 12.2(8)T4.

This example uses a Cisco 1700 series router, which has one ethernet port and one serial port. The ethernet port, FastEthernet0, will be the outside, or Internet-facing, interface. The serial port, Serial0, will be the inside interface. (This is just an example. Your interfaces may be different.)
All configuration changes are volatile and take effect immediately, until the "write" command is executed; that saves the configuration to flash so that it is reloaded after a reboot. At any time, you may examine the running configuration with the command "show running-configuration", or view the saved configuration with the command "show config". Most commands can be abbreviated. Use a ? at the prompt or in a command to see options.

Configure IP on the interfaces:

    Router# config term
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# int fa0
    Router(config-if)# ip address
    Router(config-if)# speed auto
    Router(config-if)# ^Z
    Router# config term
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# int ser0
    Router(config-if)# ip address
    Router(config-if)# no shutdown
    Router(config-if)# ^Z
    Router#

Define the default route:

    Router# config term
    Router(config)# ip route
    Router(config)# exit

Cisco supports only one IKE policy per router, so you must design one which is acceptable to all systems you are going to interoperate with. Assign it an ordering number of 5. If you wanted to have more than one proposal in the policy, the proposals would be given in the order defined by this policy order number. Configure the IKE policy:

    Router# config term
    Router(config)# crypto isakmp policy 5
    Router(config-isakmp)# encryption 3des
    Router(config-isakmp)# group 2
    Router(config-isakmp)# hash sha
    Router(config-isakmp)# lifetime 28800
    Router(config-isakmp)# authentication pre-share
    Router(config-isakmp)# exit

Since multiple peers will share the same IKE policy, you must match each peer with its pre-shared secret:

    Router# config term
    Router(config)# crypto isakmp key hr5xb84l6aa9r6 address
    Router(config)# exit

The IPSEC transform will be combined later with the rest of the IPSEC policy in a crypto map command. In this command, "STRONG" is just a label. Labels are CASE-SENSITIVE. Define the IPSEC transform:

    Router# config term
    Router(config)# crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
    Router(config-isakmp)# exit
Cisco IOS uses access lists for SPD entries. Many features of access lists (e.g. TCP flag checking) don't work in IPSEC. This kind of access list MUST be labelled with a 3-digit number. The netmasks in Cisco access lists are inverted. Nobody knows why, they just are. This list says "all traffic from to , all ports, all IP protocols". Create the IPSEC access list:

    Router# config term
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# access-list 101 permit ip
    Router(config)# ip route
    Router(config)# exit

Because IOS is a router first and an IPSEC gateway second, we have to tell IOS which interface to send packets on if the default route is not enough. In this scenario we don't need it, but in other situations you might need to define a route for the remote protected network:

    Router# config term
    Enter configuration commands, one per line. End with CNTL/Z.
    Router(config)# ip route
    Router(config)# exit

A crypto map binds all the assorted crypto parameters to a specific remote gateway. Several crypto maps bound to different remote gateways can be grouped together in one crypto map SET, which is then bound to an outgoing interface. The number following the crypto map set name is the ordering of the map in the set.
Bind the policy together with a crypto map, and give it the label CISCO:

    Router# config term
    Router(config)# crypto map CISCO 10 ipsec-isakmp
    % NOTE: This new crypto map will remain disabled until a peer
    and a valid access list have been configured.
    Router(config-crypto-map)# set security-association life seconds 3600
    Router(config-crypto-map)# set transform-set STRONG
    Router(config-crypto-map)# set pfs group2
    Router(config-crypto-map)# set peer
    Router(config-crypto-map)# match address 101
    Router(config-crypto-map)# exit

Because Cisco routers can have many interfaces, you have to bind the SPD to the outgoing interface:

    Router# config term
    Router(config)# interface fa0
    Router(config-if)# crypto map CISCO
    Router(config-if)# ^Z

If you had multiple tunnels to multiple gateways, you would need to create a different access list for each tunnel, add an isakmp key entry for each gateway, and possibly create a different ipsec transform if your security policy is different. For example, let's say you have another remote peer at 23.23.24.25, for which you have created access-list 102. You could then add a crypto map to the set created above:

    Router# config term
    Router(config)# crypto map CISCO 20 ipsec-isakmp
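The router's own warning above is that a crypto map entry stays disabled until it has a peer and a valid access list, and the guide stresses that labels such as STRONG are case-sensitive. The following Python audit is an added example, not part of this guide: it parses a constructed running-config excerpt modelled on the steps above (the peer and subnet addresses in it are placeholders, since the guide does not show them) and reports every entry in the set that would stay disabled or never be applied.

```python
# Constructed config excerpt modelled on this guide's steps; addresses are placeholders,
# and the lowercase "strong" plus the incomplete entry 20 are deliberate mistakes to catch.
SAMPLE_CONFIG = """\
crypto isakmp key hr5xb84l6aa9r6 address 192.0.2.1
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map CISCO 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set strong
 match address 101
crypto map CISCO 20 ipsec-isakmp
 set transform-set STRONG
 match address 102
access-list 101 permit ip 10.0.0.0 0.0.0.255 172.23.9.0 0.0.0.255
interface FastEthernet0
 crypto map CISCO
"""

def parse_config(text):
    """Group an IOS config into (top-level command, [indented sub-commands]) pairs."""
    blocks = []
    for line in text.splitlines():
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        elif line.strip():
            blocks.append((line.strip(), []))
    return blocks

def audit(text):
    """Report what would leave a crypto map entry disabled or never applied."""
    blocks = parse_config(text)
    keys = {c.split()[-1] for c, _ in blocks if c.startswith("crypto isakmp key ")}
    tsets = {c.split()[3] for c, _ in blocks if c.startswith("crypto ipsec transform-set ")}
    acls = {c.split()[1] for c, _ in blocks if c.startswith("access-list ")}
    bound = {s.split()[2] for c, subs in blocks if c.startswith("interface ")
             for s in subs if s.startswith("crypto map ")}
    findings = []
    for cmd, subs in [b for b in blocks if b[0].startswith("crypto map ")]:
        name, seq = cmd.split()[2:4]
        opt = {tuple(s.split()[:2]): s.split()[2] for s in subs if len(s.split()) > 2}
        peer, tset = opt.get(("set", "peer")), opt.get(("set", "transform-set"))
        acl = opt.get(("match", "address"))
        checks = [
            (peer is None, "no peer, entry stays disabled"),
            (peer is not None and peer not in keys, f"no isakmp key for peer {peer}"),
            (acl not in acls, f"access-list {acl} not defined, entry stays disabled"),
            (tset not in tsets, f"transform-set {tset} not defined (labels are case-sensitive)"),
            (name not in bound, f"map {name} not applied to any interface"),
        ]
        findings += [f"crypto map {name} {seq}: {msg}" for bad, msg in checks if bad]
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the sample and it flags the lowercase transform-set label on entry 10 and the missing peer and access list on entry 20; the same function can be pointed at a saved "show running-config" capture.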
