Monday 3 August 2015

VPN

1. Remote access (Easy VPN server on a Cisco ISR, with the same router also configured as an Easy VPN hardware client)

aaa new-model
!
! AAA method lists used by the Easy VPN server: the "network" list is the
! group authorization list referenced from the crypto map; the "login" list
! is meant for Xauth of individual users and is only consulted if the crypto
! map also carries `client authentication list rtr-remote`, which this
! listing omits.
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
!
! Vendor-example placeholder: a type 0 (clear-text) password identical to
! the username. Replace with `username <name> secret <password>` before use.
username Cisco password 0 Cisco
!
! IKE phase 1. 3DES with DH group 2 is weak by current standards; prefer
! `encryption aes 256`, `hash sha256` and `group 14` or higher.
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 480
!
! Group profile pushed to Easy VPN clients by mode config. The group key is
! stored in clear text unless type 6 password encryption is enabled.
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.com
 pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
! Dynamic map for clients whose addresses are not known in advance;
! reverse-route injects a host route for each connected client.
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
! The crypto map bound to the outside interface references the dynamic map.
! The ISAKMP authorization list and the mode-config responder must be set on
! the crypto map that is applied to the interface (static-map); pointing them
! at the dynamic map name instead leaves clients without group authorization
! and without a pushed address.
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map static-map isakmp authorization list rtr-remote
crypto map static-map client configuration address respond
!
! The same router also acts as an Easy VPN hardware client towards the hub
! at 192.168.100.1, using the client group named "2" and that group's key.
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group 2 key secret-password
 mode client
 peer 192.168.100.1
!
interface fastethernet 4
 crypto ipsec client ezvpn ezvpnclient outside
 crypto map static-map
!
interface vlan 1
 crypto ipsec client ezvpn ezvpnclient inside
!

2. Site-to-site (GRE over IPsec between two Cisco 7200 routers)

Figure 3-8 Site-to-Site VPN Scenario Physical Elements (figure not reproduced; from the configurations below, hq-sanjose sits at 172.17.2.4 on Serial1/0 with LANs 10.1.3.0/24 and 10.1.6.0/24 behind it, ro-rtp at 172.24.2.5 with LAN 10.1.4.0/24, and the two are joined by a GRE tunnel whose traffic IPsec protects in transport mode)


Headquarters Router Configuration

hq-sanjose# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
! Without password encryption the ISAKMP pre-shared key below is shown in
! clear text by `show running-config`.
no service password-encryption
!
hostname hq-sanjose
!
boot system flash bootflash:
boot bootldr bootflash:c7200-jk9o3s-mz.123-3
boot config slot0:hq-sanjose-cfg-small
no logging buffered
!
! IKE phase 1. Only authentication and lifetime are set, so the policy runs
! with the IOS defaults for everything else: DES encryption, SHA-1 hash and
! DH group 1, all weak. Set encryption, hash and group explicitly.
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address 172.24.2.5
!
! IKE phase 2. Transport mode is appropriate here because GRE supplies the
! outer IP header; esp-des (56-bit DES) should be replaced by an AES
! transform, and ah-sha-hmac adds nothing that esp-sha-hmac does not already
! give.
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
 set peer 172.24.2.5
 set transform-set proposal1
 match address 101
!
! GRE tunnel to the remote office. The two tunnel endpoints (172.17.3.3 and
! 172.24.3.6) are on different /24s; this works here only because the static
! routes point at the Tunnel interface rather than at a next-hop address.
interface Tunnel0
 bandwidth 180
 ip address 172.17.3.3 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.17.2.4
 tunnel destination 172.24.2.5
 crypto map s1first
!
interface FastEthernet0/0
 ip address 10.1.3.3 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.1.6.4 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
! IOS releases before 12.2(13)T required the crypto map on both the tunnel
! and the physical interface; on later releases apply it to Serial1/0 only
! (or replace the crypto map with `tunnel protection ipsec profile`).
interface Serial1/0
 ip address 172.17.2.4 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s1first
!
ip route 10.1.4.0 255.255.255.0 Tunnel0
!
! Crypto ACL: only the GRE traffic between the two tunnel endpoints is
! encrypted, which covers every packet that enters the tunnel.
access-list 101 permit gre host 172.17.2.4 host 172.24.2.5
!
line con 0
 transport input none
line aux 0
! `login` with no line password set makes IOS refuse vty sessions until a
! password (or AAA) is configured; add an access-class to restrict sources.
line vty 0 4
 login
!
end

Remote Office Router Configuration

ro-rtp# show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ro-rtp
!
boot system flash bootflash:
boot bootldr bootflash:c7200-jk9o3s-mz.123-3
boot config slot0:ro-rtp-cfg-small
no logging buffered
!
! Mirror of the headquarters crypto settings, and therefore of the same
! weaknesses: phase 1 falls back to the DES/SHA-1/group 1 defaults, phase 2
! uses DES, and the pre-shared key is stored in clear text. Phase 1 policy
! and transform set must match on both peers, so change both sides together.
crypto isakmp policy 1
 authentication pre-share
 lifetime 84600
crypto isakmp key test12345 address 172.17.2.4
!
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
!
crypto map s1first local-address Serial1/0
crypto map s1first 1 ipsec-isakmp
 set peer 172.17.2.4
 set transform-set proposal1
 match address 101
!
interface Tunnel1
 bandwidth 180
 ip address 172.24.3.6 255.255.255.0
 no ip directed-broadcast
 tunnel source 172.24.2.5
 tunnel destination 172.17.2.4
 crypto map s1first
!
interface FastEthernet0/0
 ip address 10.1.4.2 255.255.255.0
 no ip directed-broadcast
 no keepalive
 full-duplex
 no cdp enable
!
interface Serial1/0
 ip address 172.24.2.5 255.255.255.0
 no ip directed-broadcast
 no ip mroute-cache
 no keepalive
 fair-queue 64 256 0
 framing c-bit
 cablelength 10
 dsu bandwidth 44210
 clock source internal
 no cdp enable
 crypto map s1first
!
! Both headquarters LANs are reached through the tunnel.
ip route 10.1.3.0 255.255.255.0 Tunnel1
ip route 10.1.6.0 255.255.255.0 Tunnel1
!
! Mirror image of the headquarters crypto ACL: source and destination swapped.
access-list 101 permit gre host 172.24.2.5 host 172.17.2.4
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end
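Both listings on this page (the Easy VPN server/client in section 1 and the GRE-over-IPsec pair in section 2) share the same class of problem: weak or defaulted IKE/IPsec algorithms and secrets kept in clear text. The point that is easy to miss is that an IOS `crypto isakmp policy` fills in DES, SHA-1 and DH group 1 for anything it does not state, so the site-to-site policy above, which sets only authentication and lifetime, is a DES/group-1 policy. The following Python script is an added example, not code from the original post or from Cisco: it resolves each ISAKMP policy against those defaults, reads the transform sets, and flags clear-text credentials. The two embedded excerpts are constructed from the crypto-relevant lines of the configurations above; the replacement values in the rule tables (AES-256, SHA-256, DH group 14, type 6 keys) are this example's recommendations, not anything the page specifies.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity where problem fix")

# IOS substitutes these for any attribute a `crypto isakmp policy` leaves out.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                   "group": "1", "lifetime": "86400"}
# (attribute, value) -> (severity, replacement); the replacements are this example's choices
WEAK_ISAKMP = {("encryption", "des"): ("high", "encryption aes 256"),
               ("encryption", "3des"): ("medium", "encryption aes 256"),
               ("hash", "md5"): ("high", "hash sha256"), ("hash", "sha"): ("medium", "hash sha256"),
               ("group", "1"): ("high", "group 14"), ("group", "2"): ("medium", "group 14"),
               ("group", "5"): ("medium", "group 14")}
WEAK_TRANSFORMS = {"esp-des": ("high", "esp-aes 256"), "esp-3des": ("medium", "esp-aes 256"),
                   "esp-md5-hmac": ("high", "esp-sha256-hmac"), "ah-md5-hmac": ("high", "esp-sha256-hmac"),
                   "esp-sha-hmac": ("medium", "esp-sha256-hmac"), "ah-sha-hmac": ("medium", "esp-sha256-hmac")}
GROUP_ATTRS = {"key", "dns", "wins", "domain", "pool", "acl", "netmask", "save-password"}
LINE_RULES = [  # (regex, severity, problem, fix) for stand-alone lines
    (re.compile(r"^no service password-encryption$"), "medium",
     "type 0 passwords and keys appear in clear text in show run", "service password-encryption"),
    (re.compile(r"^username \S+(?: privilege \d+)? password (?:[07] )?\S+$"), "high",
     "local user with a reversible (type 0/7) password", "username <name> secret <password>"),
    (re.compile(r"^crypto isakmp key (?!6 )\S+ address "), "high",
     "site-to-site pre-shared key stored in clear text",
     "password encryption aes + key config-key password-encrypt, then re-enter the key as type 6")]

def parse_config(text):
    """One pass: resolved ISAKMP policies, transform sets and line-level findings."""
    policies, tsets, findings = {}, {}, []
    block = None  # ("policy", n) | ("tset", name) | ("group", name) | None
    for raw in text.splitlines():
        s = raw.strip()  # the first word decides block membership, so indentation is optional
        if not s or s.startswith("!"):
            block = None
            continue
        w = s.split()
        if m := re.match(r"crypto isakmp policy (\d+)$", s):
            policies[m[1]] = {"attrs": dict(ISAKMP_DEFAULTS), "explicit": set()}
            block = ("policy", m[1])
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", s):
            # key sizes (the 256 in `esp-aes 256`) are separate tokens; drop them
            tsets[m[1]] = {"transforms": [t for t in m[2].split() if not t.isdigit()], "mode": "tunnel"}
            block = ("tset", m[1])
        elif m := re.match(r"crypto isakmp client configuration group (\S+)$", s):
            block = ("group", m[1])
        elif block and block[0] == "policy" and w[0] in ISAKMP_DEFAULTS:
            policies[block[1]]["attrs"][w[0]] = " ".join(w[1:])
            policies[block[1]]["explicit"].add(w[0])
        elif block and block[0] == "tset" and w[0] == "mode" and len(w) > 1:
            tsets[block[1]]["mode"] = w[1]
        elif block and block[0] == "group" and w[0] in GROUP_ATTRS:
            if w[0] == "key" and len(w) > 1 and w[1] != "6":  # `key 6 ...` is the encrypted form
                findings.append(Finding("high", f"crypto isakmp client configuration group {block[1]}",
                                        "Easy VPN group pre-shared key stored in clear text",
                                        "password encryption aes + key config-key password-encrypt"))
        else:
            block = None  # any other top-level command ends the current block
            findings += [Finding(sev, s, prob, fix) for rx, sev, prob, fix in LINE_RULES if rx.match(s)]
            um = re.match(r"username (\S+)(?: privilege \d+)? password (?:[07] )?(\S+)$", s)
            if um and um[1].lower() == um[2].lower():
                findings.append(Finding("high", s, "password is identical to the username", "use a distinct secret"))
    return policies, tsets, findings

def audit(text):
    """All findings for one config, highest severity first."""
    policies, tsets, findings = parse_config(text)
    for num in sorted(policies, key=int):
        attrs, explicit = policies[num]["attrs"], policies[num]["explicit"]
        for attr in ("encryption", "hash", "group"):
            if hit := WEAK_ISAKMP.get((attr, attrs[attr])):
                note = "" if attr in explicit else " (IOS default; not set in the policy)"
                findings.append(Finding(hit[0], f"crypto isakmp policy {num}", f"{attr} {attrs[attr]}{note}", hit[1]))
    for name, ts in tsets.items():
        for t in ts["transforms"]:
            if hit := WEAK_TRANSFORMS.get(t):
                findings.append(Finding(hit[0], f"crypto ipsec transform-set {name}", t, hit[1]))
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1}[f.severity])

# Constructed inputs: the crypto-relevant lines of the two configurations on this page.
REMOTE_ACCESS_EXCERPT = """\
username Cisco password 0 Cisco
crypto isakmp policy 1
encryption 3des
group 2
crypto isakmp client configuration group rtr-remote
key secret-password
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
"""
SITE_TO_SITE_EXCERPT = """\
no service password-encryption
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key test12345 address 172.24.2.5
crypto ipsec transform-set proposal1 ah-sha-hmac esp-des esp-sha-hmac
 mode transport
"""
if __name__ == "__main__":  # report on both excerpts
    for f in audit(REMOTE_ACCESS_EXCERPT) + audit(SITE_TO_SITE_EXCERPT):
        print(f"[{f.severity}] {f.where}: {f.problem} -> {f.fix}")
```

Run against the two excerpts it reports, for the site-to-site pair, the clear-text pre-shared key plus DES and DH group 1 marked as defaults the policy never set, and DES in the transform set; for the remote-access router it reports 3DES, group 2, the clear-text group key, and the Cisco/Cisco placeholder account. Paste a full `show running-config` into `audit()` to check a real box. Note that `hash sha256` and `esp-sha256-hmac` need an IOS release with SHA-2 support (15.1(2)T and later), so check the platform's image before applying the suggested replacements.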
