VPN Client on router
If you want aaa authentication to be done <otherwise you can skip this part and directly start from phase 1 config>
aaa new-model ! !--- In order to enable Xauth for user authentication, !--- enable the aaa authentication commands. aaa authentication login userauthen<THis is just a name> local !--- In order to enable group authorization, enable !--- the aaa authorization commands. aaa authorization network groupauthor local!
Phase 1 config: Define policies <The HAGLE items>
!--- Create an Internet Security Association and !--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations. crypto isakmp policy 3 encr 3des authentication pre-share group 2
Create an access list for your split ACL. The traffic that you define in this ACL will only be allowed on your VPN tunnel, rest of the traffic will not be tunneled and work solely based on your routing table.
So here 10.10.10.0/24 is my internal network. 192.168.1.0/24 is the pool that I have created for my VPN users that I want them to get IP from.
Now, lets say I haven't defined any split traffic rules yet, so what happens.
A remote client connects to VPN and gets an IP address 192.168.1.1. He tries to access my internal network, say 10.10.10.10, traffic hits the tunnel and gets encrypted and comes through the tunnel, and thats what I needed.
Now that same client opens google.com but that traffic is also getting routed to my VPN tunnel instead it should have gone directly to internet. In order to make that happen we define a split ACL that will inject a route in your remote host once he connects to VPN.
When we look at it from client side:
The route should say when there is any traffic from 192.168.1.0/24 to 10.10.10.0/24 please send it via VPN tunnel.
remaining traffic will go to whatever routing/NAT you have done in your box.
When we look at it from Router side:
The route should say when there is any traffic from 10.10.10.0/24 to 192.168.1.0/24 please send it via VPN tunnel.
so the point to take away from the above example is , this ACL gets reverse implemented on client side.
Phase 2 Policies:
Now, lets say I haven't defined any split traffic rules yet, so what happens.
A remote client connects to VPN and gets an IP address 192.168.1.1. He tries to access my internal network, say 10.10.10.10, traffic hits the tunnel and gets encrypted and comes through the tunnel, and thats what I needed.
Now that same client opens google.com but that traffic is also getting routed to my VPN tunnel instead it should have gone directly to internet. In order to make that happen we define a split ACL that will inject a route in your remote host once he connects to VPN.
When we look at it from client side:
The route should say when there is any traffic from 192.168.1.0/24 to 10.10.10.0/24 please send it via VPN tunnel.
remaining traffic will go to whatever routing/NAT you have done in your box.
When we look at it from Router side:
The route should say when there is any traffic from 10.10.10.0/24 to 192.168.1.0/24 please send it via VPN tunnel.
so the point to take away from the above example is , this ACL gets reverse implemented on client side.
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!--- Create a pool of addresses to be !--- assigned to the VPN Clients.
ip local pool ippool 192.168.1.1 192.168.1.2
Apply the ACL on the group properties.
crypto isakmp client configuration grouptestgroup <this is the name which will be used to connect your client>key cisco123 dns 10.10.10.10 wins 10.10.10.20 domain cisco.com pool ippool acl 101
Phase 2 Policies:
!--- Create the Phase 2 Policy for actual data encryption.
!--- Create a dynamic map and apply !--- the transform set that was created earlier.... There is one more way this can be achieved: Using ISAKMP profile:Click herecrypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset <Calling the trasnform set in dynamic map>
reverse-route
!--- Create the actual crypto map, !--- and apply the AAA lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap <binding the dynamic map with our crypto map>
!--- Apply the crypto map on the outbound interface.
crypto map clientmap
Example of we do NAT how can we do NAT exemption:
!--- Enables Network Address Translation (NAT) !--- of the inside source address that matches access list 111 !--- and gets PATed with the FastEthernet IP address.
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- The access list is used to specify which traffic !--- is to be translated for the outside Internet.
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
============================
We can do it in one more way,create ISAKMP profile and then associate that profile with dynamic map, then call the dynamic map into crypto map on last line:
Create ISAKMP profile:
crypto isakmp profile VPNclient
description VPN clients profile
match identity group testgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
Associate this profile with Dynamic map:crypto ipsec transform-set myset esp-3des esp-sha-hmac <Create a transform set if you dont already have it>
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
Now apply the dynamic map to crypto map:crypto map mymap 10 ipsec-isakmp dynamic dynmap
go back to where you were
Source:
http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46242-lan-to-lan-vpn-client.html
1 comments:
this blog was really great, never seen a great blog like this before. i think im gonna share this to my friends.. antimalware service executable high memory
Post a Comment