Page 1: Cisco VPN Partner Technical Development
Module 4: IOS Router VPN Configuration
APAC Channels Technical Operations
Page 2: Easy VPN Server General Configuration Tasks
The following general tasks are used to configure Easy VPN Server on a Cisco router:
• Task 1: Create IP address pool
• Task 2: Configure group policy lookup
• Task 3: Create ISAKMP policy for remote VPN client access
• Task 4: Define group policy for Mode Configuration push
• Task 5: Create transform set
• Task 6: Create crypto map with RRI
• Task 7: Apply Mode Configuration to dynamic crypto map
• Task 8: Apply dynamic crypto map to router outside interface
• Task 9: Enable IKE DPD
Page 3: Task 1—Create IP Address Pool
[Figure: local address pool remote-pool, 10.0.1.100 to 10.0.1.150]
• Creating a local address pool is optional if you are using an external DHCP server.
Page 4: Task 2—Configure Group Policy Lookup
router(config)#
aaa authorization network group-name local group radius
vpngate1(config)# aaa new-model
vpngate1(config)# aaa authorization network
Page 5: Task 3—Create ISAKMP Policy for Remote VPN Client Access
[Figure: ISAKMP policy 1 between the remote client and vpngate1; authentication: pre-shared keys, encryption: 3DES, Diffie-Hellman: group 2, other settings: default]
vpngate1(config)# crypto isakmp enable
vpngate1(config)# crypto isakmp policy 1
vpngate1(config-isakmp)# authen pre-share
vpngate1(config-isakmp)# encryption 3des
vpngate1(config-isakmp)# group 2
vpngate1(config-isakmp)# exit
• Use standard ISAKMP configuration commands.
• The crypto isakmp policy command puts you into config-isakmp mode.
Page 6: Task 4—Define Group Policy for Mode Configuration Push
• Users belong to one group per connection.
– They may belong to specific groups with different policy requirements.
– Users may connect using a different group by changing the profile on their VPN client.
• Task 4 contains the following steps to define the group policy:
– Step 1—Add the group profile to be defined.
– Step 2—Configure the IKE pre-shared key.
– Step 3—Specify the DNS servers (optional).
– Step 4—Specify the WINS servers (optional).
– Step 5—Specify the DNS domain (optional).
– Step 6—Specify the local IP address pool.
Page 7: Step 1—Add the Group Profile to be Defined
[Figure: group vpn-remote-access between vpngate1 and the remote client; key: myvpnkey, DNS: DNS1 & DNS2, WINS: WINS1 & WINS2, domain: cisco.com, pool name: remote-pool, pool: 10.0.1.100 to 10.0.1.150]
router(config)#
crypto isakmp client configuration group {group-name | default}
vpngate1(config)# crypto isakmp client configuration group vpn-remote-access
vpngate1(config-isakmp-group)#
• Specifies which group's policy profile will be defined and enters ISAKMP group configuration mode.
Page 8: Step 2—Configure the IKE Pre-shared Key
[Figure: as on page 7, highlighting key: myvpnkey]
router(config-isakmp-group)#
key name
vpngate1(config-isakmp-group)# key myvpnkey
• Specifies the pre-shared key when defining the group policy for Mode Configuration push.
• This command is required if the VPN client identifies itself to the router with a pre-shared key.
Page 9: Step 3—Specify the DNS Servers (Optional)
[Figure: as on page 7, highlighting DNS: DNS1 & DNS2]
Page 10: Step 4—Specify the WINS Servers
[Figure: as on page 7, highlighting WINS: WINS1 & WINS2]
router(config-isakmp-group)#
wins primary-server secondary-server
vpngate1(config-isakmp-group)# wins WINS1 WINS2
vpngate1(config-isakmp-group)# wins 172.26.26.160 172.26.26.170
• Specifies the primary and secondary WINS servers for the group.
Page 11: Step 5—Specify the DNS Domain
[Figure: as on page 7, highlighting domain: cisco.com]
router(config-isakmp-group)#
domain name
vpngate1(config-isakmp-group)# domain cisco.com
• Specifies the domain to which this group belongs.
Page 12: Step 6—Specify the Local IP Address Pool
[Figure: as on page 7, highlighting pool name: remote-pool, pool: 10.0.1.100 to 10.0.1.150]
router(config-isakmp-group)#
pool name
vpngate1(config-isakmp-group)# pool remote-pool
• Defines the local address pool for this group. At least one pool name must be defined, and a separate pool may be defined for each group policy.
• This command must be present and refer to a valid IP local pool, or the client connection will fail.
Page 13: Task 5—Create Transform Set
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]
vpngate1(config)# crypto ipsec transform-set vpntransform esp-3des esp-sha-hmac
vpngate1(cfg-crypto-trans)# exit
• A transform set represents a certain combination of security protocols and algorithms that enact a security policy for traffic.
• During the IPSec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.
• Up to three transforms can be configured in a set: at most one AH transform and up to two ESP transforms.
Page 14: Editing a Transform Set
Follow these steps if you need to change a transform set:
• Delete the transform set from the crypto map.
• Delete the transform set from global configuration.
• Reenter the transform set with corrections.
• Assign the transform set in the crypto map.
• Clear the SA database using the clear crypto sa command.
• Observe the SA negotiation and ensure it works properly using the show crypto isakmp sa command.
Page 15: Task 6—Create Crypto Map with RRI
• This task creates a dynamic crypto map to be used when building IPSec tunnels for Easy VPN clients.
• In this example, Reverse Route Injection (RRI) is used to ensure that returning data destined for a particular IPSec tunnel can find it.
• Task 6 contains the following steps:
– Step 1—Create a dynamic crypto map.
– Step 2—Assign a transform set.
– Step 3—Enable RRI.
Page 16: Step 1—Create a Dynamic Crypto Map
[Figure: dynamic crypto map dynmap, sequence 1 (crypto map name/sequence #), between vpngate1 and the remote client]
• A dynamic crypto map acts as a policy template where missing parameters are later dynamically configured, as the result of the IPSec negotiation, to match the peer.
Page 17: Step 2—Assign Transform Set to Dynamic Crypto Map
[Figure: transform set vpntransform assigned to the dynamic crypto map between vpngate1 and the remote client]
• Specify the transform sets for the crypto map.
• Multiple transform sets are listed by priority; make sure the highest priority is listed first.
• This is the only configuration statement required for dynamic crypto maps.
Page 18: Step 3—Enable Reverse Route Injection (RRI)
[Figure: 1) request from 10.0.1.100 arrives at vpngate1 on tunnel 18; 2) request from 10.0.1.100 is forwarded to the file server; 3) response to 10.0.1.100 is routed back to tunnel 18]
• RRI works with both dynamic and static crypto maps.
• RRI is relevant to the server side of the connection. It may be used for traffic destined to remote VPN devices that must be routed to the VPN head-end device.
Page 19: Task 7—Apply Mode Configuration to Dynamic Crypto Map
• Mode Configuration and Xauth must be applied to a crypto map to be enforced.
• Task 7 contains the following steps:
– Step 1—Configure the router to respond to Mode Configuration (MC) requests.
– Step 2—Enable IKE querying for a group policy.
– Step 3—Apply changes to the dynamic crypto map.
Page 20: Step 1—Configure Router to Respond to Mode Configuration Requests
[Figure: vpngate1 and the remote client]
router(config)#
crypto map map-name client configuration address {initiate | respond}
vpngate1(config)# crypto map dynmap client configuration address respond
• Configures the router to initiate or reply to Mode Configuration requests.
• Cisco VPN Clients require the respond keyword. The initiate keyword was used with older VPN Clients and is no longer used with version 3.x of the Cisco VPN Client.
Page 21: Step 2—Enable IKE Querying for Group Policy
vpngate1(config)# crypto map dynmap isakmp authorization list vpn-remote-access
• Enables IKE querying for the group policy when requested by the client.
• The list-name argument is used by AAA to determine which storage source (local or RADIUS) is used to find the policy, as defined in the aaa authorization network command.
Page 22: Step 3—Apply Changes to Dynamic Crypto Map
[Figure: crypto map dynmap, sequence 1 (crypto map name/sequence #), between vpngate1 and the remote client]
router(config)#
crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name
vpngate1(config)# crypto map dynmap 1 ipsec-isakmp dynamic dynmap
• Apply the changes to the dynamic crypto map using the map-name and the dynamic crypto map name.
• A sequence number specifies the map entry.
Page 23: Task 8—Apply Dynamic Crypto Map to Router Outside Interface
[Figure: crypto map dynmap applied to interface e0/1 of vpngate1, facing the remote client]
vpngate1(config)# interface ethernet0/1
vpngate1(config-if)# crypto map dynmap
Page 24: Task 9—Enable IKE DPD
crypto isakmp keepalive secs retries
• Allows the Cisco IOS VPN gateway to send IKE dead peer detection (DPD) messages.
• secs – time between DPD messages; range is 10-3600 seconds.
• retries – time between retries if a DPD message fails; range is 2-60 seconds.
vpngate1(config)# crypto isakmp keepalive 20 10
• Use the no form of this command to return the setting to the default.
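An added consistency check, not part of the slides or of Cisco IOS, that walks the cross-references Tasks 2 through 8 rely on: the constructed config below assembles the slide values into one Easy VPN Server configuration (the ip local pool, crypto dynamic-map, set transform-set and reverse-route commands are standard IOS commands the slides describe but do not print; the optional DNS and domain lines are omitted), and check_easyvpn reports a group pool, authorization list, transform set, dynamic map or interface binding that does not line up.

```python
import re
# Constructed Easy VPN Server config assembled from the tasks on this page (slide values only).
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization network vpn-remote-access local
ip local pool remote-pool 10.0.1.100 10.0.1.150
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp client configuration group vpn-remote-access
 key myvpnkey
 wins 172.26.26.160 172.26.26.170
 pool remote-pool
crypto ipsec transform-set vpntransform esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set vpntransform
 reverse-route
crypto map dynmap client configuration address respond
crypto map dynmap isakmp authorization list vpn-remote-access
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
interface Ethernet0/1
 crypto map dynmap
"""

def check_easyvpn(config):
    """Return the cross-reference errors in an Easy VPN Server config ([] = consistent)."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    find = lambda pat: [m for l in lines if (m := re.match(pat, l))]
    names = lambda pat: {m.group(1) for m in find(pat)}
    pools = names(r"ip local pool (\S+)")
    aaa_lists = names(r"aaa authorization network (\S+)")
    tsets = names(r"crypto ipsec transform-set (\S+)")
    dynmaps = names(r"crypto dynamic-map (\S+)")
    applied = names(r" crypto map (\S+)$")  # indented form = applied on an interface
    errors = []
    # Task 4 step 6: the group's pool must name a defined ip local pool
    for m in find(r" pool (\S+)"):
        if m.group(1) not in pools: errors.append(f"undefined pool {m.group(1)}")
    # Task 7 step 2: the isakmp authorization list must exist under aaa authorization network
    for m in find(r"crypto map \S+ isakmp authorization list (\S+)"):
        if m.group(1) not in aaa_lists: errors.append(f"unknown aaa list {m.group(1)}")
    # Task 6 step 2: the dynamic map must reference a defined transform set
    for m in find(r" set transform-set (\S+)"):
        if m.group(1) not in tsets: errors.append(f"undefined transform-set {m.group(1)}")
    # Tasks 7/8: the crypto map must reference a dynamic map and be applied to an interface
    for m in find(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)"):
        if m.group(2) not in dynmaps: errors.append(f"undefined dynamic-map {m.group(2)}")
        if m.group(1) not in applied: errors.append(f"crypto map {m.group(1)} not applied")
    return errors
```

Run it against a saved running-config before clearing SAs; an empty list means every name the client connection depends on resolves to a defined object.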
Page 25: Verify the Configuration
Page 26: Show Commands
router#
show crypto map
• Displays the parameters for each crypto map.
router#
show crypto isakmp policy
• Displays the parameters for each IKE policy.
router#
show crypto isakmp sa
• Displays all current IKE SAs at a peer, including the source and destination IP addresses, the state and the connection ID.
router#
show crypto engine connections active
• Displays IPSec connections, including the interface, IP address, state, algorithm, and the number of packets encrypted and decrypted.
Page 27: Clear and Debug Commands
router#
clear crypto isakmp [connection-id]
• Clears all active IKE connections, or only the specified connection.
router#
debug crypto isakmp
• Displays the full ISAKMP exchange as it occurs on the router.
Page 28: Summary