[vpn-help] Working configuration with Cisco IOS

Jean-François jfs at chryseis.be
Fri Mar 4 07:17:09 CST 2011


This one is missing from Shrew's cookbooks, and is definitely not well 
documented on Cisco's web site.

This set-up has been tested with a device running Cisco IOS Software, 
ADVIPSERVICESK9-M, Version 12.4(15)T13

Configuring the Cisco is tricky to say the least ...


    Gateway Configuration

This example assumes you have knowledge of the Cisco IOS command line 
configuration interface. For more information, please consult your Cisco 
product documentation.


      User Authentication

User authentication must be configured to support IKE extended 
authentication ( XAuth ). In this example, we define the user accounts 
locally on the router. It is possible to pass this authentication to a 
RADIUS or LDAP server using the Cisco AAA authentication mechanism. For 
more information, please consult your Cisco product documentation. Note 
that "username ... secret" stores a hash of the password in the 
configuration, whereas "username ... password" would store it in the 
reversible type 7 encoding; keep the "secret" form.

aaa new-model
aaa authentication login vpn_xauth local
aaa authorization network vpn_group local
username vpnuser secret vpnpassword


      Group Policy

A group policy must be configured to provide the client with dynamic 
configuration information.

crypto isakmp client configuration group vpngroup
  key vpntunnelkey
  dns <your internal DNS server(s)>
  domain <your domain name>
  pool vpnclientspool
  netmask 255.255.255.0


      ISAKMP Profile

An ISAKMP profile must be configured as well.

crypto isakmp profile ike-profile-1
  match identity group vpngroup
  client authentication list vpn_xauth
  isakmp authorization list vpn_group
  client configuration address respond
  virtual-template 1

Now, the config above contains some forward-looking references:
   - vpngroup is the name of our group, which will be used in the Shrew 
VPN client config
   - vpn_xauth and vpn_group are the AAA lists defined in the user 
authentication section above
   - the virtual-template 1 refers to a virtual interface template 
defined below


      IPsec Parameters

The transform set below is 3DES with SHA-1 HMAC, which is also what the 
client's Phase 2 proposal must offer; this IOS train supports esp-aes as 
well, which is the stronger choice when both ends allow it.

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile Profile1
  set security-association idle-time 1800
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ike-profile-1


      Address Pool

The IP address pool must be configured. Clients will be assigned private 
network addresses from a pool of 192.168.21.33-192.168.21.126.

ip local pool vpnclientspool 192.168.21.33 192.168.21.126


      Virtual interface template

One solution to implement the tunnels is with a static local endpoint (a 
Loopback address) and interfaces that are instantiated from a template 
for each VPN connection.

Start with the loopback interface :

interface Loopback0
  ip address 192.168.21.1 255.255.255.0

And now, the virtual template. Note that it is referred to by the ISAKMP 
profile above, and that it refers to the IPsec profile. Actually, it 
glues everything together :

interface Virtual-Template1 type tunnel
  ip unnumbered Loopback0
  ip virtual-reassembly
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile Profile1

That's all. Remember that if you are doing NAT from the router, you'll 
need to add "ip nat inside" to the virtual interface template and add 
the IPsec client pool range to your NAT access-list.


    Client Configuration

The client configuration in this example is straight forward. Open the 
Access Manager application and create a new site configuration. 
Configure the settings listed below in the following tabs.


      General Tab

The Remote Host section must be configured. The /Host Name or IP 
Address/ is defined as the router outside ( public ) interface address. 
The /Auto Configuration/ mode should be set to /ike config pull/.


      Phase 1 Tab

The Proposal section must be configured. The /Exchange Type/ is set to 
/aggressive/ and the /DH Exchange/ is set to /group 2/ to match the 
router ISAKMP policy definition (the gateway configuration above does not 
list the "crypto isakmp policy" block itself; the router needs one that 
offers pre-shared authentication and group 2, and aggressive mode must not 
have been turned off with "crypto isakmp aggressive-mode disable"). Be 
aware that with aggressive mode and a pre-shared key, the group identity 
is sent in the clear and the first exchange gives a passive observer 
enough material to attack the group key offline; that key is also shared 
by every client of the group, so choose a long random value and rotate it 
when a client is decommissioned.


      Authentication Tab

The client authentication settings must be configured. The 
Authentication Method is defined as /Mutual PSK + XAuth/.


        Local Identity Tab

The Local Identity parameters are defined as /Key Identifier/ with a 
/Key ID String/ of "vpngroup" to match the router tunnel group name 
defined in the "match identity" configuration line.


        Remote Identity Tab

The Remote Identity parameters are set to /IP Address/ with the /Use a 
discovered remote host address/ option checked.


        Credentials Tab

The Credentials /Pre Shared Key/ is defined as "vpntunnelkey" to match 
the router tunnel group pre-shared-key defined in the "key ..." 
configuration line.



