[vpn-help] Working configuration with Cisco IOS
Jean-François
jfs at chryseis.be
Fri Mar 4 07:17:09 CST 2011
This one is missing from Shrew's cookbooks, and definitely is not well
documented on Cisco's web site.
This set-up has been tested with a device running Cisco IOS Software,
ADVIPSERVICESK9-M, Version 12.4(15)T13
Configuring the Cisco is tricky to say the least ...
Gateway Configuration
This example assumes you have knowledge of the Cisco IOS command line
configuration interface. For more information, please consult your Cisco
product documentation.
User Authentication
User authentication must be configured to support IKE extended
authentication (XAuth). In this example, we define user accounts
locally on the router. It is possible to pass this authentication to a
RADIUS or an LDAP account server using the Cisco AAA authentication
mechanism. For more information, please consult your Cisco product
documentation.
aaa new-model
aaa authentication login vpn_xauth local
aaa authorization network vpn_group local
username vpnuser secret vpnpassword
Group Policy
A group policy must be configured to provide the client with dynamic
configuration information.
crypto isakmp client configuration group vpngroup
 key vpntunnelkey
 dns <your internal DNS server(s)>
 domain <your domain name>
 pool vpnclientspool
 netmask 255.255.255.0
ISAKMP Profile
An ISAKMP profile must be configured as well.
crypto isakmp profile ike-profile-1
 match identity group vpngroup
 client authentication list vpn_xauth
 isakmp authorization list vpn_group
 client configuration address respond
 virtual-template 1
Note that the profile above contains some forward-looking references:
- vpngroup is the name of our group, which will also be used in the Shrew
VPN client configuration
- virtual-template 1 refers to the virtual interface template defined
below
IPsec Parameters
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile Profile1
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ike-profile-1
Address Pool
The IP address pool must be configured. Clients will be assigned private
network addresses from a pool of 192.168.21.33-192.168.21.126.
ip local pool vpnclientspool 192.168.21.33 192.168.21.126
Virtual interface template
One way to implement the tunnels is with a static local endpoint (a
loopback address) and interfaces that are instantiated from a template
for each VPN connection.
Start with the loopback interface:
interface Loopback0
 ip address 192.168.21.1 255.255.255.0
And now the virtual template. Note that it is referred to by the ISAKMP
profile above and that it refers to the IPsec profile; it is what glues
everything together:
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Profile1
That's all. Remember that if you are doing NAT on the router, you'll
need to add "ip nat inside" to the virtual interface template and add
the IPsec client address range to your NAT access-list.
Client Configuration
The client configuration in this example is straightforward. Open the
Access Manager application and create a new site configuration.
Configure the settings listed below in the following tabs.
General Tab
The Remote Host section must be configured. The /Host Name or IP
Address/ is the router's outside (public) interface address.
The /Auto Configuration/ mode should be set to /ike config pull/.
Phase 1 Tab
The Proposal section must be configured. The /Exchange Type/ is set to
/aggressive/ and the /DH Exchange/ is set to /group 2/ to match the
router's ISAKMP policy definition (the "crypto isakmp policy" itself is
not shown in this post; it must exist on the router with matching
settings).
Authentication Tab
The client authentication settings must be configured. The
Authentication Method is defined as /Mutual PSK + XAuth/.
Local Identity Tab
The Local Identity parameters are defined as /Key Identifier/ with a
/Key ID String/ of "vpngroup" to match the router tunnel group name
defined in the "match identity" configuration line.
Remote Identity Tab
The Remote Identity parameters are set to /IP Address/ with the /Use a
discovered remote host address/ option checked.
Credentials Tab
The Credentials /Pre Shared Key/ is defined as "vpntunnelkey" to match
the router tunnel group pre-shared-key defined in the "key ..."
configuration line.
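The router-side pieces above reference each other by name (the ISAKMP profile names the AAA lists, the group and the virtual template; the IPsec profile names the transform set and the ISAKMP profile; the virtual template names the IPsec profile and the loopback), and the client's Key ID String and Pre Shared Key must match the group. A typo in any one of them gives a failed phase 1 with little to go on. The Python script below is an added example, not code from this post, from Shrew Soft or from Cisco: it parses the router configuration from this post (embedded as a constructed string, with the DNS and domain placeholders filled in with made-up values) together with the client values from the Client Configuration section, and reports every reference that does not resolve, a pool that falls outside the loopback subnet, and any client/router mismatch.

```python
"""Consistency check for the Cisco IOS / Shrew set-up above: added example, not
from the original post. Resolves the router's cross-references and compares the
Shrew site settings with the router group."""
import ipaddress

# Router config from the post; DNS/domain placeholders replaced with constructed values.
ROUTER_CONFIG = """\
aaa new-model
aaa authentication login vpn_xauth local
aaa authorization network vpn_group local
username vpnuser secret vpnpassword
crypto isakmp client configuration group vpngroup
 key vpntunnelkey
 dns 192.168.21.10
 domain example.test
 pool vpnclientspool
 netmask 255.255.255.0
crypto isakmp profile ike-profile-1
 match identity group vpngroup
 client authentication list vpn_xauth
 isakmp authorization list vpn_group
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile Profile1
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA1
 set isakmp-profile ike-profile-1
ip local pool vpnclientspool 192.168.21.33 192.168.21.126
interface Loopback0
 ip address 192.168.21.1 255.255.255.0
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Profile1
"""
# Shrew site values from the post's Client Configuration section.
CLIENT_SITE = {"key_id_string": "vpngroup", "pre_shared_key": "vpntunnelkey"}

def parse_ios(text):
    """Map each top-level command to its list of space-indented sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if raw.startswith(" "):
            blocks[current].append(raw.strip())
        elif raw.strip():
            current = raw.strip()
            blocks[current] = []
    return blocks

def block(blocks, prefix):
    """First (header, sub-commands) pair whose header starts with prefix."""
    return next(((h, c) for h, c in blocks.items() if h.startswith(prefix)), (None, []))

def arg(lines, prefix):
    """First word after `prefix` in a block's sub-commands ('?' if absent)."""
    return next((l.split()[len(prefix.split())] for l in lines if l.startswith(prefix + " ")), "?")

def check_router(blocks):
    """Return the list of problems found; an empty list means every reference resolves."""
    def defined(cmd):
        return any(h == cmd or h.startswith(cmd + " ") for h in blocks)
    _, ike = block(blocks, "crypto isakmp profile")
    _, grp = block(blocks, "crypto isakmp client configuration group")
    _, ipsec = block(blocks, "crypto ipsec profile")
    _, vtpl = block(blocks, "interface Virtual-Template")
    refs = [  # (what refers, the command the reference expects to exist)
        ("XAuth list", "aaa authentication login " + arg(ike, "client authentication list")),
        ("authorization list", "aaa authorization network " + arg(ike, "isakmp authorization list")),
        ("client group", "crypto isakmp client configuration group " + arg(ike, "match identity group")),
        ("virtual template", "interface Virtual-Template" + arg(ike, "virtual-template")),
        ("address pool", "ip local pool " + arg(grp, "pool")),
        ("transform set", "crypto ipsec transform-set " + arg(ipsec, "set transform-set")),
        ("ISAKMP profile", "crypto isakmp profile " + arg(ipsec, "set isakmp-profile")),
        ("tunnel protection", "crypto ipsec profile " + arg(vtpl, "tunnel protection ipsec profile")),
        ("unnumbered source", "interface " + arg(vtpl, "ip unnumbered")),
    ]
    problems = [f"{what}: '{cmd}' is referenced but not defined"
                for what, cmd in refs if not defined(cmd)]
    # The pool must lie inside the subnet of the loopback the template borrows its address from.
    pool_hdr, _ = block(blocks, "ip local pool")
    _, loop = block(blocks, "interface Loopback")
    addr, mask = next(l.split()[2:4] for l in loop if l.startswith("ip address "))
    subnet = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    problems += [f"address pool: {ip} is outside loopback subnet {subnet}"
                 for ip in pool_hdr.split()[4:6] if ipaddress.ip_address(ip) not in subnet]
    return problems

def check_client(blocks, site):
    """Compare the Shrew Key ID String and Pre Shared Key with the router group."""
    header, grp = block(blocks, "crypto isakmp client configuration group")
    checks = [(site["key_id_string"] == header.split()[-1], "Key ID String does not match the router group name"),
              (site["pre_shared_key"] == arg(grp, "key"), "Pre Shared Key does not match the group 'key' line")]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    cfg = parse_ios(ROUTER_CONFIG)
    found = check_router(cfg) + check_client(cfg, CLIENT_SITE)
    print("\n".join(found) or "router and client settings are consistent")
```

Run against the configuration as posted, the script reports nothing; change the profile's "virtual-template 1" to "virtual-template 2", or let the pool drift outside the Loopback0 subnet, and the corresponding line is printed, which is usually faster than reading "debug crypto isakmp" output on the router.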