Wednesday, 21 May 2014

How to configure Remote Access IPsec on Cisco Router

Today one of our customers asked me to configure a VPN for his small office: they had just installed the equipment and needed a secure remote connection to the office. I thought there was nothing hard about configuring RA VPN on their router, especially since it is a Cisco, but every time I configure something I only touch once a year =)) I start opening the documentation and so on. That's why I want to write this small note for myself, and if it helps somebody else, you're always welcome.

Let's start with what we have:

a small office with one Cisco 2821 and one Cisco 2960. They also have a stable Ethernet connection directly to the router. There are several internal networks to which we are going to grant access through the VPN.

Cust-Router(config)#do sh ip int br                   
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         Cus.Rea.IP.Ad   YES DHCP   up                    up      
GigabitEthernet0/1         unassigned      YES NVRAM  up                    up      
GigabitEthernet0/1.1       192.168.81.254  YES NVRAM  up                    up      
GigabitEthernet0/1.3       192.168.82.254  YES NVRAM  up                    up      
GigabitEthernet0/1.7       192.168.83.254  YES NVRAM  up                    up      
GigabitEthernet0/1.84      192.168.84.254  YES manual up                    up      
GigabitEthernet0/1.150     192.168.85.254  YES NVRAM  up                    up      
GigabitEthernet0/0/0       unassigned      YES unset  administratively down down    
GigabitEthernet1/0         10.10.0.2       YES NVRAM  administratively down down    
Loopback0                  192.168.88.254  YES manual up                    up      
NVI0                       Cus.Rea.IP.Ad   YES unset  up                    up    

First of all, we should create the accounts the customer's users will use to access their network. When the customer later implements a centralized system (e.g. RADIUS), we can easily move authentication there.
Let's configure it:

Cust-Router(config)# username maxim secret c0mein12345

Next we enable the AAA new model, create the Xauth login list (users are authenticated against the local database) and create a named network authorization list:

Cust-Router(config)#aaa new-model

Cust-Router(config)#aaa authentication login VPN_CLIENTS local

Cust-Router(config)#aaa authorization network VPN_GROUP local

Our VPN clients also need their own IP addresses (a VPN pool) to reach our network:


Cust-Router(config)#ip local pool VPN_POOL 192.168.200.200 192.168.200.230

After these small preparations, the first thing we configure in the VPN section is the ISAKMP policy. ISAKMP, or IKE, is the Internet Security Association and Key Management Protocol; it consists of two phases. Phase 1 sets up the tunnel that protects the subsequent management traffic. Phase 2 creates the tunnel for the data.
Here we describe the authentication and encryption methods, which must match on both sides of the connection.

Cust-Router(config)#crypto isakmp enable

Cust-Router(config)#crypto isakmp policy 10

Cust-Router(config-isakmp)#authentication pre-share

Cust-Router(config-isakmp)#encryption 3des

Cust-Router(config-isakmp)#hash sha

Cust-Router(config-isakmp)#group 2

Cust-Router(config-isakmp)#lifetime 3600

Cust-Router(config-isakmp)#exit


This says that we are going to use ISAKMP policy number 10 with a pre-shared key, 3DES encryption, the SHA hashing algorithm, and Diffie-Hellman group 2 as the method for establishing the keys.

In the next section we create the VPN group that we'll refer to in the VPN client software, define the pre-shared key, the pool of IP addresses we described earlier, and the access list that describes which internal subnets the clients are allowed to reach:


Cust-Router(config)#crypto isakmp client configuration group VPN_USERS

Cust-Router(config-isakmp-group)#key YourVPNKey

Cust-Router(config-isakmp-group)#domain example.local

Cust-Router(config-isakmp-group)#pool VPN_POOL

Cust-Router(config-isakmp-group)#acl 100

Cust-Router(config-isakmp-group)#exit

We should populate the defined ACL 100 with our subnets:

Cust-Router(config)#access-list 100 permit ip 192.168.81.0 0.0.0.255 85.168.200.0 0.0.0.255

Cust-Router(config)#access-list 100 permit ip 192.168.82.0 0.0.0.255 85.168.200.0 0.0.0.255

Cust-Router(config)#access-list 100 permit ip 192.168.83.0 0.0.0.255 85.168.200.0 0.0.0.255

Cust-Router(config)#access-list 100 permit ip 192.168.84.0 0.0.0.255 85.168.200.0 0.0.0.255

Cust-Router(config)#access-list 100 permit ip 192.168.85.0 0.0.0.255 85.168.200.0 0.0.0.255

For phase 2 of the ISAKMP process we should configure a transform set and create a dynamic crypto map entry. This is just an empty shell of a map; the real map we'll create later.

Cust-Router(config)#crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac

Cust-Router(cfg-crypto-trans)#exit

Cust-Router(config)#crypto dynamic-map EXT_DYNAMIC_MAP 10

Cust-Router(config-crypto-map)#set transform-set TRANS_3DES_SHA

Cust-Router(config-crypto-map)#exit

In the next section we attach our dynamic map to a real crypto map and enable the server-side responses (address assignment, client authentication and group authorization):


Cust-Router(config)#crypto map EXT_MAP client configuration address respond

Cust-Router(config)#crypto map EXT_MAP client authentication list VPN_CLIENTS

Cust-Router(config)#crypto map EXT_MAP isakmp authorization list VPN_GROUP

Cust-Router(config)#crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP

The last action in our configuration is adding the real map to the outside interface, in our case Gig0/0:

Cust-Router(config)#int gig0/0

Cust-Router(config-if)#crypto map EXT_MAP

Cust-Router(config-if)#exit

Also don't forget to exclude the VPN subnets from the NAT rule (the deny entries in the nat-users ACL below):

Cust-Router(config-ext-nacl)#do sh ip access-lists                                    
Extended IP access list 100
    10 permit ip 192.168.81.0 0.0.0.255 85.168.200.0 0.0.0.255
    20 permit ip 192.168.82.0 0.0.0.255 85.168.200.0 0.0.0.255
    30 permit ip 192.168.83.0 0.0.0.255 85.168.200.0 0.0.0.255
    40 permit ip 192.168.84.0 0.0.0.255 85.168.200.0 0.0.0.255
    50 permit ip 192.168.85.0 0.0.0.255 85.168.200.0 0.0.0.255
Extended IP access list aquafon-voice
    10 permit ip host 192.168.88.254 host 172.24.41.127 (1988 matches)
Extended IP access list nat-users
    10 deny ip host 192.168.88.254 host 172.24.41.127 (1005 matches)
    30 deny ip 192.168.81.0 0.0.0.255 85.168.200.0 0.0.0.255
    40 deny ip 192.168.82.0 0.0.0.255 85.168.200.0 0.0.0.255
    50 deny ip 192.168.83.0 0.0.0.255 85.168.200.0 0.0.0.255
    60 deny ip 192.168.84.0 0.0.0.255 85.168.200.0 0.0.0.255
    70 deny ip 192.168.85.0 0.0.0.255 85.168.200.0 0.0.0.255
    80 permit ip 192.168.83.0 0.0.0.255 any
Cust-Router(config-ext-nacl)#end
Cust-Router#copy r s
Destination filename [startup-config]?
Building configuration...
[OK]
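The two consistency checks this section relies on, that every ACL 100 entry's destination covers the address range of the VPN pool and that the NAT ACL carries a matching deny for each of those entries, plus a check for legacy ISAKMP algorithms, can be run over a saved running-config with this small audit script. It is an added example, not part of the original post or any Cisco tool; the config text is a constructed sample written in the style of the post's CLI lines.

```python
import ipaddress
import re

# Constructed sample in the style of the post's CLI lines; not the customer's real config.
SAMPLE_CONFIG = """
ip local pool VPN_POOL 192.168.200.200 192.168.200.230
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
access-list 100 permit ip 192.168.81.0 0.0.0.255 85.168.200.0 0.0.0.255
access-list 100 permit ip 192.168.82.0 0.0.0.255 85.168.200.0 0.0.0.255
ip access-list extended nat-users
 30 deny ip 192.168.81.0 0.0.0.255 85.168.200.0 0.0.0.255
 80 permit ip 192.168.81.0 0.0.0.255 any
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PAIR = rf"{IP} {IP} {IP} {IP}"  # src wildcard dst wildcard
# "hash sha" on IOS means SHA-1; DH groups 1, 2 and 5 are 768/1024/1536-bit MODP.
LEGACY = {r"^\s*encryption (des|3des)$": "DES/3DES encryption",
          r"^\s*hash (md5|sha)$": "MD5/SHA-1 hashing",
          r"^\s*group [125]$": "DH group 1, 2 or 5"}

def net(addr, wildcard):
    # ipaddress accepts a Cisco wildcard (hostmask) where a prefix length would go.
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def audit(cfg):
    """Return findings for the split-tunnel ACL, the NAT exemption and the IKE policy."""
    lo, hi = re.search(r"ip local pool \S+ (\S+) (\S+)", cfg).groups()
    pool = [ipaddress.ip_address(lo), ipaddress.ip_address(hi)]
    permits = re.findall(rf"access-list 100 permit ip {PAIR}", cfg)
    denies = set(re.findall(rf"^\s*(?:\d+ )?deny ip {PAIR}", cfg, re.M))
    findings = []
    for src, sw, dst, dw in permits:
        dest = net(dst, dw)
        # The split-tunnel ACL pairs each internal subnet with the subnet the pool is
        # drawn from; a different destination covers no VPN client address at all.
        if not all(a in dest for a in pool):
            findings.append(f"acl 100: {net(src, sw)} -> {dest} does not cover pool {lo}-{hi}")
        # Each permit needs a matching deny in the NAT ACL, otherwise VPN traffic gets NATed.
        if (src, sw, dst, dw) not in denies:
            findings.append(f"nat: no deny for {net(src, sw)} -> {dest}")
    for pattern, name in LEGACY.items():
        if re.search(pattern, cfg, re.M):
            findings.append(f"isakmp: {name} is legacy; prefer AES, SHA-2 and DH group 14+")
    return findings
```

Feed it the output of `show running-config` (saved to a file) instead of SAMPLE_CONFIG to audit a real box; each finding names the ACL line or policy setting to revisit.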

On the client side, install the Cisco VPN Client, click New, and enter the external IP address of your router.
Under Group Authentication, Name is VPN_USERS (the group name we defined in our example) and Password is the key (YourVPNKey here).