Virtual Private Network (VPN)




Configuration Guide 5991-2120
April 2005

Virtual Private Network (VPN)
VPN Using Preset Keys, Mode Config, and Manual Keys

This Configuration Guide is designed to provide you with a basic understanding of the concepts behind configuring your ProCurve Secure Router Operating System (SROS) product for VPN applications. For detailed information regarding specific command syntax, refer to the SROS Command Line Interface Reference Guide on your ProCurve SROS Documentation CD.

This guide consists of the following sections:

  Understanding VPN
  Configuring Your Secure Router
  Verifying Your Configuration Using Show Commands

61195880L1-29.2B  Printed in the USA

Understanding VPN

A truly private network is a network where a single entity (e.g., a company) owns all the wires from point A to point B. In a Virtual Private Network (VPN), some part of the path from A to B is a public network (e.g., the Internet or the public telephone system). VPN software technology creates a private tunnel through the public network system for your sensitive traffic. Using encryption and authentication methods, a VPN provides security over unsecured media.

VPN Benefits

VPNs provide a very cost-effective means of private communication by using inexpensive local-call ISDN or telephone connections (with the Internet as the backbone).

VPN Limitations

Obviously, when a technology incorporates portions of the network that are physically not in its control, there are Quality of Service (QoS) limitations. With a true private network, users can demand a guaranteed QoS from the telephone company or provider. However, this is not as clear-cut with VPNs.

IPSec Encryption and Authentication

Sensitive information should not be sent over the Internet without some means of ensuring security. Internet Protocol (IP) was not originally designed to be secure. Due to its method of routing packets, IP-based networks are extremely vulnerable to spoofing, session hijacking, and many other network attacks. IPSec was developed by the Internet Engineering Task Force (IETF) to solve security issues over IP. IPSec encrypts and authenticates the data passing through the VPN tunnel, providing confidentiality and data integrity over the public network.

Encryption

VPN-provided encryption algorithms (3DES, DES, etc.) are key to data confidentiality, allowing data to pass through the network protected from unauthorized access.

Authentication

VPN-provided authentication may be used to ensure both data integrity and trusted-source data origination. The use of hash algorithms (such as MD5 or SHA) ensures that data has not changed during transfer. The use of preshared keys or digital certificates ensures that the data is from a trusted/accepted source.

Configuring Your Secure Router

Note: The ProCurve Secure Router 7100/7200 IPSec Module (J8471A) is required for VPN functionality in the ProCurve Secure Router 7000dl Series routers.

The following are given as examples of common configurations:

  VPN Using IKE with Preshared Keys (Site-to-Site VPN)
    Step-by-Step Configuration: IKE with Preshared Keys
    Sample Script
  VPN Using Mode Config Support (Remote Access VPN)
    Step-by-Step Configuration: Adding Mode Config Support
    Sample Script

Configuration steps for each example are provided in the tables which follow the configuration descriptions. You can follow the given steps by entering the command text shown (modifying as needed for your application).

Note: These examples are given for your study and consideration only. They are to help you reach a better understanding of the fundamental concepts before configuring your own application. It will be necessary for you to modify these examples to match your own network's configuration.

Use the sample scripts in this section as a shortcut to configuring your unit. Use the text tool in Adobe Acrobat to select and copy the scripts, paste them into any text editing program, modify as needed, and then paste them directly into your SROS command line.

Example 1: VPN Using IKE with Preshared Keys (Site-to-Site VPN)

The following example configures an SROS device for VPN using IKE main mode with preshared keys. This is a common configuration used to support site-to-site communication over VPN (see Figure 1). In this setup, the device is configured to initiate and respond in main mode.

Figure 1. Site-to-Site VPN

  Router A (Branch Office): Secure Router 7102dl/7203dl
    Network IP: 10.10.10.0
    eth 0/1 LAN IP: 10.10.10.254
    ppp 1 WAN IP: 63.97.45.57 (assigned to the corporate_vpn crypto map)
  Router B (Peer, Corporate HQ): Secure Router 7102dl/7203dl
    WAN IP: 68.105.15.129
    Network IP: 10.10.20.0
  Note: The VPN gateways involved may be connected through multiple routers.

Table 1. Step-by-Step Configuration: IKE with Preshared Keys

Step 1. Enter Enable Security mode.
    >enable

Step 2. Enter Global Configuration mode.
    #configure terminal

Step 3. Enable VPN functionality.
    (config)#ip crypto

Step 4. Set the local ID during IKE negotiation to be the IP address of the interface from which the traffic exits.
    (config)#crypto ike local-id address
  Note: You can override this setting on a per-policy basis by using the local-id command in the IKE Policy command set.

Step 5. Create an IKE policy with a priority of 10 and enter the IKE Policy command set.
    (config)#crypto ike policy 10

Step 6. Configure this policy to accept the global local ID setting (as described in step 4, above).
    (config-ike)#no local-id

Step 7. Enter the IP address of the peer device. This policy can now initiate or respond to the peer.
    (config-ike)#peer 68.105.15.129
  Note: Repeat this command for multiple peers, if necessary.

Step 8. Specify to initiate negotiations using main mode.
    (config-ike)#initiate main
  Note: Aggressive mode can be used when one end of the VPN tunnel has a dynamically-assigned address. The side with the dynamic address must be the initiator of the traffic and tunnel. The side with the static address must be the responder. Please note that in some situations, using aggressive mode with preshared keys can compromise network security.

Step 9. Allow the IKE policy to respond to IKE negotiations from peers using main mode.
    (config-ike)#respond main

Step 10. Enter the IKE Policy Attribute command mode, assigning this attribute a priority of 10.
    (config-ike)#attribute 10
  Note: Multiple attributes can be created for a single IKE policy. The attribute's priority number specifies the order in which the resulting VPN proposals get sent to the far end.

Step 11. Choose the 3DES encryption algorithm for this IKE policy to use to transmit data over the IKE-generated SA.
    (config-ike-attribute)#encryption 3des

Step 12. Specify the SHA hash algorithm to be used to authenticate the data transmitted over the IKE SA.
    (config-ike-attribute)#hash sha

Step 13. Configure this IKE policy to use preshared secrets during IKE negotiation to validate the peer.
    (config-ike-attribute)#authentication pre-share

Step 14. Specify Diffie-Hellman Group 1 to be used by this IKE policy to generate the keys (which are then used to create the IPSec SA).
    (config-ike-attribute)#group 1

Step 15. Specify that the IKE SA is valid for 24 hours (i.e., 86400 seconds).
    (config-ike-attribute)#lifetime 86400

Step 16. Exit to Global Configuration mode.
    (config-ike-attribute)#exit

Step 17. Specify the remote ID and associate it with a preshared key (mysecret123).
    (config)#crypto ike remote-id address 68.105.15.129 preshared-key mysecret123

Step 18. Create a transform set (highly_secure) consisting of two security algorithms (up to three algorithms may be defined).
    (config)#crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac

Step 19. Place this transform set in tunnel mode (used almost exclusively in VPN configurations involving multiple subnets).
    (cfg-crypto-trans)#mode tunnel

Step 20. Create an empty access list and enter the extended access list command set.
    (cfg-crypto-trans)#ip access-list extended corporate_traffic
  Note: The following message is displayed once you enter this command: Configuring New Extended ACL corporate_traffic.

Step 21. Specify the traffic to be sent through the VPN tunnel (see note, below).
    (config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
  Note: In this example, traffic with a source IP of our LAN network (10.10.10.0) and a destination IP of the peer private network (10.10.20.0) is allowed.

Step 22. Specify that all other traffic (not permitted in the previous step) is denied.
    (config-ext-nacl)#deny ip any any

Step 23. Create an IPSec crypto map (corporate_vpn) to define the IPSec tunnel. Assign a map index of 1.
    (config-ext-nacl)#crypto map corporate_vpn 1 ipsec-ike
  Note: The map index number allows the SROS device to rank crypto maps. When multiple maps are defined, this number determines the order in which they are considered. Maps with the lowest number are evaluated first.

Step 24. Assign the access list corporate_traffic to this crypto map.
    (config-crypto-map)#match address corporate_traffic

Step 25. Set the IP address of the peer device.
    (config-crypto-map)#set peer 68.105.15.129

Step 26. Assign the transform set highly_secure to this crypto map.
    (config-crypto-map)#set transform-set highly_secure

Step 27. Define the lifetime (in seconds) for the IPSec SAs created by this crypto map.
    (config-crypto-map)#set security-association lifetime seconds 28800

Step 28. Configure the unit not to use PFS (perfect forward secrecy) when creating new IPSec SAs.
    (config-crypto-map)#no set pfs

Step 29. Access configuration parameters for the PPP interface.
    (config-crypto-map)#interface ppp 1

Step 30. Assign an IP address and subnet mask to the WAN interface.
    (config-ppp 1)#ip address 63.97.45.57 255.255.255.248

Step 31. Apply the crypto map corporate_vpn to the WAN interface.
    (config-ppp 1)#crypto map corporate_vpn

Step 32. Activate the WAN interface.
    (config-ppp 1)#no shutdown

Step 33. Access configuration parameters for the Ethernet port.
    (config-ppp 1)#interface ethernet 0/1

Step 34. Assign an IP address and subnet mask to the Ethernet port.
    (config-eth 0/1)#ip address 10.10.10.254 255.255.255.0

Step 35. Activate the Ethernet port.
    (config-eth 0/1)#no shutdown

Step 36. Exit to Global Configuration mode.
    (config-eth 0/1)#exit

Sample Script

    ! Enter the Configure Terminal Mode
    enable
    configure terminal
    ! Turn on VPN Support
    ip crypto

    ! By default, the local ID of the device will be the IPv4 address
    ! of the interface over which the IKE negotiation is occurring
    crypto ike local-id address
    ! Create an IKE policy with priority of 10
    !   Mode: main
    !   local ID: Do NOT override the system local-id policy
    !   Peer: 68.105.15.129
    !   Can Initiate or Respond to IKE negotiation
    !   One attribute configured - Number: 10
    !     Encryption Algorithm: 3DES
    !     Hash Algorithm: SHA1
    !     Authentication Type: Preshared Keys
    !     Group: Diffie-Hellman Group 1
    !     IKE SA Lifetime: 86400 seconds
    crypto ike policy 10
      no local-id
      peer 68.105.15.129
      initiate main
      respond main
      attribute 10
        encryption 3des
        hash sha
        authentication pre-share
        group 1
        lifetime 86400
    ! Define the remote-id and preshared key for peer 68.105.15.129
    crypto ike remote-id address 68.105.15.129 preshared-key mysecret123
    ! Define the transform-set to be used to secure data transmitted
    ! and received over the IPSec tunnel
    crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac
      mode tunnel
    ! Specify the traffic to be sent over the VPN tunnel.
    ! With respect to this unit, that traffic would be anything with
    ! a source IP of our LAN network (10.10.10.0) and a destination
    ! IP of the Peer Private network (10.10.20.0).
    ! All other traffic will not be allowed over the tunnel.
    ip access-list extended corporate_traffic
      permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
      deny ip any any
    ! Create an IPSec Crypto Map to define the IPSec tunnel
    !   Crypto Map Name: corporate_vpn
    !   Crypto Map Index: 1
    !   Select VPN tunnel traffic using named ACL corporate_traffic
    !   Peer: 68.105.15.129
    !   Use the encryption and authentication transform-set as specified
    !   in highly_secure
    !   IPSec Lifetime: 8000 Kbytes or 28800 seconds, whichever comes first
    !   Do not use Perfect Forward Secrecy when creating new IPSec SAs
    crypto map corporate_vpn 1 ipsec-ike
      match address corporate_traffic
      set peer 68.105.15.129
      set transform-set highly_secure
      set security-association lifetime seconds 28800
      no set pfs
    ! Configure the public interface (ppp 1)
    ! Apply the specified crypto map to our public interface
    interface ppp 1
      ip address 63.97.45.57 255.255.255.248
      crypto map corporate_vpn
      no shutdown
    ! Configure the private interface (ethernet 0/1)
    interface ethernet 0/1
      ip address 10.10.10.254 255.255.255.0
      no shutdown

Example 2: VPN Using Mode Config Support (Remote Access VPN)

Note: The ProCurve VPN Client (J8758A/J8750A) is available for remote VPN client connectivity. For more information on the ProCurve VPN Client software, go to www.procurve.com.

The following example configures an SROS device for VPN using IKE main mode with preshared keys and mode config support (i.e., IPv4 address, primary and secondary DNS, and NBNS addresses). This is a common configuration to support remote access over VPN (see Figure 2). In this configuration, the device is configured to initiate and respond in main mode.

Figure 2. Remote Access VPN

  Router A (Corporate HQ): Secure Router 7102dl/7203dl
    Network IP: 10.10.10.0
    eth 0/1 LAN IP: 10.10.10.254
    ppp 1 WAN IP: 63.97.45.57 (assigned to the corporate_vpn crypto map)
    Mode Config setup at the central site:
      (config)#crypto ike client configuration pool vpn_users
      (config-ike-client-pool)#ip-range 10.30.10.1 10.30.10.12
  Remote Client: ProCurve VPN Client (J8758A/J8750A)
    WAN IP: 68.105.15.129
    Virtual IP: 10.30.10.x (mode-config assigned)

Table 2. Step-by-Step Configuration: Adding Mode Config Support

Step 1. Enter Enable Security mode.
    >enable

Step 2. Enter Global Configuration mode.
    #configure terminal

Step 3. Enable VPN functionality.
    (config)#ip crypto

Step 4. Set the local ID during IKE negotiation to be the IP address of the interface from which the traffic exits.
    (config)#crypto ike local-id address
  Note: You can override this setting on a per-policy basis by using the local-id command in the IKE Policy command set.

Step 5. Create a client configuration pool (vpn_users) and enter its command set.
    (config)#crypto ike client configuration pool vpn_users

Step 6. Specify the range of addresses from which the router draws when assigning an IP address to a client.
    (config-ike-client-pool)#ip-range 10.30.10.1 10.30.10.12
  Note: Define the range by entering the first IP address in the range for this pool, followed by the last IP address in the range for this pool.

Step 7. Specify the primary and secondary DNS server addresses to assign to a client.
    (config-ike-client-pool)#dns-server 10.30.10.250 10.30.10.251

Step 8. Specify the primary and secondary NetBIOS Windows Internet Naming Service (WINS) name servers to assign to a client.
    (config-ike-client-pool)#netbios-name-server 10.30.10.253 10.30.10.254

Step 9. Exit to Global Configuration mode.
    (config-ike-client-pool)#exit

Step 10. Create an IKE policy with a priority of 10 and enter the IKE Policy command set.
    (config)#crypto ike policy 10

Step 11. Configure this policy to accept the global local ID setting (as described previously in step 4).
    (config-ike)#no local-id

Step 12. Enter the IP address of the peer device. This policy can now initiate or respond to the peer.
    (config-ike)#peer 68.105.15.129
  Note: Repeat this command for multiple peers, if necessary.

Step 13. Specify to initiate negotiations using main mode.
    (config-ike)#initiate main
  Note: Aggressive mode can be used when one end of the VPN tunnel has a dynamically-assigned address. The side with the dynamic address must be the initiator of the traffic and tunnel. The side with the static address must be the responder. Please note that in some situations, using aggressive mode with preshared keys can compromise network security.

Step 14. Allow the IKE policy to respond to IKE negotiations from peers using main mode.
    (config-ike)#respond main

Step 15. Set the client configuration pool for this IKE policy to vpn_users.
    (config-ike)#client configuration pool vpn_users

Step 16. Enter the IKE Policy Attribute command mode, assigning this attribute a priority of 10.
    (config-ike)#attribute 10
  Note: Multiple attributes can be created for a single IKE policy. The attribute's priority number specifies the order in which the resulting VPN proposals get sent to the far end.

Step 17. Choose the 3DES encryption algorithm for this IKE policy to use to transmit data over the IKE-generated SA.
    (config-ike-attribute)#encryption 3des

Step 18. Specify the SHA hash algorithm to be used to authenticate the data transmitted over the IKE SA.
    (config-ike-attribute)#hash sha

Step 19. Configure this IKE policy to use preshared secrets during IKE negotiation to validate the peer.
    (config-ike-attribute)#authentication pre-share

Step 20. Specify Diffie-Hellman Group 1 to be used by this IKE policy to generate the keys (which are then used to create the IPSec SA).
    (config-ike-attribute)#group 1

Step 21. Specify that the IKE SA is valid for 24 hours (i.e., 86400 seconds).
    (config-ike-attribute)#lifetime 86400

Step 22. Exit to Global Configuration mode.
    (config-ike-attribute)#exit

Step 23. Specify the remote ID and associate it with a preshared key (mysecret123).
    (config)#crypto ike remote-id address 68.105.15.129 preshared-key mysecret123

Step 24. Create a transform set (highly_secure) consisting of two security algorithms (up to three algorithms may be defined).
    (config)#crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac

Step 25. Place this transform set in tunnel mode (used almost exclusively in VPN configurations involving multiple subnets).
    (cfg-crypto-trans)#mode tunnel

Step 26. Create an empty access list and enter the extended access list command set.
    (cfg-crypto-trans)#ip access-list extended corporate_traffic
  Note: The following message is displayed once you enter this command: Configuring New Extended ACL corporate_traffic.

Step 27. Specify the traffic to be sent through the VPN tunnel (see note, below).
    (config-ext-nacl)#permit ip 10.10.10.0 0.0.0.255 any log
  Note: In this example, traffic with a source IP of our LAN network (10.10.10.0) and a destination IP of any private network is allowed.

Step 28. Specify that all other traffic (not permitted in the previous step) is denied.
    (config-ext-nacl)#deny ip any any

Step 29. Create an IPSec crypto map (corporate_vpn) to define the IPSec tunnel. Assign a map index of 1.
    (config-ext-nacl)#crypto map corporate_vpn 1 ipsec-ike
  Note: The map index number allows the SROS device to rank crypto maps. When multiple maps are defined, this number determines the order in which they are considered. Maps with the lowest number are evaluated first.

Step 30. Assign the access list corporate_traffic to this crypto map.
    (config-crypto-map)#match address corporate_traffic

Step 31. Set the IP address of the peer device.
    (config-crypto-map)#set peer 68.105.15.129

Step 32. Assign the transform set highly_secure to this crypto map.
    (config-crypto-map)#set transform-set highly_secure

Step 33. Define the lifetime (in seconds) for the IPSec SAs created by this crypto map.
    (config-crypto-map)#set security-association lifetime seconds 28800

Step 34. Configure the unit not to use PFS (perfect forward secrecy) when creating new IPSec SAs.
    (config-crypto-map)#no set pfs

Step 35. Access configuration parameters for the PPP interface.
    (config-crypto-map)#interface ppp 1

Step 36. Assign an IP address and subnet mask to the WAN interface.
    (config-ppp 1)#ip address 63.97.45.57 255.255.255.248

Step 37. Apply the crypto map corporate_vpn to the WAN interface.
    (config-ppp 1)#crypto map corporate_vpn

Step 38. Activate the WAN interface.
    (config-ppp 1)#no shutdown

Step 39. Access configuration parameters for the Ethernet port.
    (config-ppp 1)#interface ethernet 0/1

Step 40. Assign an IP address and subnet mask to the Ethernet port.
    (config-eth 0/1)#ip address 10.10.10.254 255.255.255.0

Step 41. Activate the Ethernet port.
    (config-eth 0/1)#no shutdown

Step 42. Exit to Global Configuration mode.
    (config-eth 0/1)#exit

Sample Script

    ! Enter the Configure Terminal Mode
    enable
    configure terminal
    ! Turn on VPN Support
    ip crypto

    ! By default, the local ID of the device will be the IPv4 address
    ! of the interface over which the IKE negotiation is occurring
    crypto ike local-id address
    ! Create a Client Configuration Pool with a name of vpn_users
    !   Address Range: 10.30.10.1 to 10.30.10.12
    !   DNS Primary Address: 10.30.10.250
    !   DNS Secondary Address: 10.30.10.251
    !   NBNS Primary Address: 10.30.10.253
    !   NBNS Secondary Address: 10.30.10.254
    crypto ike client configuration pool vpn_users
      ip-range 10.30.10.1 10.30.10.12
      dns-server 10.30.10.250 10.30.10.251
      netbios-name-server 10.30.10.253 10.30.10.254
    ! Create an IKE policy with priority of 10
    !   Mode: main
    !   local ID: Do NOT override the system local-id policy
    !   Peer: 68.105.15.129
    !   Can Initiate or Respond to IKE negotiation
    !   Set the client configuration pool to vpn_users
    !   One attribute configured - Number: 10
    !     Encryption Algorithm: 3DES
    !     Hash Algorithm: SHA1
    !     Authentication Type: Preshared Keys
    !     Group: Diffie-Hellman Group 1
    !     IKE SA Lifetime: 86400 seconds
    crypto ike policy 10
      no local-id
      peer 68.105.15.129
      initiate main
      respond main
      client configuration pool vpn_users
      attribute 10
        encryption 3des
        hash sha
        authentication pre-share
        group 1
        lifetime 86400
    ! Define the remote-id and preshared key for peer 68.105.15.129
    crypto ike remote-id address 68.105.15.129 preshared-key mysecret123
    ! Define the transform-set to be used to secure data transmitted
    ! and received over the IPSec tunnel
    crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac
      mode tunnel
    ! Specify the traffic to be sent over the VPN tunnel.
    ! With respect to this unit, that traffic would be anything with
    ! a source IP of our LAN network (10.10.10.0) and any destination IP.
    ! All other traffic will not be allowed over the tunnel.
    ip access-list extended corporate_traffic
      permit ip 10.10.10.0 0.0.0.255 any log
      deny ip any any
    ! Create an IPSec Crypto Map to define the IPSec tunnel
    !   Crypto Map Name: corporate_vpn
    !   Crypto Map Index: 1
    !   Select VPN tunnel traffic using named ACL corporate_traffic
    !   Peer: 68.105.15.129
    !   Use the encryption and authentication transform-set as specified
    !   in highly_secure
    !   IPSec Lifetime: 8000 Kbytes or 28800 seconds, whichever comes first
    !   Do not use Perfect Forward Secrecy when creating new IPSec SAs
    crypto map corporate_vpn 1 ipsec-ike
      match address corporate_traffic
      set peer 68.105.15.129
      set transform-set highly_secure
      set security-association lifetime seconds 28800
      no set pfs
    ! Configure the public interface (ppp 1)
    ! Apply the specified crypto map to our public interface
    interface ppp 1
      ip address 63.97.45.57 255.255.255.248
      crypto map corporate_vpn
      no shutdown
    ! Configure the private interface (ethernet 0/1)
    interface ethernet 0/1
      ip address 10.10.10.254 255.255.255.0
      no shutdown

Verifying Your Configuration Using Show Commands

Use the following SROS show commands to display information regarding your configuration. Enter show commands at any prompt using the do command. For example:

    (config-eth 0/1)#do show access-list

Table 3. Show Commands

show access-lists
  Displays all configured access lists in the system (or a specific list).

show crypto ike
  Displays information regarding the IKE configuration. Variations of this command include the following:
    show crypto ike client configuration pool
    show crypto ike client configuration pool <poolname>
    show crypto ike policy
    show crypto ike policy <policy priority>
    show crypto ike remote-id <remote-id>
    show crypto ike sa

show crypto ipsec
  Displays information regarding the IPSec configuration. Variations of this command include the following:
    show crypto ipsec sa
    show crypto ipsec sa address <ip address>
    show crypto ipsec sa map <mapname>
    show crypto ipsec transform-set
    show crypto ipsec transform-set <setname>

show crypto map
  Displays information regarding crypto map settings. Variations of this command include the following:
    show crypto map
    show crypto map interface ethernet <#/#>
    show crypto map interface frame-relay <#>
    show crypto map interface loopback <#>
    show crypto map interface ppp <#>
    show crypto map <map name>
    show crypto map <map name> <map #>

Sample Output

    #show access-lists
    Standard access list MatchAll
      permit host 10.3.50.6 (0 matches)
      permit 10.200.5.0 wildcard bits 0.0.0.255 (0 matches)
    Extended access list UnTrusted
      deny icmp 10.5.60.0 wildcard bits 0.0.0.255 any source-quench (0 matches)
      deny tcp any any (0 matches)

    #show crypto ike policy
    Crypto IKE Policy 100
      Main mode
      Using System Local ID Address
      Peers: 63.105.15.129
      initiate main
      respond anymode
      Attributes:10
        Encryption: 3DES
        Hash: SHA
        Authentication: Pre-share
        Group: 1
        Lifetime: 900 seconds

    #show crypto ipsec transform-set
    Transform Set MySet
      ah-md5-hmac
      mode tunnel
    Transform Set Set1
      esp-3des esp-sha-hmac
      mode tunnel
    Transform Set esp-des
      esp-des
      mode tunnel

    #show crypto map testmap
    Crypto Map testmap 10 ipsec-ike
      Extended IP access list NewList
      Peers:63.97.45.57
      Transform sets:esp-des
      Security-association lifetimes: 0 kilobytes 86400 seconds
      No PFS group configured
      Interfaces using crypto map testmap: eth 0/1

Copyright 2005 Hewlett-Packard Development Company, LP. The information contained herein is subject to change without notice.
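As an added example (not code from the ProCurve guide or from SROS), the following Python linter parses a script in the style of the Example 1 sample script above and reports the IKE and IPSec settings a reviewer would check before running the show commands in Table 3. The weak-algorithm thresholds and the "respond anymode" handling are this example's own assumptions; the aggressive-mode caveat is the guide's.

```python
# Added example, not from the ProCurve guide or SROS: a small linter that
# parses an SROS-style VPN script (here the guide's Example 1 sample script)
# and reports the IKE/IPsec settings a reviewer would check. The "weak"
# thresholds are this example's own assumptions; the aggressive-mode caveat
# is the guide's.
# Constructed input: Example 1 sample script without comments or interfaces.
SAMPLE_SCRIPT = """\
crypto ike policy 10
  peer 68.105.15.129
  initiate main
  respond main
  attribute 10
    encryption 3des
    hash sha
    authentication pre-share
    group 1
    lifetime 86400
crypto ike remote-id address 68.105.15.129 preshared-key mysecret123
crypto ipsec transform-set highly_secure esp-3des esp-sha-hmac
  mode tunnel
ip access-list extended corporate_traffic
  permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
  deny ip any any
crypto map corporate_vpn 1 ipsec-ike
  match address corporate_traffic
  set peer 68.105.15.129
  set transform-set highly_secure
  set security-association lifetime seconds 28800
  no set pfs
"""


def parse_sros_crypto(text):
    """Parse the VPN-relevant sections of an SROS script; indentation is ignored."""
    cfg = {"ike_policies": {}, "transform_sets": {}, "acls": {}, "crypto_maps": {}}
    kind = cur = attr = None  # section type, section dict/list, IKE attribute dict
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if w[:3] == ["crypto", "ike", "policy"]:
            cur = cfg["ike_policies"].setdefault(w[3], {"peers": [], "attributes": {}})
            kind, attr = "ike", None
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cur = cfg["transform_sets"][w[3]] = {"transforms": w[4:], "mode": None}
            kind = "ts"
        elif w[:2] == ["ip", "access-list"]:
            cur = cfg["acls"][w[3]] = []
            kind = "acl"
        elif w[:2] == ["crypto", "map"] and len(w) >= 5:
            cur = cfg["crypto_maps"][w[2]] = {"index": int(w[3]), "pfs": None}
            kind = "map"
        elif w[0] in ("crypto", "ip", "interface"):
            kind = cur = None  # any other top-level command closes the section
        elif kind == "ike":
            if w[0] == "peer":
                cur["peers"].append(w[1])
            elif w[0] in ("initiate", "respond"):
                cur[w[0]] = w[1]
            elif w[0] == "attribute":
                attr = cur["attributes"].setdefault(w[1], {})
            elif attr is not None and len(w) == 2:  # encryption/hash/auth/group/lifetime
                attr[w[0]] = w[1]
        elif kind == "ts" and w[0] == "mode":
            cur["mode"] = w[1]
        elif kind == "acl":
            cur.append(line)
        elif kind == "map":
            if w[:2] in (["match", "address"], ["set", "peer"], ["set", "transform-set"]):
                cur[w[1].replace("-", "_") if w[0] == "set" else "acl"] = w[2]
            elif w[:3] == ["no", "set", "pfs"]:
                cur["pfs"] = False
            elif w[:4] == ["set", "security-association", "lifetime", "seconds"]:
                cur["lifetime_seconds"] = int(w[4])
    return cfg


def lint(cfg):
    out = []
    for name, pol in cfg["ike_policies"].items():
        modes = {pol.get("initiate"), pol.get("respond")}
        for num, a in pol["attributes"].items():
            tag = f"ike policy {name} attribute {num}"
            # The guide's own caveat: aggressive mode with preshared keys.
            if a.get("authentication") == "pre-share" and modes & {"aggressive", "anymode"}:
                out.append(f"{tag}: aggressive mode with preshared keys (see guide note)")
            if a.get("group") in ("1", "2"):
                out.append(f"{tag}: DH group {a['group']} is below the 2048-bit group 14 floor")
            if a.get("encryption") in ("des", "3des"):
                out.append(f"{tag}: {a['encryption']} encryption is deprecated")
    for name, cm in cfg["crypto_maps"].items():
        if cm["pfs"] is False:  # every IPsec SA key then derives from the IKE SA secret
            out.append(f"crypto map {name}: PFS disabled")
        acl = cfg["acls"].get(cm.get("acl"), [])
        if not acl or not acl[-1].startswith("deny ip any any"):
            out.append(f"crypto map {name}: ACL {cm.get('acl')} lacks a final deny")
        ts = cfg["transform_sets"].get(cm.get("transform_set"), {"transforms": []})
        if not any(t.endswith("-hmac") for t in ts["transforms"]):
            out.append(f"crypto map {name}: transform set has no integrity algorithm")
    return out
```

Run `lint(parse_sros_crypto(SAMPLE_SCRIPT))` to see the three findings for the guide's own Example 1 settings (DH group 1, 3DES, PFS off); the same functions accept the Example 2 script, whose `client configuration pool` line is ignored by the parser.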