Sample Configuration of IPSec VPN Concentrator

1. Using local credentials for AAA (Authentication, Authorization and Accounting)

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
!
!--- Enable Authentication, Authorization and Accounting (AAA) for user authentication and group authorization.
!
aaa new-model
!
!--- In order to enable Xauth for user authentication, enable the aaa authentication commands.
!
aaa authentication login userauthen local
!
!--- In order to enable group authorization, enable the aaa authorization commands.
!
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!
!--- For local authentication of the IPsec user, create the user with a password
!
username user password 0 cisco
!
!
!
!--- Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!--- Create a group that is used to specify the WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication.
!--- ACL 101 is used for split tunneling on the VPN Client end.
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
acl 101
!
!--- Create the Phase 2 Policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply the transform set that was created earlier.
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!--- Create the actual crypto map, and apply the AAA lists that were created earlier.
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0/0
description LAN interface
ip address 10.10.10.1 255.255.255.0
half-duplex
ip nat inside
!
!--- Apply the crypto map on the outbound interface.
!
interface FastEthernet1/0
description WAN interface
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
!
ip local pool ippool 192.168.1.1 192.168.1.254
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
!--- Enable Network Address Translation (NAT) for inside source addresses that match access list 111;
!--- they are PATed to the FastEthernet1/0 IP address.
!
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- This access list specifies which subnets are permitted to access the router (applied to the vty lines with access-class 10).
!
access-list 10 remark Permittable Subnet To Access
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
!
!--- The access list is used to specify which traffic is to be translated for the outside Internet.
!
access-list 111 remark NAT for Internet Traffic Only
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
!--- Configure the interesting traffic to be encrypted from the VPN Client to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.
!
access-list 101 remark No NAT for VPN traffic
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
access-class 10 in
transport input ssh
!
end

2. Using an external TACACS+ server for AAA (Authentication, Authorization and Accounting)

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN
!
boot-start-marker
boot-end-marker
!
!
enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
!
!--- Enable Authentication, Authorization and Accounting (AAA) for user authentication and group authorization.
!
aaa new-model
!
!--- In order to enable Xauth for user authentication, enable the aaa authentication commands.
!
aaa authentication login userauthen group tacacs+ local
aaa authentication enable userauthen group tacacs+ enable
!
!--- In order to enable group authorization, enable the aaa authorization commands.
!
aaa authorization console
aaa authorization exec groupauthor group tacacs+ local
aaa authorization commands 15 groupauthor group tacacs+ local
aaa authorization network groupauthor group tacacs+ local
!
!--- In order to record all commands entered or executed, enable the aaa accounting commands.
!
aaa accounting exec groupauthor start-stop group tacacs+
aaa accounting commands 15 groupauthor start-stop group tacacs+
aaa accounting network groupauthor start-stop group tacacs+
aaa accounting connection groupauthor start-stop group tacacs+
!
aaa session-id common
!
resource policy
!
!
!--- For local authentication of the IPsec user, create the user with a password
!
username user password 0 cisco
!
!
!
!--- Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!--- Create a group that is used to specify the WINS and DNS server addresses to the VPN Client,
!--- along with the pre-shared key for authentication.
!--- ACL 101 is used for split tunneling on the VPN Client end.
!
crypto isakmp client configuration group vpnclient
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
acl 101
!
!--- Create the Phase 2 Policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply the transform set that was created earlier.
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!--- Create the actual crypto map, and apply the AAA lists that were created earlier.
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0/0
description LAN interface
ip address 10.10.10.1 255.255.255.0
half-duplex
ip nat inside
!
!--- Apply the crypto map on the outbound interface.
!
interface FastEthernet1/0
description WAN interface
ip address 172.16.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
!
ip local pool ippool 192.168.1.1 192.168.1.254
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.1.2
!
tacacs-server host [ENTER TACACS SERVER IP ADDRESS HERE]
tacacs-server key 0 [ENTER THE SECRET KEY HERE]
!
!--- Enable Network Address Translation (NAT) for inside source addresses that match access list 111;
!--- they are PATed to the FastEthernet1/0 IP address.
!
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- This access list specifies which subnets are permitted to access the router (applied to the vty lines with access-class 10).
!
access-list 10 remark Permittable Subnet To Access
access-list 10 permit 10.10.10.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255
!
!--- The access list is used to specify which traffic is to be translated for the outside Internet.
!
access-list 111 remark NAT for Internet Traffic Only
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
!
!--- Configure the interesting traffic to be encrypted from the VPN Client to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.
!
access-list 101 remark No NAT for VPN traffic
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
access-class 10 in
transport input ssh
!
end
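As an added check (not part of the original FAQ), the Python script below cross-references the pieces of the remote-access IPsec configs above that must agree with each other: the crypto map applied to the WAN interface and its dynamic map, the client group's address pool, the split-tunnel ACL 101 against the NAT exemption in ACL 111, and credentials stored in the clear. The sample config is a constructed excerpt of sections 1 and 2 using the same names.

```python
import re
# Constructed excerpt of the IPsec remote-access config above (assumption: same names and ACLs).
SAMPLE_CONFIG = """\
no service password-encryption
username user password 0 cisco
crypto isakmp client configuration group vpnclient
 pool ippool
 acl 101
crypto dynamic-map dynmap 10
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet1/0
 crypto map clientmap
ip local pool ippool 192.168.1.1 192.168.1.254
ip nat inside source list 111 interface FastEthernet1/0 overload
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def audit_ipsec_config(text):
    """Cross-check the remote-access IPsec pieces; returns a list of findings (empty = clean)."""
    cfg = "\n".join(l.strip() for l in text.splitlines() if l.strip() and not l.startswith("!"))
    find = lambda pat: re.findall(pat, cfg, re.M)
    findings = []
    # 1. A crypto map applied to an interface must be defined, and its dynamic map must exist.
    for name in find(r"^crypto map (\S+)$"):
        dyn = find(rf"^crypto map {name} \d+ ipsec-isakmp dynamic (\S+)$")
        if not dyn:
            findings.append(f"crypto map {name} is applied but never defined")
        elif not find(rf"^crypto dynamic-map {dyn[0]} \d+$"):
            findings.append(f"dynamic map {dyn[0]} used by {name} does not exist")
    # 2. The address pool handed to clients must exist.
    for pool in find(r"^pool (\S+)$"):
        if not find(rf"^ip local pool {pool} "):
            findings.append(f"pool {pool} referenced by the client group is undefined")
    # 3. Each LAN->VPN pair the split-tunnel ACL protects must be denied (exempted) in the NAT
    #    ACL, or those packets are PATed to the WAN address instead of entering the tunnel.
    nats = find(r"^ip nat inside source list (\d+) ")
    for acl in find(r"^acl (\d+)$"):
        for pair in find(rf"^access-list {acl} permit ip (\S+ \S+ \S+ \S+)$"):
            for nat in nats:
                if not find("^" + re.escape(f"access-list {nat} deny ip {pair}") + "$"):
                    findings.append(f"NAT ACL {nat} does not exempt split-tunnel pair '{pair}'")
    # 4. Secrets in the clear are readable by anyone who can view or back up the config.
    if find(r"^no service password-encryption$"):
        findings.append("service password-encryption is disabled")
    for user in find(r"^username (\S+) password 0 "):
        findings.append(f"user {user} has a plaintext password (use 'secret' instead)")
    return findings
```

Run it against a `show running-config` dump; the two findings it reports for the sample are the plaintext credentials the FAQ configs carry as written.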

Note:
* For more information on AAA and TACACS+ servers, see
»Cisco Forum FAQ »Securing access to routers with AAA commands

Some discussions
»[HELP] Static NAT on interface address with route-map for VPN

Sample Configuration of PPTP Windows VPN Concentrator

This is a simple configuration for a Cisco router with one interface connected to your ISP (using DHCP and NAT) and a second interface connected to your private network. With this configuration, remote users can access the private network over a Windows VPN connection.

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname myrouter
!
no logging console
!
aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common
!
enable secret 5 XXXXXXXXXXX
enable password 7 XXXXXXXXX
!
username admin privilege 15 password 7 XXXXXXXXXXX
username johndoe password 7 XXXXXXXXXXXXXXXXXX
!
ip routing
ip subnet-zero
ip domain-name mydomain.com
ip name-server 192.168.2.1
ip icmp rate-limit unreachable 2000
ip icmp rate-limit unreachable DF 2000
no ip source route
no ip finger
no ip bootp server
no service tcp-small-servers
no service udp-small-servers
no boot network
no service config
!
router rip
version 2
network 192.168.0.0
passive-interface FastEthernet 0/0
no auto-summary
!
!
ip audit notify log
ip audit smtp spam 25
ip audit po max-events 50
ip audit name AUDIT.1 info action alarm
ip audit name AUDIT.1 attack action alarm drop reset
!
vpdn enable
!
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
local name my-vpn
!
!
async-bootp dns-server 192.168.2.1
async-bootp nbns-server 192.168.2.1
!
!
interface FastEthernet0/0
description WAN Interface
ip address dhcp
ip nat outside
ip access-group filter_wan_in in
ip audit AUDIT.1 in
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
no ip route-cache
no cdp enable
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN Interface
ip address 192.168.1.1 255.255.0.0
ip nat inside
ip access-group filter_lan_in in
ip access-group filter_lan_out out
cdp enable
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip mroute-cache
peer default ip address pool VPN-IN
ppp encrypt mppe 40 required
ppp authentication ms-chap
!
!
ip local pool VPN-IN 192.168.2.51 192.168.2.53
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.1 1723 interface FastEthernet0/0 1723
!
ip classless
no ip http server
!
ip access-list extended filter_wan_in
! to deny all unsolicited incoming traffic, remove the 'permit ip any any' line so the deny below takes effect
permit ip any any
deny ip any any log
!
ip access-list extended filter_lan_in
permit ip any host 192.168.2.51
permit ip any host 192.168.2.52
permit ip any host 192.168.2.53
deny udp any range 137 138 any
deny tcp any eq 135 any
deny tcp any eq 139 any
deny tcp any eq 445 any
permit icmp any any
permit ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any any log
!
ip access-list extended filter_lan_out
permit ip host 192.168.2.51 any
permit ip host 192.168.2.52 any
permit ip host 192.168.2.53 any
permit icmp any any net-unreachable
permit icmp any any host-unreachable
permit icmp any any port-unreachable
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any ttl-exceeded
permit icmp any any echo-reply
deny icmp any any
deny udp any any range 137 138
deny tcp any any eq 135
deny tcp any any eq 139
deny tcp any any eq 445
deny ip any any log
!
access-list 1 remark NAT Source Restrictions
access-list 1 permit any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
password 7 XXXXXXXXXXXXXXXXX
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXXXXXXXXXXX
!
!
end

Configuration Description

The majority of the above configuration is fairly standard and can be found in other FAQs, so I will stick to the settings needed for the router to accept VPN connections. The first bit:

aaa new-model
aaa authentication ppp default local
aaa authorization network default if-authenticated
aaa session-id common

simply enables the AAA access control model for logins. The second part

username admin privilege 15 password 7 XXXXXXXXXXX
username johndoe password 7 XXXXXXXXXXXXXXXXXX

defines the users and their passwords. These users can log in either over the VPN or directly via telnet (or SSH, if configured).

The following part

vpdn enable
!
vpdn-group 1
accept-dialin
protocol pptp
virtual-template 1
local name my-vpn

enables virtual private dialup networking (VPDN) using the Point-to-Point Tunneling Protocol (PPTP).

The next part

interface Virtual-Template1
ip unnumbered FastEthernet0/1
ip mroute-cache
peer default ip address pool VPN-IN
ppp encrypt mppe 40 required
ppp authentication ms-chap

creates a virtual template bound to the LAN port of the router and assigns the client an IP address from the VPN-IN pool.

This part

ip local pool VPN-IN 192.168.2.51 192.168.2.53

defines the IP addresses available to the VPN clients (3 in this case). The next part

ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.1 1723 interface FastEthernet0/0 1723

defines the NAT overload rule and the static port mapping; 1723 is the TCP port used by PPTP.

The ACLs can be customized to your needs, but note how the VPN client addresses are reversed:
192.168.2.51 --> Fa0/1 In --> 192.168.0.0/23
192.168.2.52 --> Fa0/1 In --> 192.168.0.0/23
192.168.2.53 --> Fa0/1 In --> 192.168.0.0/23
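Added example (not part of the original FAQ): a small Python lint for the extended ACLs above. It flags wildcard masks that are not contiguous (a mistyped mask silently matches the wrong hosts) and entries that an earlier, broader entry makes unreachable, such as the `deny ip any any log` that can never match once `permit ip any any` precedes it in filter_wan_in. The sample entries are a constructed excerpt; the 0.15.25.255 wildcard is deliberately mistyped so both checks have something to report.

```python
import ipaddress
# Constructed excerpt of filter_wan_in / filter_lan_in above, plus a mistyped wildcard (0.15.25.255).
SAMPLE_ACLS = """\
ip access-list extended filter_wan_in
 permit ip any any
 deny ip any any log
ip access-list extended filter_lan_in
 permit ip any host 192.168.2.51
 deny tcp any eq 445 any
 permit ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.25.255 any log
 deny ip any any log
"""

def take_addr(words):
    """Pop one address spec (any | host X | X wildcard) and any port qualifier that follows it."""
    if words[0] == "any":
        net, words = ipaddress.IPv4Network("0.0.0.0/0"), words[1:]
    elif words[0] == "host":
        net, words = ipaddress.IPv4Network(words[1] + "/32"), words[2:]
    else:                                   # 'A.B.C.D wildcard' form
        w = int(ipaddress.IPv4Address(words[1]))
        if w & (w + 1):                     # a contiguous wildcard is 2**k - 1
            raise ValueError(f"non-contiguous wildcard {words[1]}")
        net = ipaddress.IPv4Network(f"{words[0]}/{32 - w.bit_length()}", strict=False)
        words = words[2:]
    ports = bool(words) and words[0] in ("eq", "gt", "lt", "range")
    return net, ports, (words[3 if words[0] == "range" else 2:] if ports else words)

def lint_acls(text):
    """Flag non-contiguous wildcards and entries shadowed by an earlier, broader entry."""
    findings, acl, seen = [], None, []
    for raw in text.splitlines():
        w = raw.split()
        if w[:3] == ["ip", "access-list", "extended"]:
            acl, seen = w[3], []
        elif w and w[0] in ("permit", "deny"):
            try:
                src, sp, rest = take_addr(w[2:])
                dst, dp, _ = take_addr(rest)
            except ValueError as err:
                findings.append(f"{acl}: '{raw.strip()}': {err}")
                continue
            for act, proto, s, d in seen:      # earlier entries without port qualifiers
                if proto in ("ip", w[1]) and src.subnet_of(s) and dst.subnet_of(d):
                    findings.append(f"{acl}: '{raw.strip()}' is shadowed by '{act} {proto} {s} {d}'")
            if not (sp or dp):
                seen.append((w[0], w[1], src, dst))
    return findings
```

Only entries with no port qualifier are treated as potential shadows, so port-specific denies such as `deny tcp any eq 445 any` are never reported as hiding a later line.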

Now all that is left is to configure the client computers. With Windows XP it's easy:
1) open the Network Connections folder
2) click "Create a new connection"
3) click Next
4) choose "Connect to the network at my workplace", then click Next
5) select "Virtual Private Network connection", then click Next
6) enter a name for the connection and click Next
7) now you can set the VPN connection to auto-dial or not; choose either, then click Next
8) enter the IP address of your router (this is the public address). Since in our case it is assigned by DHCP, we could use a dyndns address here
9) click Next
10) click Finish

Once the wizard has completed, right-click the new connection, then click Properties. On the Security tab select "Advanced (custom settings)" and click the Settings button.

Verify that the Data encryption drop-down has "Require Encryption" selected. Then make sure Microsoft CHAP (MS-CHAP) and (MS-CHAP v2) are enabled and click OK.

Finally, go to the Networking tab and change the "type of VPN" from Automatic to "PPTP VPN", then click the Settings button and verify that:
1) Enable LCP Extensions - is checked
2) Enable software compression - is checked
3) Negotiate multi-link - is not checked

Now you're all set and ready to go.

Some discussion

»[Config] How do I assign default gateway for a PPTP VPN client
»VPN - Can't ping next-hop
»[HELP] Small VPN conundrum!

Note that, in general, a PPTP VPN connection is less secure than the "industry-standard" IPsec VPN connection. It is therefore strongly suggested to use an IPsec VPN connection instead.

Sample Configuration of VPN Concentrator Using Other VPN Technologies

»Cisco Forum FAQ »Configure router and ASA/PIX Firewall to support various VPN technologies


by mandraw, edited by aryoba
last modified: 2013-09-27 07:15:10