myITmicroblog

Posts

Remote Access VPN (IPsec) - IOS - isakmp/ipsec profiles

The last requirement from my previous post is controlling what kind of traffic a VPN user can send over the tunnel. On Cisco ASA you can easily add vpn-filter to the group policy: Asa1 ( config ) # group-policy MyGroup attributes Asa1 ( config - group - policy ) # vpn-filter acl_vpn but here with IOS we don’t have such possibility. The first solution is a radius server and configuration of downloadable ACLs per user. If you don’t have any external server you can change the config a bit and start using VTIs (Virtual Tunnel Interface) along with isakmp and ipsec profiles. Let’s start. First, I have to add the isakmp profile and match all the setting I configured previously under the crypto map: ! crypto isakmp profile ISAKMP - PRF match identity group CG client authentication list USERS isakmp authorization list AUTH - LIST client configuration address respond client configuration group CG virtual - template 1 ! Next I have to add the ipsec profile: ...

Remote Access VPN (IPsec) - IOS

Today I would like to implement remote access VPN (IPsec) on the cisco router. I check all features you can enable/disable. As for any IPsec VPN we need to add ISAKMP (phase1 ): ! crypto isakmp policy 1 encr aes authentication pre - share group 2 ! In next step I add pool with IP addresses that will be allocated for users: ! ip local pool POOL 4.4 . 4.4 4.4 . 4.40 ! crypto isakmp client configuration address - pool local POOL ! Now I add client configuration group: ! crypto isakmp client configuration group CG key cisco pool POOL ! I can now add this group to aaa configuration: ! aaa new - model ! aaa authorization network AUTH - LIST local ! I have to specify where is the user database (local/ACS/etc): aaa authentication login USERS local username cisco password 0 cisco The ISAKMP part is completed and now I can IPsec transform set: crypto ipsec transform - set TS esp - aes 256 esp - sh...

VPN - GRE over IPsec SSO

As I promised in my last post I will add the stateful switchover to the following scenario: The first step is to remove tunnel1 from r5 and r4 and then add tunnel0 on r4. Next implementation of HSRP and changing ‘tunnel source’ on r3 and r4: R4: ! ipc zone default association 1 no shutdown protocol sctp local - port 5000 local - ip 10.1 . 0.4 remote - port 5000 remote - ip 10.1 . 0.3 ! redundancy inter - device scheme standby VPN ! ! interface FastEthernet0 / 1 ip address 10.1 . 0.4 255.255 . 255.0 standby 0 ip 10.1 . 0.100 standby 0 preempt standby 0 name VPN standby 0 track 1 decrement 10 standby 0 track 2 decrement 10 standby 0 track 3 decrement 10 ! ! interface Tunnel0 ip address 7.7 . 7.4 255.255 . 255.0 tunnel source 10.1 . 0.100 tunnel destination 10.1 . 0.5 tunnel protection ipsec profile IPSEC - PRF ! R3: ! ipc zone default association 1 no shutdown protocol sctp local - por...