Difference between revisions of "EasyVPN Cisco IOS"
m (→==Cisco 897 EasyVPN server) |
m (added Category:Security using HotCat) |
(5 intermediate revisions by the same user not shown) | |||
Line 2: | Line 2: | ||
==Cisco 819 EasyVPN client== | ==Cisco 819 EasyVPN client== | ||
<source lang=cli> | <source lang=cli> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
ip dhcp pool RFC1918 | ip dhcp pool RFC1918 | ||
− | import all | + | import all |
− | network 192.168.44.0 255.255.255.0 | + | network 192.168.44.0 255.255.255.0 |
− | default-router 192.168.44.1 | + | default-router 192.168.44.1 |
− | dns-server 8.8.8.8 | + | dns-server 8.8.8.8 |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
crypto ipsec client ezvpn HW-CLIENT | crypto ipsec client ezvpn HW-CLIENT | ||
− | connect auto | + | connect auto |
− | group HW-CLIENT-GROUP45 key HW-GROUP5 | + | group HW-CLIENT-GROUP45 key HW-GROUP5 |
− | mode client | + | mode client |
− | peer 83.90.239.189 | + | peer 83.90.239.189 |
− | xauth userid mode interactive | + | xauth userid mode interactive |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
interface Cellular0 | interface Cellular0 | ||
− | ip address negotiated | + | ip address negotiated |
− | ip nat outside | + | ip nat outside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | encapsulation slip | + | encapsulation slip |
− | dialer in-band | + | dialer in-band |
− | dialer pool-member 1 | + | dialer pool-member 1 |
− | dialer-group 1 | + | dialer-group 1 |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
interface Vlan1 | interface Vlan1 | ||
− | ip addre 255.255.255.0 | + | ip addre 255.255.255.0 |
− | ip nat inside | + | ip nat inside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | crypto ipsec client ezvpn HW-CLIENT inside | + | crypto ipsec client ezvpn HW-CLIENT inside |
! | ! | ||
− | interface | + | interface Dialer 1 |
− | ip nat outside | + | ip address negotiated |
− | + | ip nat outside | |
− | + | dialer-group 1 | |
− | + | crypto ipsec client ezvpn HW-CLIENT | |
− | |||
− | |||
− | |||
− | |||
− | dialer-group 1 | ||
− | |||
− | |||
! | ! | ||
− | |||
− | |||
− | |||
nat inside source list 140 interface Dialer1 overload | nat inside source list 140 interface Dialer1 overload | ||
ip route 0.0.0.0 0.0.0.0 Dialer1 | ip route 0.0.0.0 0.0.0.0 Dialer1 | ||
Line 135: | Line 43: | ||
access-list 140 deny ip any 192.168.40.0 0.0.0.255 | access-list 140 deny ip any 192.168.40.0 0.0.0.255 | ||
access-list 140 permit ip 192.168.44.00.255 any | access-list 140 permit ip 192.168.44.00.255 any | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
</source> | </source> | ||
==Cisco 897 EasyVPN server== | ==Cisco 897 EasyVPN server== | ||
<source lang=cli> | <source lang=cli> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
crypto isakmp policy 1 | crypto isakmp policy 1 | ||
− | encr 3des | + | encr 3des |
− | authentication pre-share | + | authentication pre-share |
− | group 2 | + | group 2 |
− | crypto isakmp client configuration address-pool local EZVPN-POOL | + | crypto isakmp client configuration address-pool local EZVPN-POOL |
! | ! | ||
crypto isakmp client configuration group HW-CLIENT-GROUP45 | crypto isakmp client configuration group HW-CLIENT-GROUP45 | ||
− | key HW-GROUP5 | + | key HW-GROUP5 |
− | dns 192.168.40.1 | + | dns 192.168.40.1 |
− | domain tekkom.local | + | domain tekkom.local |
− | pool EZVPN-POOL | + | pool EZVPN-POOL |
− | acl EZVPN-ACL | + | acl EZVPN-ACL |
! | ! | ||
! | ! | ||
crypto ipsec transform-set TS esp-3des esp-sha-hmac | crypto ipsec transform-set TS esp-3des esp-sha-hmac | ||
− | mode tunnel | + | mode tunnel |
− | |||
− | |||
! | ! | ||
crypto dynamic-map EZVPN-MAP 1 | crypto dynamic-map EZVPN-MAP 1 | ||
− | set transform-set TS | + | set transform-set TS |
− | reverse-route | + | reverse-route |
− | |||
− | |||
! | ! | ||
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45 | crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45 | ||
crypto map EZVPN-MAP client configuration address respond | crypto map EZVPN-MAP client configuration address respond | ||
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP | crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
interface GigabitEthernet8 | interface GigabitEthernet8 | ||
− | bandwidth 1000000 | + | bandwidth 1000000 |
− | no ip address | + | no ip address |
− | ip nat outside | + | ip nat outside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | load-interval 30 | + | load-interval 30 |
− | duplex auto | + | duplex auto |
− | speed auto | + | speed auto |
− | service-policy output PARENT | + | service-policy output PARENT |
! | ! | ||
interface GigabitEthernet8.66 | interface GigabitEthernet8.66 | ||
− | description INTERNET | + | description INTERNET |
− | encapsulation dot1Q 66 | + | encapsulation dot1Q 66 |
− | ip address dhcp | + | ip address dhcp |
− | ip nat outside | + | ip nat outside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | zone-member security INTERNET | + | zone-member security INTERNET |
− | crypto map EZVPN-MAP | + | crypto map EZVPN-MAP |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
interface Vlan1 | interface Vlan1 | ||
− | description DMZ | + | description DMZ |
− | ip address 192.168.40.1 255.255.255.0 | + | ip address 192.168.40.1 255.255.255.0 |
− | ip nat inside | + | ip nat inside |
− | ip virtual-reassembly in | + | ip virtual-reassembly in |
− | zone-member security DMZ | + | zone-member security DMZ |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
+ | ip local pool EZVPN-POOL 192.168.40.100 192.168.40.12 | ||
! | ! | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
ip access-list extended EZVPN-ACL | ip access-list extended EZVPN-ACL | ||
− | permit ip 192.168.40.0 0.0.0.255 any | + | permit ip 192.168.40.0 0.0.0.255 any |
ip access-list extended INT2self-ACL | ip access-list extended INT2self-ACL | ||
− | permit udp any eq domain any gt 1023 | + | permit udp any eq domain any gt 1023 |
ip access-list extended IP-TO-NAT | ip access-list extended IP-TO-NAT | ||
deny ip any 10.0.0.0 0.255.255.255 | deny ip any 10.0.0.0 0.255.255.255 | ||
Line 566: | Line 109: | ||
permit ip 192.168.40.0 0.0.7.255 any | permit ip 192.168.40.0 0.0.7.255 any | ||
permit ip 192.168.48.0 0.0.1.255 any | permit ip 192.168.48.0 0.0.1.255 any | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
</source> | </source> | ||
Line 600: | Line 116: | ||
*[http://mars.tekkom.dk/mediawiki/images/8/85/EasyVPN.pdf EasyVPN] | *[http://mars.tekkom.dk/mediawiki/images/8/85/EasyVPN.pdf EasyVPN] | ||
{{Source cli2}} | {{Source cli2}} | ||
+ | |||
+ | [[Category:Cisco]] | ||
+ | [[Category:WiFi]] | ||
+ | [[Category:Security]] |
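Review bot: The added pool line `ip local pool EZVPN-POOL 192.168.40.100 192.168.40.12`, just above `ip access-list extended EZVPN-ACL`, has an end address below its start, so IOS refuses the range and connecting clients get no tunnel address; it should read `ip local pool EZVPN-POOL 192.168.40.100 192.168.40.<LAST-HOST>` with a last host above .100 (placeholder, the intended value is not on the page) that stays clear of addresses already in use on Vlan1's 192.168.40.0/24. Three lines on the new side of the client section also remain malformed: `ip addre 255.255.255.0` under `interface Vlan1` (truncated; the keyword is `ip address` and the address itself is missing), `nat inside source list 140 interface Dialer1 overload` (missing its leading `ip`), and `access-list 140 permit ip 192.168.44.00.255 any`, where network and wildcard need a space: `access-list 140 permit ip 192.168.44.0 0.0.0.255 any`. The group pre-shared key `HW-GROUP5` and the public peer `83.90.239.189` are kept in clear text on both sides; a published example is better served by a labelled placeholder key and an RFC 5737 documentation address. Finally, `encr 3des` with `group 2` and the `esp-3des esp-sha-hmac` transform are legacy choices that current Cisco guidance deprecates in favour of AES and DH group 14 or higher where the client supports them, and a one-line `!` comment saying so would help readers of the example.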
Latest revision as of 07:20, 15 January 2016
Example
Cisco 819 EasyVPN client
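!
! Cisco 819 as an EasyVPN hardware client (IKEv1). Hosts on Vlan1 get DHCP
! from this router; the tunnel to the 897 server runs over the cellular
! Dialer1 interface. Sub-mode commands are indented as IOS prints them.
!
ip dhcp pool RFC1918
 import all
 network 192.168.44.0 255.255.255.0
 default-router 192.168.44.1
 dns-server 8.8.8.8
!
! EasyVPN client profile. Group name and key must match the server's
! "crypto isakmp client configuration group"; the key is a credential.
! "connect auto" brings the tunnel up without user action; "xauth userid
! mode interactive" still prompts for the user credentials.
crypto ipsec client ezvpn HW-CLIENT
 connect auto
 group HW-CLIENT-GROUP45 key HW-GROUP5
 mode client
 peer 83.90.239.189
 xauth userid mode interactive
!
! Cellular WAN. The physical interface is a member of dialer pool 1; the
! dialer-list 1 that "dialer-group 1" refers to is not part of this excerpt.
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer pool-member 1
 dialer-group 1
!
! Inside LAN. The original listing had the truncated line
! "ip addre 255.255.255.0"; 192.168.44.1 is the default-router the RFC1918
! pool hands out and Vlan1 is the only inside interface, so that address is
! restored here - confirm against the device.
interface Vlan1
 ip address 192.168.44.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 crypto ipsec client ezvpn HW-CLIENT inside
!
! Logical WAN interface; the EasyVPN profile is bound here as the outside
! interface. Written as "Dialer1" to match the NAT and route statements.
! NOTE(review): no "dialer pool 1"/dialer string appears in this excerpt to
! tie Dialer1 to Cellular0's pool-member 1 - confirm against the full config.
interface Dialer1
 ip address negotiated
 ip nat outside
 dialer-group 1
 crypto ipsec client ezvpn HW-CLIENT
!
! PAT for the LAN towards the cellular uplink; the command needs its
! leading "ip" (the listing had "nat inside source ...").
ip nat inside source list 140 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
! ACL 140 selects what is translated: traffic for the server side's
! 192.168.40.0/24 is exempt so it enters the tunnel untranslated; everything
! else from the LAN is PATed. The network/wildcard pair in the permit line
! was fused in the listing ("192.168.44.00.255").
! NOTE(review): access-list 107 is not referenced anywhere in this listing
! and its first address ("194.0") is truncated in the source; left as found.
access-list 107 permit ip 194.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 140 deny ip any 192.168.40.0 0.0.0.255
access-list 140 permit ip 192.168.44.0 0.0.0.255 any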
Cisco 897 EasyVPN server
! Cisco 897 as the EasyVPN (IKEv1/ISAKMP) server for the hardware client above.
! NOTE(review): the AAA lines an EasyVPN server needs (aaa new-model, the
! "aaa authorization network HW-CLIENT-GROUP45 local" list named below, and an
! xauth client authentication list for the client's interactive userid) are
! not part of this excerpt - confirm they exist on the device.
!
! IKE phase 1. 3DES with DH group 2 (1024-bit) is a legacy combination that
! current Cisco guidance deprecates; AES with group 14 or higher is preferred
! where the clients support it.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
! Clients draw their tunnel address from the local pool EZVPN-POOL.
crypto isakmp client configuration address-pool local EZVPN-POOL
!
! Group profile matched by the client's "group HW-CLIENT-GROUP45 key HW-GROUP5".
! dns/domain are pushed to the client; acl EZVPN-ACL is the split-tunnel list,
! so only traffic for 192.168.40.0/24 is sent through the tunnel.
crypto isakmp client configuration group HW-CLIENT-GROUP45
key HW-GROUP5
dns 192.168.40.1
domain tekkom.local
pool EZVPN-POOL
acl EZVPN-ACL
!
!
! IKE phase 2 proposal (legacy 3DES/SHA-1, see the phase-1 note above).
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
! Dynamic entry: client peers are not known in advance. reverse-route injects
! a route for each connected client's assigned address.
crypto dynamic-map EZVPN-MAP 1
set transform-set TS
reverse-route
!
! Static crypto map wrapping the dynamic one; group authorization uses the AAA
! list HW-CLIENT-GROUP45, and "address respond" hands out pool addresses.
crypto map EZVPN-MAP isakmp authorization list HW-CLIENT-GROUP45
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 1 ipsec-isakmp dynamic EZVPN-MAP
!
! Physical WAN port; the internet subinterface below carries the addressing.
interface GigabitEthernet8
bandwidth 1000000
no ip address
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
service-policy output PARENT
!
! Internet-facing subinterface (VLAN 66). The crypto map is applied here, so
! this is the address the client's "peer" statement must reach. The INTERNET
! zone belongs to a zone-based firewall whose zone-pairs and policies are
! outside this excerpt.
interface GigabitEthernet8.66
description INTERNET
encapsulation dot1Q 66
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security INTERNET
crypto map EZVPN-MAP
!
! Inside network; it is the subnet the client's ACL 140 exempts from NAT.
interface Vlan1
description DMZ
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
!
! BUG(review): the pool's end address (192.168.40.12) is lower than its start
! (192.168.40.100); IOS refuses a range whose end precedes its start, so
! clients get no address. The intended last host is not recoverable from this
! page - confirm and correct. The pool also lies inside Vlan1's own
! 192.168.40.0/24; keep it clear of addresses in use on that segment.
ip local pool EZVPN-POOL 192.168.40.100 192.168.40.12
!
! Split-tunnel list pushed to clients: only the DMZ subnet goes through the tunnel.
ip access-list extended EZVPN-ACL
permit ip 192.168.40.0 0.0.0.255 any
! Presumably used by the firewall policy for DNS replies to the router itself;
! the policy that references it is not in this excerpt.
ip access-list extended INT2self-ACL
permit udp any eq domain any gt 1023
! NAT selection list: RFC 1918 destinations are excluded so tunnelled traffic
! is not translated; 192.168.40.0/21 and 192.168.48.0/23 are PATed.
! NOTE(review): the "ip nat inside source list IP-TO-NAT ..." statement that
! applies this list is not in this excerpt.
ip access-list extended IP-TO-NAT
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip 192.168.40.0 0.0.7.255 any
permit ip 192.168.48.0 0.0.1.255 any
!