Cisco Systems 520 series specification

C H A P T E R 7

Configuring VPNs Using an IPsec Tunnel and Generic Routing Encapsulation

The Cisco Secure Router 520 Series routers support the creation of virtual private networks (VPNs).

Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections which perform a high level of authentication and which encrypt the data between two particular endpoints.

Two types of VPNs are supported—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.

The example in this chapter illustrates the configuration of a site-to-site VPN that uses IPsec and the generic routing encapsulation (GRE) protocol to secure the connection between the branch office and the corporate network. Figure 7-1shows a typical deployment scenario.

Figure 7-1 Site-to-Site VPN Using an IPsec Tunnel and GRE

8

	3		6
2	4	5	7

Internet

1

9

121783

1

2

3

4

5

6

7

8

9

Branch office containing multiple LANs and VLANs

Fast Ethernet LAN interface—With address 192.168.0.0/16 (also the inside interface for NAT)

VPN client—Cisco Secure Router 520 Series routers

Fast Ethernet or ATM interface—With address 200.1.1.1 (also the outside interface for NAT)

LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1

VPN client—Another router, which controls access to the corporate network

LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1

Corporate office network

IPsec tunnel with GRE

Cisco Secure Router 520 Series Software Configuration Guide

	OL-14210-01	7-1

Image 77

Cisco Systems 520 series manual Site-to-Site VPN Using an IPsec Tunnel and GRE

Contents

Americas Headquarters Cisco Secure Router 520 Series Software Configuration GuidePage Iii N T E N T S Verify the Configuration Additional Configuration Options Reference Information Vii Rsvp Viii Using the Tftp Download Command C-5 Audience PrefaceObjective Part 3 Configuring Additional Features and Troubleshooting Part 2 Configuring Your Router for Ethernet and DSL AccessOrganization Part 1 Getting Started Appendix D, Common Port Assignments Conventions Avvertenza Importanti Istruzioni Sulla Sicurezza Warnung Wichtige SicherheitshinweiseAviso Instruções Importantes DE Segurança Xii Xiii Guarde Estas Instrucciones Xiv GEM Disse AnvisningerPage Cisco Secure Router 520 Series Hardware Installation Guide Cisco Regulatory Compliance and Safety Information RoadmapRelated Documentation Xvi Xvii Obtaining Documentation and Submitting a Service Request Xviii Getting Started Page Basic Router Configuration Information Needed for Customizing the Default Parameters Viewing the Default Configuration Router Interface Port Label Configuring Basic ParametersInterface Port Labels Configure Fast Ethernet LAN Interfaces Configure Global ParametersConfigure WAN Interfaces Command Purpose Routerconfig-if# ip address 255.255.255.0 Routerconfig# interface fastethernetInterface type number No shutdown Configuring a Loopback Interface Configure the Wireless InterfaceEnables the ATM 0 interface Exits configuration mode for the ATM interface Interface and returns to global configuration mode Exits configuration mode for the loopbackLoopback interface Router# show interface loopback Password password Configuring Command-Line Access to the RouterLogin Exec-timeoutminutes seconds End Verifying Your Configuration Configuring Static RoutesConfiguration Example Configuring RIP Configuring Dynamic RoutesCommand Task Router rip No auto-summary Configuring Your Router for Ethernet and DSL Access Page For DSL-Based Network Deployments Sample Network DeploymentsFor Ethernet-Based Network Deployments Sample Network Deployments PPPoE session between the client and a PPPoE server Configuring PPP over Ethernet with NAT Command or Action Purpose Configuration TasksVpdn enable PPPoE Configures the PPPoE client and specifies Configure the Fast Ethernet WAN InterfacesRequest-dialin Protocol l2tp pppoe Configure the Dialer Interface Ppp authentication protocol1 protocol2 Configure Network Address TranslationDialer pool number Dialer-group group-number By the access list 1 to be translated to one Enables dynamic translation of addresses onPermitted by access list acl1 to be translated to one Enables the configuration changes just made to Routerconfig# access-list 1 permit Access-list access-list-number deny permitIp nat inside outside Source source-wildcard Router# show ip nat statistics Configuration Example Id 1 access-list 1 interface Dialer0 refcount Queued Packets OL-14210-01 PPP over ATM with NAT Configuring PPP over ATM with NAT PPPoA Authentication Protocol Chap Sets the PPP authentication methodUsing a dialer group controls access to Specifies that the IP address for the dialer Command Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Configuring Adsl Configure DSL Signaling ProtocolAttribute Description Default Value Dsl lom integer Dsl enable-training-log Pool1 Permitted by access list acl1 to be translated toOne of the addresses specified in the NAT pool Reference, Volume 1 of 4 Addressing 0.255 ATM0 Dhcp Configuring a LAN with Dhcp and VLANs Dotted-decimal domain name Configure DhcpVLANs Exits Dhcp configuration mode, and enters Enters Dhcp pool configuration mode. The nameGlobal configuration mode Creates a Dhcp address pool on the router Router# show ip dhcp import Verify Your Dhcp ConfigurationIp dhcp pool Server statistics Vlan vlan-id media type name vlan-name Configure VLANsVlan database Verify Your Vlan Configuration Assign a Switch Port to a VlanExits interface mode and returns to privileged Exec mode Vlan Router# show vlan-switch Said MTU Remote Access VPN Using IPsec Tunnel Configuring a VPN Using Easy VPN and an IPsec Tunnel Cisco Easy VPN Configure the IKE Policy Configure Group Policy Information Apply Mode Configuration to the Crypto Map Configure IPsec Transforms and Protocols Enable Policy Lookup Configure the IPsec Crypto Method and Parameters Reverse-route Apply the Crypto Map to the Physical InterfaceCrypto map map-name seq-num ipsec-isakmp Dynamic dynamic-map-name discover Crypto map map-name Create an Easy VPN Remote Configuration Crypto ipsec client ezvpn name outside inside Verifying Your Easy VPN ConfigurationEzvpn ezvpnclient outside Router# show crypto ipsec client ezvpn Crypto ipsec client ezvpn ezvpnclient connect auto OL-14210-01 Site-to-Site VPN Using an IPsec Tunnel and GRE VPNs Configure a VPNGRE Tunnels Configure the IKE Policy Ip local pool default poolname Configure Group Policy InformationDomain name Low-ip-address high-ip-address Configure IPsec Transforms and Protocols Enable Policy Lookup Creates a dynamic crypto map entry, and enters Configure the IPsec Crypto Method and ParametersSpecifies global lifetime values used when Map Apply the Crypto Map to the Physical Interface 192.168.101.1 Configure a GRE Tunnel Exits interface configuration mode, and returns to Tunnel interface must be configured toEnters ACL configuration mode for the named Access-list-name ACL that is used by the crypto map Set transform-set set1 match address No cdp run OL-14210-01 Configuring a Simple Firewall Fast Ethernet LAN interface the inside interface for NAT Creates an access list which prevents Internet Configure Access ListsDetails about this command Creates an access list that allows network traffic Apply Access Lists and Inspection Rules to Interfaces Configure Inspection Rules Routerconfig-if# ip access-group 103 Ip nat outside no cdp enable 1shows a wireless network deployment Configuring a Wireless LAN Connection For clients Configure the Root Radio StationEquivalent Privacy WEP cannot use Bridges for more details Name of a wireless network Creates a Service Set ID SSID, the publicSets the permitted authentication methods for a User attempting access to the wireless LAN Configure Bridging on VLANs Bridge-group parameter Configure Radio Station SubinterfacesBridge-group number On the wireless interface Disables the Cisco Discovery Protocol CDPEnabled, the following commands are Automatically enabled, and cannot be No bridge-group 2 unicast-flooding No ip address bridge-group Configuring Additional Features and Troubleshooting Page 10-1 Additional Configuration Options 10-2 11-1 Configuring Security FeaturesAuthentication, Authorization, and Accounting Configuring Access Lists Configuring AutoSecureConfiguration Commands ACL Type Access Groups Configuring a Cbac FirewallIp access-groupaccess-list-number access-list-nameinout Ip inspect name inspection-name protocol timeout seconds 11-4 Configuring Cisco IOS Firewall IDSConfiguring VPNs Getting Started TroubleshootingBefore Contacting Cisco or Your Reseller 12-1 ATM Troubleshooting Commands Adsl TroubleshootingPing atm interface Command 12-2 12-3 Show interface Command 12-4 Shutdown commandOutput Cause Debug atm Commands Show atm interface CommandField Description 12-5 Router# debug atm events Router# Router# debug atm errors ATM errors debugging is on Router#12-6 Example 12-6 Viewing ATM Interface Processor Events-Failure 12-7 Router# debug atm packet Router# 012348ATM0O Software Upgrade Methods12-8 Change the Configuration Register Recovering a Lost Password12-9 Router# show version Rommon 2 confreg 12-10 Reset the Configuration Register Value Reset the Password and Save Your ChangesRouter# show startup-config Router# copy running-config startup-config 12-12 Reference Information Page PC Operating System Software Configuring the Router from a PCCisco IOS Software Basic Skills Understanding Command Modes Ctrl-Z As interface atm Router rip, from Enable Secret Passwords and Enable PasswordsGetting Help Using Commands Entering Global Configuration Mode Abbreviating Commands Saving Configuration ChangesUndoing Commands Command-Line Error Messages Summary Where to Go Next OL-14210-01 Adsl Concepts Routing Protocol Options Network Protocols PAP PPP Authentication Protocols ATM for DSL Network InterfacesEthernet PVC Dialer Interface Easy IP Phase PPP Fragmentation and Interleaving QoSIP Precedence Low Latency Queuing Cbwfq Access Lists OL-14210-01 Config-reg Resets the configuration register Configure terminal Enters global configuration modeROM Monitor Entering the ROM Monitor Reload ROM Monitor Commands Command Description Command DescriptionsDisaster Recovery with Tftp Download Variable Command Tftp Download Command Variables Using the Tftp Download Command Configuration RegisterTFTPTIMEOUT= time Retrytimes Rommon 1 confreg Changing the Configuration Register ManuallyChanging the Configuration Register Using Prompts Xmodem -cyrxdestinationfilename Command DescriptionConsole Download Error Reporting Debug Commands Appendix C ROM Monitor Exiting the ROM Monitor Exiting the ROM Monitor OL-14210-01 Port Keyword Description Common Port Assignments Finger See Adsl See ARPSee AAL See ATM IN-2 See CAR IN-3 See Dhcp IN-4 See LCP IN-5 IN-6 See RIPSee NAT IN-7 IN-8