Manuals / Cisco Systems / Power Tools / Router

Cisco Systems C819HG4GVK9, C819GUK9 Configuration Examples, Configure a VPN over an IPSec Tunnel

Models: C819GUK9

1 196

Download 196 pages 51.42 Kb

Page 101

Configuration Examples

Chapter 9 Configuring Security Features

Configuring VPN

Configuration Examples

Each example configures a VPN over an IPSec tunnel, using the procedure given in the “Configure a VPN over an IPSec Tunnel” section on page 9-7. Then, the specific procedure for a remote access configuration is given, followed by the specific procedure for a site-to-site configuration.

The examples shown in this chapter apply only to the endpoint configuration on the Cisco 819 ISRs. Any VPN connection requires both endpoints to be configured properly to function. See the software configuration documentation as needed to configure VPN for other router models.

VPN configuration information must be configured on both endpoints. You must specify parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address Translation (NAT).

Configure a VPN over an IPSec Tunnel

Perform the following tasks to configure a VPN over an IPSec tunnel:

•Configure the IKE Policy, page 9-7

•Configure Group Policy Information, page 9-9

•Apply Mode Configuration to the Crypto Map, page 9-10

•Enable Policy Lookup, page 9-11

•Configure IPSec Transforms and Protocols, page 9-12

•Configure the IPSec Crypto Method and Parameters, page 9-12

•Apply the Crypto Map to the Physical Interface, page 9-14

•Where to Go Next, page 9-14

Configure the IKE Policy

To configure the Internet Key Exchange (IKE) policy, perform these steps, beginning in global configuration mode:

SUMMARY STEPS

1.crypto isakmp policy priority

2.encryption {des 3des aes aes 192 aes 256}

3.hash {md5 sha}

4.authentication {rsa-sig rsa-encr pre-share}

5.group {1 2 5}

6.lifetime seconds

7.exit

Cisco 819 Series Integrated Services Routers Software Configuration Guide

	OL-23590-02	9-7

Image 101

Cisco Systems C819HG4GVK9, C819GUK9 Configuration Examples, Configure a VPN over an IPSec Tunnel, Configure the IKE Policy

Contents

Cisco Systems, Inc 170 West Tasman Drive San Jose, CA Americas Headquarters800 553-NETS Fax 408 Text Part Number OL-23590-02 September 2THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS New Features Information Needed for ConfigurationWLAN Features Wireless Device OverviewPrerequisites for Configuring the 3G Wireless Interface Configuring a Cellular InterfaceConfiguring DDR Verifying ConfigurationConfiguration Examples Ignoring DCD and Monitoring DSR as Line Up/Down IndicatorInterface Enablement Configuration Examples Configuring Security FeaturesCreate a Cisco Easy VPN Remote Configuration Configure the IKE PolicyConfigure a Site-to-Site GRE Tunnel Configuring the Ethernet SwitchesConfiguring VLANs Configure the Virtual Private Dialup Network Group NumberConfiguring 802.1x Authentication Configuration TasksConfigure the IKE Policy Entering Global Configuration Mode A-5Configure Group Policy Information Understanding Command ModesChanging the Configuration Register Using Prompts C-11 Changing the Configuration Register Manually C-11Backup Interface ROM Monitor CommandsOL-23590-02 ContentsProduct Overview General Description, page SKU Information, page New Features, pageGeneral Description C H A P T E RFigure 1-2 Cisco 819HGW Integrated Services Router Figure 1-1 Cisco 819HG Integrated Services RouterChapter 1 Product Overview General Description OL-23590-023G Features New Features3G Features, page WLAN Features, page 4G LTE Features, page Platform Features, page Security Features, pageSecurity Features WLAN FeaturesPlatform Features ScanSafe Wireless Device OverviewScanSafe, page TFTP support with Ethernet WAN interface, page LEDs, pageLEDs TFTP support with Ethernet WAN interfaceColor DescriptionColor show platform led for all LEDs show controller cellular 0 for 3G LEDsDescription 3G LED Descriptions continuedrouter# show controllers cellular Chapter 2 Wireless Device Overview LEDsWLAN Features Wireless Local Area NetworkDual-Radio, page Images Supported, page CleanAir Technology, page Dual-RadioImages Supported CleanAir TechnologyDynamic Frequency Selection LEDsColor WLAN LEDDescription WLAN LED DescriptionsOL-23590-02 Chapter 3 Wireless Local Area Network WLAN FeaturesC H A P T E R 4G LTE Wireless WANOL-23590-02 Chapter 4 4G LTE Wireless WANInterface Ports, page Default Configuration, page Basic Router ConfigurationInformation Needed for Configuration, page Configuring Command-Line Access, pageInterface Ports Default ConfigurationRouter InterfaceInformation Needed for Configuration If you are setting up IP routing 3G-ACC-OUT-LA-See Cisco 3G Lightning Arrestor 3G-ACC-OUT-LA1. line aux console tty vty line-number 2. password password Configuring Command-Line Access3. login 4. exec-timeout minutes secondsDETAILED STEPS CommandPurpose ExampleCommand ExamplePurpose Exampleconfigure terminal Configuring Global Parametersenable secret password hostname nameConfiguring a Gigabit Ethernet WAN Interface Configuring WAN InterfacesConfiguring a Gigabit Ethernet WAN Interface, page Configuring the Cellular Wireless WAN Interface, pageCommand Configuring the Cellular Wireless WAN InterfaceEnters the configuration mode for a Gigabit Enables the Ethernet interface, changing its5-11 Prerequisites for Configuring the 3G Wireless InterfaceRestrictions for Configuring the Cellular Wireless Interface Verifying Signal Strength and Service Availability, page Verifying Signal Strength and Service AvailabilityConfiguring a GSM Modem Data Profile, page Command or Action5-13 Configuring a GSM Modem Data ProfileCommand or Action Command or ActionType of authentication, for example, CHAP, PAP authenticationUsername provided by your service provider Passwordcellular cdma activate iota Activating with Over-the-Air Service Provisioningrouter # cellular 0 cdma activate otasp phonenumber 5-151. configure terminal 2. interface cellular 3. encapsulation ppp Configuring a Cellular Interface4. ppp chap hostname hostname 5. ppp chap password 0 password 6. asynchronous mode interactive 7. ip address negotiated1. configure terminal 2. interface cellular 3. dialer in-band Configuring DDR4. dialer idle-timeout seconds 5. dialer string string 9. ip access-list access list number permit ip source addressCommand or Action 5-18DETAILED STEPS PurposeCommand or Action 5-19Purpose ExampleBasic Cellular Interface Configuration Examples for Configuring Cellular Wireless InterfacesBasic Cellular Interface Configuration, page Tunnel over Cellular Interface Configuration, pageConfiguration for 8705 modem Tunnel over Cellular Interface Configuration5-21 Chapter 5 Basic Router Configuration Configuring WAN InterfacesSyntax Configuring Dual SIM for Cellular Networks5-22 Command5-23 Configuring Router for Image and Config Recovery Using Push ButtonCommand SyntaxOutput When Button Is Pushed Example Output When Button Is Not Pushed ExampleROMMON Behavior IOS BehaviorConfiguring the Fast Ethernet LAN Interfaces Configuring a Loopback InterfacePush Button in WLAN AP 3. exitEnters configuration mode for the loopback Verifying ConfigurationExits configuration mode for the loopback interface and returns to global configurationFor details about this command and about Configuring Static RoutesIOS IP Routing Protocol-Independent Command Exits router configuration mode and entersVerifying Configuration Configuring Dynamic RoutesConfiguring Routing Information Protocol, page Configuring Enhanced Interior Gateway Routing Protocol, pagerouter rip Configuring Routing Information Protocol2. version 1 3. network ip-address1. router eigrp as-number Configuring Enhanced Interior Gateway Routing Protocol2. network ip-address 3. endVerifying Configuration 5-31Command ExampleOL-23590-02 5-32Chapter 5 Basic Router Configuration Configuring Dynamic Routes Configuring Backup Interfaces Configuring Backup Data Lines and Remote ManagementConfiguring Backup Interfaces, page Configuring Cellular Dial-on-Demand Routing Backup, page1. interface type number 2. backup interface interface-type interface-numberCommand SUMMARY STEPSConfiguring DDR Backup Using Dialer Watch Configuring Cellular Dial-on-Demand Routing Backup1. configure terminal 6. ip access-list access list number permit ip source addressDETAILED STEPS Command or ActionPurpose ExampleCellular Wireless Modem as Backup with NAT and IPsec Configuration Configuring DDR Backup Using Floating Static Route1. configure terminal Command or Actionno aaa new-model Chapter 6 Configuring Backup Data Lines and Remote ManagementConfiguring Cellular Dial-on-Demand Routing Backup OL-23590-02 Chapter 6 Configuring Backup Data Lines and Remote ManagementConfiguring Cellular Dial-on-Demand Routing Backup exec-timeout 0 0 script dialer gsm login line con no modem enable line aux 0 lineline vty 0 4 login route-map track-primary-if permit 10 match ip addressCisco 819 router 1 A1. ip name-server server-address 2. ip dhcp pool name 3. exit 15. modem enable 16. exit4. chat-script script-name expect-send 5. interface type number 6. exit6-11 section on pageCommand DETAILED STEPSEnables dynamic translation of addresses on the Exits the interface configuration modea default gateway Defines an extended access list that indicatesCommand 6-13Chapter 6 Configuring Backup Data Lines and Remote Management modem enableChapter 6 Configuring Backup Data Lines and Remote Management 6-14Chapter 6 Configuring Backup Data Lines and Remote Management 6-15no ip http server ip pim bidir-enable OL-23590-02OL-23590-02 6-16Chapter 6 Configuring Backup Data Lines and Remote Management C H A P T E R Environmental and Power ManagementCisco EnergyWise Support Legacy Protocol Transport, page Configuring Serial Interfaces, page Configuring the Serial InterfaceInformation About Configuring Serial Interfaces, page How to Configure Serial Interfaces, page Configuration Examples, pageConnector Type Configuring Serial InterfacesLegacy Protocol Transport Product NumberKeepalive Timer, page Frame Relay Encapsulation, page Information About Configuring Serial InterfacesCisco HDLC Encapsulation PPP EncapsulationMultilink PPP Keepalive TimerChapter 8 Configuring the Serial Interface Frame Relay EncapsulationInformation About Configuring Serial Interfaces OL-23590-02Configuring a Synchronous Serial Interface How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface, page Configuring Low-Speed Serial Interfaces, pageUsing the NRZI Line-Coding Format, page 8-9 Optional Configuring Compression of HDLC Data, page 8-9 OptionalInverting the Transmit Clock Signal, page 8-10 Optional Setting Transmit Delay, page 8-11 OptionalConfiguring Bisync Configuring PPPCommand CommandUsing the NRZI Line-Coding Format Configuring Compression of HDLC Data1. encapsulation hdlc 2. compress stac 1. nrzi-encodingEnabling the Internal Clock Inverting the Transmit Clock Signal1. transmit-clock-internal 1. invert txclock 2. invert rxclockConfiguring DTR Signal Pulsing Setting Transmit DelayIgnoring DCD and Monitoring DSR as Line Up/Down Indicator 8-11Configures the DCE to use SCTE from the DTE 1. dce-terminal-timing enableSpecifying the Serial Network Interface Module Timing 1. ignore-dcd8-13 1. dte-invert-txcCommand or Action Chapter 8 Configuring the Serial InterfaceUnderstanding Half-Duplex DTE and DCE State Machines Configuring Low-Speed Serial InterfacesHalf-Duplex DTE State Machines Understanding Half-Duplex DTE and DCE State Machines, pageHalf-Duplex DTE Receive State Machine Half-Duplex DCE State Machines8-15 Half-Duplex DCE Transmit State Machine 8-161. no half-duplex controlled-carrier Placing a Low-Speed Serial Interface in Constant-Carrier Mode8-17 Command or Actionsdlc cts-delay sdlc rts-timeout Tuning Half-Duplex TimersChanging Between Synchronous and Asynchronous Modes 1. physical-layer sync asyncInterface Enablement Configuration Examples Configuration Examples1. no physical-layer 8-19Half-Duplex Timers Example, page Half-Duplex Timers ExampleLow-Speed Serial Interface Examples Synchronous or Asynchronous Mode ExamplesAuthentication, Authorization, and Accounting Configuring Security FeaturesAuthentication, Authorization, and Accounting, page Configuring AutoSecure, page Configuring Access Lists, pageConfiguring Access Lists Configuring AutoSecureConfiguration Commands access-list 1-99permit deny source-addr source-maskip inspect name inspection-name protocol timeout seconds Configuring Cisco IOS FirewallAccess Groups Configuring VPN Configuring Cisco IOS IPSRemote Access VPN, page Site-to-Site VPN, page Configuration Examples, pageRemote Access VPN Library, Cisco IOS Release 12.4T Site-to-Site VPNConfigure a VPN over an IPSec Tunnel Configuration ExamplesConfigure the IKE Policy Configure the IKE Policy, pageMD5 algorithm. The default is Secure Hash Command or ActionSpecifies the authentication method used in the Exits IKE policy configuration mode and enters1. crypto isakmp client configuration group group-name default Configure Group Policy Information6. ip local pool default poolname low-ip-address high-ip-address 2. key nameTechnologies Command Reference Apply Mode Configuration to the Crypto Map1. crypto map map-name isakmp authorization list list-name 2. crypto map tag client configuration address initiate respond2. aaa authentication login default list-name method1 method2 Enable Policy Lookupdetails, see Securing User Services Configuration IOS Security Command ReferenceConfigure the IPSec Crypto Method and Parameters Configure IPSec Transforms and ProtocolsConfigures IPSec profile to apply protection on See Secure Connectivity Configuration GuideSee Cisco IOS Security Command Reference for crypto map configuration modemore details about this command Returns to global configuration modeEnters the interface configuration mode for the Where to Go NextApply the Crypto Map to the Physical Interface 2. crypto map map-name 3. exitCreates a Cisco Easy VPN remote configuration Create a Cisco Easy VPN Remote Configurationand enters Cisco Easy VPN remote configuration hostname resolution9-16 Configuration ExampleCommand or Action Purpose4. tunnel destination default-gateway-ip-address Configure a Site-to-Site GRE Tunnel7. ip access-list standard extended access-list-name 3. tunnel source interface-type numberExits interface configuration mode and returns to tunnel interface must be configured toEnters ACL configuration mode for the named Creates a tunnel interface and enters interfaceSpecifies that only GRE traffic is permitted on the Returns to global configuration modeoutbound interface 9-19hash md5 authentication pre-share crypto isakmp key cisco123 address 9-20Chapter 9 Configuring Security Features Configuring VPN Switch Port Numbering and Naming Configuring the Ethernet SwitchesRestrictions for the FE Switch Switch Port Numbering and Naming, pageLayer 2 Ethernet Switching Information About Ethernet Switches802.1x Authentication VLANs and VLAN Trunk Protocol, page Layer 2 Ethernet Switching, pageOverview of SNMP MIBs Switched Port AnalyzerIGMP Snooping Storm ControlRouterconfig#snmp-server community public RW BRIDGE-MIB for Layer 2 Ethernet SwitchingMIBs MIBs Link10-5 MAC Address NotificationRouterconfig#Routersnmp-server group public v2c context bridge-group Routerconfig#snmp-server community public RWConfiguring VLANs How to Configure Ethernet SwitchesConfiguring VLANs, page Configuring Layer 2 Interfaces, page Configuring 802.1x Authentication, pageswitchport mode dynamic desirable Configuring Layer 2 InterfacesVLANs on the GE Port Comand10-8 Configuring 802.1x AuthenticationConfiguring Spanning Tree Protocol Configuring Cisco Discovery Protocol Configuring MAC Table ManipulationManipulation Port SecurityConfiguring IP Multicast Layer 3 Switching Configuring the Switched Port AnalyzerConfiguring IGMP Snooping Configuring Per-Port Storm Control10-11 Configuring Fallback Bridging10-12 Managing the SwitchC H A P T E R Configuring PPP over Ethernet with NAT11-1 Configure the Virtual Private Dialup Network Group Number Configuration TasksConfigure the Virtual Private Dialup Network Group Number, page Configure the Fast Ethernet WAN Interfaces, page11-3 Configure the Fast Ethernet WAN InterfacesCommand or Action DETAILED STEPSEnters interface configuration mode for a Configure the Dialer InterfaceConfigures the PPPoE client and specifies the Enables the Fast Ethernet interface and theCommand Reference 5. ppp authentication protocol1 protocol2 6. dialer pool number1. interface dialer dialer-rotary-group-number 2. ip address negotiated 3. ip mtu bytesUsing a dialer group controls access to Configure Network Address TranslationExits the dialer 0 interface configuration For details about this command and additional4. ip nat inside outside 5. no shutdown 6. exit 3. interface type number8. ip nat inside outside 9. no shutdown 10. exit 11-7permitted by access list acl1 to be translated to one by the access list 1 to be translated to one of theCommand Reference, Volume 1 of 4 Addressing and ServicesEnters configuration mode for the Fast Ethernet Configuration ExampleDefines a standard access list indicating which WAN interface FE4 to be the outside interfaceChapter 11 Configuring PPP over Ethernet with NAT 11-10Configuration Example vpdn enable vpdn-group 1 request-dialin protocol pppoe11-11 Verifying Your ConfigurationChapter 11 Configuring PPP over Ethernet with NAT Configuration ExampleChapter 11 Configuring PPP over Ethernet with NAT 11-12Configuration Example OL-23590-02DHCP Configuring a LAN with DHCP and VLANs12-1 C H A P T E RConfigure DHCP, page Configure VLANs, page Configure DHCP7. default-router address address2...address8 VLANsresolution Identifies the default domain that the router uses toenters DHCP pool configuration mode. The name Specifies up to eight default routers for a DHCPExits DHCP configuration mode and enters global Verify Your DHCP ConfigurationSpecifies up to eight DNS servers available to a DHCP client1. vlan ? 2. ISL VLAN ID 3. exit Configure VLANs12-5 Chapter 12 Configuring a LAN with DHCP and VLANs Configuration TasksServices Command Reference Assign a Switch Port to a VLAN1. interface switch port id 2. switchport access vlan vlan-id 3. endSpecifies the switch port that you want to assign Verify Your VLAN Configurationto the VLAN Assigns a port to the VLANChapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks 12-8Cisco 819 Integrated Services Routers Software Configuration Guide Router# vlan databaseChapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks 12-9Router# show vlan-switch OL-23590-02Chapter 12 Configuring a LAN with DHCP and VLANs Configuration Tasks 12-10Cisco 819 Integrated Services Routers Software Configuration Guide OL-23590-02C H A P T E R Configuring a VPN Using Easy VPN and an IPSec Tunnel13-1 Figure 13-1 Remote Access VPN Using IPSec Tunnel Cisco Easy VPN13-2 Create an Easy VPN Remote Configuration, page Configure the IKE Policy13-3 Configuration Tasksstandard SHA-1 The example specifies 168-bit data encryptionThe example specifies a pre-shared key Specifies the Diffie-Hellman group to be used in13-5 Configure Group Policy Information1. crypto isakmp client configuration group group-name default 6. ip local pool default poolname low-ip-address high-ip-address13-6 Apply Mode Configuration to the Crypto MapCommand or Action Technologies Command Reference13-7 Enable Policy Lookup2. aaa authentication login default list-name method1 method2 Command or ActionConfigure the IPSec Crypto Method and Parameters Configure IPSec Transforms and Protocols13-8 Command or ActionCommand or Action 13-9crypto map configuration mode See Cisco IOS Security Command Reference forApply the Crypto Map to the Physical Interface Create an Easy VPN Remote Configuration2. group group-name key group-key 3. peer ipaddress hostname 13-10this command would be interface atm remote configuration applied6. interface type number 7. crypto ipsec client ezvpn name outside inside 8. exit13-12 Verifying Your Easy VPN ConfigurationConfiguration Example Command or ActionChapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel 13-13Configuration Example OL-23590-02Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel 13-14Configuration Example Cisco 819 Integrated Services Routers Software Configuration GuideConfiguring the Router from a PC, page A-1 Configuring the Router from a PCUnderstanding Command Modes, page A-2 Getting Help, page A-4 Enable Secret Passwords and Enable Passwords, page A-5Terminal Emulation Software Understanding Command ModesPC Operating System the “Enable Secret Passwords and Access MethodEnable Passwords” procedure on Moderouter rip-from Getting HelpAccess Method ModeEntering Global Configuration Mode Enable Secret Passwords and Enable PasswordsAbbreviating Commands Using CommandsUndoing Commands Command-Line Error MessagesSummary Saving Configuration ChangesWhere to Go Next OL-18906-02 Appendix A Cisco IOS Software Basic Skills Where to Go NextCisco 819 Integrated Services Routers Software Configuration Guide Ethernet, page B-4 Dial Backup, page B-5 NAT, page B-6 PPP Authentication Protocols, page B-3 TACACS+, page B-4Easy IP Phase 1, page B-6 Easy IP Phase 2, page B-7 QoS, page B-7 Access Lists, page B-9Routing Protocol Options Routing UpdatesProtocol Ideal TopologyEnhanced IGRP PPP Authentication ProtocolsCHAP TACACS+Ethernet Backup Interface Dial BackupBackup Interface, page B-5 Floating Static Routes, page B-5 Floating Static RoutesEasy IP Phase Easy IP Phase IP Precedence, page B-8 PPP Fragmentation and Interleaving, page B-8CBWFQ, page B-8 RSVP, page B-8 Low Latency Queuing, page B-9 PPP Fragmentation and Interleaving IP PrecedenceCBWFQ RSVPLow Latency Queuing Access ListsOL-18906-02 B-10Appendix B Concepts Access Lists Command Descriptions, page C-3 Entering the ROM Monitor, page C-1 ROM Monitor Commands, page C-2Disaster Recovery with TFTP Download, page C-3 Configuration Register, page C-10 Console Download, page C-12exit ROM Monitor Commandsreload Descriptions” section on page C-3Disaster Recovery with TFTP Download Command Descriptionsreset or Configuration Fundamentals and Network Management GuideRequired Variables TFTP Download Command VariablesVariable CommandOptional Variables Using the TFTP Download CommandCommand VariableExamples OL-18906-02 Appendix C ROM Monitor Disaster Recovery with TFTP DownloadCisco 819 Integrated Services Routers Software Configuration Guide Cisco 819 Integrated Services Routers Software Configuration Guide Appendix C ROM Monitor Disaster Recovery with TFTP DownloadOL-18906-02 Disaster Recovery with TFTP DownloadAppendix C ROM Monitor C-10 Configuration RegisterAppendix C ROM Monitor Configuration Register Cisco 819 Integrated Services Routers Software Configuration GuideC-11 Changing the Configuration Register ManuallyChanging the Configuration Register Using Prompts recognize it, the name of the configuration file must be routerconfg Command DescriptionConsole Download xmodem -cyrx destinationfilenameC-13 Debug CommandsError Reporting C-14 Exiting the ROM MonitorA P P E N D I X D Common Port AssignmentsPort KeywordKeyword PortDescription Table D-1