Configure the IKE Policy, 13-3 | Cisco Systems C819HG4GVK9 instruction

Chapter 13 Configuring a VPN Using Easy VPN and an IPSec Tunnel

Configuration Tasks

Note The Cisco Easy VPN client feature supports configuration of only one destination peer. If your application requires the creation of multiple VPN tunnels, you must manually configure the IPSec VPN and Network Address Translation/Peer Address Translation (NAT/PAT) parameters on both the client and the server.

Configuration Tasks

Perform the following tasks to configure your router for this network scenario:

•Configure the IKE Policy, page 13-3

•Configure Group Policy Information, page 13-5

•Apply Mode Configuration to the Crypto Map, page 13-6

•Enable Policy Lookup, page 13-7

•Configure IPSec Transforms and Protocols, page 13-8

•Configure the IPSec Crypto Method and Parameters, page 13-8

•Apply the Crypto Map to the Physical Interface, page 13-10

•Create an Easy VPN Remote Configuration, page 13-10

An example showing the results of these configuration tasks is provided in the “Configuration Example” section on page 13-12.

Note The procedures in this chapter assume that you have already configured basic router features, as well as PPPoE or PPPoA with NAT, DCHP and VLANs. If you have not performed these configurations tasks, see “Basic Router Configuration” section on page 5-1.

Note The examples shown in this chapter refer only to the endpoint configuration on the Cisco 819 router. Any VPN connection requires both endpoints be configured properly to function. See the software configuration documentation as needed to configure VPN for other router models.

Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode:

SUMMARY STEPS

1.crypto isakmp policy priority

2.encryption {des 3des aes aes 192 aes 256}

3.hash {md5 sha}

4.authentication {rsa-sig rsa-encr pre-share}

5.group {1 2 5}

		Cisco 819 Integrated Services Routers Software Configuration Guide

	OL-23590-02			13-3
	OL-23590-02			13-3

Image 151

Cisco Systems C819HG4GVK9, C819GUK9 manual Configure the IKE Policy, 13-3

Contents

Text Part Number OL-23590-02 September 2 Americas HeadquartersPage N T E N T S Data Account Provisioning Configuring a Cellular Interface Specifying a Synchronous Serial Interface Create a Cisco Easy VPN Remote Configuration NAT Getting Help TACACS+ OL-23590-02 General Description Product Overview 1shows the Cisco 819HG ISR 3G Features New FeaturesSKU Information Platform Features Wlan FeaturesSecurity Features ScanSafe Wireless Device Overview LEDs Tftp support with Ethernet WAN interfaceColor Description Rssi Router# show controllers cellular Wlan Features Wireless Local Area NetworkDual-Radio LEDs CleanAir TechnologyImages Supported Dynamic Frequency Selection Wlan LED OL-23590-02 4G LTE Wireless WAN OL-23590-02 Basic Router Configuration Interface Ports Default ConfigurationRouter Interface Port Label Information Needed for Configuration OL-23590-02 Line aux console tty vty line-number Password password Login Configuring Command-Line Access Example Command Purpose Privileged Exec mode Enables password checking at the virtual terminalSession login Exits line configuration mode and returns to Configuring Global Parameters Configuring a Gigabit Ethernet WAN Interface Configuring WAN InterfacesNo shutdown Exit Example Configuring the Cellular Wireless WAN Interface Restrictions for Configuring the Cellular Wireless Interface Prerequisites for Configuring the 3G Wireless Interface Data Account Provisioning Command or Action Purpose Displays the cellular gps information Shows the radio signal strengthSignal strength, the network security, and so on Details about the command parameters Cellular unit cdma activate manual mdn msid msl 2lists the modem data profile parametersActivation and Provisioning Process Carrier Manual Activation Cellular cdma activate iota Activating with Over-the-Air Service ProvisioningRouter # cellular 0 cdma activate otasp phonenumber Configuring a Cellular Interface Interface cellular Dialer string string Configuring DDR Enters the global configuration mode Enters global configuration modeEnables DDR and configures the specified serial Specifies the number of the dialer access group to Configures this line for GSM Specifies the line configuration mode. It is alwaysSpecifies a default modem chat script Exits line configuration mode This section provides the following configuration examples Examples for Configuring Cellular Wireless Interfaces Following shows how to configure an HSPA+ modem Tunnel over Cellular Interface Configuration Command Syntax Description Configuring Dual SIM for Cellular Networks Locks or unlocks the SIM Perform the following commands to manually switch the SIMFollowing command forces the modem to connect to SIM1 Cellular GSM SIM Output When Button Is Pushed Example Output When Button Is Not Pushed ExampleRommon Behavior IOS Behavior Configuring the Fast Ethernet LAN Interfaces Configuring a Loopback InterfacePush Button in Wlan AP Router# show interface loopback Verifying Configuration Another way to verify the loopback interface is to ping it Configuring Static Routes Verifying Configuration Configuring Dynamic RoutesExample No auto-summary End Configuring Routing Information ProtocolCommand Task Router rip Version 1 Router eigrp as-number Configuring Enhanced Interior Gateway Routing Protocol Number identifies the route to other Eigrp routers Enters router configuration mode and enablesBe applied, using the IP address of the network Eigrp on the router. The autonomous-system OL-23590-02 Configuring Backup Interfaces Configuring Backup Data Lines and Remote Management819 Yes Be configured to back up a serial 0 interface Enters interface configuration mode forInterface for which you want to configure backup Assigns an interface as the secondary or backup Dialer watch group group-number Configuring Cellular Dial-on-Demand Routing BackupConfiguring DDR Backup Using Dialer Watch Configure terminal Specifies the interface Enables dialer watch on the backup interfaceDo not use the access list permit all command to Using the chat script command Configuring DDR Backup Using Floating Static Route No aaa new-model Source-interface Dialer2 Line vty 0 4 login Scheduler max-task-time Webvpn cef end Dial Backup and Remote Management Through the Auxiliary Port Ip name-server server-address Ip dhcp pool name Exit Pool configuration mode, see the Example Enters Dhcp pool configuration mode. The nameConfigure the Dhcp address pool. For Sample commands that you can use in Dhcp Enters configuration mode for the line interface Enables hardware signal flow control Switches the port from console to auxiliary portExits the configure interface mode Enters configuration mode for the auxiliary Ppp authentication pap callin PC IP address behind CPE OL-23590-02 Router# show environment Environmental and Power Management Cisco EnergyWise Support Environmental and Power Management Cisco EnergyWise Support WAN Concentration Configuring the Serial Interface Product Number Cable Type Length Connector Type Configuring Serial InterfacesLegacy Protocol Transport Cisco Hdlc Encapsulation Information About Configuring Serial InterfacesPPP Encapsulation Multilink PPP Keepalive Timer Frame Relay Encapsulation This section contains the following tasks How to Configure Serial InterfacesConfiguring a Synchronous Serial Interface LMI on Frame Relay Interfaces Specifying a Synchronous Serial Interface Configures synchronous serial encapsulationSpecifying Synchronous Serial Encapsulation Configures an Sdlc interface for half-duplex mode Configuring PPPSignals Nrzi-encoding Configuring Compression of Hdlc DataUsing the Nrzi Line-Coding Format Encapsulation hdlc Compress stac Invert txclock Invert rxclock Inverting the Transmit Clock SignalEnabling the Internal Clock Transmit-clock-internal Configuring DTR Signal Pulsing Setting Transmit DelayIgnoring DCD and Monitoring DSR as Line Up/Down Indicator Ignore-dcd Dce-terminal-timing enableConfigures the DCE to use Scte from the DTE Specifying the Serial Network Interface Module Timing Dte-invert-txc Specifies timing configuration to invert TXC clock Understanding Half-Duplex DTE and DCE State Machines Configuring Low-Speed Serial Interfaces Half-Duplex DCE State Machines Half-Duplex DCE Transmit State Machine No half-duplex controlled-carrier Constant-carrier modePlaces a low-speed serial interface Changing Between Synchronous and Asynchronous Modes Sdlc cts-delay Sdlc rts-timeoutPhysical-layer sync async No physical-layer Configuration ExamplesInterface Enablement Configuration Examples Returns the interface to its default mode, which is Half-Duplex Timers Example Synchronous or Asynchronous Mode ExamplesLow-Speed Serial Interface Examples Authentication, Authorization, and Accounting Configuring Security Features ACL Type Configuring AutoSecureConfiguring Access Lists Configuration Commands Access Groups Configuring Cisco IOS Firewall Configuring VPN Configuring Cisco IOS IPSURL Filtering Remote Access VPN Corporate office network Site-to-Site VPNBranch office containing multiple LANs and VLANs VPN client-Cisco 819 ISR Configure a VPN over an IPSec Tunnel Configuration ExamplesConfigure the IKE Policy Command or Action Purpose Domain name Exit Configure Group Policy Information Specifies a local address pool for the group Apply Mode Configuration to the Crypto MapExits IKE group policy configuration mode For details about this command and additional Enable Policy Lookup Configure the IPSec Crypto Method and Parameters Configure IPSec Transforms and ProtocolsCrypto ipsec profile profile-name See Cisco IOS Security Command Reference for Apply the Crypto Map to the Physical Interface Where to Go NextCrypto map map-name Exit Crypto ipsec client ezvpn name Create a Cisco Easy VPN Remote ConfigurationCrypto ipsec client ezvpn name outside inside Exit Configuration Example Configure a Site-to-Site GRE Tunnel Creates a tunnel interface and enters interface Returns to global configuration mode No cdp run 10-1 Configuring the Ethernet SwitchesSwitch Port Numbering and Naming Restrictions for the FE Switch Information About Ethernet Switches Storm Control Switched Port AnalyzerOverview of Snmp MIBs Igmp Snooping 10-4 BRIDGE-MIB for Layer 2 Ethernet SwitchingRouterconfig#snmp-server community public RW MIBs MIBs Link 10-5 MAC Address Notification 10-6 How to Configure Ethernet SwitchesConfiguring VLANs VLANs on the FE Ports Comand Purpose Configuring Layer 2 InterfacesSwitchport mode dynamic desirable VLANs on the GE Port Configuring Spanning Tree Protocol Configuring 802.1x Authentication10-8 10-9 Configuring MAC Table ManipulationConfiguring Cisco Discovery Protocol Port Security Configuring Per-Port Storm Control Configuring the Switched Port AnalyzerConfiguring IP Multicast Layer 3 Switching Configuring Igmp Snooping 10-11 Configuring Fallback Bridging 10-12 Managing the Switch 11-1 Configuring PPP over Ethernet with NAT 11-2 Configuration TasksConfigure the Virtual Private Dialup Network Group Number PPPoE 11-3 Configure the Fast Ethernet WAN Interfaces 11-4 Configure the Dialer Interface 11-5 Ip address negotiated Ip mtu bytes 11-6 Configure Network Address Translation 11-7 Ip nat inside outside No shutdown Exit 11-8 11-9 Configuration Example 11-10 11-11 Verifying Your Configuration 11-12 12-1 Configuring a LAN with Dhcp and VLANs VLANs Configure Dhcp12-2 12-3 Detailed Steps 12-4 Verify Your Dhcp Configuration Vlan ? Configure VLANs12-5 12-6 Assign a Switch Port to a VlanSwitchport access vlan vlan-id End Example 12-7 Verify Your Vlan Configuration Router# vlan database 12-8 12-9 Router# show vlan-switch 12-10 13-1 Configuring a VPN Using Easy VPN and an IPSec Tunnel VPN server-Easy VPN server Cisco Easy VPNRemote, networked users VPN client-Cisco 819 ISRs 13-3 Configure the IKE Policy Lifetime seconds Exit 13-5 Configure Group Policy InformationInternet Naming Service Wins servers For the group by using the wins command 13-6 Apply Mode Configuration to the Crypto Map Login, and specifies the method used Enable Policy Lookup13-7 Configure the IPSec Crypto Method and Parameters Configure IPSec Transforms and Protocols13-8 13-9 Apply the Crypto Map to the Physical Interface Create an Easy VPN Remote Configuration13-10 13-11 Mode client network-extension network extension plus Exit Following example verifies your easy vpn connection Verifying Your Easy VPN Configuration13-12 13-13 13-14 Cisco IOS Software Basic Skills Configuring the Router from a PC PC Operating System Terminal Emulation Software Understanding Command Modes As interface atm To exit to user Exec Use this mode toGlobal Enter the configure User Exec Begin a session with Router rip-from Configuration mode Routing protocol AppropriateGetting Help Router Enter one of the router Entering Global Configuration Mode Enable Secret Passwords and Enable PasswordsYou can now make changes to your router configuration Command-Line Error Messages Using CommandsAbbreviating Commands Undoing Commands Where to Go Next Saving Configuration ChangesSummary OL-18906-02 Network Protocols Concepts Routing Protocol Options Protocol Ideal Topology Metric Routing Updates Enhanced Igrp PPP Authentication Protocols Chap Ethernet Dialer Watch Dial BackupBackup Interface Floating Static Routes Easy IP Phase QoS PPP Fragmentation and Interleaving IP Precedence Low Latency Queuing Access Lists OL-18906-02 Entering the ROM Monitor Configure terminal Enters global configuration modeConfig-reg Resets the configuration register ROM Monitor Prompt increments with each new line ROM Monitor CommandsExits global configuration mode Reload Disaster Recovery with Tftp Download Command DescriptionsCommand Description Variable Command Tftp Download Command VariablesRequired Variables Configures how the router displays file Using the Tftp Download CommandOptional Variables You will see an output similar to the following Examples Type Embedded AP s Appendix C ROM Monitor Appendix C ROM Monitor Configuration Register Configuration Register Changing the Configuration Register Using Prompts Changing the Configuration Register Manually Console Download Command Description Error Reporting Debug CommandsContext-Displays processor context for example Appendix C ROM Monitor Exiting the ROM Monitor Exiting the ROM Monitor Port Keyword Description Common Port Assignments Authentication service Any private RJE serviceISO-Transport Service Access Point Procedure Call