Cisco Systems OL-6426-02 Configure a VPN

BETA DRAFT - CISCO CONFIDENTIAL

7-3

Cisco1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

OL-6426-02

Chapter7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

Configure a VPN

Configure a VPN

Perform the following tasks to configure a VPN over an IPSec tunnel:

•Configure the IKE Policy

•Configure Group Policy Information

•Enable Policy Lookup

•Configure IPSec Transforms and Protocols

•Configure the IPSec Crypto Method and Parameters

•Apply the Crypto Map to the Physical Interface

Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global

configuration mode:

Command or Action Purpose

Step1 crypto isakmp policy priority

Example:

Router(config)# crypto isakmp policy 1

Router(config-isakmp)#

Creates an IKE policy that is used during IKE

negotiation. The priority is a number from 1 to

10000, with 1 being the highest.

Also enters Internet Security Association Key and

Management Protocol (ISAKMP) policy

configuration mode.

Step2 encryption {des | 3des | aes | aes 192 | aes 256}

Example:

Router(config-isakmp)# encryption 3des

Router(config-isakmp)#

Specifies the encryption algorithm used in the IKE

policy.

The example uses 168-bit Data Encryption

Standard (DES).

Step3 hash {md5 | sha}

Example:

Router(config-isakmp)# hash md5

Router(config-isakmp)#

Specifies the hash algorithm used in the IKE

policy.

The example specifies the Message Digest 5

(MD5) algorithm. The default is Secure Hash

standard (SHA-1).

Step4 authentication {rsa-sig | rsa-encr | pre-share}

Example:

Router(config-isakmp)# authentication

pre-share

Router(config-isakmp)#

Specifies the authentication method used in the

IKE policy.

The example uses a pre-shared key.

Contents

Main Page CONTENTS Page Page Page Page Page Page Page Preface Audience Organization Conventions Notes, Cautions, and Timesavers Command Conventions Related Documents Obtaining Documentation Cisco.com Documentation DVD Ordering Documentation Documentation Feedback Cisco Product Security Overview Reporting Security Problems in Cisco Products Obtaining Technical Assistance Cisco Technical Support Website Submitting a Service Request Definitions of Service Request Severity Obtaining Additional Publications and Information Page Page Basic Router Configuration Interface Port Labels Viewing the Default Configuration 1-3 Example 1-1 Cisco1812 Default Configuration on Startup Information Needed for Configuration Configuring Basic Parameters Configure Global Parameters Configure Fast Ethernet LAN Interfaces Configure WAN Interfaces Configure the Fast Ethernet WAN Interface Configure the ATM WAN Interface Configure the Wireless Interface Configuring a Loopback Interface Verifying Your Configuration Configuring Command-Line Access to the Router Page Configuring Static Routes Configuring Dynamic Routes Configuring RIP Verifying Your Configuration Configuring Enhanced IGRP Page Page Page Sample Network Deployments Page Configuring PPP over Ethernet with NAT Configure the Virtual Private Dialup Network Group Number Configure the Fast Ethernet WAN Interfaces Page Configure the Dialer Interface Page Configure Network Address Translation Page Page 3-10 Configuring PPP over ATM with NAT Page Configure the Dialer Interface Page Configure the ATM WAN Interface Configure DSL Signaling Protocol Configuring ADSL Verify the Configuration Configuring SHDSL Verify the Configuration Configure Network Address Translation Page Page 4-12 command. Configuring a LAN with DHCP and VLANs Configure DHCP Page 5-4 Verify Your DHCP Configuration Use the following commands to view your DHCP configuration. pools, bindings, and so forth. Configure VLANs Verify Your VLAN Configuration 5-6 Switch Port Configurations VLAN Trunking Protocol (VTP) 802.1x Authentication Layer 2 Interfaces MAC Table Manipulation Maximum Switched Virtual Interfaces (SVIs) Switched Port Analyzer (SPAN) IP Multicast Switching Per-Port Storm Control Fallback Bridging Separate Voice and Data Subnets IGMP Snooping Configuring a VPN Using Easy VPN and an IPSec Tunnel Page Configure the IKE Policy Configure Group Policy Information Apply Mode Configuration to the Crypto Map Enable Policy Lookup Configure IPSec Transforms and Protocols Configure the IPSec Crypto Method and Parameters Apply the Crypto Map to the Physical Interface Create an Easy VPN Remote Configuration Verifying Your Easy VPN Configuration 6-11 Page Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation Page Configure a VPN Configure the IKE Policy Configure Group Policy Information Enable Policy Lookup Configure IPSec Transforms and Protocols Configure the IPSec Crypto Method and Parameters Apply the Crypto Map to the Physical Interface Configure a GRE Tunnel Page 7-10 7-11 Page Configuring a Simple Firewall Page Configure Access Lists Configure Inspection Rules Apply Access Lists and Inspection Rules to Interfaces Page Page Configuring a Wireless LAN Connection Page Configure the Root Radio Station Page Configure Bridging on VLANs Configure Radio Station Subinterfaces 9-7 Command Purpose Repeat these steps to configure more subinterfaces, as needed. Step5 bridge-group number Example: 9-8 10-1 Sample Configuration command. Example 10-1 Sample Configuration 10-2 10-3 10-4 10-5 Page Additional Configuration Options Page Page Page Configuring Security Features Authentication, Authorization, and Accounting Configuring AutoSecure Configuring Access Lists Access Groups Guidelines for Creating Access Groups Configuring a CBAC Firewall Configuring Cisco IOS Firewall IDS Configuring VPNs Configuring Dial Backup and Remote Management Dial Backup Feature Activation Methods Backup Interfaces Configuring Backup Interfaces Floating Static Routes Configuring Floating Static Routes Dialer Watch Configuring Dialer Watch Dial Backup Feature Limitations Page 13-7 Example13-2 Configuring Dial Backup Using Floating Static Routes 13-8 Example13-3 Configuring Dial Backup Using Dialer Watch 13-9 Configuring Dial Backup and Remote Management Through the ISDN S/T Port Configure ISDN Settings Configure the Aggregator and ISDN Peer Router Configure ISDN Settings Page Page 13-12 Configure the Aggregator and ISDN Peer Router Configuring Dial Backup and Remote Management Through a V.92 Modem Asynchronous Interface Configuration Page Line Configuration Page Troubleshooting Getting Started Before Contacting Cisco or Your Reseller ADSL Troubleshooting SHDSL Troubleshooting PortFast Troubleshooting ATM Troubleshooting Commands ping atm interface Command show interface Command 14-4 Table14-1 describes possible command output for the show interface command. Table14-1 show interface Command Output Description Output Cause For ATM Interfaces show atm interface Command debug atm Commands Guidelines for Using Debug Commands debug atm errors Command 14-7 Example 14-4 Viewing ATM Errors debug atm events Command Example 14-5 Viewing ATM Interface Processor EventsSuccess Example 14-6 Viewing ATM Interface Processor EventsFailure debug atm packet Command Software Upgrade Methods Recovering a Lost Password Change the Configuration Register Reset the Router Reset the Password and Save Your Changes Reset the Configuration Register Value Managing Your Router with SDM Page Page Page A Cisco IOS Software Basic Skills Configuring the Router from a PC Understanding Command Modes Page Getting Help Enable Secret Passwords and Enable Passwords Entering Global Configuration Mode Using Commands Abbreviating Commands Undoing Commands Command-Line Error Messages Saving Configuration Changes Summary Where to Go Next Page B Concepts ADSL SHDSL Network Protocols IP Routing Protocol Options RIP PPP Authentication Protocols PAP CHAP TACACS+ Network Interfaces Ethernet ATM PVC Dial Backup Backup Interface Floating Static Routes Dialer Watch NAT Easy IP (Phase 1) Easy IP (Phase 2) QoS IP Precedence PPP Fragmentation and Interleaving CBWFQ RSVP Low Latency Queuing Access Lists Page C ROM Monitor Entering the ROM Monitor ROM Monitor Commands Command Descriptions Disaster Recovery with TFTP Download TFTP Download Command Variables Required Variables Optional Variables Using the TFTP Download Command Configuration Register Changing the Configuration Register Manually Changing the Configuration Register Using Prompts Console Download Command Description Error Reporting Debug Commands Exiting the ROM Monitor Page D Common Port Assignments Page INDEX Symbols Numerics A C D E F G H I K L M N O P Q R S T U V W X