Configure a VPN | Cisco Systems OL-6426-02 specification

Chapter 7 Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

Configure a VPN

BETA DRAFT - CISCO CONFIDENTIAL

Configure a VPN

Perform the following tasks to configure a VPN over an IPSec tunnel:

•Configure the IKE Policy

•Configure Group Policy Information

•Enable Policy Lookup

•Configure IPSec Transforms and Protocols

•Configure the IPSec Crypto Method and Parameters

•Apply the Crypto Map to the Physical Interface

Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode:

	Command or Action	Purpose
Step 1
Step 1	crypto isakmp policy priority	Creates an IKE policy that is used during IKE
		negotiation. The priority is a number from 1 to
	Example:	10000, with 1 being the highest.
	Router(config)# crypto isakmp policy 1	Also enters Internet Security Association Key and
	Router(config-isakmp)#	Management Protocol (ISAKMP) policy
		Management Protocol (ISAKMP) policy
		configuration mode.
Step 2
Step 2	encryption {des 3des aes aes 192 aes 256}	Specifies the encryption algorithm used in the IKE
		policy.
	Example:	The example uses 168-bit Data Encryption
		The example uses 168-bit Data Encryption
	Router(config-isakmp)# encryption 3des	Standard (DES).
	Router(config-isakmp)#
Step 3
Step 3	hash {md5 sha}	Specifies the hash algorithm used in the IKE
		policy.
	Example:	The example specifies the Message Digest 5
		The example specifies the Message Digest 5
	Router(config-isakmp)# hash md5	(MD5) algorithm. The default is Secure Hash
	Router(config-isakmp)#	standard (SHA-1).
		standard (SHA-1).
Step 4
Step 4	authentication {rsa-sig rsa-encr pre-share}	Specifies the authentication method used in the
		IKE policy.
	Example:	The example uses a pre-shared key.
		The example uses a pre-shared key.
	Router(config-isakmp)# authentication
	pre-share
	Router(config-isakmp)#

Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide

	OL-6426-02	7-3

Image 87

Cisco Systems OL-6426-02 manual Configure a VPN, Configure the IKE Policy, Also enters Internet Security Association Key

Contents

Cisco Systems, Inc Page N T E N T S Configuring Your Router for Ethernet and DSL Access 802.1x Authentication Configure the IPSec Crypto Method and Parameters Configuring Backup Interfaces Chap Configuration Register C-6 OL-6426-02 Audience Preface Organization Chapter Title DescriptionVPN Boldface Command ConventionsConventions Convention Description Related Documents Obtaining DocumentationCisco.com Ordering Documentation Documentation FeedbackCisco Product Security Overview Documentation DVD An emergency, you can also reach Psirt by telephone 877 408 Reporting Security Problems in Cisco ProductsObtaining Technical Assistance Cisco Technical Support Website Definitions of Service Request Severity Submitting a Service Request Obtaining Additional Publications and Information Getting Started Page Basic Router Configuration Interface Port LabelsRouter Interface Port Label USB Modem Viewing the Default ConfigurationADSLoISDN ATM WAN Shdsl Example 1-1 Cisco 1812 Default Configuration on Startup Information Needed for Configuration To configure the router, perform one or more of these tasks Configuring Basic Parameters Example Configure Global ParametersConfigure Fast Ethernet LAN Interfaces Command Purpose Configure the Fast Ethernet WAN Interface Configure WAN Interfaces No shutdown Configure the ATM WAN InterfaceMode atm Exit Controller dsl Configure the Wireless Interface Configuring a Loopback InterfaceConfiguration Example Line aux console tty vty line-number Configuring Command-Line Access to the RouterVerifying Your Configuration Password password Login Exec-timeout minutes secondsEnd Parameters that can be set, see the Cisco IOS IP Configuring Static RoutesExits router configuration mode, and enters Privileged Exec mode Configuring Dynamic Routes Configuration ExampleVerifying Your Configuration Version 1 Configuring RIPCommand Task Router rip Number identifies the route to other Eigrp routers Configuring Enhanced IgrpEnters router configuration mode, and enables Eigrp on the router. The autonomous-system Be applied, using the IP address of the network Routerconfig# networkSpecifies a list of networks on which Eigrp is to Configuring Your Router for Ethernet and DSL Access Page Sample Network Deployments For Ethernet-Based Network DeploymentsFor DSL-Based Network Deployments OL-6426-02 Configuring PPP over Ethernet with NAT PPPoE Configuration TasksCommand or Action Purpose Vpdn enable Protocol l2f l2tp pppoe any Configure the Fast Ethernet WAN InterfacesRequest-dialin Initiate to ip ip-address Enables the Fast Ethernet interface Cisco 1800 integrated services routers haveThese steps to configure one or both of them Configures the PPPoE client and specifies Configure the Dialer Interface Your router Using a dialer group controls access toExits the dialer 0 interface configuration Assigns the dialer interface to a dialer group Configure Network Address Translation Access-list access-list-number deny permit Ip nat inside outsideSource source-wildcard Configuration Example Router# show ip nat statistics PPP over ATM with NAT Configuring PPP over ATM with NAT PPPoA Interface is obtained through PPP/IPCP IP Sets the PPP authentication methodAuthentication Protocol Chap Specifies that the IP address for the dialer Command Reference, Volume 1 of 4 Routing Configure the ATM WAN Interface Configure DSL Signaling Protocol Configuring AdslAttribute Description Default Value Configuring Shdsl Verify the ConfigurationDsl lom integer Dsl enable-training-log Line-mode 4-wire enhanced 4-wire standard WireIgnore-error-duration number Configure Network Address Translation For NAT Enables the configuration changes just made toAbout enabling static translation, see the Cisco FE2-FE9 reside to be the inside interface Identifies the specified WAN interface as the NAT Static translation, see the Cisco IOS IP CommandExits configuration mode for the ATM interface Defines a standard access list permitting addresses ATM0 Configuring a LAN with Dhcp and VLANs VlanVLANs Configure Dhcp Domain-name domain Default-router address address2 ...address8Import all Dns-server address address2 ...address8 Verify Your Dhcp Configuration Router# show ip dhcp importIp dhcp pool Example Configure VLANsVerify Your Vlan Configuration Vlan ? Vlan Router# show vlan-switch Switch Port Configurations Vlan Trunking Protocol VTP 802.1x Authentication Layer 2 Interfaces Maximum Switched Virtual Interfaces SVIsSwitched Port Analyzer Span IP Multicast Switching Igmp Snooping Per-Port Storm ControlFallback Bridging Separate Voice and Data Subnets Internet Configuring a VPN Using Easy VPN and an IPSec Tunnel Cisco Easy VPN Configure the IKE Policy Key name Configure Group Policy InformationCrypto isakmp client configuration group Group-name default Ip local pool default poolname Apply Mode Configuration to the Crypto Map Configure IPSec Transforms and Protocols Enable Policy Lookup Configure the IPSec Crypto Method and Parameters Dynamic dynamic-map-name discover Apply the Crypto Map to the Physical InterfaceReverse-route Crypto map map-name seq-num ipsec-isakmp Crypto map map-name Create an Easy VPN Remote Configuration Crypto ipsec client ezvpn name outside inside Verifying Your Easy VPN Configuration Crypto ipsec client ezvpn ezvpnclient connect auto Beta Draft Cisco Confidential Site-to-Site VPN Using an IPSec Tunnel and GRE VPNs GRE Tunnels Example uses 168-bit Data Encryption Configure a VPNConfigure the IKE Policy Also enters Internet Security Association Key Configure Group Policy Information Group 1 2Lifetime seconds Specifies group domain membership Enable Policy LookupExits IKE group policy configuration mode, Enters global configuration mode Negotiating IPSec security associations Configure IPSec Transforms and ProtocolsMethod used to do so Specifies global lifetime values used when Map entry Configure the IPSec Crypto Method and ParametersCreates a dynamic crypto map entry, and enters Creates source proxy information for the crypto Applies the crypto map to the interface Configure a GRE TunnelApply the Crypto Map to the Physical Interface Map Access-list-name ACL that is used by the crypto map Tunnel interface must be configured toExits interface configuration mode, and returns to Enters ACL configuration mode for the named Configuration Example Ip nat outside no cdp enable Beta Draft Cisco Confidential Router with Firewall Configured Configuring a Simple Firewall Unprotected network Series integrated services router, respectivelyFast Ethernet LAN interface the inside interface for NAT Protected network Details about this command Configure Access ListsConfigure Inspection Rules Creates an access list which prevents Internet Apply Access Lists and Inspection Rules to Interfaces Assigns the set of firewall inspection rules toInside interface on the router Configuring a Simple Firewall Configuration Example Beta Draft Cisco Confidential 1shows a wireless network deployment Configuring a Wireless LAN Connection Configuring a Wireless LAN Connection Configure the Root Radio Station Interface configuration mode for the wireless Sets the permitted authentication methods for aUser attempting access to the wireless LAN Exits Ssid configuration mode, and enters Bridge-group number Configure Bridging on VLANsStation-role repeater root Bridge number crb irb mac-address-table Configure Radio Station Subinterfaces Enables Ieee 802.1q encapsulation onSpecified subinterface Assigns a bridge group to the subinterface Exits subinterface configuration mode, No bridge-group 3 unicast-flooding Interface Vlan1 Sample Configuration Router# show running-config10-1 Ip dhcp pool vlan3 10-2 10-3 10-4 10-5 10-6 11-1 Additional Configuration Options 11-2 Configuring Additional Features and Troubleshooting Page Configuring Security Features Authentication, Authorization, and Accounting12-1 ACL Type Configuring AutoSecureConfiguring Access Lists Configuration Commands Ip access-group number name in out Configuring a Cbac FirewallAccess Groups Guidelines for Creating Access Groups Configuring Cisco IOS Firewall IDS Configuring VPNs12-4 13-1 Configuring Dial Backup and Remote ManagementDial Backup Feature Activation Methods Backup Interfaces Configuring Backup Interfaces Floating Static Routes13-2 Configuring Floating Static Routes Enables RIP routing13-3 13-4 Configuring Dialer WatchDialer Watch Specifies the group number for the watch list Dial Backup Feature Limitations Dial Backup Type Possible? Dial Backup Method Limitations13-5 13-6 13-7 13-8 Example 13-3 Configuring Dial Backup Using Dialer Watch 13-9 Configure Isdn Settings 13-10 Dialer-group group-number Access-groupIp address negotiated Dialer pool number Configure the Aggregator and Isdn Peer Router For your Cisco router during the ATM network downtime13-12 13-13 Asynchronous Interface Configuration 13-14 13-15 Line Configuration 13-16 14-1 TroubleshootingGetting Started Before Contacting Cisco or Your Reseller 14-2 Adsl TroubleshootingShdsl Troubleshooting PortFast Troubleshooting 14-3 ATM Troubleshooting CommandsPing atm interface Command Show interface Command Shutdown command Output Cause14-4 Show atm interface Command 14-5Router# show atm interface atm Field Description Debug atm CommandsGuidelines for Using Debug Commands Debug atm errors Command Router# debug atm events Router# Debug atm events CommandRouter# debug atm errors ATM errors debugging is on Router# 14-7 Example 14-7shows a sample output Debug atm packet CommandWhere the keywords are defined as follows Optional ATM interface or subinterface number 14-9 Software Upgrade MethodsRecovering a Lost Password ATM0 Change the Configuration Register 14-10Router# show version Prompt changes to the privileged Exec prompt Reset the RouterRouter# show startup-config Press Return. The following prompt appears Reset the Password and Save Your Changes Reset the Configuration Register Value14-12 14-13 Managing Your Router with SDM 14-14 Reference Information Page PC Operating System Software Configuring the Router from a PCOne of the configuration topic chapters in this guide Cisco IOS Software Basic Skills Understanding Command Modes Exec As interface atmCtrl-Z Router rip, from Configuration mode Routing protocol AppropriateGetting Help Router Enter one of the router Enable Secret Passwords and Enable Passwords Entering Global Configuration ModeYou can now make changes to your router configuration Command-Line Error Messages Using CommandsAbbreviating Commands Undoing Commands Saving Configuration Changes Where to Go NextSummary OL-6426-02 Adsl Concepts Routing Protocol Options Network Protocols RIP PPP Authentication ProtocolsProtocol Ideal Topology Metric Routing Updates Enhanced Igrp PAP Ethernet Network Interfaces Dial Backup Backup InterfaceDialer Interface NAT Easy IP Phase QoS IP PrecedencePPP Fragmentation and Interleaving Low Latency Queuing Cbwfq Access Lists OL-6426-02 ROM Monitor EnableConfig-reg Resets the configuration register Descriptions section in this appendix ROM Monitor CommandsExits global configuration mode Reload Command Description Command DescriptionsDisaster Recovery with Tftp Download Tftp Download Command Variables Variable Command Required VariablesOptional Variables Retrytimes Using the Tftp Download CommandTFTPTIMEOUT= time TFTPCHECKSUM= setting Rommon 1 confreg Configuration RegisterChanging the Configuration Register Manually Changing the Configuration Register Using Prompts Console Download Command Description Frame-Displays an individual stack frame Debug CommandsError Reporting Context-Displays processor context for example Exiting the ROM Monitor OL-6426-02 Port Keyword Description Common Port Assignments Finger NETBIOS-NSNETBIOS-DGM NETBIOS-SSN IN-1 See ARPSee AAL See ATM See Chap See CARIN-2 IN-3 Dhcp GRE Experience, user Extended access list Overview B-11See also examples Ethernet B-5 Events, ATM, displaying See LCP See NCPIN-5 See Ipcp See PAPSee PVC See PPP See RIP See NATIN-7 Upgrading software, methods for 14-9User Datagram Protocol See UDPIN-8