6-10
Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide
OL-5332-01
Chapter 6
Configuring a VPN Using Easy VPN and an IPSec Tunnel

(Steps 2 and 3 below conclude the preceding procedure, which applies the crypto map to the physical interface.)

Step 2
Command: crypto map map-name
Example:
Router(config-if)# crypto map static-map
Router(config-if)#
Purpose: Applies the crypto map to the interface. See the Cisco IOS Security Command Reference for more detail about this command.

Step 3
Command: exit
Example:
Router(config-if)# exit
Router(config)#
Purpose: Returns to global configuration mode.

Create an Easy VPN Remote Configuration
The router acting as the IPSec remote router must create an Easy VPN remote configuration and assign it to the outgoing interface.
Perform these steps to create the remote configuration, beginning in global configuration mode:
Step 1
Command: crypto ipsec client ezvpn name
Example:
Router(config)# crypto ipsec client ezvpn ezvpnclient
Router(config-crypto-ezvpn)#
Purpose: Creates a Cisco Easy VPN remote configuration and enters Cisco Easy VPN remote configuration mode.

Step 2
Command: group group-name key group-key
Example:
Router(config-crypto-ezvpn)# group ezvpnclient key secret-password
Router(config-crypto-ezvpn)#
Purpose: Specifies the IPSec group and IPSec key value for the VPN connection. The group name and key must match a group configured on the Easy VPN server, and the key is stored in the running configuration as entered.

Step 3
Command: peer {ipaddress | hostname}
Example:
Router(config-crypto-ezvpn)# peer 192.168.100.1
Router(config-crypto-ezvpn)#
Purpose: Specifies the peer IP address or hostname for the VPN connection.
Note: A hostname can be specified only when the router has a DNS server available for hostname resolution.

Step 4
Command: mode {client | network-extension | network extension plus}
Example:
Router(config-crypto-ezvpn)# mode client
Router(config-crypto-ezvpn)#
Purpose: Specifies the VPN mode of operation.

Step 5
Command: exit
Example:
Router(config-crypto-ezvpn)# exit
Router(config)#
Purpose: Returns to global configuration mode.

Step 6
Command: interface type number
Example:
Router(config)# interface fastethernet 4
Router(config-if)#
Purpose: Enters the interface configuration mode for the interface to which you want the Cisco Easy VPN remote configuration applied.
Note: For routers with an ATM WAN interface, this command would be interface atm 0.

Step 7
Command: crypto ipsec client ezvpn name [outside | inside]
Example:
Router(config-if)# crypto ipsec client ezvpn ezvpnclient outside
Router(config-if)#
Purpose: Assigns the Cisco Easy VPN remote configuration to the WAN interface, causing the router to automatically create the NAT or port address translation (PAT) and access list configuration needed for the VPN connection.

Step 8
Command: exit
Example:
Router(config-if)# exit
Router(config)#
Purpose: Returns to global configuration mode.

Verifying Your Easy VPN Configuration
Router# show crypto ipsec client ezvpn
Tunnel name :ezvpnclient
Inside interface list:vlan 1
Outside interface:fastethernet 4
Current State:IPSEC_ACTIVE
Last Event:SOCKET_UP
Address:8.0.0.5
Mask:255.255.255.255
Default Domain:cisco.com
The Current State field reads IPSEC_ACTIVE once the tunnel is established; in client mode the Address and Mask fields show the address pushed to the router by the Easy VPN server.

Configuration Example
The following configuration example shows a portion of the configuration file for the VPN and IPSec tunnel described in this chapter. Note that the example stores the group pre-shared key and the local username password in cleartext (password 0) and uses 3DES with Diffie-Hellman group 2 and HMAC-SHA-1; these settings are weak by current standards and should be replaced with stronger algorithms and encrypted secrets where the IOS image supports them.
!
aaa new-model
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
!
username Cisco password 0 Cisco
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
lifetime 480
!
crypto isakmp client configuration group rtr-remote
key secret-password
dns 10.50.10.1 10.60.10.1
domain company.com
pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
set transform-set vpn1
reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto ipsec client ezvpn ezvpnclient
connect auto
group 2 key secret-password
mode client
peer 192.168.100.1
!
interface fastethernet 4
crypto ipsec client ezvpn ezvpnclient outside
crypto map static-map
!
interface vlan 1
crypto ipsec client ezvpn ezvpnclient inside
!
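The following script is an added example, not part of the Cisco guide. It applies the two checks a reviewer would run against the procedure above: it parses the chapter's configuration example (embedded below as a constructed sample, re-indented the way IOS prints sub-commands) and flags cleartext secrets and weak IKE and IPSec algorithms, and it parses the show crypto ipsec client ezvpn output from the Verifying section to decide whether the tunnel is up. The lists of algorithms treated as weak are the reviewer's own policy, not anything the guide states.

```python
"""Post-configuration checks for the Easy VPN remote example above.

Added example, not taken from the Cisco guide. Both inputs are constructed
samples copied from this page (config re-indented as IOS prints it).
"""

# Constructed sample: the chapter's configuration example, trimmed.
RUNNING_CONFIG = """\
username Cisco password 0 Cisco
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group rtr-remote
 key secret-password
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec client ezvpn ezvpnclient
 group 2 key secret-password
 mode client
 peer 192.168.100.1
"""

# Constructed sample: the show output from the Verifying section above.
SHOW_EZVPN = """\
Tunnel name :ezvpnclient
Current State:IPSEC_ACTIVE
Last Event:SOCKET_UP
Address:8.0.0.5
Mask:255.255.255.255
"""

# Reviewer policy (an assumption, not something the guide states): these
# ciphers, DH groups and hashes are weak by current standards.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
WEAK_HASHES = {"md5", "sha"}  # esp-sha-hmac is HMAC-SHA-1 in IOS


def parse_sections(config):
    """Split an IOS config into (command line, [indented sub-commands]) blocks."""
    sections = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        elif not line.startswith(" "):
            sections.append((line.strip(), []))
    return sections


def audit_config(config):
    """Return a sorted list of findings for the Easy VPN remote configuration."""
    findings = []
    for header, children in parse_sections(config):
        w = header.split()
        if w[0] == "username" and "password" in w and w[w.index("password") + 1] == "0":
            findings.append(f"cleartext password for user {w[1]}")  # type 0 = unencrypted
        elif header.startswith("crypto isakmp policy"):
            for c in (child.split() for child in children):
                if c[0] == "encryption" and c[1] in WEAK_ENCRYPTION:
                    findings.append(f"isakmp policy uses {c[1]}")
                elif c[0] == "group" and c[1] in WEAK_DH_GROUPS:
                    findings.append(f"isakmp policy uses DH group {c[1]}")
                elif c[0] == "hash" and c[1] in WEAK_HASHES:
                    findings.append(f"isakmp policy uses {c[1]}")
        elif header.startswith("crypto ipsec transform-set"):
            for t in w[4:]:  # w[3] is the transform-set name
                alg = t.replace("esp-", "").replace("-hmac", "")
                if alg in WEAK_ENCRYPTION or alg in WEAK_HASHES:
                    findings.append(f"transform-set {w[3]} uses {t}")
        elif header.startswith("crypto ipsec client ezvpn"):
            for child in children:  # the group key sits in the clear on the remote
                c = child.split()
                if c[0] == "group" and "key" in c:
                    findings.append(f"ezvpn group {c[1]} key is stored in cleartext")
        elif header.startswith("crypto isakmp client configuration group"):
            for child in children:  # and again in the server-side group definition
                if child.startswith("key "):
                    findings.append(f"isakmp group {w[-1]} key is stored in cleartext")
    return sorted(findings)


def parse_ezvpn_status(output):
    """Turn the colon-separated show output into a dict of field -> value."""
    status = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            status[key.strip()] = value.strip()
    return status


def tunnel_is_up(output):
    """True when the tunnel is established and a mode-config address was pushed."""
    s = parse_ezvpn_status(output)
    return s.get("Current State") == "IPSEC_ACTIVE" and s.get("Address", "0.0.0.0") != "0.0.0.0"
```

Run audit_config(RUNNING_CONFIG) against the chapter's example and it reports seven findings: the type 0 username password, both places the pre-shared key is stored in the clear, 3DES and DH group 2 in the IKE policy, and 3DES and HMAC-SHA-1 in the transform set. tunnel_is_up(SHOW_EZVPN) is the check to wire into monitoring; it is only true while the state is IPSEC_ACTIVE and an address has actually been assigned.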
CHAPTER 7
Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation
The Cisco 850 and Cisco 870 series routers support the creation of virtual private networks (VPNs).
Cisco routers and other broadband devices provide high-performance connections to the Internet, but
many applications also require the security of VPN connections which perform a high level of
authentication and which encrypt the data between two particular endpoints.
Two types of VPNs are supported—site-to-site and remote access. Site-to-site VPNs are used to connect
branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log
in to a corporate network.
The example in this chapter illustrates the configuration of a site-to-site VPN that uses IPSec and the
generic routing encapsulation (GRE) protocol to secure the connection between the branch office and
the corporate network.
Figure 7-1 shows a typical deployment scenario.
Figure 7-1 Site-to-Site VPN Using an IPSec Tunnel and GRE
[Figure: branch office router connected across the Internet to the corporate access router; the numbered callouts are listed below.]
1 Branch office containing multiple LANs and VLANs
2 Fast Ethernet LAN interface—With address 192.168.0.0/16 (also the inside interface for NAT)
3 VPN client—Cisco 850 or Cisco 870 series access router
4 Fast Ethernet or ATM interface—With address 200.1.1.1 (also the outside interface for NAT)
5 LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1
6 VPN client—Another router, which controls access to the corporate network
7 LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1
8 Corporate office network
9 IPSec tunnel with GRE
GRE Tunnels
GRE tunnels are typically used to establish a VPN between the Cisco router and a remote device that
controls access to a private network, such as a corporate network. Traffic forwarded through the GRE
tunnel is encapsulated and routed out onto the physical interface of the router. When a GRE interface is
used, the Cisco router and the router that controls access to the corporate network can support dynamic
IP routing protocols to exchange routing updates over the tunnel, and to enable IP multicast traffic.
Supported IP routing protocols include Enhanced Interior Gateway Routing Protocol (EIGRP), Routing
Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path
First (OSPF), and Border Gateway Protocol (BGP).
Note
When IP Security (IPSec) is used with GRE, the access list for encrypting traffic does not list the desired
end network and applications, but instead refers to the permitted source and destination of the GRE
tunnel in the outbound direction. All packets forwarded to the GRE tunnel are encrypted if no further
access control lists (ACLs) are applied to the tunnel interface.
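The point of the note is easy to get wrong in practice, so here is an added example (not from the Cisco guide) that checks a crypto ACL against the GRE tunnel it is meant to protect. The sample configuration is constructed from the addresses in Figure 7-1 (200.1.1.1 as the branch outside address, 210.110.101.1 as the corporate outside address); the interface name Tunnel0, the ACL number 110 and the second ACL's LAN prefixes are assumptions. The correct ACL permits GRE between the tunnel source and destination; the wrong one lists the end networks, which the encapsulated packets never match, so the tunnel traffic would leave unencrypted.

```python
"""Check that a crypto ACL for IPsec-over-GRE matches the tunnel endpoints.

Added example, not from the Cisco guide. Addresses come from Figure 7-1;
interface name, ACL number and LAN prefixes are assumptions.
"""
import ipaddress

# Constructed sample: the crypto ACL refers to the GRE tunnel endpoints.
GOOD_CONFIG = """\
interface Tunnel0
 tunnel source 200.1.1.1
 tunnel destination 210.110.101.1
!
access-list 110 permit gre host 200.1.1.1 host 210.110.101.1
"""

# Constructed sample of the mistake the note warns about: the ACL lists the
# end networks, so the GRE packets that carry their traffic never match.
BAD_CONFIG = """\
interface Tunnel0
 tunnel source 200.1.1.1
 tunnel destination 210.110.101.1
!
access-list 110 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
"""


def parse_tunnel(config):
    """Return (source, destination) from the first tunnel interface in config."""
    src = dst = None
    for line in config.splitlines():
        w = line.split()
        if w[:2] == ["tunnel", "source"]:
            src = w[2]
        elif w[:2] == ["tunnel", "destination"]:
            dst = w[2]
    return src, dst


def _address(words, i):
    """Parse one IOS ACL address at words[i]: 'host A', 'any', or 'A WILDCARD'."""
    if words[i] == "host":
        return ipaddress.ip_network(words[i + 1]), i + 2
    if words[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # IOS ACLs use inverted (wildcard) masks; convert to a normal netmask.
    mask = (~int(ipaddress.ip_address(words[i + 1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network(f"{words[i]}/{ipaddress.ip_address(mask)}", strict=False)
    return net, i + 2


def parse_acl(config, number):
    """Return (protocol, src_net, dst_net) for each permit entry of a numbered ACL."""
    aces = []
    prefix = f"access-list {number} permit "
    for line in config.splitlines():
        if not line.startswith(prefix):
            continue
        w = line[len(prefix):].split()
        src, i = _address(w, 1)
        dst, _ = _address(w, i)
        aces.append((w[0], src, dst))
    return aces


def gre_acl_matches_tunnel(config, acl_number):
    """True if some permit entry covers GRE from the tunnel source to its destination."""
    src, dst = parse_tunnel(config)
    if src is None or dst is None:
        return False
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for proto, src_net, dst_net in parse_acl(config, acl_number):
        # 'ip' is accepted because it is a superset of 'gre' for these hosts.
        if proto in ("gre", "ip") and s in src_net and d in dst_net:
            return True
    return False
```

gre_acl_matches_tunnel(GOOD_CONFIG, 110) is true and gre_acl_matches_tunnel(BAD_CONFIG, 110) is false; the second configuration would pass a casual reading because the LAN prefixes look right, which is exactly why the check inspects the tunnel endpoints rather than the inside networks.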
VPNs
VPN configuration information must be configured on both endpoints; for example, on your Cisco router
and at the remote user, or on your Cisco router and on another router. You must specify parameters, such
as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address
Translation (NAT).
Configuration Tasks
Perform the following tasks to configure this network scenario:
- Configure a VPN
- Configure a GRE Tunnel
A configuration example showing the results of these configuration tasks is provided in the "Configuration Example" section on page 7-9.
Note
The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT, DHCP, and VLANs. If you have not performed these configuration tasks, see Chapter 1, "Basic Router Configuration," Chapter 3, "Configuring PPP over Ethernet with NAT," Chapter 4, "Configuring PPP over ATM with NAT," and Chapter 5, "Configuring a LAN with DHCP and VLANs," as appropriate for your router.
Configure a VPN
Perform the following tasks to configure a VPN over an IPSec tunnel:
- Configure the IKE Policy
- Configure Group Policy Information
- Enable Policy Lookup
- Configure IPSec Transforms and Protocols
- Configure the IPSec Crypto Method and Parameters
- Apply the Crypto Map to the Physical Interface
