Tuesday, 29 November 2011

“:::Virtual Private Network (VPN) Site-To-Site plus Client-To-Site on Cisco Router with Internet Protocol Security (IPsec):::”



Here I report my latest experience with Virtual Private Networks (VPN). In this howto I explain how to configure a Cisco IOS router with an IPsec VPN that is both Site-To-Site (towards a second router) and Client-To-Site (for remote PCs), so that a remote PC or a remote LAN can reach the main site. Below is the configuration I used.

ROUTER-A

username ADMIN privilege 15 secret 0 ADMIN12345
! 'password 7' expects an already Vigenere-encoded string; give IOS the cleartext with 'secret 0' and let it hash it
username USER secret 0 USER12345
!
! the Xauth user list and the group authorization list named on the crypto map below are AAA method lists;
! without 'aaa new-model' and these definitions the client-to-site users cannot authenticate
aaa new-model
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
crypto isakmp enable
crypto logging session
!
!
enable secret 0 USER54321
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
! 3DES, MD5 and DH group 2 are legacy choices; on IOS releases that support them prefer 'encr aes 256',
! 'hash sha256' and 'group 14' for the site-to-site peer (ROUTER-B must match), keeping a separate,
! lower-priority policy only for software clients that negotiate nothing better than group 2
!
! 'no-xauth' stops the router from demanding Xauth credentials from the site-to-site peer, which the
! 'client authentication list' applied to the crypto map below would otherwise trigger for every peer
crypto isakmp key TEST address 200.0.0.1 no-xauth
!
crypto isakmp keepalive 10
!
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group remote-vpn
 banner ^C*** You are connected to the IOS Router by VPN Client-To-Site ***^C
 ! the group key is used in IKE aggressive mode and can be attacked offline from one captured exchange:
 ! make it long and random
 key bieffebi
 domain bieffebi.local
 ! the name must match the 'ip local pool' defined further down
 pool remote-vpn-pool
 acl 151
 ! save-password lets the client cache the Xauth password on disk; remove it if that is not acceptable
 save-password
 max-users 10
 max-logins 10
!
crypto ipsec security-association lifetime seconds 86400
crypto ipsec security-association idle-time 3600
!
! esp-3des/esp-md5-hmac match the legacy phase-1 policy above; prefer 'esp-aes 256 esp-sha256-hmac' where the IOS release allows it
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto dynamic-map remote-dyn 20
 description *** Client to Site VPN Users ***
 set transform-set VPN-SET 
 reverse-route
!
!
crypto map VPN local-address Serial0/0/0.1
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
crypto map VPN client configuration address respond
!
crypto map VPN 10 ipsec-isakmp 
 set peer 200.0.0.1
 set transform-set VPN-SET 
 match address 150
crypto map VPN 65535 ipsec-isakmp dynamic remote-dyn 
!
!
interface FastEthernet0/0
 description *** ROUTER-A --> LAN ***
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 logging event subif-link-status
 logging event dlci-status-change
 load-interval 30
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 description *** ROUTER-A --> WAN ***
 ip address 100.0.0.1 255.255.255.252
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 100 IETF
 crypto map VPN
!
!
! addresses handed to the client-to-site users; they come from 192.168.3.0/24 so that the NAT exemption
! in ACL 100 and the split-tunnel ACL 151 below actually cover the clients
ip local pool remote-vpn-pool 192.168.3.250 192.168.3.254
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip nat inside source route-map VPN-NAT interface Serial0/0/0.1 overload
!
! ACL 100 drives the NAT route-map: 'deny' means do not translate (traffic for the VPN peers), 'permit' means translate
access-list 100 remark *** ACL FOR NAT ***
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! telnet is cleartext and these entries expose management to the whole Internet: prefer SSH only
! and restrict the source to known management addresses
access-list 103 remark *** OPEN THE PORTS FOR SSH/TELNET/HTTPS MANAGEMENT ON THE ROUTER ***
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq telnet
access-list 103 permit tcp any any eq 443
access-list 103 remark **********************************************
access-list 103 remark *** OPEN THE PORTS FOR THE VPN SERVICES ON THE ROUTER (IKE, NAT-T, ESP, AH) ***
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 remark **********************************************
! the final deny is stateless and also drops the replies of NAT sessions started from the LAN:
! add 'ip inspect' (CBAC) or at least 'permit tcp any any established' if the LAN must reach the Internet
access-list 103 remark *** CLOSE THE PORTS TO BLOCK THE REST OF THE ACCESS ***
access-list 103 deny ip any any log
access-list 103 remark **********************************************
!
access-list 150 remark *** ACL VPN SITE-TO-SITE ***
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 remark **********************************************
!
access-list 151 remark *** ACL FOR SPLIT-TUNNEL PUSHED TO THE CLIENT-TO-SITE USERS ***
access-list 151 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 151 remark **********************************************
!
route-map VPN-NAT permit 10
 match ip address 100

ROUTER-B

username ADMIN privilege 15 secret 0 ADMIN12345
!
enable secret 0 USER54321
!
! the policy number does not have to match ROUTER-A (3); the attributes do
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp key TEST address 100.0.0.1
crypto isakmp keepalive 10
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
! a static crypto map entry needs a sequence number
crypto map VPN 10 ipsec-isakmp
 set peer 100.0.0.1
 set transform-set VPN-SET
 match address 150
!
interface FastEthernet0/0
 description *** ROUTER-B --> LAN ***
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no keepalive
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 logging event subif-link-status
 logging event dlci-status-change
 load-interval 30
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 description *** ROUTER-B --> WAN ***
 ip address 200.0.0.1 255.255.255.252
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 snmp trap link-status
 no cdp enable
 no arp frame-relay
 frame-relay interface-dlci 100 IETF
 crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip nat inside source route-map VPN-NAT interface Serial0/0/0.1 overload
!
access-list 100 remark *** ACL FOR NAT ***
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 103 remark **********************************************
access-list 103 remark *** OPEN PORTS VPN SITE-TO-SITE (IKE, NAT-T, ESP, AH) ***
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
! as on ROUTER-A, this stateless deny also drops the replies of NAT sessions started from the LAN:
! add 'ip inspect' (CBAC) or at least 'permit tcp any any established' if the LAN must reach the Internet
access-list 103 remark *** CLOSE THE PORTS TO BLOCK THE REST OF THE ACCESS ***
access-list 103 deny ip any any log
access-list 103 remark **********************************************
!
access-list 150 remark *** ACL VPN SITE-TO-SITE ***
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 remark **********************************************
!
route-map VPN-NAT permit 10
 match ip address 100
!
crypto isakmp enable

Obviously, 192.168.3.0/24 is the network assigned to the PCs that use the Client-To-Site VPN.
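The following is an added example and is not part of the original post or of any Cisco tool: a small Python script that reads a saved running-config and flags the issues discussed in the two configurations above (legacy IKEv1/IPsec algorithms, a site-to-site pre-shared key without 'no-xauth' while Xauth is enabled on the crypto map, AAA method lists and address pools that are referenced but never defined, and telnet or SSH open to any source on the WAN access list). The SAMPLE and HARDENED configurations embedded in it are constructed for this example; HARDENED assumes an IOS release that supports AES-256, SHA-256 and DH group 14, and 203.0.113.0/24 stands in for a management network.

```python
# Added example: static audit of a saved Cisco IOS IKEv1/IPsec running-config for the
# pitfalls a combined site-to-site plus client-to-site setup is prone to.
import re

LEGACY_ENCR, LEGACY_HASH, LEGACY_DH = {"des", "3des"}, {"md5", "sha"}, {"1", "2", "5"}  # 'sha' = SHA-1
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_blocks(config):
    """Return [(header, [children])]: a column-0 line opens a block, indented lines belong to it."""
    blocks, header, kids = [], None, []
    for line in (ln.rstrip() for ln in config.splitlines()):
        if not line.strip() or line.lstrip().startswith("!"):
            continue                                    # blanks and '!' comment lines
        if line[0] in " \t" and header is not None:
            kids.append(line.strip())
        else:
            if header is not None:
                blocks.append((header, kids))
            header, kids = line.strip(), []
    if header is not None:
        blocks.append((header, kids))
    return blocks

def audit(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    blocks = parse_blocks(config)
    top = [h for h, _ in blocks]
    findings = []
    # Phase 1: omitted attributes take IOS defaults (DES, SHA-1, group 1), which are legacy too.
    for header, kids in blocks:
        if header.startswith("crypto isakmp policy"):
            attrs = dict(k.split(None, 1) for k in kids if " " in k)
            encr, hsh, grp = attrs.get("encr", "des"), attrs.get("hash", "sha"), attrs.get("group", "1")
            if encr.split()[0] in LEGACY_ENCR or hsh in LEGACY_HASH or grp in LEGACY_DH:
                findings.append(f"{header}: legacy phase-1 algorithms (encr {encr}, hash {hsh}, group {grp})")
    # Phase 2 transform sets.
    for h in top:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", h)
        if m and LEGACY_TRANSFORMS & set(m.group(2).split()):
            findings.append(f"transform-set {m.group(1)}: legacy transforms ({m.group(2)})")
    # Xauth on a crypto map is attempted against every peer; LAN-to-LAN PSKs need 'no-xauth'.
    if any(re.match(r"crypto map \S+ client authentication list", h) for h in top):
        for h in top:
            m = re.match(r"crypto isakmp key (?:[06] )?\S+ address (\S+)(.*)", h)
            if m and "no-xauth" not in m.group(2):
                findings.append(f"pre-shared key for peer {m.group(1)}: missing 'no-xauth', peer gets an Xauth prompt")
    # AAA method lists named on the crypto map must exist, which also requires 'aaa new-model'.
    for h in top:
        m = re.match(r"crypto map \S+ (client authentication|isakmp authorization) list (\S+)", h)
        if m:
            kind = "aaa authentication login" if m.group(1).startswith("client") else "aaa authorization network"
            if "aaa new-model" not in top or not any(t.startswith(f"{kind} {m.group(2)} ") for t in top):
                findings.append(f"{kind} {m.group(2)}: referenced by the crypto map but not defined")
    # The address pool named in the client group must exist.
    pools = {m.group(1) for h in top if (m := re.match(r"ip local pool (\S+)", h))}
    for header, kids in blocks:
        if header.startswith("crypto isakmp client configuration group"):
            for k in kids:
                if k.startswith("pool ") and k.split()[1] not in pools:
                    findings.append(f"{header}: pool '{k.split()[1]}' is not defined (defined: {sorted(pools)})")
    # Management on the WAN ACL: telnet is cleartext, and SSH open to 'any' invites brute force.
    for h in top:
        m = re.match(r"access-list (\d+) permit tcp any (?:any|host \S+|\S+ \S+) eq (telnet|23|ssh|22)", h)
        if m:
            findings.append(f"access-list {m.group(1)}: {m.group(2)} permitted from any source")
    return findings

# Constructed sample modelled on the page's ROUTER-A before the fixes (not taken from a real device).
SAMPLE = """\
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key TEST address 200.0.0.1
crypto isakmp client configuration group remote-vpn
 pool remote-pool
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
ip local pool remote-vpn-pool 192.168.3.250 192.168.3.254
access-list 103 permit tcp any any eq telnet
"""
# Constructed hardened counterpart; assumes an IOS release that supports AES-256, SHA-256 and group 14.
HARDENED = """\
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
crypto isakmp policy 3
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key TEST address 200.0.0.1 no-xauth
crypto isakmp client configuration group remote-vpn
 pool remote-vpn-pool
crypto ipsec transform-set VPN-SET esp-aes 256 esp-sha256-hmac
crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
ip local pool remote-vpn-pool 192.168.3.250 192.168.3.254
access-list 103 permit tcp 203.0.113.0 0.0.0.255 any eq 22
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print("-", finding)
```

Run against SAMPLE it reports seven findings (legacy policy 3, legacy transform set, the PSK for 200.0.0.1 without 'no-xauth', the two undefined AAA lists, the undefined pool 'remote-pool' and telnet open to any); against HARDENED it reports nothing. To audit a real router, paste the output of 'show running-config' into a file and pass its contents to audit().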

1 comment:

  1. I always use vpn ninja; I got in touch with them while I was in China, their website is www.vpnninja.com
