Tuesday, 29 November 2011

Virtual Private Network (VPN) Site-to-Site between two remote Cisco Routers with Internet Protocol Security (IPsec)

From ideasnet



A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or users with access to a central organizational network. VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.
Source: Wikipedia

One way to build a site-to-site VPN between two or more Cisco routers is shown below. In the network used here, the VPN protects the traffic between the two LANs attached to the Fa0/0 interfaces (192.168.1.0/24 and 192.168.2.0/24), so the two sites communicate as if they were a single LAN. The configuration of both devices follows, starting with R1 (ROUTER-A).

ROUTER-A

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key TEST address 200.0.0.1
crypto isakmp keepalive 10
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map VPN ipsec-isakmp
set peer 200.0.0.1
set transform-set VPN-SET
match address 150
!
interface FastEthernet0/0
description *** ROUTER-A --> LAN ***
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no keepalive
!
interface Serial0/0/0
no ip address
encapsulation frame-relay IETF
logging event subif-link-status
logging event dlci-status-change
ip access-group 103 in
load-interval 30
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
description *** ROUTER-A --> WAN ***
ip address 100.0.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay interface-dlci 100 IETF
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip nat inside source route-map VPN-NAT interface Serial0/0/0.1 overload
!
access-list 100 remark *** ACL NAT ***
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any 
!
access-list 103 remark **********************************************
access-list 103 remark *** OPEN PORTS VPN SITE-TO-SITE ***
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 remark *** CLOSE THE PORTS TO BLOCK THE REST OF THE ACCESS ***
access-list 103 deny ip any any log 
access-list 103 remark **********************************************
!
access-list 150 remark *** ACL VPN SITE-TO-SITE ***
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 remark ********************************************** 
!
route-map VPN-NAT permit 10 
match ip address 100
!
crypto isakmp enable

ROUTER-B

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key TEST address 100.0.0.1
crypto isakmp keepalive 10
!
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
!
crypto map VPN ipsec-isakmp
set peer 100.0.0.1
set transform-set VPN-SET
match address 150
!
interface FastEthernet0/0
description *** ROUTER-B --> LAN ***
ip address 192.168.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no keepalive
!
interface Serial0/0/0
no ip address
encapsulation frame-relay IETF
logging event subif-link-status
logging event dlci-status-change
ip access-group 103 in
load-interval 30
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
description *** ROUTER-B --> WAN ***
ip address 200.0.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay interface-dlci 100 IETF
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip nat inside source route-map VPN-NAT interface Serial0/0/0.1 overload
!
access-list 100 remark *** ACL NAT ***
access-list 100 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 any 
!
access-list 103 remark **********************************************
access-list 103 remark *** OPEN PORTS VPN SITE-TO-SITE ***
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 remark *** CLOSE THE PORTS TO BLOCK THE REST OF THE ACCESS ***
access-list 103 deny ip any any log
access-list 103 remark **********************************************
!
access-list 150 remark *** ACL VPN SITE-TO-SITE ***
access-list 150 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 remark **********************************************
!
route-map VPN-NAT permit 10
match ip address 100
!
crypto isakmp enable
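The two configurations have to be mirror images of each other, and the usual reasons a tunnel of this kind does not come up are a peer or pre-shared key bound to the wrong address, a crypto ACL that is not the exact inverse of the other side's, or a NAT rule that rewrites the VPN traffic before the crypto map sees it (which is why ACL 100 denies the 192.168.1.0/24 to 192.168.2.0/24 flow before its permit). The Python script below is an added example, not code from the original post: it parses a constructed excerpt of the two configs above (ROUTER_B is derived from ROUTER_A by swapping the LAN and WAN addresses, which is the only way the page's ROUTER-B differs) and reports those mismatches. It also flags the legacy algorithms the post uses (3DES, MD5, Diffie-Hellman group 2), which current IKE/IPsec guidance replaces with AES, SHA-2 and group 14 or higher.

```python
"""Cross-check the two ends of a Cisco IOS site-to-site IPsec configuration.
Added example, not from the original post. ROUTER_A is a constructed excerpt of the page's
ROUTER-A config (IOS sub-command indentation restored); ROUTER_B is derived from it by
swapping LAN/WAN addresses, the only way the page's ROUTER-B config differs from ROUTER-A."""
import re

WEAK_POLICY = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}  # legacy
WEAK_TRANSFORM = {"esp-des", "esp-3des", "esp-md5-hmac"}
ROUTER_A = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto isakmp key TEST address 200.0.0.1
crypto ipsec transform-set VPN-SET esp-3des esp-md5-hmac
crypto map VPN ipsec-isakmp
 set peer 200.0.0.1
 set transform-set VPN-SET
 match address 150
interface Serial0/0/0.1 point-to-point
 ip address 100.0.0.1 255.255.255.252
 crypto map VPN
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map VPN-NAT permit 10
 match ip address 100
"""
_SWAP = {"192.168.1.0": "192.168.2.0", "192.168.2.0": "192.168.1.0",
         "100.0.0.1": "200.0.0.1", "200.0.0.1": "100.0.0.1"}
ROUTER_B = re.sub(r"\d+(?:\.\d+){3}", lambda m: _SWAP.get(m.group(), m.group()), ROUTER_A)

def parse(text):
    """Pull the fields the cross-check needs out of one config excerpt."""
    c = {"policy": {}, "psk": {}, "tset": {}, "acl": {}, "peer": None,
         "map_tset": None, "crypto_acl": None, "nat_acl": None, "wan": None}
    ctx = last_ip = None
    for line in text.strip().splitlines():
        w = line.split()
        if not line.startswith(" "):                          # top-level command
            ctx = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                ctx = "policy"
            elif w[:3] == ["crypto", "isakmp", "key"]:        # key <psk> address <peer>
                c["psk"][w[5]] = w[3]
            elif w[:3] == ["crypto", "ipsec", "transform-set"]:
                c["tset"][w[3]] = tuple(w[4:])
            elif w[:2] == ["crypto", "map"]:
                ctx = "map"
            elif w[0] in ("interface", "route-map"):
                ctx = w[0]
            elif w[0] == "access-list" and w[2] in ("permit", "deny"):
                c["acl"].setdefault(w[1], []).append(tuple(w[2:]))
        elif ctx == "policy" and w[0] in WEAK_POLICY:         # encr / hash / group
            c["policy"][w[0]] = w[1]
        elif ctx == "map" and w[0] in ("set", "match"):
            field = {"peer": "peer", "transform-set": "map_tset", "address": "crypto_acl"}.get(w[1])
            if field:
                c[field] = w[2]
        elif ctx == "interface" and w[:2] == ["ip", "address"]:
            last_ip = w[2]
        elif ctx == "interface" and w[:2] == ["crypto", "map"]:
            c["wan"] = last_ip                                # address the other side must peer with
        elif ctx == "route-map" and w[:3] == ["match", "ip", "address"]:
            c["nat_acl"] = w[3]
    return c

def endpoints(entry):
    out, i = [], 2                                            # skip action and protocol
    while len(out) < 2 and i < len(entry):                    # 'any' is one token, net+wildcard two
        step = 1 if entry[i] == "any" else 2
        out.append(" ".join(entry[i:i + step]))
        i += step
    return tuple(out)                                         # (src, dst)

def cross_check(a, b):
    """MISMATCH and NAT findings break the tunnel; WEAK findings are crypto hygiene."""
    f = []
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        if x["peer"] != y["wan"]:
            f.append(f"MISMATCH: {nx} peers with {x['peer']} but {ny}'s crypto-map interface is {y['wan']}")
        flows = {endpoints(e) for e in x["acl"].get(x["crypto_acl"], []) if e[0] == "permit"}
        mirror = {endpoints(e) for e in y["acl"].get(y["crypto_acl"], []) if e[0] == "permit"}
        if {(d, s) for s, d in flows} != mirror:
            f.append(f"MISMATCH: crypto ACLs of {nx} and {ny} are not mirror images")
        # NAT exemption: protected flows need a deny in the NAT ACL ahead of its first permit,
        # otherwise PAT rewrites the source and the packets no longer match the crypto ACL.
        nat = x["acl"].get(x["nat_acl"], [])
        head = nat[:next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))]
        if not flows <= {endpoints(e) for e in head if e[0] == "deny"}:
            f.append(f"NAT: {nx} would translate VPN traffic; deny each protected flow first")
    for what, va, vb in (("pre-shared keys", a["psk"].get(a["peer"]), b["psk"].get(b["peer"])),
                         ("ISAKMP policies", a["policy"], b["policy"]),
                         ("transform sets", a["tset"].get(a["map_tset"]), b["tset"].get(b["map_tset"]))):
        if va != vb:
            f.append(f"MISMATCH: {what} differ")
    f += [f"WEAK: ISAKMP {k} {v}" for k, v in a["policy"].items() if v in WEAK_POLICY[k]]
    f += [f"WEAK: transform {t}" for t in a["tset"].get(a["map_tset"], ()) if t in WEAK_TRANSFORM]
    return f
```

Run as `cross_check(parse(ROUTER_A), parse(ROUTER_B))`: the page's pair produces no MISMATCH or NAT findings and five WEAK findings. The parser understands only the command forms used in these two configs; anything else in a real running-config is ignored rather than rejected, so treat a clean result as "nothing obviously inconsistent", not as a full validation.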

The tunnel is negotiated on demand, so to bring the VPN up some traffic matching the crypto ACL has to be sent. On ROUTER-A issue this command:

ROUTER-A# ping 192.168.2.254 source 192.168.1.3

After a few seconds the VPN will be up. To check it, use the following command:

ROUTER-A# sh crypto session 
 
Crypto session current status
 
Interface: Serial0/0/0.1
Session status: UP-ACTIVE     
Peer: 200.0.0.1 port 500 
  IKE SA: local 100.0.0.1/500 remote 200.0.0.1/500 Active 
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0 
        Active SAs: 2, origin: crypto map
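The output above is what a healthy single-peer session looks like; in day-to-day operation it is worth checking it programmatically rather than reading it. The Python parser below is an added example, not part of the original post: it turns `show crypto session` output into one record per peer and reports peers whose session is not UP-ACTIVE, whose flow carries no active SAs, or that are missing altogether. SAMPLE is the page's output followed by a second, constructed peer block (203.0.113.9, a documentation address) whose session is DOWN.

```python
"""Parse 'show crypto session' output and flag tunnels that are not healthy.
Added example, not from the original post. SAMPLE is the page's output followed by a second,
constructed peer block (203.0.113.9, a documentation address) whose session is DOWN."""
import re

SAMPLE = """\
Crypto session current status

Interface: Serial0/0/0.1
Session status: UP-ACTIVE
Peer: 200.0.0.1 port 500
  IKE SA: local 100.0.0.1/500 remote 200.0.0.1/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: Serial0/0/0.1
Session status: DOWN
Peer: 203.0.113.9 port 500
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 10.9.0.0/255.255.0.0
        Active SAs: 0, origin: crypto map
"""

_RE = {
    "interface": re.compile(r"^Interface: (\S+)", re.M),
    "status": re.compile(r"^Session status: (\S+)", re.M),
    "peer": re.compile(r"^Peer: (\S+) port (\d+)", re.M),
    "ike": re.compile(r"IKE SA: local (\S+) remote (\S+) (\w+)"),
    "flow": re.compile(r"IPSEC FLOW: permit (\w+) (\S+) (\S+)\s+Active SAs: (\d+)"),
}


def parse_sessions(output):
    """One record per 'Interface:' block; the header line before the first block is skipped."""
    sessions = []
    for block in re.split(r"\n(?=Interface: )", output):
        if not block.startswith("Interface: "):
            continue
        rec = {"interface": _RE["interface"].search(block).group(1),
               "status": _RE["status"].search(block).group(1),
               "peer": _RE["peer"].search(block).group(1),
               "ike": None, "flows": []}
        m = _RE["ike"].search(block)
        if m:                                   # the IKE SA line is absent while the session is down
            rec["ike"] = {"local": m.group(1), "remote": m.group(2), "state": m.group(3)}
        for m in _RE["flow"].finditer(block):
            # IPsec SAs are unidirectional, so one protected flow carries two (inbound + outbound).
            rec["flows"].append({"proto": m.group(1), "src": m.group(2), "dst": m.group(3),
                                 "active_sas": int(m.group(4))})
        sessions.append(rec)
    return sessions


def unhealthy(sessions, expected_peers=()):
    """Map peer -> reason for every session that is not usable, plus expected peers with no
    session at all (a tunnel that never negotiated leaves no block to inspect)."""
    bad = {}
    for s in sessions:
        if s["status"] != "UP-ACTIVE":
            bad[s["peer"]] = f"session {s['status']}"
        elif any(f["active_sas"] == 0 for f in s["flows"]):
            bad[s["peer"]] = "flow without active SAs"
    seen = {s["peer"] for s in sessions}
    for peer in expected_peers:
        if peer not in seen:
            bad[peer] = "no session"
    return bad
```

Passing the list of peers configured in the crypto maps as `expected_peers` is what catches the silent failure case: a peer that never negotiated does not appear in the output at all, so a parser that only looks at the blocks present would report nothing wrong.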

