So far the IPsec VPN configurations have covered just two endpoints; this time we look at how to configure a VPN between more than two sites, again using IPsec for the encryption. In the picture above the infrastructure consists of a Main Office (ROUTER-A) and two Remote Offices (ROUTER-B and ROUTER-C). The Main Office has one tunnel to each Remote Office, and ROUTER-B and ROUTER-C have a tunnel between them, so the three sites form a full mesh. Each router has its own xDSL connection with the following public IP address (placeholders):

ROUTER-A int Se0/0/0.1 100.0.0.1/30
ROUTER-B int Se0/0/0.1 200.0.0.1/30
ROUTER-C int Se0/0/0.1 300.0.0.1/30

Note that 300.0.0.1 is not a valid IPv4 address (an octet cannot exceed 255); it is kept here as the original placeholder, so substitute the real address of the third site.

The Site-to-Site VPNs are therefore:

200.0.0.1/30 <VPN> 100.0.0.1/30 <VPN> 300.0.0.1/30
200.0.0.1/30 <VPN> 300.0.0.1/30

Three details decide whether such a mesh works, and IOS accepts all of them silently when they are wrong. Only one crypto map can be bound to an interface, so every tunnel of a router must be an entry (a different sequence number) of the same crypto map, the one named in the crypto map command under Se0/0/0.1. Each entry needs its own crypto ACL: IOS walks the entries in sequence order and uses the first whose ACL matches the packet, so one ACL shared by two entries would send the traffic for the second peer to the first one. And the pre-shared key belongs to the pair, not to the router: the key configured on ROUTER-A for 200.0.0.1 must be the same string configured on ROUTER-B for 100.0.0.1. The NAT ACL (100) must deny the site-to-site prefixes before the overload permit, because NAT runs before the crypto map on the way out and a translated packet would no longer match the crypto ACL.

Two caveats on the policy shown: 3DES, MD5 and Diffie-Hellman group 2 are the legacy algorithms of the original post; on current IOS use AES, SHA-2 and DH group 14 or higher (and IKEv2 where both ends support it). ACL 103 admits ISAKMP, ESP and AH from any source; with static peer addresses those lines should name the peers rather than any.
ROUTER-A
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
! one pre-shared key per pair, identical on both ends of the tunnel
crypto isakmp key PwdRoAB address 200.0.0.1
crypto isakmp key PwdRoAC address 300.0.0.1
!
crypto ipsec transform-set VPN_RoA-VPN_RoB esp-3des esp-sha-hmac
crypto ipsec transform-set VPN_RoA-VPN_RoC esp-3des esp-sha-hmac
!
! both tunnels are entries of the single crypto map VPN bound to Se0/0/0.1,
! one entry per peer, each with its own crypto ACL
crypto map VPN 1 ipsec-isakmp
description *** TUNNEL TO ROUTER B Se0/0/0.1 200.0.0.1 ***
set peer 200.0.0.1
set transform-set VPN_RoA-VPN_RoB
match address 150
!
crypto map VPN 2 ipsec-isakmp
description *** TUNNEL TO ROUTER C Se0/0/0.1 300.0.0.1 ***
set peer 300.0.0.1
set transform-set VPN_RoA-VPN_RoC
match address 151
!
interface Vlan1
description *** CONNECTION INTERNAL LAN ***
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
description *** HDSL CONNECTION EXTERNAL WAN ***
no ip address
encapsulation frame-relay IETF
logging event subif-link-status
logging event dlci-status-change
ip access-group 103 in
load-interval 30
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
description *** LINK DATA MCR 1024 ***
ip address 100.0.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay interface-dlci 100 IETF
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip nat inside source route-map VPN-NAT interface Serial0/0/0.1 overload
!
access-list 100 remark *** ACL NAT (site-to-site traffic must not be translated) ***
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 103 remark **********************************************
access-list 103 remark *** OPEN PORTS VPN SITE-TO-SITE ***
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 remark *** CLOSE THE PORTS TO BLOCK THE REST OF THE ACCESS ***
access-list 103 deny ip any any log
access-list 103 remark **********************************************
!
access-list 150 remark *** ACL VPN SITE-TO-SITE TO ROUTER B ***
access-list 150 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 151 remark *** ACL VPN SITE-TO-SITE TO ROUTER C ***
access-list 151 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 151 remark **********************************************
!
route-map VPN-NAT permit 10
match ip address 100
!
crypto isakmp enable
ROUTER-B
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
! one pre-shared key per pair, identical on both ends of the tunnel
crypto isakmp key PwdRoAB address 100.0.0.1
crypto isakmp key PwdRoBC address 300.0.0.1
!
crypto ipsec transform-set VPN_RoB-VPN_RoA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN_RoB-VPN_RoC esp-3des esp-sha-hmac
!
! both tunnels are entries of the single crypto map VPN bound to Se0/0/0.1,
! one entry per peer, each with its own crypto ACL
crypto map VPN 1 ipsec-isakmp
description *** TUNNEL TO ROUTER A Se0/0/0.1 100.0.0.1 ***
set peer 100.0.0.1
set transform-set VPN_RoB-VPN_RoA
match address 150
!
crypto map VPN 2 ipsec-isakmp
description *** TUNNEL TO ROUTER C Se0/0/0.1 300.0.0.1 ***
set peer 300.0.0.1
set transform-set VPN_RoB-VPN_RoC
match address 151
!
interface Vlan1
description *** CONNECTION INTERNAL LAN ***
ip address 192.168.20.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
description *** HDSL CONNECTION EXTERNAL WAN ***
no ip address
encapsulation frame-relay IETF
logging event subif-link-status
logging event dlci-status-change
ip access-group 103 in
load-interval 30
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
description *** LINK DATA MCR 1024 ***
ip address 200.0.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay interface-dlci 100 IETF
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip nat inside source route-map VPN-NAT interface Serial0/0/0.1 overload
!
access-list 100 remark *** ACL NAT (site-to-site traffic must not be translated) ***
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
!
access-list 103 remark **********************************************
access-list 103 remark *** OPEN PORTS VPN SITE-TO-SITE ***
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 remark *** CLOSE THE PORTS TO BLOCK THE REST OF THE ACCESS ***
access-list 103 deny ip any any log
access-list 103 remark **********************************************
!
access-list 150 remark *** ACL VPN SITE-TO-SITE TO ROUTER A ***
access-list 150 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 151 remark *** ACL VPN SITE-TO-SITE TO ROUTER C ***
access-list 151 permit ip 192.168.20.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 151 remark **********************************************
!
route-map VPN-NAT permit 10
match ip address 100
!
crypto isakmp enable
ROUTER-C
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
! one pre-shared key per pair, identical on both ends of the tunnel
crypto isakmp key PwdRoAC address 100.0.0.1
crypto isakmp key PwdRoBC address 200.0.0.1
!
crypto ipsec transform-set VPN_RoC-VPN_RoA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN_RoC-VPN_RoB esp-3des esp-sha-hmac
!
! both tunnels are entries of the single crypto map VPN bound to Se0/0/0.1,
! one entry per peer, each with its own crypto ACL
crypto map VPN 1 ipsec-isakmp
description *** TUNNEL TO ROUTER A Se0/0/0.1 100.0.0.1 ***
set peer 100.0.0.1
set transform-set VPN_RoC-VPN_RoA
match address 150
!
crypto map VPN 2 ipsec-isakmp
description *** TUNNEL TO ROUTER B Se0/0/0.1 200.0.0.1 ***
set peer 200.0.0.1
set transform-set VPN_RoC-VPN_RoB
match address 151
!
interface Vlan1
description *** CONNECTION INTERNAL LAN ***
ip address 192.168.30.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Serial0/0/0
description *** HDSL CONNECTION EXTERNAL WAN ***
no ip address
encapsulation frame-relay IETF
logging event subif-link-status
logging event dlci-status-change
ip access-group 103 in
load-interval 30
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
description *** LINK DATA MCR 1024 ***
ip address 300.0.0.1 255.255.255.252
ip nat outside
ip virtual-reassembly
snmp trap link-status
no cdp enable
no arp frame-relay
frame-relay interface-dlci 100 IETF
crypto map VPN
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0.1
!
ip nat inside source route-map VPN-NAT interface Serial0/0/0.1 overload
!
access-list 100 remark *** ACL NAT (site-to-site traffic must not be translated) ***
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
!
access-list 103 remark **********************************************
access-list 103 remark *** OPEN PORTS VPN SITE-TO-SITE ***
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit ahp any any
access-list 103 remark *** CLOSE THE PORTS TO BLOCK THE REST OF THE ACCESS ***
access-list 103 deny ip any any log
access-list 103 remark **********************************************
!
access-list 150 remark *** ACL VPN SITE-TO-SITE TO ROUTER A ***
access-list 150 permit ip 192.168.30.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 151 remark *** ACL VPN SITE-TO-SITE TO ROUTER B ***
access-list 151 permit ip 192.168.30.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 151 remark **********************************************
!
route-map VPN-NAT permit 10
match ip address 100
!
crypto isakmp enable
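The three configurations are near copies of each other, and IOS accepts each one on its own even when the mesh as a whole cannot work: a crypto map name that is not the one bound under Se0/0/0.1, two entries of the same map whose crypto ACLs match the same flow, or a pre-shared key that differs between the two ends of a pair. The Python script below is an added example, not code from the original post. It renders the crypto-relevant part of each site's configuration in the same layout as above (the WAN addresses and LAN prefixes are the page's; the transform-set name TS, the per-peer map name VPN_to_<peer> used for the defective variant, and the pair keys PwdRoAB, PwdRoAC and PwdRoBC are assumptions of the example), parses the three configs back and cross-checks them. Passing one of the `defects` names re-creates the corresponding mistake (a per-peer map name, one crypto ACL 150 shared by both entries, one key per peer instead of per pair) so each check can be seen firing.

```python
"""Consistency linter for the three-router IPsec mesh above (added example, not the post's
own code). It parses only the IOS constructs the page uses and reports the mistakes IOS
accepts silently: unbound crypto map, crypto-ACL shadowing, asymmetric PSKs, unmirrored ACLs."""
import re
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")

def net(addr, wc):
    """ACL 'address wildcard' pair -> network (contiguous wildcards only)."""
    return IPv4Network((addr, 32 - int(IPv4Address(wc)).bit_length()))

def parse(text):
    """Pull keys, crypto map entries, extended ACLs and the bound map out of one config."""
    cfg = {"keys": {}, "maps": {}, "acls": {}, "bound": None, "wan": None}
    ctx = None                                   # ("map", name, seq) | ("if", ip) | None
    for line in (l.strip() for l in text.splitlines()):
        t = line.split()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)", line):
            cfg["keys"][m[2]] = m[1]             # key used towards that peer
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            ctx = ("map", m[1], int(m[2]))
            cfg["maps"].setdefault(m[1], {})[int(m[2])] = {}
        elif len(t) > 4 and t[0] == "access-list" and t[3] == "ip":
            a = t[4:]                            # src [wc] dst [wc]; 'any' is a single token
            src, a = (ANY, a[1:]) if a[0] == "any" else (net(a[0], a[1]), a[2:])
            dst = ANY if a[0] == "any" else net(a[0], a[1])
            cfg["acls"].setdefault(t[1], []).append((t[2], src, dst))
        elif line.startswith("interface "):
            ctx = ("if", None)
        elif ctx and ctx[0] == "map":
            if m := re.match(r"set peer (\S+)|match address (\S+)", line):
                cfg["maps"][ctx[1]][ctx[2]]["peer" if m[1] else "acl"] = m[1] or m[2]
        elif ctx and ctx[0] == "if":
            if m := re.match(r"ip address (\S+) ", line):
                ctx = ("if", m[1])
            elif m := re.match(r"crypto map (\S+)$", line):
                cfg["bound"], cfg["wan"] = m[1], ctx[1]
    return cfg

def permits(cfg, acl):
    """(src, dst) pairs a crypto ACL steers into the tunnel."""
    return [(s, d) for a, s, d in cfg["acls"].get(acl, []) if a == "permit"]

def lint(routers):
    """Findings for a parsed mesh {name: cfg}: the bound map must exist, no two entries of a map
    may match the same flow, PSKs must be identical on both ends, every flow must be mirrored."""
    out, by_wan = [], {c["wan"]: (n, c) for n, c in routers.items()}
    for name, cfg in routers.items():
        if cfg["bound"] not in cfg["maps"]:
            out.append(f"{name}: binds crypto map {cfg['bound']!r} but defines {sorted(cfg['maps'])}")
        for mname, entries in cfg["maps"].items():
            earlier = []                             # IOS uses the first entry whose ACL matches
            for seq, e in sorted(entries.items()):
                pname, pcfg = by_wan[e["peer"]]
                if cfg["keys"].get(e["peer"]) != pcfg["keys"].get(cfg["wan"]):
                    out.append(f"{name}<->{pname}: pre-shared keys differ; IKE phase 1 fails")
                theirs = {(s, d) for m in pcfg["maps"].values() for pe in m.values()
                          if pe.get("peer") == cfg["wan"] for s, d in permits(pcfg, pe.get("acl"))}
                for s, d in permits(cfg, e.get("acl")):
                    if any(s.overlaps(ps) and d.overlaps(pd) for ps, pd in earlier):
                        out.append(f"{name}: {mname} {seq} flow {s}->{d} is shadowed by an earlier entry")
                    if (d, s) not in theirs:
                        out.append(f"{name}->{pname}: flow {s}->{d} has no mirror on {pname}; proxy IDs differ")
                earlier += permits(cfg, e.get("acl"))
    return out

# The page's topology; WAN addresses are the post's placeholders (300.0.0.1 is not a valid IPv4
# address and is only ever handled as an opaque string here), one /24 LAN per site.
SITES = {"A": ("100.0.0.1", "192.168.10.0"), "B": ("200.0.0.1", "192.168.20.0"),
         "C": ("300.0.0.1", "192.168.30.0")}

def render(wan, lan, peers, defects=frozenset()):
    """Crypto-relevant lines of one site laid out like the page; peers = [(wan, lan, psk)]."""
    out = [f"crypto isakmp key {k} address {pw}" for pw, _, k in peers]
    for i, (pw, pl, _) in enumerate(peers, 1):
        acl = 150 if "shared_acl" in defects else 149 + i
        out += [f"crypto map {'VPN_to_' + pw if 'map_names' in defects else 'VPN'} {i} ipsec-isakmp",
                f" set peer {pw}", " set transform-set TS", f" match address {acl}", "!",
                f"access-list {acl} permit ip {lan} 0.0.0.255 {pl} 0.0.0.255"]
    out += ["interface Serial0/0/0.1", f" ip address {wan} 255.255.255.252", " crypto map VPN"]
    return "\n".join(out)

def mesh(defects=frozenset()):
    """Full mesh of SITES as {name: parsed cfg}. `defects` re-creates the mesh mistakes:
    map_names  - a different crypto map name per entry, none of them the bound name VPN
    shared_acl - every entry matches the same ACL 150
    peer_psk   - key PwdRo<peer> chosen per peer instead of one key shared by each pair"""
    routers = {}
    for me, (wan, lan) in SITES.items():
        peers = [(pw, pl, f"PwdRo{p}" if "peer_psk" in defects else "PwdRo" + "".join(sorted(me + p)))
                 for p, (pw, pl) in SITES.items() if p != me]
        routers[f"ROUTER-{me}"] = parse(render(wan, lan, peers, defects))
    return routers
```

`lint(mesh())` returns an empty list for the corrected layout, while `lint(mesh({"map_names", "shared_acl", "peer_psk"}))` lists every finding for a mesh that has all three mistakes at once. The parser understands only the handful of constructs this page relies on (numbered extended ACLs with contiguous wildcards, `crypto map ... ipsec-isakmp` entries, the map bound under an interface), so feed it a full `show running-config` only after confirming nothing else in it affects the tunnels.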