
Cisco Router 860, 880 Series User Manual


    							 
    6-7
    Book Title
    OL-xxxxx-xx
    Chapter 6      Configuring Security Features
      Configuring VPN
    For more information about IPSec and GRE configuration, see the “Configuring Security for VPNs with 
    IPSec” chapter of the Cisco IOS Release 12.4T Security Configuration Guide at 
    http://www.cisco.com/en/US/docs/ios/security/configuration/guide/12_4t/sec_12_4t_book.html.
    Configuration Examples
    Each example configures a VPN over an IPSec tunnel, using the procedure given in the “Configure a 
    VPN over an IPSec Tunnel” section on page 6-7. Then, the specific procedure for a remote access 
    configuration is given, followed by the specific procedure for a site-to-site configuration. 
    The examples shown in this chapter apply only to the endpoint configuration on the Cisco 860 and
    Cisco 880 ISRs. Any VPN connection requires that both endpoints be configured properly to function. See
    the software configuration documentation as needed to configure VPN for other router models.
    VPN configuration information must be configured on both endpoints. You must specify parameters,
    such as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address
    Translation (NAT).
    • Configure a VPN over an IPSec Tunnel, page 6-7
    • Create a Cisco Easy VPN Remote Configuration, page 6-14
    • Configure a Site-to-Site GRE Tunnel, page 6-16
    Configure a VPN over an IPSec Tunnel
    Perform the following tasks to configure a VPN over an IPSec tunnel:
    • Configure the IKE Policy, page 6-7
    • Configure Group Policy Information, page 6-8
    • Apply Mode Configuration to the Crypto Map, page 6-9
    • Enable Policy Lookup, page 6-10
    • Configure IPSec Transforms and Protocols, page 6-11
    • Configure the IPSec Crypto Method and Parameters, page 6-12
    • Apply the Crypto Map to the Physical Interface, page 6-13
    • Where to Go Next, page 6-13
    Configure the IKE Policy
    To configure the Internet Key Exchange (IKE) policy, perform these steps, beginning in global 
    configuration mode:
    Figure legend (continued from the preceding page; the figure and items 1 to 3 are not on this page):
    4 Fast Ethernet or ATM interface—With address 200.1.1.1 (also the outside interface for NAT)
    5 LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1
    6 VPN client—Another router, which controls access to the corporate network
    7 LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1
    8 Corporate office network
    9 IPSec tunnel with GRE
    Step 1  crypto isakmp policy priority
        Example:
        Router(config)# crypto isakmp policy 1
        Router(config-isakmp)#
        Purpose: Creates an IKE policy that is used during IKE negotiation. The priority is a number
        from 1 to 10000, with 1 being the highest. Also enters Internet Security Association Key and
        Management Protocol (ISAKMP) policy configuration mode.
    Step 2  encryption {des | 3des | aes | aes 192 | aes 256}
        Example:
        Router(config-isakmp)# encryption 3des
        Router(config-isakmp)#
        Purpose: Specifies the encryption algorithm used in the IKE policy. The example specifies
        168-bit Triple Data Encryption Standard (3DES).
    Step 3  hash {md5 | sha}
        Example:
        Router(config-isakmp)# hash md5
        Router(config-isakmp)#
        Purpose: Specifies the hash algorithm used in the IKE policy. The example specifies the
        Message Digest 5 (MD5) algorithm. The default is Secure Hash Standard (SHA-1).
    Step 4  authentication {rsa-sig | rsa-encr | pre-share}
        Example:
        Router(config-isakmp)# authentication pre-share
        Router(config-isakmp)#
        Purpose: Specifies the authentication method used in the IKE policy. The example specifies a
        pre-shared key.
    Step 5  group {1 | 2 | 5}
        Example:
        Router(config-isakmp)# group 2
        Router(config-isakmp)#
        Purpose: Specifies the Diffie-Hellman group to be used in an IKE policy.
    Step 6  lifetime seconds
        Example:
        Router(config-isakmp)# lifetime 480
        Router(config-isakmp)#
        Purpose: Specifies the lifetime, from 60 to 86400 seconds, for an IKE security association (SA).
    Step 7  exit
        Example:
        Router(config-isakmp)# exit
        Router(config)#
        Purpose: Exits IKE policy configuration mode, and enters global configuration mode.
    Configure Group Policy Information
    To configure the group policy, perform these steps, beginning in global configuration mode:
    Step 1  crypto isakmp client configuration group {group-name | default}
        Example:
        Router(config)# crypto isakmp client configuration group rtr-remote
        Router(config-isakmp-group)#
        Purpose: Creates an IKE policy group containing attributes to be downloaded to the remote
        client. Also enters Internet Security Association Key and Management Protocol (ISAKMP) group
        policy configuration mode.
    Step 2  key name
        Example:
        Router(config-isakmp-group)# key secret-password
        Router(config-isakmp-group)#
        Purpose: Specifies the IKE pre-shared key for the group policy.
    Step 3  dns primary-server
        Example:
        Router(config-isakmp-group)# dns 10.50.10.1
        Router(config-isakmp-group)#
        Purpose: Specifies the primary Domain Name System (DNS) server for the group. You may also
        want to specify Windows Internet Naming Service (WINS) servers for the group by using the wins
        command.
    Step 4  domain name
        Example:
        Router(config-isakmp-group)# domain company.com
        Router(config-isakmp-group)#
        Purpose: Specifies group domain membership.
    Step 5  exit
        Example:
        Router(config-isakmp-group)# exit
        Router(config)#
        Purpose: Exits IKE group policy configuration mode, and enters global configuration mode.
    Step 6  ip local pool {default | poolname} [low-ip-address [high-ip-address]]
        Example:
        Router(config)# ip local pool dynpool 30.30.30.20 30.30.30.30
        Router(config)#
        Purpose: Specifies a local address pool for the group. For details about this command and
        additional parameters that can be set, see the Cisco IOS Dial Technologies Command Reference.
    Apply Mode Configuration to the Crypto Map
    To apply mode configuration to the crypto map, perform these steps, beginning in global configuration
    mode:
    Step 1  crypto map map-name isakmp authorization list list-name
        Example:
        Router(config)# crypto map dynmap isakmp authorization list rtr-remote
        Router(config)#
        Purpose: Applies mode configuration to the crypto map and enables key lookup (IKE queries) for
        the group policy from an authentication, authorization, and accounting (AAA) server.
    Step 2  crypto map tag client configuration address [initiate | respond]
        Example:
        Router(config)# crypto map dynmap client configuration address respond
        Router(config)#
        Purpose: Configures the router to reply to mode configuration requests from remote clients.
    Enable Policy Lookup
    To enable policy lookup through AAA, perform these steps, beginning in global configuration mode:
    Step 1  aaa new-model
        Example:
        Router(config)# aaa new-model
        Router(config)#
        Purpose: Enables the AAA access control model.
    Step 2  aaa authentication login {default | list-name} method1 [method2...]
        Example:
        Router(config)# aaa authentication login rtr-remote local
        Router(config)#
        Purpose: Specifies AAA authentication of selected users at login, and specifies the method used.
        This example uses a local authentication database. You could also use a RADIUS server for this.
        For details, see the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command
        Reference.
    Step 3  aaa authorization {network | exec | commands level | reverse-access | configuration}
            {default | list-name} [method1 [method2...]]
        Example:
        Router(config)# aaa authorization network rtr-remote local
        Router(config)#
        Purpose: Specifies AAA authorization of all network-related service requests, including PPP,
        and specifies the method of authorization. This example uses a local authorization database.
        You could also use a RADIUS server for this. For details, see the Cisco IOS Security
        Configuration Guide and Cisco IOS Security Command Reference.
    Step 4  username name {nopassword | password password | password encryption-type encrypted-password}
        Example:
        Router(config)# username Cisco password 0 Cisco
        Router(config)#
        Purpose: Establishes a username-based authentication system. This example creates the
        username Cisco with the password Cisco; encryption type 0 means the password is entered in
        clear text.
    Configure IPSec Transforms and Protocols
    A transform set represents a certain combination of security protocols and algorithms. During IKE
    negotiation, the peers agree to use a particular transform set for protecting data flow.
    During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at
    both peers. When a transform set is found that contains such a transform, it is selected and applied to the
    protected traffic as a part of both peers’ configurations.
    To specify the IPSec transform set and protocols, perform these steps, beginning in global configuration
    mode:
    Step 1  crypto ipsec profile profile-name
        Example:
        Router(config)# crypto ipsec profile pro1
        Router(config)#
        Purpose: Configures an IPSec profile to apply protection on the tunnel for encryption.
    Step 2  crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
        Example:
        Router(config)# crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
        Router(config)#
        Purpose: Defines a transform set—an acceptable combination of IPSec security protocols and
        algorithms. See the Cisco IOS Security Command Reference for detail about the valid transforms
        and combinations.
    Step 3  crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
        Example:
        Router(config)# crypto ipsec security-association lifetime seconds 86400
        Router(config)#
        Purpose: Specifies global lifetime values used when IPSec security associations are negotiated.
        See the Cisco IOS Security Command Reference for details.
    Configure the IPSec Crypto Method and Parameters
    A dynamic crypto map policy processes negotiation requests for new security associations from remote
    IPSec peers, even if the router does not know all the crypto map parameters (for example, IP address).
    To configure the IPSec crypto method, perform these steps, beginning in global configuration mode:
    Step 1  crypto dynamic-map dynamic-map-name dynamic-seq-num
        Example:
        Router(config)# crypto dynamic-map dynmap 1
        Router(config-crypto-map)#
        Purpose: Creates a dynamic crypto map entry and enters crypto map configuration mode. See the
        Cisco IOS Security Command Reference for more detail about this command.
    Step 2  set transform-set transform-set-name [transform-set-name2...transform-set-name6]
        Example:
        Router(config-crypto-map)# set transform-set vpn1
        Router(config-crypto-map)#
        Purpose: Specifies which transform sets can be used with the crypto map entry.
    Step 3  reverse-route
        Example:
        Router(config-crypto-map)# reverse-route
        Router(config-crypto-map)#
        Purpose: Creates source proxy information for the crypto map entry. See the Cisco IOS
        Security Command Reference for details.
    Step 4  exit
        Example:
        Router(config-crypto-map)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.
    Step 5  crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover]
            [profile profile-name]
        Example:
        Router(config)# crypto map static-map 1 ipsec-isakmp dynamic dynmap
        Router(config)#
        Purpose: Creates a crypto map profile.
    Apply the Crypto Map to the Physical Interface
    The crypto maps must be applied to each interface through which IPSec traffic flows. Applying the
    crypto map to the physical interface instructs the router to evaluate all the traffic against the security
    associations database. With the default configurations, the router provides secure connectivity by
    encrypting the traffic sent between remote sites. However, the public interface still allows the rest of the
    traffic to pass and provides connectivity to the Internet.
    To apply a crypto map to an interface, perform these steps, beginning in global configuration mode:
    Step 1  interface type number
        Example:
        Router(config)# interface fastethernet 4
        Router(config-if)#
        Purpose: Enters the interface configuration mode for the interface to which you want the crypto
        map applied.
    Step 2  crypto map map-name
        Example:
        Router(config-if)# crypto map static-map
        Router(config-if)#
        Purpose: Applies the crypto map to the interface. See the Cisco IOS Security Command Reference
        for more detail about this command.
    Step 3  exit
        Example:
        Router(config-if)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.
    Where to Go Next
    If you are creating a Cisco Easy VPN remote configuration, go to the “Create a Cisco Easy VPN Remote
    Configuration” section on page 6-14.
    If you are creating a site-to-site VPN using IPSec tunnels and GRE, go to the “Configure a Site-to-Site
    GRE Tunnel” section on page 6-16.
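    The IKE policy and transform-set matching described in the "Configure the IKE Policy" and "Configure IPSec Transforms and Protocols" sections above, modelled in Python as an added example (this is not code from the manual or from Cisco IOS): each peer tries its ISAKMP policies in priority order, and a pair matches only when encryption, hash, authentication method and Diffie-Hellman group all agree, with the shorter of the two lifetimes used; the transform sets listed on a crypto map entry are then compared in order and the first set of transforms configured on both peers is chosen. The local values are those of this page's steps; the remote router's policies and transform sets are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <priority>' entry; 1 is the highest priority."""
    priority: int
    encryption: str        # des | 3des | aes | aes 192 | aes 256
    hash_alg: str          # md5 | sha   (the "hash" keyword)
    authentication: str    # pre-share | rsa-sig | rsa-encr
    group: int             # Diffie-Hellman group 1, 2 or 5
    lifetime: int = 86400  # seconds; the IOS default when "lifetime" is not configured


# Built from the commands in the "Configure the IKE Policy" steps on this page.
LOCAL_POLICIES = [IsakmpPolicy(1, "3des", "md5", "pre-share", 2, 480)]

# The other endpoint's policies are an assumption for this example: it prefers a
# stronger policy (10) but still offers a legacy one (20) that matches ours.
REMOTE_POLICIES = [
    IsakmpPolicy(10, "aes 256", "sha", "pre-share", 5, 3600),
    IsakmpPolicy(20, "3des", "md5", "pre-share", 2),
]


def negotiate_isakmp(local, remote) -> Optional[dict]:
    """Try the local policies in priority order against the remote ones in priority
    order and return the first pair that agrees on encryption, hash, authentication
    and DH group. The shorter of the two lifetimes is used. None means IKE phase 1
    cannot complete, so no IPsec SA will ever be built."""
    for l in sorted(local, key=lambda p: p.priority):
        for r in sorted(remote, key=lambda p: p.priority):
            if (l.encryption, l.hash_alg, l.authentication, l.group) == \
               (r.encryption, r.hash_alg, r.authentication, r.group):
                return {"encryption": l.encryption, "hash": l.hash_alg,
                        "authentication": l.authentication, "group": l.group,
                        "lifetime": min(l.lifetime, r.lifetime),
                        "local_policy": l.priority, "remote_policy": r.priority}
    return None


# Transform sets as listed on a crypto map entry ("set transform-set a b ..."), in
# order of preference. The name is local to each router; only the transforms count.
LOCAL_TRANSFORM_SETS = [("vpn1", ("esp-3des", "esp-sha-hmac"))]           # from the page
REMOTE_TRANSFORM_SETS = [("strong", ("esp-aes 256", "esp-sha-hmac")),    # assumed
                         ("legacy", ("esp-3des", "esp-sha-hmac"))]


def negotiate_transform_set(local_sets, remote_sets):
    """Return (local name, transforms) for the first local set whose transforms are
    also configured on the remote peer, or None if the peers share no transform set."""
    remote = {frozenset(t) for _, t in remote_sets}
    for name, transforms in local_sets:
        if frozenset(transforms) in remote:
            return name, tuple(transforms)
    return None


if __name__ == "__main__":
    print(negotiate_isakmp(LOCAL_POLICIES, REMOTE_POLICIES))
    print(negotiate_transform_set(LOCAL_TRANSFORM_SETS, REMOTE_TRANSFORM_SETS))
    # A peer offering only the stronger transform set matches nothing: the IKE SA
    # comes up, but phase 2 fails until one side adds a transform set both accept.
    print(negotiate_transform_set(LOCAL_TRANSFORM_SETS, REMOTE_TRANSFORM_SETS[:1]))
```

    Running the script shows that the page's policy 1 is matched by the assumed peer's lower-priority policy 20 rather than by its AES policy, with the 480-second lifetime from this router, and that a peer offering only the esp-aes 256 transform set never reaches phase 2 with the vpn1 transform set: that is the first thing to check when the IKE SA is established but no IPsec SA appears.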
    Create a Cisco Easy VPN Remote Configuration
    The router acting as the Cisco Easy VPN client must create a Cisco Easy VPN remote configuration and 
    assign it to the outgoing interface. 
    To create the remote configuration, perform these steps, beginning in global configuration mode:
    Step 1  crypto ipsec client ezvpn name
        Example:
        Router(config)# crypto ipsec client ezvpn ezvpnclient
        Router(config-crypto-ezvpn)#
        Purpose: Creates a Cisco Easy VPN remote configuration, and enters Cisco Easy VPN remote
        configuration mode.
    Step 2  group group-name key group-key
        Example:
        Router(config-crypto-ezvpn)# group ezvpnclient key secret-password
        Router(config-crypto-ezvpn)#
        Purpose: Specifies the IPSec group and IPSec key value for the VPN connection.
    Step 3  peer {ipaddress | hostname}
        Example:
        Router(config-crypto-ezvpn)# peer 192.168.100.1
        Router(config-crypto-ezvpn)#
        Purpose: Specifies the peer IP address or hostname for the VPN connection.
        Note: A hostname can be specified only when the router has a DNS server available for hostname
        resolution.
        Note: Use this command to configure multiple peers for use as backup. If one peer goes down,
        the Easy VPN tunnel is established with the second available peer. When the primary peer comes
        up again, the tunnel is reestablished with the primary peer.
    Step 4  mode {client | network-extension | network extension plus}
        Example:
        Router(config-crypto-ezvpn)# mode client
        Router(config-crypto-ezvpn)#
        Purpose: Specifies the VPN mode of operation.
    Step 5  exit
        Example:
        Router(config-crypto-ezvpn)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.
    Step 6  crypto isakmp keepalive seconds
        Example:
        Router(config)# crypto isakmp keepalive 10
        Router(config)#
        Purpose: Enables dead peer detection messages. Time between messages is given by seconds, with
        a range of 10 to 3600.
    Step 7  interface type number
        Example:
        Router(config)# interface fastethernet 4
        Router(config-if)#
        Purpose: Enters the interface configuration mode for the interface to which you want the Cisco
        Easy VPN remote configuration applied.
        Note: For routers with an ATM WAN interface, this command would be interface atm 0.
    Step 8  crypto ipsec client ezvpn name [outside | inside]
        Example:
        Router(config-if)# crypto ipsec client ezvpn ezvpnclient outside
        Router(config-if)#
        Purpose: Assigns the Cisco Easy VPN remote configuration to the WAN interface, causing the
        router to automatically create the NAT or port address translation (PAT) and access list
        configuration needed for the VPN connection.
    Step 9  exit
        Example:
        Router(config-if)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.
    Configuration Example
    The following configuration example shows a portion of the configuration file for the VPN and IPSec
    tunnel described in this chapter.
    !
    aaa new-model
    !
    aaa authentication login rtr-remote local
    aaa authorization network rtr-remote local
    aaa session-id common
    !
    username Cisco password 0 Cisco
    !
    crypto isakmp policy 1
     encryption 3des
     authentication pre-share
     group 2
     lifetime 480
    !
    crypto isakmp client configuration group rtr-remote
     key secret-password
     dns 10.50.10.1 10.60.10.1
     domain company.com
     pool dynpool
    !
    crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
    !
    crypto ipsec security-association lifetime seconds 86400
    !
    crypto dynamic-map dynmap 1
     set transform-set vpn1
     reverse-route
    !
    crypto map static-map 1 ipsec-isakmp dynamic dynmap
    crypto map dynmap isakmp authorization list rtr-remote
    crypto map dynmap client configuration address respond
    crypto ipsec client ezvpn ezvpnclient
     connect auto
     group 2 key secret-password
     mode client
     peer 192.168.100.1
    !
    interface fastethernet 4
     crypto ipsec client ezvpn ezvpnclient outside
     crypto map static-map
    !
    interface vlan 1
     crypto ipsec client ezvpn ezvpnclient inside
    !
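    As an added example (not code from the manual or from Cisco), the following Python script runs a small review over the IKE policy, user, transform-set, crypto map and interface lines of the configuration example above, written the way show running-config prints subcommands (indented by one space). It applies the documented IOS defaults for keywords a policy omits (the page states that the hash default is SHA-1), reports the choices a reviewer would question (DES or 3DES, MD5, Diffie-Hellman groups 1 and 2, pre-shared-key authentication, and a type 0 or type 7 username password), and lists the interfaces each crypto map is applied to. The finding codes and the sets of weak settings are this example's own conventions.

```python
import re

# The relevant lines of the manual's configuration example above; values are the page's own.
PAGE_CONFIG = """\
username Cisco password 0 Cisco
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 480
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
interface fastethernet 4
 crypto ipsec client ezvpn ezvpnclient outside
 crypto map static-map
!
interface vlan 1
 crypto ipsec client ezvpn ezvpnclient inside
!
"""

# Example's own choice of what to report; adjust to the policy of the site.
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_ESP_ENCRYPTION = {"esp-des", "esp-3des"}
WEAK_DH_GROUPS = {"1", "2"}


def parse_blocks(config):
    """Split IOS-style configuration text into (header, [subcommands]) pairs.
    Indented lines belong to the most recent unindented line; '!' separates blocks."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def split_transforms(words):
    """Re-join a key size with its transform: 'esp-aes', '256' -> 'esp-aes 256'."""
    out = []
    for w in words:
        if w.isdigit() and out:
            out[-1] += " " + w
        else:
            out.append(w)
    return out


def audit(config):
    """Return (block header, finding code, detail) triples for settings a reviewer
    would question in the IKE policy, transform-set and local-user parts of a config."""
    findings = []
    for header, subs in parse_blocks(config):
        words = header.split()
        if header.startswith("crypto isakmp policy "):
            attrs = {s.split()[0]: " ".join(s.split()[1:]) for s in subs}
            # IOS defaults when a keyword is absent: des, sha (SHA-1), group 1, rsa-sig
            enc = attrs.get("encryption", "des")
            hsh = attrs.get("hash", "sha")
            grp = attrs.get("group", "1")
            auth = attrs.get("authentication", "rsa-sig")
            if enc in WEAK_IKE_ENCRYPTION:
                findings.append((header, "weak-encryption", enc))
            if hsh == "md5":
                findings.append((header, "weak-hash", hsh))
            if grp in WEAK_DH_GROUPS:
                findings.append((header, "weak-dh-group", grp))
            if auth == "pre-share":
                findings.append((header, "pre-shared-key-auth", auth))
        elif header.startswith("crypto ipsec transform-set "):
            transforms = split_transforms(words[4:])   # words[3] is the set name
            for t in transforms:
                if t in WEAK_ESP_ENCRYPTION:
                    findings.append((header, "weak-encryption", t))
                if t == "esp-md5-hmac":
                    findings.append((header, "weak-hash", t))
            if not any(t.endswith("-hmac") for t in transforms):
                findings.append((header, "no-integrity-transform", " ".join(transforms)))
        elif header.startswith("username "):
            m = re.match(r"username \S+ password (\d+) ", header)
            if m and m.group(1) in ("0", "7"):  # type 0 is clear text, type 7 is reversible
                findings.append((header, "reversible-password", "type " + m.group(1)))
    return findings


def crypto_map_interfaces(config):
    """Map each crypto map name to the interfaces it is applied on, so a reviewer can
    confirm it sits on the public (outside) interface and nowhere else."""
    applied = {}
    for header, subs in parse_blocks(config):
        if header.startswith("interface "):
            for s in subs:
                if s.startswith("crypto map "):
                    applied.setdefault(s.split()[2], []).append(header.split(" ", 1)[1])
    return applied


if __name__ == "__main__":
    for where, code, detail in audit(PAGE_CONFIG):
        print(f"{code:24} {detail:12} in '{where}'")
    print(crypto_map_interfaces(PAGE_CONFIG))
```

    On the page's own example the script reports 3DES and group 2 in ISAKMP policy 1, pre-shared-key authentication, esp-3des in transform set vpn1 and the type 0 password of user Cisco, and confirms that static-map is applied only on fastethernet 4; because the example sets no hash, the SHA-1 default is applied and nothing is reported for it.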
    Configure a Site-to-Site GRE Tunnel
    To configure a GRE tunnel, perform these steps, beginning in global configuration mode:
    Step 1  interface type number
        Example:
        Router(config)# interface tunnel 1
        Router(config-if)#
        Purpose: Creates a tunnel interface and enters interface configuration mode.
    Step 2  ip address ip-address mask
        Example:
        Router(config-if)# ip address 10.62.1.193 255.255.255.252
        Router(config-if)#
        Purpose: Assigns an address to the tunnel.
    Step 3  tunnel source interface-type number
        Example:
        Router(config-if)# tunnel source fastethernet 0
        Router(config-if)#
        Purpose: Specifies the source endpoint of the router for the GRE tunnel.
    						