Cisco Router As A Vpn Server

Date post: 25-Jan-2015
Upload: mmoizuddin
Page 1: Cisco Router As A Vpn Server

Cisco Router as a VPN Server

Page 2: Cisco Router As A Vpn Server

Agenda

• VPN
• Categories of VPN
  – Secure VPNs
  – Trusted VPNs
• Hardware / Software Requirement
• Network Diagram
• Basic Router Configuration
• Configuring AAA Server
• Virtual Template
• VPDN
• IPSec

Page 3: Cisco Router As A Vpn Server

What is VPN?

A virtual private network (VPN) is a computer network that is implemented in an additional logical layer (overlay) on top of an existing network. It has the purpose of creating a private scope of computer communications or providing a secure extension of a private network into an insecure network such as the Internet.

http://en.wikipedia.org/wiki/Virtual_private_network

Page 4: Cisco Router As A Vpn Server

Categories of VPN

VPN technologies may be classified by many criteria.

Two broad categories of VPN are:

– Secure VPNs

– Trusted VPNs

Page 5: Cisco Router As A Vpn Server

Secure VPNs

• Provide mechanisms for authentication of the tunnel endpoints and encryption of the traffic.
• Provide remote access facilities to employees.
• Connect multiple networks together securely, using the Internet to carry the traffic.
• Secure VPN protocols include IPSec, SSL or PPTP (with MPPE).
• Do not provide QoS or routing.

Page 6: Cisco Router As A Vpn Server

Trusted VPNs

• Created by carriers and large organizations on large core networks.
• Provide Quality of Service.
• Trusted VPN protocols include MPLS, ATM or Frame Relay.
• Do not provide security features such as data confidentiality through encryption.

Page 7: Cisco Router As A Vpn Server

Hardware / Software Requirements

• Cisco Integrated Services Router with 12.4 Advanced Enterprise IOS.
• Ethernet cables (crossover).
• PCs / laptops.
• Cisco VPN Client (v5.0.06.0110).
• Cisco Security Device Manager (SDM, for GUI-based configuration).
• Java Runtime Environment (for SDM).

Page 8: Cisco Router As A Vpn Server

Network Diagram

Page 9: Cisco Router As A Vpn Server

Basic Router Configuration

• Creating local login users for VPN:

Router(config)# username [loginID] privilege [1-15] password 0 [password]

• Configure Fast Ethernet interfaces:

Router# config t
Router(config)# int f0/0
Router(config-if)# description Internal LAN (192.168.0.0/24)
Router(config-if)# ip address 192.168.0.254 255.255.255.0
Router(config-if)# no shut
Router(config-if)# int f0/1
Router(config-if)# description VPN INT (10.1.1.0/24)
Router(config-if)# ip address 10.1.1.254 255.255.255.0
Router(config-if)# no shut

Page 10: Cisco Router As A Vpn Server

Basic Router Configuration (contd)

• Configure routing protocol:

Router# config t
Router(config)# router eigrp 1
Router(config-router)# network 192.168.0.0
Router(config-router)# network 172.16.1.0
Router(config-router)# network 10.0.0.0

• IP pool (addresses handed out to VPN clients):

Router(config)# ip local pool ip_pool 172.16.1.10 172.16.1.20

Page 11: Cisco Router As A Vpn Server

Configuring AAA

• aaa new-model
Enables the authentication, authorization, and accounting (AAA) access control model.

Router(config)# aaa new-model

• aaa session-id [common | unique]
Ensures that all session identification (ID) information that is sent out for a given call will be made identical. The default behavior is common.

Router(config)# aaa session-id common

Page 12: Cisco Router As A Vpn Server

Configuring AAA (contd)

• aaa authentication login [list-name] local
Sets AAA authentication at login. The 'local' keyword tells AAA to use the local username database for authentication.

Router(config)# aaa authentication login vpn_xauth local

• aaa authorization network [list-name] local
Creates a list for authorization of all network-related service requests. The 'local' keyword tells AAA to use the local username database.

Router(config)# aaa authorization network vpn_group local

Page 13: Cisco Router As A Vpn Server

Virtual Template

• A virtual template interface is a logical entity that is created and configured dynamically, used, and then freed when no longer needed.

• Requires the same amount of memory as a serial interface.

• Cisco routers support a maximum of 300 virtual interfaces.

Page 14: Cisco Router As A Vpn Server

Benefits of Virtual Template

• For easier maintenance, allows customized configurations to be predefined.

• For scalability, allows interface configuration to be separated from physical interfaces.

• For consistency and configuration ease, allows the same predefined template to be used for all users.

• For efficient router operation, frees the virtual access interface memory for another dial-in use when the user's call ends.

Page 15: Cisco Router As A Vpn Server

Configuring Virtual Template

Router#config t

Router(config)# interface Virtual-Template1

Router(config-if)# ip unnumbered FastEthernet0/1

Router(config-if)# no peer default ip address

Router(config-if)# ppp encrypt mppe auto required

Router(config-if)# ppp authentication ms-chap ms-chap-v2

Page 16: Cisco Router As A Vpn Server

VPDN

• A virtual private dial-up network (VPDN) allows a private network dial-in service to span across to remote access servers (defined as the L2TP Access Concentrator [LAC]).

• The LAC forwards the PPP session on to an L2TP Network Server (LNS). The LNS then authenticates the user and starts the PPP negotiation.

• VPDN uses the Layer 2 Forwarding protocol (L2F), which permits the tunneling of link-level frames.

Page 17: Cisco Router As A Vpn Server

Configuring VPDN

• vpdn enable
Enables virtual private dial-up networking.

Router(config)# vpdn enable

• vpdn-group [group name]
Creates a VPDN group which specifies the protocol, dial-up mode and virtual template interface.

Router(config)# vpdn-group VPN_Server
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol pptp
Router(config-vpdn-acc-in)# virtual-template 1

Page 18: Cisco Router As A Vpn Server

IPSec

• Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications.

• IPsec uses the following protocols to perform various functions:
  – Internet Key Exchange (IKE and IKEv2) to set up a security association (SA).
  – Authentication Header (AH) to provide connectionless integrity.
  – Encapsulating Security Payload (ESP) to provide confidentiality.

Page 19: Cisco Router As A Vpn Server

Configuring IPSec based VPN

• crypto isakmp policy [priority]
Defines an Internet Key Exchange (IKE) policy. IKE policies define a set of parameters to be used during the IKE negotiation.

Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encr 3des
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2

Page 20: Cisco Router As A Vpn Server

Configuring IPSec based VPN (contd)

• sh crypto isakmp policy
The command below lists the policy created by the commands on the previous slide.

Router# sh crypto isakmp policy

Global IKE policy
Protection suite of priority 1
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit

Page 21: Cisco Router As A Vpn Server

Configuring IPSec based VPN (contd)

• crypto isakmp client configuration group [name]
Specifies which group's policy profile will be defined, by defining the group key and the IP address pool.

Router(config)# crypto isakmp client configuration group ipsec_group
Router(config-isakmp-group)# key ipsec
Router(config-isakmp-group)# pool ip_pool
Router(config-isakmp-group)# netmask 255.255.255.255

Page 22: Cisco Router As A Vpn Server

Configuring IPSec based VPN (contd)

• crypto ipsec transform-set
A transform set specifies the encryption and authentication algorithms used to protect the data in the VPN tunnel. The dynamic map then references the transform set.

Router(config)# crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Router(cfg-crypto-trans)# exit
Router(config)# crypto dynamic-map DYNMAP 1
Router(config-crypto-map)# set transform-set ESP-3DES-SHA

Resulting transform set:

Transform Set:
Name: ESP-3DES-SHA1
ESP Encryption: ESP_3DES
ESP Integrity: ESP_SHA_HMAC

Page 23: Cisco Router As A Vpn Server

Configuring IPSec based VPN (contd)

• crypto map
Creates a crypto profile that provides a template for configuration. The client authentication list must name the aaa authentication login list defined earlier (vpn_xauth), and the crypto map must reference the dynamic map from the previous slide and respond to client address requests before it is applied to the VPN interface.

Router(config)# crypto map CMAP client authentication list vpn_xauth
Router(config)# crypto map CMAP isakmp authorization list vpn_group
Router(config)# crypto map CMAP client configuration address respond
Router(config)# crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
Router(config)# int f0/1
Router(config-if)# crypto map CMAP
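As an added example that is not part of the original deck, the following Python script audits the IOS fragments built on the IKE policy, transform set and crypto map slides (plus the PPTP/MS-CHAP settings from the VPDN and virtual template slides). It flags the weak algorithms the deck uses and checks that every AAA list the crypto map references is actually defined, which catches the vpn_auth / vpn_xauth mismatch. The config text is constructed for the example and the suggested replacements are this editor's recommendations, not the deck's.

```python
import re

# Constructed sample, not a captured device: the fragments this deck configures, including
# the vpn_auth / vpn_xauth list-name mismatch between the AAA and crypto map slides.
SAMPLE_CONFIG = """\
username vpnuser privilege 1 password 0 vpnpass
aaa authentication login vpn_xauth local
aaa authorization network vpn_group local
vpdn-group VPN_Server
 accept-dialin
  protocol pptp
interface Virtual-Template1
 ppp authentication ms-chap ms-chap-v2
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group ipsec_group
 key ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map CMAP client authentication list vpn_auth
crypto map CMAP isakmp authorization list vpn_group
"""

# (regex on one whitespace-stripped line, finding); the suggested replacements are this editor's
WEAK_PATTERNS = [
    (r"^username \S+ .*password 0 ", "cleartext 'password 0'; use 'secret' instead"),
    (r"^encr(yption)? 3des$", "IKE policy uses 3DES; use 'encr aes 256'"),
    (r"^group [125]$", "IKE DH group 1/2/5 is too small; use group 14 or higher"),
    (r"^crypto ipsec transform-set .*esp-3des", "transform set uses 3DES; use esp-aes 256"),
    (r"^crypto ipsec transform-set .*esp-(md5|sha)-hmac", "transform set uses MD5/SHA-1 HMAC; use esp-sha256-hmac"),
    (r"^protocol pptp$", "PPTP (MPPE keyed from MS-CHAP) is obsolete; prefer IPsec"),
    (r"^ppp authentication .*\bms-chap\b(?!-v2)", "MS-CHAPv1 is allowed; permit ms-chap-v2 only"),
    (r"^key \S+$", "group pre-shared key stored in running-config; prefer certificates"),
]

def audit(config: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs for weak settings and dangling AAA list references."""
    findings, login_lists, network_lists = [], set(), set()
    lines = [(n, raw.strip()) for n, raw in enumerate(config.splitlines(), 1)]
    for num, line in lines:
        findings += [(num, msg) for pat, msg in WEAK_PATTERNS if re.search(pat, line)]
        m = re.match(r"^aaa (authentication login|authorization network) (\S+)", line)
        if m:  # remember which named AAA method lists exist
            (login_lists if m.group(1).startswith("authentication") else network_lists).add(m.group(2))
    for num, line in lines:  # second pass, since the crypto map may precede the aaa lines
        m = re.match(r"^crypto map \S+ (client authentication|isakmp authorization) list (\S+)", line)
        if m and m.group(2) not in (login_lists if m.group(1).startswith("client") else network_lists):
            findings.append((num, f"crypto map references undefined AAA list '{m.group(2)}'"))
    return findings
```

Calling audit(SAMPLE_CONFIG) returns nine findings for the sample, one of them the undefined vpn_auth list on the crypto map line; the checks are line-based, so context (which submode a line sits in) is only approximate.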

Page 24: Cisco Router As A Vpn Server

Live Demonstration

