Cisco Systems Router 1800 Series User Manual
Cisco 1800 Series Integrated Services Routers (Fixed) Software Configuration Guide
OL-6426-02

Chapter 6      Configuring a VPN Using Easy VPN and an IPSec Tunnel

Perform these steps to specify the IPSec transform set and protocols, beginning in global configuration mode:

Step 1  crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
        Example:
        Router(config)# crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
        Router(config)#
        Purpose: Defines a transform set—an acceptable combination of IPSec security protocols and algorithms. See the Cisco IOS Security Command Reference for detail about the valid transforms and combinations.

Step 2  crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
        Example:
        Router(config)# crypto ipsec security-association lifetime seconds 86400
        Router(config)#
        Purpose: Specifies global lifetime values used when IPSec security associations are negotiated. See the Cisco IOS Security Command Reference for details.

Note: With manually established security associations, there is no negotiation with the peer, and both sides must specify the same transform set.
Configure the IPSec Crypto Method and Parameters

A dynamic crypto map policy processes negotiation requests for new security associations from remote IPSec peers, even if the router does not know all the crypto map parameters (for example, IP address).

Perform these steps to configure the IPSec crypto method, beginning in global configuration mode:

Step 1  crypto dynamic-map dynamic-map-name dynamic-seq-num
        Example:
        Router(config)# crypto dynamic-map dynmap 1
        Router(config-crypto-map)#
        Purpose: Creates a dynamic crypto map entry and enters crypto map configuration mode. See the Cisco IOS Security Command Reference for more detail about this command.

Step 2  set transform-set transform-set-name [transform-set-name2 ... transform-set-name6]
        Example:
        Router(config-crypto-map)# set transform-set vpn1
        Router(config-crypto-map)#
        Purpose: Specifies which transform sets can be used with the crypto map entry.

Step 3  reverse-route
        Example:
        Router(config-crypto-map)# reverse-route
        Router(config-crypto-map)#
        Purpose: Creates source proxy information for the crypto map entry. See the Cisco IOS Security Command Reference for details.

Step 4  exit
        Example:
        Router(config-crypto-map)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.

Step 5  crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
        Example:
        Router(config)# crypto map static-map 1 ipsec-isakmp dynamic dynmap
        Router(config)#
        Purpose: Creates a crypto map profile.

Apply the Crypto Map to the Physical Interface

The crypto maps must be applied to each interface through which IP Security (IPSec) traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites. However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet.

Perform these steps to apply a crypto map to an interface, beginning in global configuration mode:

Step 1  interface type number
        Example:
        Router(config)# interface fastethernet 0
        Router(config-if)#
        Purpose: Enters the interface configuration mode for the interface to which you want the crypto map applied.
    						
    							 
Step 2  crypto map map-name
        Example:
        Router(config-if)# crypto map static-map
        Router(config-if)#
        Purpose: Applies the crypto map to the interface. See the Cisco IOS Security Command Reference for more detail about this command.

Step 3  exit
        Example:
        Router(config-if)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.

Create an Easy VPN Remote Configuration

The router acting as the IPSec remote router must create an Easy VPN remote configuration and assign it to the outgoing interface.

Perform these steps to create the remote configuration, beginning in global configuration mode:

Step 1  crypto ipsec client ezvpn name
        Example:
        Router(config)# crypto ipsec client ezvpn ezvpnclient
        Router(config-crypto-ezvpn)#
        Purpose: Creates a Cisco Easy VPN remote configuration, and enters Cisco Easy VPN remote configuration mode.

Step 2  group group-name key group-key
        Example:
        Router(config-crypto-ezvpn)# group ezvpnclient key secret-password
        Router(config-crypto-ezvpn)#
        Purpose: Specifies the IPSec group and IPSec key value for the VPN connection.

Step 3  peer {ipaddress | hostname}
        Example:
        Router(config-crypto-ezvpn)# peer 192.168.100.1
        Router(config-crypto-ezvpn)#
        Purpose: Specifies the peer IP address or hostname for the VPN connection.
        Note: A hostname can be specified only when the router has a DNS server available for hostname resolution.

Step 4  mode {client | network-extension | network extension plus}
        Example:
        Router(config-crypto-ezvpn)# mode client
        Router(config-crypto-ezvpn)#
        Purpose: Specifies the VPN mode of operation.
    						
    							 
Step 5  exit
        Example:
        Router(config-crypto-ezvpn)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.

Step 6  interface type number
        Example:
        Router(config)# interface fastethernet 0
        Router(config-if)#
        Purpose: Enters interface configuration mode.
        Note: For routers with an ATM WAN interface, this command would be interface atm 0.

Step 7  crypto ipsec client ezvpn name [outside | inside]
        Example:
        Router(config-if)# crypto ipsec client ezvpn ezvpnclient outside
        Router(config-if)#
        Purpose: Assigns the Cisco Easy VPN remote configuration to the WAN interface, causing the router to automatically create the NAT or PAT and access list configuration needed for the VPN connection.

Step 8  exit
        Example:
        Router(config-if)# exit
        Router(config)#
        Purpose: Returns to global configuration mode.

Verifying Your Easy VPN Configuration

Router# show crypto ipsec client ezvpn
Tunnel name :ezvpnclient
Inside interface list:vlan 1
Outside interface:fastethernet 0
Current State:IPSEC_ACTIVE
Last Event:SOCKET_UP
Address:8.0.0.5
Mask:255.255.255.255
Default Domain:cisco.com

Configuration Example

The following configuration example shows a portion of the configuration file for the VPN and IPSec tunnel described in this chapter.

!
aaa new-model
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
aaa session-id common
!
username Cisco password 0 Cisco
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group rtr-remote
 key secret-password
 dns 10.50.10.1 10.60.10.1
 domain company.com
 pool dynpool
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec security-association lifetime seconds 86400
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
crypto ipsec client ezvpn ezvpnclient
 connect auto
 group 2 key secret-password
 mode client
 peer 192.168.100.1
!
interface fastethernet 0
 crypto ipsec client ezvpn ezvpnclient outside
 crypto map static-map
!
interface vlan 1
 crypto ipsec client ezvpn ezvpnclient inside
!
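As an added example that is not part of the Cisco guide, the following Python script parses the crypto portion of the configuration example above and checks the wiring the preceding procedures build: that the transform set the dynamic map names exists, that the crypto map references an existing dynamic map, that the crypto map is actually applied to an interface (the point of the "Apply the Crypto Map to the Physical Interface" procedure: an unapplied crypto map encrypts nothing), and that the Easy VPN remote configuration has an outside interface. The configuration text is re-typed from the guide with the one-space indentation IOS uses; the parser, the check names and the finding wording are this example's own, and the treatment of a missing outside/inside keyword as "outside" is an assumption.

```python
"""Consistency check of an Easy VPN / IPSec crypto configuration.

Added example, not part of the Cisco guide. It parses an IOS-style
running-config fragment and checks that every reference resolves and that
the crypto map and the Easy VPN remote configuration are bound to
interfaces. Names such as vpn1, dynmap, static-map and ezvpnclient come
from the guide; the function and variable names are this example's own.
"""

# Constructed input: the crypto part of the guide's configuration example.
SAMPLE_CONFIG = """\
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto ipsec client ezvpn ezvpnclient
 mode client
 peer 192.168.100.1
!
interface fastethernet 0
 crypto ipsec client ezvpn ezvpnclient outside
 crypto map static-map
!
interface vlan 1
 crypto ipsec client ezvpn ezvpnclient inside
!
"""


def parse_blocks(config):
    """Split an IOS config into (top-level command, [sub-commands]) pairs."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue                      # separators carry no configuration
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(line)    # indented: belongs to the open block
        elif not raw.startswith(" "):
            blocks.append((line, []))     # unindented: opens a new block
    return blocks


def audit(config):
    """Return a list of findings; an empty list means the wiring is consistent."""
    transform_sets, ezvpn_names = set(), set()
    dynamic_maps, crypto_maps = {}, {}      # name -> sub-commands / name -> dynamic maps used
    applied_maps, ezvpn_bindings = {}, {}   # interface -> map / ezvpn -> {side: [interfaces]}

    for cmd, subs in parse_blocks(config):
        w = cmd.split()
        if cmd.startswith("crypto ipsec transform-set "):
            transform_sets.add(w[3])
        elif cmd.startswith("crypto dynamic-map "):
            dynamic_maps[w[2]] = subs
        elif cmd.startswith("crypto map ") and "ipsec-isakmp" in w:
            refs = crypto_maps.setdefault(w[2], set())
            if "dynamic" in w:
                refs.add(w[w.index("dynamic") + 1])
        elif cmd.startswith("crypto ipsec client ezvpn "):
            ezvpn_names.add(w[4])
        elif cmd.startswith("interface "):
            intf = " ".join(w[1:])
            for sub in subs:
                sw = sub.split()
                if sub.startswith("crypto map "):
                    applied_maps[intf] = sw[2]
                elif sub.startswith("crypto ipsec client ezvpn "):
                    side = sw[5] if len(sw) > 5 else "outside"   # assumed default side
                    ezvpn_bindings.setdefault(sw[4], {}).setdefault(side, []).append(intf)

    findings = []
    for name, subs in dynamic_maps.items():          # transform sets must exist
        for sub in subs:
            if sub.startswith("set transform-set "):
                findings += [f"dynamic-map {name} references unknown transform-set {ts}"
                             for ts in sub.split()[2:] if ts not in transform_sets]
    for name, refs in crypto_maps.items():           # dynamic maps must exist
        findings += [f"crypto map {name} references unknown dynamic-map {dm}"
                     for dm in refs if dm not in dynamic_maps]
    for name in crypto_maps:                         # an unapplied crypto map protects nothing
        if name not in applied_maps.values():
            findings.append(f"crypto map {name} is not applied to any interface")
    for intf, name in applied_maps.items():
        if name not in crypto_maps:
            findings.append(f"interface {intf} applies unknown crypto map {name}")
    for name in ezvpn_names:                         # Easy VPN needs an outside interface
        if not ezvpn_bindings.get(name, {}).get("outside"):
            findings.append(f"ezvpn {name} has no outside interface")
    for name in ezvpn_bindings:
        if name not in ezvpn_names:
            findings.append(f"interface binds unknown ezvpn configuration {name}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["configuration is consistent"]:
        print(line)
```

To run it against a real device, replace SAMPLE_CONFIG with the text of a captured show running-config; a non-empty findings list points at a crypto map or Easy VPN configuration that the router holds but never uses, which is exactly the case in which the public interface keeps passing traffic without encryption.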
    						
    							
Chapter 7      Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

The Cisco 1800 series integrated services fixed-configuration routers support the creation of virtual private networks (VPNs).

Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections which perform a high level of authentication and which encrypt the data between two particular endpoints.

Two types of VPNs are supported—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.

The example in this chapter illustrates the configuration of a site-to-site VPN that uses IPSec and the generic routing encapsulation (GRE) protocol to secure the connection between the branch office and the corporate network.

Figure 7-1 shows a typical deployment scenario.

Figure 7-1  Site-to-Site VPN Using an IPSec Tunnel and GRE
[Figure: network diagram with numbered callouts 1 through 9, described below.]

1  Branch office containing multiple LANs and VLANs
2  Fast Ethernet LAN interface—With address 192.165.0.0/16 (also the inside interface for NAT)
3  VPN client—Cisco 1800 series integrated services router
4  Fast Ethernet or ATM interface—With address 200.1.1.1 (also the outside interface for NAT)
5  LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1
6  VPN client—Another router, which controls access to the corporate network
    						
    							 
7  LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1
8  Corporate office network
9  IPSec tunnel with GRE

GRE Tunnels

GRE tunnels are typically used to establish a VPN between the Cisco router and a remote device that controls access to a private network, such as a corporate network. Traffic forwarded through the GRE tunnel is encapsulated and routed out onto the physical interface of the router. When a GRE interface is used, the Cisco router and the router that controls access to the corporate network can support dynamic IP routing protocols to exchange routing updates over the tunnel, and to enable IP multicast traffic. Supported IP routing protocols include Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).

Note: When IP Security (IPSec) is used with GRE, the access list for encrypting traffic does not list the desired end network and applications, but instead refers to the permitted source and destination of the GRE tunnel in the outbound direction. All packets forwarded to the GRE tunnel are encrypted if no further access control lists (ACLs) are applied to the tunnel interface.

VPNs

VPN configuration information must be configured on both endpoints; for example, on your Cisco router and at the remote user, or on your Cisco router and on another router. You must specify parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address Translation (NAT).

Configuration Tasks

Perform the following tasks to configure this network scenario:
•  Configure a VPN
•  Configure a GRE Tunnel

An example showing the results of these configuration tasks is shown in the section “Configuration Example.”

Note: The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT, DHCP, and VLANs. If you have not performed these configuration tasks, see Chapter 1, “Basic Router Configuration,” Chapter 3, “Configuring PPP over Ethernet with NAT,” Chapter 4, “Configuring PPP over ATM with NAT,” and Chapter 5, “Configuring a LAN with DHCP and VLANs,” as appropriate for your router.
    						
    							 
Configure a VPN

Perform the following tasks to configure a VPN over an IPSec tunnel:
•  Configure the IKE Policy
•  Configure Group Policy Information
•  Enable Policy Lookup
•  Configure IPSec Transforms and Protocols
•  Configure the IPSec Crypto Method and Parameters
•  Apply the Crypto Map to the Physical Interface

Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode:

Step 1  crypto isakmp policy priority
        Example:
        Router(config)# crypto isakmp policy 1
        Router(config-isakmp)#
        Purpose: Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest. Also enters Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode.

Step 2  encryption {des | 3des | aes | aes 192 | aes 256}
        Example:
        Router(config-isakmp)# encryption 3des
        Router(config-isakmp)#
        Purpose: Specifies the encryption algorithm used in the IKE policy. The example uses 168-bit Triple Data Encryption Standard (3DES).

Step 3  hash {md5 | sha}
        Example:
        Router(config-isakmp)# hash md5
        Router(config-isakmp)#
        Purpose: Specifies the hash algorithm used in the IKE policy. The example specifies the Message Digest 5 (MD5) algorithm. The default is Secure Hash Standard (SHA-1).

Step 4  authentication {rsa-sig | rsa-encr | pre-share}
        Example:
        Router(config-isakmp)# authentication pre-share
        Router(config-isakmp)#
        Purpose: Specifies the authentication method used in the IKE policy. The example uses a pre-shared key.
    						
    							 
Step 5  group {1 | 2 | 5}
        Example:
        Router(config-isakmp)# group 2
        Router(config-isakmp)#
        Purpose: Specifies the Diffie-Hellman group to be used in the IKE policy.

Step 6  lifetime seconds
        Example:
        Router(config-isakmp)# lifetime 480
        Router(config-isakmp)#
        Purpose: Specifies the lifetime, 60–86400 seconds, for an IKE security association (SA).

Step 7  exit
        Example:
        Router(config-isakmp)# exit
        Router(config)#
        Purpose: Exits IKE policy configuration mode, and enters global configuration mode.

Configure Group Policy Information

Perform these steps to configure the group policy, beginning in global configuration mode:

Step 1  crypto isakmp client configuration group {group-name | default}
        Example:
        Router(config)# crypto isakmp client configuration group rtr-remote
        Router(config-isakmp-group)#
        Purpose: Creates an IKE policy group that contains attributes to be downloaded to the remote client. Also enters Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode.

Step 2  key name
        Example:
        Router(config-isakmp-group)# key secret-password
        Router(config-isakmp-group)#
        Purpose: Specifies the IKE pre-shared key for the group policy.

Step 3  dns primary-server
        Example:
        Router(config-isakmp-group)# dns 10.50.10.1
        Router(config-isakmp-group)#
        Purpose: Specifies the primary Domain Name Service (DNS) server for the group.
        Note: You may also want to specify Windows Internet Naming Service (WINS) servers for the group by using the wins command.
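The IKE policy steps above let the operator choose among des/3des/aes, md5/sha and Diffie-Hellman groups 1, 2 and 5, and the example policy picks 3DES, MD5 and group 2. As an added example that is not part of the Cisco guide, the following Python audits the attribute lines of one or more ISAKMP policies against thresholds that are this example's own assumptions (AES over DES/3DES, SHA over MD5, a 2048-bit Diffie-Hellman minimum, and the 60 to 86400 second lifetime range the guide states), and reports which configured policy is the weakest, because the router accepts whichever of its configured policies the peer also offers, so the weakest one sets the effective floor. The modulus sizes of groups 1, 2 and 5 are the MODP sizes from RFC 2409 and RFC 3526; all other names and wording are the example's own.

```python
"""Audit of the IKE (ISAKMP) policy attributes this chapter configures.

Added example, not from the Cisco guide. A policy is given as its priority
number and the attribute lines entered in ISAKMP policy configuration mode
(encryption, hash, authentication, group, lifetime). The command options and
the 60-86400 second lifetime range come from the guide; the thresholds and
verdict wording are this example's own assumptions.
"""

ATTRIBUTES = ("encryption", "hash", "authentication", "group", "lifetime")

# Modulus sizes of the Diffie-Hellman groups the 'group' command offers
# (MODP groups 1 and 2 from RFC 2409, group 5 from RFC 3526).
DH_GROUP_BITS = {"1": 768, "2": 1024, "5": 1536}

# Assumed thresholds: a defender's reading of current guidance, not Cisco's.
LEGACY_ENCRYPTION = {"des", "3des"}
LEGACY_HASH = {"md5"}
MIN_DH_BITS = 2048
LIFETIME_RANGE = (60, 86400)

# Constructed sample: the policy the chapter's examples build.
EXAMPLE_POLICY = ["encryption 3des", "hash md5", "authentication pre-share",
                  "group 2", "lifetime 480"]


def parse_policy(lines):
    """Map each attribute keyword to its argument, e.g. {'encryption': 'aes 256'}."""
    attrs = {}
    for line in lines:
        words = line.split()
        if words and words[0] in ATTRIBUTES:
            attrs[words[0]] = " ".join(words[1:])
    return attrs


def audit_policy(lines):
    """Return {attribute: verdict}; a verdict that starts with 'ok' passes."""
    p = parse_policy(lines)
    v = {}
    for name in ATTRIBUTES:
        if name not in p:
            # The router default applies; this example does not assume what it
            # is, so the operator is told to check rather than given a guess.
            v[name] = "not set, router default applies"
    if "encryption" in p:
        enc = p["encryption"]
        v["encryption"] = f"legacy cipher {enc}, prefer aes 256" if enc in LEGACY_ENCRYPTION else f"ok ({enc})"
    if "hash" in p:
        h = p["hash"]
        v["hash"] = f"legacy hash {h}, prefer sha" if h in LEGACY_HASH else f"ok ({h})"
    if "authentication" in p:
        v["authentication"] = f"ok ({p['authentication']})"
    if "group" in p:
        g, bits = p["group"], DH_GROUP_BITS.get(p["group"])
        if bits is None:
            v["group"] = f"unknown group {g}"
        elif bits < MIN_DH_BITS:
            v["group"] = f"group {g} is a {bits}-bit modulus, below the assumed {MIN_DH_BITS}-bit minimum"
        else:
            v["group"] = f"ok (group {g}, {bits}-bit)"
    if "lifetime" in p:
        lo, hi = LIFETIME_RANGE
        secs = int(p["lifetime"]) if p["lifetime"].isdigit() else -1
        v["lifetime"] = f"ok ({secs} s)" if lo <= secs <= hi else f"lifetime {p['lifetime']} outside {lo}-{hi} s"
    return v


def weak_count(lines):
    """Number of attributes of one policy that did not pass."""
    return sum(1 for verdict in audit_policy(lines).values() if not verdict.startswith("ok"))


def weakest_policy(policies):
    """Return the priority of the policy with the most failing attributes.

    The router accepts whichever of its configured policies the peer also
    offers, so the weakest policy is the effective floor: hardening policy 1
    changes nothing while a weaker policy stays configured.
    """
    return max(policies, key=lambda pr: weak_count(pr[1]))[0]


if __name__ == "__main__":
    for attr, verdict in audit_policy(EXAMPLE_POLICY).items():
        print(f"{attr:15} {verdict}")
```

Note that none of the three groups this platform offers reaches the 2048-bit threshold assumed here, so on this router the audit will always report the group attribute; that is a property of the option set, and the threshold can be lowered in MIN_DH_BITS if the operator accepts group 5.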