TYPES_OF_VPN_AND_SCRIPT_CISCO

Site To Site IPSEC VPN CONFIG


step1: Setup the ISAKMP policy (for IKE phase1)

 
R1(config)#crypto isakmp policy 2
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#encryption aes
R1(config-isakmp)#group 2
R1(config-isakmp)#hash sha
To Verify: R1#show crypto isakmp policy
           R1# debug crypto isakmp
Configure pre-shared keys:
R1(config)#crypto isakmp key CISCO address 20.0.0.2
   

step2: Setup the IPsec transform-set (for IKE phase 2)

 
R1(config)#crypto ipsec transform-set NAME esp-aes 256 ah-sha-hmac
R1(config)#crypto ipsec security-association lifetime seconds 1800 (optional)
To Verify: R1# show crypto ipsec transform-set
           R1# show crypto ipsec sa
           R1# debug crypto ipsec
 
 

step3: Define interesting traffic (Must Mirror)

 
 
R1(config)#ip access-list extended LIST
R1(config-ext-nacl)#permit ip 1.0.0.0 0.0.0.255 2.0.0.0 0.0.0.255
 
 

step4: Setup crypto map

 
R1(config)#crypto map VPN_MAP 10 ipsec-isakmp
R1(config-crypto-map)#match address LIST
R1(config-crypto-map)#set peer 20.0.0.2
 
where LIST is the name of the ACL
 
R1(config-crypto-map)#set transform-set NAME
R1(config-crypto-map)#set pfs <DH_GROUP>           (optional)
R1(config-crypto-map)#set security-association lifetime seconds <VALUE>      (optional)    
 
where NAME is the name of the IPSEC transform-set
To Verify: R1# show crypto map
 

step5: Assign the crypto map to the interface

 
R1(config)#int s1/0
R1(config-if)#crypto map VPN_MAP
 
 
step6: Configure NAT exemption (VPN traffic must bypass NAT, otherwise it never matches the crypto map)
R1(config)#access-list 100 deny ip 1.0.0.0 0.0.0.255 2.0.0.0 0.0.0.255
R1(config)#access-list 100 permit ip 1.0.0.0 0.0.0.255 any
 
where the deny entry mirrors the crypto ACL from step3, so the VPN-interesting traffic is excluded from translation and everything else is PAT'd
 
R1(config)#int f0/0
R1(config-if)#ip nat inside
R1(config-if)#int s1/0
R1(config-if)#ip nat outside
R1(config-if)#exit
R1(config)#ip nat inside source list 100 interface s1/0 overload
 
Verify IPsec VPN Operation:
R1# show crypto isakmp sa
R1# show crypto ipsec sa
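As an added example (not from the original post), a small Python script that checks the two things the steps above silently depend on: that R2's crypto ACL is the mirror image of R1's (step3, "Must Mirror"), and that R1's NAT ACL denies exactly the flows the crypto ACL permits (step6). The two router configs embedded in it are constructed for this example; the ACL names LIST and 100 follow the steps above, and the second subnet in R1's ACL is deliberately left unmirrored and unexempted so the checks have something to report.

```python
"""Consistency checks for a Cisco site-to-site IPsec configuration.

Added example: verifies (1) that the peer's crypto ACL is the mirror image of the
local one (step3, "Must Mirror") and (2) that the local NAT ACL denies every flow the
crypto ACL permits (step6), so VPN-bound traffic is not translated before it reaches
the crypto map. R1_CONFIG and R2_CONFIG are constructed sample configs, not live output.
"""
import re
from typing import Dict, List, Tuple

ACE = Tuple[str, str, str, str]  # (src, src_wildcard, dst, dst_wildcard)

# "permit ip 1.0.0.0 0.0.0.255 2.0.0.0 0.0.0.255", either as a named-ACL body line
# or as a numbered "access-list 100 deny ip ..." line
_ACE_RE = re.compile(
    r"^\s*(?:access-list\s+\S+\s+)?(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_acl_entries(config: str, acl_name: str) -> Dict[str, List[ACE]]:
    """Collect the src/dst ACEs of one ACL (named or numbered) from a running-config."""
    entries: Dict[str, List[ACE]] = {"permit": [], "deny": []}
    in_named = False
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "!":
            continue
        if not line.startswith(" "):
            # any top-level command ends a named-ACL block; start a new one if it is ours
            in_named = stripped == f"ip access-list extended {acl_name}"
            if in_named:
                continue
        numbered = stripped.startswith(f"access-list {acl_name} ")
        if in_named or numbered:
            m = _ACE_RE.match(line)
            if m:  # host/any forms are skipped: the checks below need explicit subnet pairs
                action, *ace = m.groups()
                entries[action].append(tuple(ace))
    return entries


def mirror_violations(local: List[ACE], remote: List[ACE]) -> List[ACE]:
    """Local crypto-ACL entries that the remote side does not permit in reverse."""
    remote_set = set(remote)
    return [ace for ace in local if (ace[2], ace[3], ace[0], ace[1]) not in remote_set]


def nat_exemption_gaps(crypto: List[ACE], nat_deny: List[ACE]) -> List[ACE]:
    """Crypto-ACL flows that the NAT ACL does not deny, i.e. that would be translated."""
    denied = set(nat_deny)
    return [ace for ace in crypto if ace not in denied]


def audit(local_cfg: str, remote_cfg: str,
          crypto_acl: str = "LIST", nat_acl: str = "100") -> Dict[str, List[ACE]]:
    """Run both checks from the local router's point of view."""
    local = parse_acl_entries(local_cfg, crypto_acl)["permit"]
    remote = parse_acl_entries(remote_cfg, crypto_acl)["permit"]
    nat_deny = parse_acl_entries(local_cfg, nat_acl)["deny"]
    return {
        "not_mirrored": mirror_violations(local, remote),
        "nat_not_exempt": nat_exemption_gaps(local, nat_deny),
    }


# Constructed sample: R1 permits two subnets but R2 only mirrors the first,
# and R1's NAT ACL only exempts the first.
R1_CONFIG = """\
ip access-list extended LIST
 permit ip 1.0.0.0 0.0.0.255 2.0.0.0 0.0.0.255
 permit ip 1.0.1.0 0.0.0.255 2.0.0.0 0.0.0.255
!
access-list 100 deny ip 1.0.0.0 0.0.0.255 2.0.0.0 0.0.0.255
access-list 100 permit ip 1.0.0.0 0.0.0.255 any
!
crypto map VPN_MAP 10 ipsec-isakmp
 match address LIST
 set peer 20.0.0.2
"""

R2_CONFIG = """\
ip access-list extended LIST
 permit ip 2.0.0.0 0.0.0.255 1.0.0.0 0.0.0.255
!
crypto map VPN_MAP 10 ipsec-isakmp
 match address LIST
 set peer 10.0.0.2
"""

if __name__ == "__main__":
    for check, aces in audit(R1_CONFIG, R2_CONFIG).items():
        print(check, "->", aces or "OK")
```

Run it against `show running-config` output from both peers; anything under `not_mirrored` means phase 2 will fail to negotiate for that flow, and anything under `nat_not_exempt` means that flow is being translated on the way out and never hits the crypto map.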

EASY VPN SERVER CONFIG

Running-config of the Easy VPN server (R2). Note that the crypto map below references the AAA method lists userauthen and groupauthor; those must be defined with aaa new-model, aaa authentication login userauthen and aaa authorization network groupauthor, and are not part of this excerpt.

ip domain lookup
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username admin password 0 admin
!
ip tcp synwait-time 5
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local ippool
!
crypto isakmp client configuration group eagle
 key admin3100
 pool ippool
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool ippool 10.0.0.3 10.0.0.5
no ip http server
no ip http secure-server
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.0.255
no cdp log mismatch duplex
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
!
end
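Added example, not part of the page or of any Cisco tooling: a Python checker that walks a running-config like the one above and flags the legacy algorithms it uses (3DES, MD5, DH group 2) and the type-0 cleartext password, and shows that the same policy rewritten with AES-256, SHA-256 and DH group 14 comes back clean. The weak/legacy lists are my own selection based on Cisco's Next Generation Encryption guidance; SAMPLE_CONFIG is an excerpt of the configuration above and HARDENED_CONFIG is constructed for the comparison.

```python
"""Flag legacy algorithms and cleartext secrets in a Cisco IOS IPsec / Easy VPN config.

Added example. SAMPLE_CONFIG is an excerpt of the running-config shown above;
HARDENED_CONFIG is a constructed replacement showing the same policy with current
algorithms. The weak lists follow Cisco's Next Generation Encryption "avoid" guidance.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (where in the config, why it was flagged)

WEAK_ISAKMP: Dict[str, Dict[str, str]] = {
    "encr": {"des": "DES", "3des": "3DES"},
    "hash": {"md5": "MD5"},
    "group": {"1": "DH group 1 (768-bit)", "2": "DH group 2 (1024-bit)",
              "5": "DH group 5 (1536-bit)"},
}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}


def audit_config(config: str) -> List[Finding]:
    """Return one finding per legacy algorithm or cleartext credential found."""
    findings: List[Finding] = []
    context = ""  # the top-level command whose indented sub-lines we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            context = line.strip()
            tokens = context.split()
            if context.startswith("crypto ipsec transform-set "):
                # crypto ipsec transform-set NAME alg [alg ...]
                for alg in tokens[4:]:
                    if alg in WEAK_TRANSFORMS:
                        findings.append((context, f"transform-set uses legacy {alg}"))
            elif re.match(r"username \S+ password 0 ", context):
                # "password 0" is the type-0 form: the secret is stored as typed
                findings.append((context, "type-0 (cleartext) password"))
            continue
        # indented line: interpret it relative to its parent command
        tokens = line.split()
        if context.startswith("crypto isakmp policy "):
            keyword, value = tokens[0], tokens[-1]
            if keyword in WEAK_ISAKMP and value in WEAK_ISAKMP[keyword]:
                findings.append((f"{context}: {line.strip()}",
                                 f"legacy {WEAK_ISAKMP[keyword][value]} in IKE phase 1"))
        elif context.startswith("crypto isakmp client configuration group ") and tokens[0] == "key":
            findings.append((f"{context}: key ...",
                             "group pre-shared key is a single secret shared by every client"))
    return findings


# Excerpt of the Easy VPN server running-config shown above
SAMPLE_CONFIG = """\
username admin password 0 admin
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group eagle
 key admin3100
 pool ippool
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
"""

# Constructed counterpart: same structure, current algorithms, hashed local credential
HARDENED_CONFIG = """\
username admin secret <hashed-secret-placeholder>
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for where, why in audit_config(SAMPLE_CONFIG):
        print(f"{why:55s} <- {where}")
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

The checker is deliberately line-oriented so it can be pointed at a saved `show running-config` without any parsing library; extend WEAK_ISAKMP and WEAK_TRANSFORMS to match your own policy baseline.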
 
 
