Cisco Labs – Network Security (10) – RAS VPN using HW client (network and client modes)+ pre-shared keys on Router


NS2 – Module 6.4.1 IOS task definition

RAS VPN using HW client (network and client modes)+ pre-shared keys on Router

Goal

  • A remote access VPN tunnel is established between two IOS routers and authenticated with a pre-shared key.
  • Router3 only forwards traffic between the site routers; it simulates the Internet.
  • Only traffic between LAN 1 and LAN 2 is encrypted.
  • Use OSPF as the routing protocol.
  • a/ the client is set to client mode (NAT).
  • b/ the client is set to network-extension mode.
  • Do not forget to erase the configuration before starting, and check that the IOS images support the required features (EzVPN server on one router, EzVPN remote/hardware client on the other).

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be given here.

Topology

NS2-6.4.1_IOS_topology1_VIRTLAB

Configuration

PC2

ifconfig INT8 10.0.0.100 netmask 255.255.255.0
route add default gw 10.0.0.1 dev INT8

Router2 – EzVPN server

This configuration is the same for both client modes.

1) interface settings + OSPF

R19@ostrava(config)#hostname EZServer
EZServer(config)#interface INT4
EZServer(config-if)#ip address 10.0.0.1 255.255.255.0
EZServer(config-if)#no shutdown

EZServer(config)#interface INT3
EZServer(config-if)#duplex half								 ;setting for Virtlab compatibility
EZServer(config-if)#ip address 172.16.0.1 255.255.255.0         
EZServer(config-if)#no shutdown

EZServer(config)#router ospf 1
EZServer(config-router)#network 172.16.0.0 0.0.0.255 area 0
EZServer(config-router)#network 10.0.0.0 0.0.0.255 area 0

2) aaa settings

EZServer(config)#aaa new-model								;enable the AAA model
EZServer(config)#aaa authentication login VPNLIST local					;xauth user authentication against the local user database
EZServer(config)#aaa authorization network VPNLIST local				;group authorization (attributes pushed to the client) against the local database
EZServer(config)#username EZVPNUSER password cisco					;xauth user; on a production device use 'secret' instead of 'password', which is stored reversibly

3) EzVPN server configuration

EZServer(config)#ip local pool EZVPNPOOL 10.0.0.10 10.0.0.20				;address pool leased to EzVPN clients (used in client mode)

EZServer(config)#crypto isakmp policy 10						;IKE phase 1 policy; the hash defaults to SHA-1
EZServer(config-isakmp)#encryption 3des							;3DES and DH group 2 are deprecated, prefer aes and group 14 or higher where the IOS image supports them
EZServer(config-isakmp)#authentication pre-share
EZServer(config-isakmp)#group 2

EZServer(config)#crypto isakmp keepalive 10 10						;dead peer detection: keepalive every 10 s, retry every 10 s

EZServer(config)#crypto isakmp client configuration group EZVPNGROUP			;client configuration group - these settings are pushed to the client
EZServer(config-isakmp-group)#key EZVPNKLIC						;group pre-shared key, must be configured identically on the client
EZServer(config-isakmp-group)#pool EZVPNPOOL						;attach the named address pool
EZServer(config-isakmp-group)#save-password						;lets the client store the xauth password; required for connect auto, but the password then sits in the client configuration

EZServer(config)#crypto ipsec transform-set EZVPNTRSET esp-3des esp-sha-hmac		;IKE phase 2 transform set

EZServer(config)#crypto dynamic-map DYNAMIC 1						;dynamic crypto map, the client's address is not known in advance
EZServer(config-crypto-map)#set transform-set EZVPNTRSET				;transform set used for the client SAs
EZServer(config-crypto-map)#reverse-route remote-peer 172.16.1.1			;reverse route injection: install a route back to the client's networks when the tunnel comes up

EZServer(config)#crypto map EZVPNMAP client authentication list VPNLIST			;xauth against the AAA login list
EZServer(config)#crypto map EZVPNMAP isakmp authorization list VPNLIST			;group authorization against the AAA network list
EZServer(config)#crypto map EZVPNMAP 3 ipsec-isakmp dynamic DYNAMIC			;bind the named dynamic crypto map
EZServer(config)#crypto map EZVPNMAP client configuration address respond		;hand out an address from the pool when the client asks for one

4) applying point 3) to interface

EZServer(config)#interface INT3
EZServer(config-if)#crypto map EZVPNMAP							;apply crypto map to an interface

Router3 – Internet

This configuration is the same for both client modes.

Router3(config)#interface INT5
Router3(config-if)#ip address 172.16.1.2 255.255.255.0
Router3(config-if)#no shutdown

Router3(config)#interface INT6
Router3(config-if)#ip address 172.16.0.2 255.255.255.0
Router3(config-if)#no shutdown

Router3(config)#router ospf 1
Router3(config-router)#network 172.16.1.0 0.0.0.255 area 0
Router3(config-router)#network 172.16.0.0 0.0.0.255 area 0

a/ Client mode configuration

PC1

ifconfig INT7 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT7

Router1 – EzVPN client

1) interface settings + OSPF

R18@ostrava(config)#hostname EZClient
EZClient(config)#interface INT1
EZClient(config-if)#ip address 192.168.0.1 255.255.255.0
EZClient(config-if)#no shutdown

EZClient(config)#interface INT2
EZClient(config-if)#ip address 172.16.1.1 255.255.255.0
EZClient(config-if)#duplex half								;setting for Virtlab compatibility
EZClient(config-if)#no shutdown

EZClient(config)#router ospf 1								;routing protocol; only the outside network is advertised, LAN1 stays hidden behind NAT in client mode
EZClient(config-router)#network 172.16.1.0 0.0.0.255 area 0				;advertise the outside network

2) client settings

EZClient(config)#crypto ipsec client ezvpn VPN						;named EzVPN remote profile
EZClient(config-crypto-ezvpn)#group EZVPNGROUP key EZVPNKLIC				;server group name and its pre-shared key, must match the server
EZClient(config-crypto-ezvpn)#local-address INT2					;interface whose address is used as the tunnel source
EZClient(config-crypto-ezvpn)#mode client						;client mode: one address from the server pool, inside hosts are PATed behind it
EZClient(config-crypto-ezvpn)#peer 172.16.0.1						;server address (the interface carrying its crypto map)
EZClient(config-crypto-ezvpn)#connect manual						;tunnel is brought up by hand (function test F3)

3) applying to interface

EZClient(config)#interface INT1
EZClient(config-if)#crypto ipsec client ezvpn VPN inside				;bind the profile to the inside (LAN1) interface

EZClient(config)#interface INT2
EZClient(config-if)#crypto ipsec client ezvpn VPN outside				;bind the profile to the outside interface
											;once the tunnel is up the router NATs all inside traffic behind the address leased from the server pool

Now run the function test, then continue with either part b/ or point 4) of part a/.

4) configure client for auto connection mode

To let the client connect automatically you MUST first connect manually and supply the xauth credentials as in function test point F3); with save-password enabled on the server the client then stores them.

EZClient(config)#crypto ipsec client ezvpn VPN
EZClient(config-crypto-ezvpn)#connect auto						;client auto connection setting

b/ Network extension mode configuration

PC1

ifconfig INT7 10.0.1.100 netmask 255.255.255.0
route add default gw 10.0.1.1 dev INT7

Router1 – EzVPN client

1) interface settings + OSPF

R18@ostrava(config)#hostname EZClient
EZClient(config)#interface INT1
EZClient(config-if)#ip address 10.0.1.1 255.255.255.0					;network-extension mode: LAN1 keeps fully routable addresses and is reachable from LAN2 without NAT
EZClient(config-if)#no shutdown

EZClient(config)#interface INT2
EZClient(config-if)#ip address 172.16.1.1 255.255.255.0
EZClient(config-if)#duplex half								;setting for Virtlab compatibility
EZClient(config-if)#no shutdown		

EZClient(config)#router ospf 1
EZClient(config-router)#network 172.16.1.0 0.0.0.255 area 0

2) client settings

EZClient(config)#crypto ipsec client ezvpn VPN
EZClient(config-crypto-ezvpn)#group EZVPNGROUP key EZVPNKLIC
EZClient(config-crypto-ezvpn)#local-address INT2
EZClient(config-crypto-ezvpn)#mode network-extension					;network-extension mode: LAN1 keeps its routable addresses, no NAT
EZClient(config-crypto-ezvpn)#peer 172.16.0.1
EZClient(config-crypto-ezvpn)#connect auto
EZClient(config-crypto-ezvpn)#username EZVPNUSER password cisco			;xauth credentials stored on the client so connect auto completes without a manual xauth; note they sit in the client configuration

3) applying to interface

EZClient(config)#interface INT1
EZClient(config-if)#crypto ipsec client ezvpn VPN inside 

EZClient(config)#interface INT2
EZClient(config-if)#crypto ipsec client ezvpn VPN outside
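The EzVPN remote profile of part a/ or b/ only works when it lines up with the server side of section 3): the group name and key must match the server's crypto isakmp client configuration group, the peer must be the address of the interface that carries the crypto map, client mode needs a pool in the group, the crypto map must chain to an existing dynamic map, transform set and AAA lists, and the profile must be bound to one inside and one outside interface. The following Python script cross-checks the two sides before the tunnel is brought up. It is an added example written for this page, not part of the lab or IOS; the two embedded configs are constructed from the lab's own commands (running-config style, sub-commands indented by one space), and the rules it applies, including the 3DES/DH group 2 and 'password' versus 'secret' warnings, are the editor's choice of checks, not IOS output.

```python
"""Cross-check an IOS EzVPN server config against an EzVPN remote (hardware client)
config: linked names must agree and deprecated algorithms are flagged.  Added example,
not code from the lab page; both configs are constructed from the lab's own commands."""
import re

SERVER_CFG = """\
aaa authentication login VPNLIST local
aaa authorization network VPNLIST local
username EZVPNUSER password cisco
ip local pool EZVPNPOOL 10.0.0.10 10.0.0.20
crypto isakmp policy 10
 encryption 3des
 group 2
crypto isakmp client configuration group EZVPNGROUP
 key EZVPNKLIC
 pool EZVPNPOOL
 save-password
crypto ipsec transform-set EZVPNTRSET esp-3des esp-sha-hmac
crypto dynamic-map DYNAMIC 1
 set transform-set EZVPNTRSET
crypto map EZVPNMAP client authentication list VPNLIST
crypto map EZVPNMAP isakmp authorization list VPNLIST
crypto map EZVPNMAP 3 ipsec-isakmp dynamic DYNAMIC
interface INT3
 ip address 172.16.0.1 255.255.255.0
 crypto map EZVPNMAP
"""

CLIENT_CFG = """\
crypto ipsec client ezvpn VPN
 group EZVPNGROUP key EZVPNKLIC
 local-address INT2
 mode client
 peer 172.16.0.1
 connect auto
interface INT1
 ip address 192.168.0.1 255.255.255.0
 crypto ipsec client ezvpn VPN inside
interface INT2
 ip address 172.16.1.1 255.255.255.0
 crypto ipsec client ezvpn VPN outside
"""

WEAK = ("des", "3des", "md5", "group 1", "group 2")  # deprecated IKE/IPsec choices
SUB = r"\n((?:[ \t]+[^\n]*\n?)*)"                    # the indented block after a header line

def body(cfg, header):
    """Sub-commands (stripped) under the first top-level line matching regex `header`."""
    m = re.search(rf"^{header}[^\n]*{SUB}", cfg, re.M)
    return [l.strip() for l in m.group(1).splitlines()] if m else []

def opts(lines):  # 'key EZVPNKLIC' -> {'key': 'EZVPNKLIC'}; a bare keyword maps to ''
    return {l.split()[0]: " ".join(l.split()[1:]) for l in lines}

def check_ezvpn(srv, cli):
    """Return 'ERROR ...' / 'WARN ...' findings; no ERROR means the two sides are linked."""
    f = []
    prof = re.search(r"^crypto ipsec client ezvpn (\S+)$", cli, re.M).group(1)
    p = opts(body(cli, rf"crypto ipsec client ezvpn {prof}$"))
    grp, key = p["group"].split()[0], p["group"].split()[2]
    g = opts(body(srv, rf"crypto isakmp client configuration group {grp}$"))
    if not g:
        f.append(f"ERROR server has no client configuration group {grp}")
    elif g.get("key") != key:
        f.append(f"ERROR pre-shared key for group {grp} differs between client and server")
    pool = g.get("pool")
    if p.get("mode") == "client" and not pool:
        f.append("ERROR client mode needs an address pool in the server group")
    if p.get("connect") == "auto" and "username" not in p and "save-password" not in g:
        f.append("WARN connect auto without stored xauth credentials will stall at xauth")
    peer_if = {}  # crypto map name -> address of the interface it is applied to
    for m in re.finditer(rf"^interface \S+{SUB}", srv, re.M):
        cm, ip = re.search(r"crypto map (\S+)", m.group(1)), re.search(r"ip address (\S+)", m.group(1))
        if cm and ip:
            peer_if[cm.group(1)] = ip.group(1)
    if p.get("peer") not in peer_if.values():
        f.append(f"ERROR peer {p.get('peer')} is not the address of a crypto-map interface on the server")
    for cmap in peer_if:
        for kind, aaa in (("client authentication", "aaa authentication login"),
                          ("isakmp authorization", "aaa authorization network")):
            lst = re.search(rf"^crypto map {cmap} {kind} list (\S+)", srv, re.M)
            if not lst or not re.search(rf"^{aaa} {lst.group(1)} ", srv, re.M):
                f.append(f"ERROR crypto map {cmap}: {kind} list missing or not defined under aaa")
        for dyn in re.findall(rf"^crypto map {cmap} \d+ ipsec-isakmp dynamic (\S+)", srv, re.M):
            ts = opts(body(srv, rf"crypto dynamic-map {dyn} ")).get("set", "").split()
            if len(ts) != 2 or ts[0] != "transform-set" or not re.search(
                    rf"^crypto ipsec transform-set {ts[1]} ", srv, re.M):
                f.append(f"ERROR dynamic map {dyn} has no valid transform-set")
    for role in ("inside", "outside"):
        if not re.search(rf"^ +crypto ipsec client ezvpn {prof} {role}$", cli, re.M):
            f.append(f"ERROR profile {prof} is not applied to an {role} interface")
    for line in body(srv, "crypto isakmp policy") + re.findall(r"^crypto ipsec transform-set.*", srv, re.M):
        f += [f"WARN deprecated algorithm in '{line}'" for w in WEAK if re.search(rf"\b{w}\b", line)]
    if re.search(r"^username \S+ password ", srv, re.M):
        f.append("WARN username stored with 'password' (reversible); use 'secret'")
    return f
```

Paste the real show running-config output of both routers into the two strings (or read them from files) and print the result of check_ezvpn(); each ERROR line names the pair of commands that does not line up, while WARN lines mark settings that work in the lab but should not be used beyond it. With the lab's own values the script reports no errors and four warnings (3DES in the policy and transform set, DH group 2, and the reversible user password); changing the key on one side only, or pointing peer at Router3 instead of the server, produces an ERROR.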

Function test

It is the same for both parts.

Use debug crypto ipsec and debug crypto isakmp to troubleshoot the VPN tunnel configuration.

F1) Turn on debugging

EZServer#debug crypto ipsec								 ;phase 2 (IPsec) debugging
EZServer#debug crypto isakmp								 ;phase 1 (IKE) debugging
EZServer#debug crypto engine								 ;whole crypto engine debugging

F2) Check the IKE/IPsec server and client configuration

EZServer#sh crypto isakmp policy							 ;show isakmp policy configuration
EZServer#sh crypto dynamic-map								 ;show dynamic map configuration
EZServer#sh crypto map									 ;crypto map configuration
EZClient#sh run

F3) Initialize the tunnel

EZClient#crypto ipsec client ezvpn connect						 ;bring the tunnel up (privileged EXEC)
EZClient#crypto ipsec client ezvpn xauth						 ;enter the xauth user credentials

NS2-6.4.1_IOS_DIA3-1

The server retransmits the xauth request until the client answers it.

NS2-6.4.1_IOS_DIA3-2

Before the xauth request is answered, you can check the tunnel status as shown in the picture.

NS2-6.4.1_IOS_DIA3-3

After the xauth credentials are supplied, the interface is up and the line protocol is up.

NS2-6.4.1_IOS_DIA3-4

F4) Test the initialized tunnel

Check that the client has an address leased from the pool and that IPsec is active.

EZServer#sh ip local pool

NS2-6.4.1_IOS_DIA4-1

EZClient#sh crypto ipsec client ezvpn

NS2-6.4.1_IOS_DIA4-2

Use the ping command to test traffic from LAN1 to LAN2 (PC1 to PC2).

If PC2 responds, the tunnel works. You can check further with the sh crypto ? commands in privileged mode on the routers.

PC1#ping 10.0.0.100

NS2-6.4.1_IOS_DIA5-1

In EzVPN client mode the NAT translations of the inside hosts can be shown with:

EZClient#sh ip nat translations

NS2-6.4.1_IOS_DIA5-2

F5) Tear the tunnel down and then repeat step F3) to initialize it again

First tear the tunnel down on the client:

EZClient(config)#interface INT2
EZClient(config-if)#shutdown								 ;shut down the outside interface
EZClient(config-if)#no shutdown								 ;bring it back up for the next test
EZClient#clear crypto session								 ;clear IKE/IPsec sessions
EZClient#clear crypto ipsec client ezvpn						 ;reset the EzVPN client state
EZServer#clear crypto session

Optional tasks

  • Create an access list on Router3 that permits only the traffic the tunnel needs (ISAKMP on UDP/500 and ESP, IP protocol 50, between the site routers, plus OSPF between the routers).
  • Make the client in client mode connect automatically (part a/, point 4).
  • Make the client in network-extension mode connect manually (the counterpart of part a/, point 4, for part b/).
  • Add one more router to the topology and create another tunnel to it.