Cisco Labs – Network Security (9) – Easy VPN server on Router, SW client


Introduction

During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students so that they can test basic settings for VPN, IPS and other features. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and has been tested on physical Cisco routers as well.

Each task in the series has its own post with a brief description of the task and its schema. The complete task can be downloaded from My Onedrive.

NS2 – Modul2 6.2.12a IOS task definition

Easy VPN server on Router, SW client

Goal

  • Configure the VPN client and the VPN concentrator on an IOS router.
  • Initialize the tunnel.
  • Generate test connections through HTTP, FTP and ICMP.
  • Do not forget to clear the configuration before you start.

Required time

2 hours

Theoretical background

A short theoretical background for solving this task will be given here.

Topology

NS2-6.2.12a_IOS_topology1_VIRTLAB

Configuration

PC1

ifconfig INT3 192.168.0.100 netmask 255.255.255.0
route add default gw 192.168.0.1 dev INT3

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config)#aaa new-model					;enable the AAA model so that authentication lists can be defined
SERVER(config)#aaa authentication login telnet local		;define login list "telnet" that authenticates against the local user database
SERVER(config)#username cisco password cisco			;local user used by that list
SERVER(config)#enable password cisco				;set enable password for privileged mode
SERVER(config)#ip http server					;enable HTTP server
SERVER(config)#ftp-server enable				;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/			;set top directory for FTP server
SERVER(config)#line vty 0 4					;enable telnet connections
SERVER(config-line)#login authentication telnet			;bind the "telnet" login list to the VTY lines; without this the list above is never used

Router

1) Interface settings, Access lists, group policy

R18@ostrava(config)#hostname GATE
GATE(config)#interface INT1
GATE(config-if)#ip address 192.168.0.1 255.255.255.0
GATE(config-if)#no shutdown

GATE(config)#interface INT2
GATE(config-if)#ip address 10.0.0.1 255.255.255.0
GATE(config-if)#no shutdown

GATE(config)#access-list 101 permit ip any host 192.168.0.1		;permit only traffic addressed to the interface on which the tunnel terminates

GATE(config)#aaa new-model						;enable the AAA model (required before any list below)
GATE(config)#aaa authentication login VPNAUTHEN local			;login list used for XAUTH user authentication against the local database
GATE(config)#aaa authorization network VPNAUTHOR local			;network authorization list used to look up the client group policy locally
GATE(config)#username USERNAME password cisco				;local user; these credentials are used for XAUTH when the tunnel is built

2) IPsec and ISAKMP configuration

GATE(config)#ip local pool VPNADDRESSPOOL 10.0.0.10 10.0.0.20		;connected clients get an address from this pool
GATE(config)#crypto isakmp policy 10					;IKE phase 1 security parameters start here
GATE(config-isakmp)#encryption 3des
GATE(config-isakmp)#hash sha
GATE(config-isakmp)#authentication pre-share
GATE(config-isakmp)#group 2

GATE(config)#crypto isakmp client configuration group VPNGROUP		;group policy for remote-access clients
GATE(config-isakmp-group)#key VPNKLIC					;pre-shared key for this group
GATE(config-isakmp-group)#pool VPNADDRESSPOOL				;address pool pushed to clients
GATE(config-isakmp-group)#domain test					;domain name pushed to clients

GATE(config)#crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-md5-hmac	;transform set (IPsec proposal) for remote-access connections

GATE(config)#crypto dynamic-map DYNAMICMAP 10				;create dynamic crypto map
GATE(config-crypto-map)#set transform-set REMOTEVPNTRSET
GATE(config-crypto-map)#reverse-route					;reverse-route injection adds a host route for each connected client

GATE(config)#crypto map CLIENTMAP client configuration address respond	;router answers the client's request for an address (mode configuration)
GATE(config)#crypto map CLIENTMAP isakmp authorization list VPNAUTHOR	;authorization list for group policy lookup
GATE(config)#crypto map CLIENTMAP client authentication list VPNAUTHEN	;authentication list for XAUTH user login
GATE(config)#crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMICMAP	;bind the dynamic map to a sequence of the static map

3) Applying the crypto map and access list to the interface

GATE(config)#interface INT1
GATE(config-if)#crypto map CLIENTMAP                                          			;apply static crypto map to interface  
GATE(config-if)#ip access-group 101 in                                        			;apply access list to interface
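As an added example (not part of the original lab material), the following Python script takes the GATE configuration from steps 1 to 3 in running-config form and checks that every name one block references is defined by another: a misspelled list, pool, transform-set or map name is accepted by IOS without complaint and only surfaces later as a failed IKE, XAUTH or mode-configuration exchange in the debugs. The configuration text and the broken variant are constructed here from the commands above; the parser is my own and understands only the command forms this lab uses.

```python
"""Cross-reference lint for the Easy VPN server configuration on GATE.

Added example, not part of the lab text. The crypto map refers to the AAA lists
and the dynamic map, the dynamic map to a transform set, the client group to a
local pool and the interface to the crypto map. IOS accepts a misspelled name
silently; this lint finds such dangling references in running-config style text.
"""

# Global command prefix -> (kind of object it defines, index of the name).
DEFINERS = {
    ("aaa", "authentication", "login"): ("authen", 3),
    ("aaa", "authorization", "network"): ("author", 3),
    ("ip", "local", "pool"): ("pool", 3),
    ("crypto", "isakmp", "client", "configuration", "group"): ("group", 5),
    ("crypto", "ipsec", "transform-set"): ("tset", 3),
    ("crypto", "dynamic-map"): ("dynmap", 2),
    ("crypto", "map"): ("cmap", 2),
    ("access-list",): ("acl", 1),
}

# Constructed from the GATE commands in this lab, as 'show running-config'
# prints them (no prompts, sub-mode commands indented by one space).
GATE_CONFIG = """\
aaa new-model
aaa authentication login VPNAUTHEN local
aaa authorization network VPNAUTHOR local
access-list 101 permit ip any host 192.168.0.1
ip local pool VPNADDRESSPOOL 10.0.0.10 10.0.0.20
crypto isakmp client configuration group VPNGROUP
 key VPNKLIC
 pool VPNADDRESSPOOL
 domain test
crypto ipsec transform-set REMOTEVPNTRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNAMICMAP 10
 set transform-set REMOTEVPNTRSET
 reverse-route
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP isakmp authorization list VPNAUTHOR
crypto map CLIENTMAP client authentication list VPNAUTHEN
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNAMICMAP
interface INT1
 crypto map CLIENTMAP
 ip access-group 101 in
"""

# Constructed broken variant: pool misspelled in the group, map never applied.
BROKEN_CONFIG = (GATE_CONFIG
                 .replace("\n pool VPNADDRESSPOOL", "\n pool VPNADDRESPOOL")
                 .replace(" crypto map CLIENTMAP\n", ""))

def parse_easyvpn(config):
    """Return (defined, refs): the names each block defines and the
    (kind, name, line) references other blocks make to them."""
    defined = {kind: set() for kind, _ in DEFINERS.values()}
    refs, context = [], None            # context: the sub-mode we are in, (kind, name)
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):        # a global command ends any sub-mode
            context = ("interface", w[1]) if w[0] == "interface" else None
            for prefix, (kind, idx) in DEFINERS.items():
                if tuple(w[:len(prefix)]) != prefix:
                    continue
                defined[kind].add(w[idx])
                if kind in ("group", "dynmap"):
                    context = (kind, w[idx])
                elif kind == "cmap" and "list" in w:    # isakmp authorization / client authentication list
                    refs.append(("author" if "authorization" in w else "authen", w[-1], line))
                elif kind == "cmap" and "dynamic" in w:
                    refs.append(("dynmap", w[-1], line))
                break
        elif context and context[0] == "group" and w[0] == "pool":
            refs.append(("pool", w[1], line))
        elif context and context[0] == "dynmap" and w[:2] == ["set", "transform-set"]:
            refs.append(("tset", w[2], line))
        elif context and context[0] == "interface" and w[:2] == ["crypto", "map"]:
            refs.append(("cmap", w[2], line))
        elif context and context[0] == "interface" and w[:2] == ["ip", "access-group"]:
            refs.append(("acl", w[2], line))
    return defined, refs

def lint_easyvpn(config):
    """Return findings as strings; an empty list means all references resolve
    and every crypto map is applied to an interface."""
    defined, refs = parse_easyvpn(config)
    findings = [f"{kind} '{name}' referenced but never defined: {line.strip()}"
                for kind, name, line in refs if name not in defined[kind]]
    applied = {name for kind, name, _ in refs if kind == "cmap"}
    findings += [f"crypto map '{m}' defined but not applied to any interface"
                 for m in sorted(defined["cmap"] - applied)]
    return findings

if __name__ == "__main__":
    for label, cfg in (("GATE", GATE_CONFIG), ("BROKEN", BROKEN_CONFIG)):
        print(label, lint_easyvpn(cfg) or "no dangling references")
```

Running the script reports nothing for the lab configuration and two findings for the broken variant (the undefined pool and the unapplied crypto map); paste the output of `show running-config` into `GATE_CONFIG` to check a real router the same way.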

Function test

F1) Turn on debugging

GATE#debug crypto isakmp					;IKE phase 1 debug
GATE#debug crypto engine					;crypto engine debug
GATE#debug crypto ipsec						;IKE phase 2 (IPsec SA) debug
GATE#debug aaa authentication					;group policy and XAUTH debugs
GATE#debug aaa authorization

F2) Generate test connection

F2a) on Unix based PC

Open a terminal and generate ICMP traffic with the ping command.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.2.12a_IOS_DIA2-1

F2b) on Windows based PC

Browse Start -> Run, type cmd.exe and then generate ICMP traffic with the ping command.

PC1#ping 10.0.0.100

Picture shows result of this command.

NS2-6.2.12a_IOS_DIA2-2

F3) Initialize tunnel

F3a) on Unix – text vpn client

PC1#vpnc							;run the text-mode VPN client
- insert gateway - IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco
- insert the username and password according to your defined group policy -> VPNUSERNAME/cisco
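Instead of answering the prompts each time, vpnc reads the same four values from a profile in /etc/vpnc/<name>.conf and is started with `vpnc <name>`. Because that file holds the group pre-shared key and the XAUTH password, it should exist only with root-only permissions. The helper below is an added example (not part of the lab material) that writes and checks such a profile; it takes the values from the GATE configuration above (the pre-shared key must equal the `key` under the client configuration group, and the username must be a `username` defined on GATE), and writes into a temporary directory so it can be run anywhere.

```python
"""vpnc profile for the tunnel to GATE, written with safe permissions.

Added example, not part of the original lab text. vpnc can read the four values
entered interactively above from /etc/vpnc/<name>.conf (run as 'vpnc <name>').
That file holds the group pre-shared key and the XAUTH password, so it must be
created readable by root only; this helper does that and checks the result.
"""
import ipaddress
import os
import stat
import tempfile

# 'IPSec gateway', 'IPSec ID', 'IPSec secret', 'Xauth username' and
# 'Xauth password' are the keywords vpnc expects in its configuration file.
REQUIRED_KEYS = ("IPSec gateway", "IPSec ID", "IPSec secret", "Xauth username")

def valid_gateway(host):
    """True if host is an IPv4 literal (the lab addresses the concentrator by IP)."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False

def vpnc_profile(gateway, group, group_secret, username, password=None):
    """Return the profile text; the password line is optional (vpnc prompts if absent)."""
    if not valid_gateway(gateway):
        raise ValueError(f"gateway must be an IPv4 address, got {gateway!r}")
    lines = [f"IPSec gateway {gateway}", f"IPSec ID {group}",
             f"IPSec secret {group_secret}", f"Xauth username {username}"]
    if password is not None:
        lines.append(f"Xauth password {password}")
    return "\n".join(lines) + "\n"

def write_profile(path, text, mode=0o600):
    """Create the file with the final mode from the first instant (no world-readable window)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, mode)   # an existing file would otherwise keep its old mode
    return path

def check_profile(path):
    """Return problems found: keywords missing or permissions open to group/other."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {mode:04o} is accessible by group/other")
    with open(path) as f:
        lines = f.read().splitlines()
    for key in REQUIRED_KEYS:
        if not any(line.startswith(key + " ") for line in lines):
            problems.append(f"{path}: missing '{key}' line")
    return problems

def demo_profile(loose=False):
    """Write a profile for this lab into a temp directory and check it.
    Values: INT1 of GATE as gateway; group and key as configured under
    'crypto isakmp client configuration group'; the 'username' defined on GATE.
    loose=True deliberately writes it world-readable to show the check firing."""
    path = os.path.join(tempfile.mkdtemp(), "test.conf")
    text = vpnc_profile("192.168.0.1", "VPNGROUP", "VPNKLIC", "USERNAME", "cisco")
    write_profile(path, text, mode=0o644 if loose else 0o600)
    return path, check_profile(path)

if __name__ == "__main__":
    for loose in (False, True):
        path, problems = demo_profile(loose)
        print(path, problems or "OK")
```

In the lab, copy the generated file to /etc/vpnc/test.conf as root and start the tunnel with `vpnc test`; leaving out the `Xauth password` line makes vpnc prompt for it, which avoids storing the password at all.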

Picture shows result on PC.

NS2-6.2.12a_IOS_DIA3-1

Picture shows ifconfig tun0 command result.

NS2-6.2.12a_IOS_DIA3-4

F3b) on Windows – GUI Cisco VPN client

PC1#run the Cisco VPN client from its shortcut
- connection entries -> new -> fill in:
- name -> TEST
- description -> where the tunnel is created
- host -> IP address of the VPN concentrator -> 192.168.0.1
- insert the VPN group to which you want to connect -> VPNGROUP
- insert its pre-shared key -> cisco (password and confirm password)
- go to the main screen, select the connection entry and insert the username and password VPNUSERNAME/cisco when prompted.

Picture shows configuration window and main window on windows client.

NS2-6.2.12a_IOS_DIA3-3

Picture shows result of tunnel initialisation on Router.

NS2-6.2.12a_IOS_DIA3-2

GATE#show vpn-sessiondb remote

Picture shows result of tunnel sessions on Router.

NS2-6.2.12a_IOS_DIA3-5

F4) generate test connection

F4a) on Unix – text web browser

PC1#lynx ftp://10.0.0.100						;connect to the server via FTP
PC1#lynx http://10.0.0.100						;connect to the server via HTTP - works only with Java enabled
PC1#ping 10.0.0.100							;ICMP test

Picture shows result on PC.

NS2-6.2.12a_IOS_DIA4-1

F4b) on Windows – graphic web browser

Open a web browser and enter the following text in the address bar

http://10.0.0.100									;establish http connection to the server
ftp://10.0.0.100									;establish ftp connection to the server

Picture shows result on PC (http).

NS2-6.2.12a_IOS_DIA4-2

Open the command line and run ftp, then follow the result picture for the command line reference

ftp											;command line to start ftp connection

Picture shows result on PC (ftp).

NS2-6.2.12a_IOS_DIA4-3

F5) Delete tunnel and reinitialize new one

GATE#clear crypto session
GATE#clear crypto isakmp

Picture shows result on GATE router.

NS2-6.2.12a_IOS_DIA5-1

F5a) on Unix based PC – text

PC1#pkill vpnc										;kill vpnc process

NS2-6.2.12a_IOS_DIA5-2

F5b) on Windows based PC

Open VPN client and press disconnect button.

Optional tasks

  • Try to configure different policies and VPN groups.