Working principle:
The subnet behind the first router is 192.168.1.0/24; that router's address is 100.10.15.1.
The subnet behind the other router is 192.168.10.0/24; that router's address is 200.000025.1.
Perform the following steps:
1. Choose a pre-shared key (a secret password); in the following example the key is assumed to be noIP4u.
2. Configure IKE for the SA negotiation.
3. Configure IPsec.
Configure IKE:
Shelby(config)# crypto isakmp policy 1
Note: policy 1 is the first ISAKMP policy. If you want to configure more VPNs, you can add policy 2, policy 3, and so on.
Shelby(config-isakmp)# group 1
Note: Unless you have bought a high-end router or the VPN traffic is light, you had better use the key length of group 1. The group command takes two values, 1 and 2: value 1 selects a 768-bit Diffie-Hellman key, value 2 a 1024-bit key. The latter is obviously more secure, but consumes more CPU time.
Shelby(config-isakmp)# authentication pre-share
Note: Tells the router to use a pre-shared key.
Shelby(config-isakmp)# lifetime 3600
Note: Sets how often a new SA is negotiated, in seconds. The default is 86400, that is, one day. Note that both routers must use the same SA lifetime; otherwise, after the VPN comes up normally, it will be torn down when the shorter lifetime expires.
Shelby(config)# crypto isakmp key noIP4u address 200.000025.1
Note: Back in global configuration mode, specify the pre-shared key to use and the IP address of the router at the far end of the VPN, that is, the destination router. The configuration on the far-end router is the same as the preceding command except that the address is 100.10.15.1.
Configure IPsec:
Shelby(config)# access-list 130 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
Note: The access-list number used here must not be the same as any packet-filtering access list; use a distinct number to identify the VPN rule. The source is the local subnet, the destination the remote subnet, each written as address plus wildcard mask.
Shelby(config)# crypto ipsec transform-set vpn1 ah-md5-hmac esp-des esp-md5-hmac
Note: The only thing that may differ between the two routers here is vpn1, the name given to this combination of options; the names on the two ends may be the same or different. The command defines the IPsec parameters to use. To strengthen security, the Authentication Header (AH) is enabled. Because both networks use private address space and the data must be carried through a tunnel, the Encapsulating Security Payload (ESP) is also required. Finally, DES is defined as the encryption algorithm.
Shelby(config)# crypto map ipvsec 60 ipsec-isakmp
Note: The preceding command defines the interval for generating a new key. If an attacker cracks the key, they can decrypt all traffic protected by that key, so a short rekey period is wanted, for example a new key every minute. This command must match on the routers at both ends of the VPN. The parameter ipvsec is the name given to this configuration; it is bound to the router's external interface later.
Shelby(config-crypto-map)# set peer 200.000025.1
Note: This is the public IP address that identifies the peer router. Enter the equivalent command on the remote router, but with peer address 100.10.15.1.
Shelby(config-crypto-map)# set transform-set vpn1
Shelby(config-crypto-map)# match address 130
Note: These two commands bind, respectively, the transform set and the access list to this connection.
Shelby(config)# interface s0
Shelby(config-if)# crypto map ipvsec
Note: Applies the crypto map just defined to the router's external interface.
What remains is to test the VPN connection and confirm that traffic flows as expected.
Finally, do not forget to save the running configuration, or all the work will be lost.
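As an added example, not part of the original page, the following Python script renders both routers' sides of the configuration above from a single description of the topology and then checks the values the notes say must agree or mirror each other: the pre-shared key, the IKE SA lifetime, the transform-set proposal, the crypto access list (the far side's source/destination are the near side's swapped), and that each router's set peer address matches the address in its own crypto isakmp key line. The names (Shelby, noIP4u, vpn1, ipvsec, access list 130) come from the page; the Site class, render, extract and mismatches are hypothetical helpers written for this example, and because the page's far-end address is garbled, the documentation address 203.0.113.1 stands in for it. One point of fact beyond the page: in crypto map ipvsec 60 ipsec-isakmp the 60 is the sequence number of the crypto-map entry, so the optional sa_lifetime parameter below emits the separate set security-association lifetime seconds command, which is where an IPsec rekey interval is actually configured.

```python
"""Added example: render mirrored IOS site-to-site IPsec configs and check
that the two sides agree where the page's notes say they must (hypothetical
helper, not the page's own configuration)."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    hostname: str
    wan_ip: str    # address used for "set peer" and "crypto isakmp key ... address"
    lan: str       # protected subnet in CIDR form
    wan_if: str = "Serial0"


def wildcard(cidr: str) -> str:
    """192.168.1.0/24 -> '192.168.1.0 0.0.0.255' (IOS address plus wildcard mask)."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.hostmask}"


def render(local: Site, remote: Site, psk: str, *, acl=130, map_name="ipvsec",
           seq=60, ts_name="vpn1", ike_lifetime=3600, group=1,
           sa_lifetime=None) -> list:
    """Build one router's side of the VPN from the shared topology."""
    lines = [
        f"hostname {local.hostname}",
        "crypto isakmp policy 1",
        f" group {group}",
        " authentication pre-share",
        f" lifetime {ike_lifetime}",
        f"crypto isakmp key {psk} address {remote.wan_ip}",
        f"access-list {acl} permit ip {wildcard(local.lan)} {wildcard(remote.lan)}",
        f"crypto ipsec transform-set {ts_name} ah-md5-hmac esp-des esp-md5-hmac",
        f"crypto map {map_name} {seq} ipsec-isakmp",
        f" set peer {remote.wan_ip}",
        f" set transform-set {ts_name}",
        f" match address {acl}",
    ]
    if sa_lifetime is not None:
        # The IPsec rekey knob; the number after the map name is a sequence number.
        lines.append(f" set security-association lifetime seconds {sa_lifetime}")
    lines += [f"interface {local.wan_if}", f" crypto map {map_name}"]
    return lines


def extract(lines) -> dict:
    """Pull out the values that must agree or mirror between the two ends."""
    cfg = {}
    for raw in lines:
        s = raw.strip()
        if m := re.match(r"crypto isakmp key (\S+) address (\S+)$", s):
            cfg["psk"], cfg["key_addr"] = m.group(1), m.group(2)
        elif m := re.match(r"lifetime (\d+)$", s):
            cfg["ike_lifetime"] = int(m.group(1))
        elif m := re.match(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)$", s):
            cfg["acl"] = (m.group(1), m.group(2))
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)$", s):
            cfg["transform"] = m.group(1)
        elif m := re.match(r"set peer (\S+)$", s):
            cfg["peer"] = m.group(1)
    return cfg


def mismatches(cfg_a, cfg_b) -> list:
    """Return a list of problems; an empty list means the two sides are consistent."""
    a, b = extract(cfg_a), extract(cfg_b)
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if a["ike_lifetime"] != b["ike_lifetime"]:
        problems.append("IKE SA lifetimes differ")
    if a["transform"] != b["transform"]:
        problems.append("transform-set proposals differ")
    if a["acl"] != (b["acl"][1], b["acl"][0]):
        problems.append("crypto ACLs are not mirror images")
    for name, c in (("A", a), ("B", b)):
        if c["peer"] != c["key_addr"]:
            problems.append(f"side {name}: set peer and isakmp key address differ")
    return problems


if __name__ == "__main__":
    # Constructed topology: Shelby is the page's router; 203.0.113.1 is a
    # placeholder for the page's garbled far-end address.
    shelby = Site("Shelby", "100.10.15.1", "192.168.1.0/24")
    remote = Site("Remote", "203.0.113.1", "192.168.10.0/24")
    a, b = render(shelby, remote, "noIP4u"), render(remote, shelby, "noIP4u")
    print("\n".join(a), "\n!\n", "\n".join(b), sep="")
    print("mismatches:", mismatches(a, b) or "none")
```

Running the script prints both configurations and an empty mismatch list; changing the lifetime or the key on one side only, which is exactly the error the notes warn about, makes mismatches name the disagreeing value before anything is pasted into a router.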
Appendix: from a network-security standpoint, VPN hardware can be placed in one of the following four locations:
● Outside the DMZ firewall
● Attached to the firewall's third network interface (the service network)
● Inside the firewall's protected zone
● Integrated with the firewall