VPN implementation on a Cisco router:
1. Software requirements:
An IOS image with the Enterprise Plus IPsec 56 feature set is required. The current stable version is 12.0(7)T.
2. Hardware requirements:
8 MB Flash and 40 MB RAM.
When you download an IOS image, the download page shows the software and hardware requirements of that particular version.
3. Notes on the IPsec manual-keying method:
(1) Once an encrypted channel is established it is never torn down: manually keyed security associations do not expire, so the keys stay in use until the configuration is changed.
(2) Manual keying provides no anti-replay protection.
(3) With manual keying only the first permit entry in the access-list takes effect; the other entries are ignored.
(4) With manual keying the transform set on both sides must be the same (the same transforms; this page also uses the same name, encry-des, on both routers).
4. Main commands of the VPN manual-keying method:
(1) access-list
Define an access-list that selects the IP packets to be encrypted.
(2) crypto isakmp
ISAKMP/IKE negotiation is enabled by default, so for the manual method it has to be disabled.
(3) crypto ipsec
Configure the IPsec transform set, i.e. the encryption method.
(4) crypto map
Configure the crypto map, selecting the manual keying method (ipsec-manual); inside it:
A) set peer
Set the remote VPN gateway.
B) set security-association
Set the security associations, inbound and outbound.
C) set transform-set
Set the transform set (encryption form) to use.
D) match address
Encrypt the traffic matched by the access-list.
5. Steps of the manual-keying implementation:
(1) Configure an access-list to define which packets the VPN carries:
access-list 101 permit ip host 192.168.0.1 host 192.168.1.1
(2) Disable automatic (IKE) negotiation:
no crypto isakmp enable
(3) Define the IPsec encapsulation method (transform set). Both routers must use the same one; in the example it is named encry-des:
crypto ipsec transform-set encry-des esp-des
(4) Create the crypto map that holds the conditions for the VPN connection, using the ipsec-manual method:
crypto map vpntest 8 ipsec-manual
(5) The crypto map command of the previous step enters crypto map configuration mode. There:
A) Configure the remote VPN gateway:
set peer 202.106.185.2
B) Configure the inbound and outbound security associations. Each line gives the direction, the SPI number, the cipher key and the authenticator key (both keys in hex). The key values below are the page's placeholders; a real DES key is 8 bytes, i.e. 16 hex digits, and a router will reject anything shorter:
set security-association inbound esp 1000 cipher 21 authenticator 01
(inbound SA: encryption method, SPI number and keys)
set security-association outbound esp 1001 cipher 12 authenticator 01
C) Set the IPsec transform set:
set transform-set encry-des
D) Encrypt the traffic matching the access-list:
match address 101
(6) Bind the crypto map to the router's external (Internet-facing) interface:
int e 0/1
ip addr 202.106.185.1 255.255.255.0
crypto map vpntest
6. Notes
(1) The access-lists at the two ends must be mirror images of each other. For example, on router A:
access-list 101 permit ip host 192.168.0.1 host 192.168.1.1
and on router B:
access-list 101 permit ip host 192.168.1.1 host 192.168.0.1
(2) The transform sets at the two ends must be the same; for example, both sides write crypto ipsec transform-set encry-des esp-des.
(3) Inbound at one end is outbound at the other, and outbound at one end is inbound at the other, so the two security-association lines (SPI and keys) must be swapped between the routers. For example, on router A:
set security-association inbound esp 1000 cipher 21 authenticator 01
set security-association outbound esp 1001 cipher 12 authenticator 01
and on router B:
set security-association inbound esp 1001 cipher 12 authenticator 01
set security-association outbound esp 1000 cipher 21 authenticator 01
(4) In short, with manual keying the configuration at both ends must be either identical or mirrored.
7. Where it applies
In my view a router-based VPN has the following applications:
(1) Remote management and authentication of secondary and primary nodes at China Telecom. VPN is not recommended on level-1 and backbone nodes because of their large traffic volume. To reduce the load, use the VPN only for the special applications that need it, selecting that traffic precisely rather than simply matching on source and destination IP.
(2) Mobile users connecting to their own company's servers.
(3) Communication between subsidiaries and the parent company.
8. Benefits of using a VPN
(1) Cost saving, because only the existing routers are needed.
(2) Security of important data while it is in transit.
(3) High flexibility: users who reach the Internet through their own router can configure their own security policy. This is of less use to ISPs.
9. VPN application example:
Configuration on router R1:
no crypto isakmp enable
crypto ipsec transform-set encry-des esp-des
crypto map vpntest 8 ipsec-manual
 set peer 202.106.185.2
 set security-association inbound esp 1000 cipher 21 authenticator 01
 set security-association outbound esp 1001 cipher 12 authenticator 01
 set transform-set encry-des
 match address 101
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
 ip address 202.106.185.1 255.255.255.0
 crypto map vpntest
ip route 0.0.0.0 0.0.0.0 202.106.185.2
access-list 101 permit ip host 192.168.0.1 host 192.168.1.1
Configuration on router R2:
no crypto isakmp enable
crypto ipsec transform-set encry-des esp-des
crypto map vpntest 8 ipsec-manual
 set peer 202.106.185.1
 set security-association inbound esp 1001 cipher 12 authenticator 01
 set security-association outbound esp 1000 cipher 21 authenticator 01
 set transform-set encry-des
 match address 101
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
 ip address 202.106.185.2 255.255.255.0
 crypto map vpntest
ip route 0.0.0.0 0.0.0.0 202.106.185.1
access-list 101 permit ip host 192.168.1.1 host 192.168.0.1
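As an added check (example code written for this page, not part of the original tutorial or of any Cisco tool), the following Python parses the R1/R2 configurations above and verifies the mirroring rules of section 6: inbound SA on one side equals outbound SA on the other (same SPI and keys), the crypto access-lists are mirror images, each set peer points at the other router's crypto-map interface, and the crypto map is actually bound to an interface. It also flags something the page does not mention: a manual DES cipher key must be 16 hex digits, so the two-digit placeholder keys in these examples would be rejected by a real router. The parser understands only the subset of IOS syntax used on this page; the KEY_HEX_DIGITS table, the ManualCfg class and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# The two router configurations from the example above, copied verbatim.
R1_CFG = """
no crypto isakmp enable
crypto ipsec transform-set encry-des esp-des
crypto map vpntest 8 ipsec-manual
 set peer 202.106.185.2
 set security-association inbound esp 1000 cipher 21 authenticator 01
 set security-association outbound esp 1001 cipher 12 authenticator 01
 set transform-set encry-des
 match address 101
interface Ethernet0/0
 ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1
 ip address 202.106.185.1 255.255.255.0
 crypto map vpntest
ip route 0.0.0.0 0.0.0.0 202.106.185.2
access-list 101 permit ip host 192.168.0.1 host 192.168.1.1
"""
R2_CFG = R1_CFG.replace("202.106.185.2", "PEER").replace("202.106.185.1", "202.106.185.2") \
    .replace("PEER", "202.106.185.1") \
    .replace("inbound esp 1000 cipher 21", "inbound esp 1001 cipher 12") \
    .replace("outbound esp 1001 cipher 12", "outbound esp 1000 cipher 21") \
    .replace("ip address 192.168.0.1", "ip address 192.168.1.1") \
    .replace("host 192.168.0.1 host 192.168.1.1", "host 192.168.1.1 host 192.168.0.1")

# Hex digits a manual 'cipher' key needs per cipher transform (assumed table:
# DES is an 8-byte key, 3DES a 24-byte key).
KEY_HEX_DIGITS = {"esp-des": 16, "esp-3des": 48}


@dataclass
class ManualCfg:
    sas: dict = field(default_factory=dict)         # direction -> (spi, cipher key, auth key)
    acls: dict = field(default_factory=dict)        # acl number -> {(src, dst)}
    transforms: dict = field(default_factory=dict)  # name -> "esp-des ..."
    peer: str = ""
    map_name: str = ""
    applied_map: str = ""
    acl_ref: str = ""
    transform_ref: str = ""
    outside_ip: str = ""  # address of the interface the crypto map is bound to


def parse(text: str) -> ManualCfg:
    """Parse the subset of IOS syntax used in the page's examples (case-insensitive)."""
    cfg, last_ip = ManualCfg(), ""
    for raw in text.splitlines():
        line = raw.strip().lower()
        if m := re.fullmatch(r"crypto map (\S+) \d+ ipsec-manual", line):
            cfg.map_name = m[1]
        elif m := re.fullmatch(r"crypto map (\S+)", line):   # inside interface config
            cfg.applied_map, cfg.outside_ip = m[1], last_ip
        elif m := re.fullmatch(r"ip address (\S+) \S+", line):
            last_ip = m[1]
        elif m := re.fullmatch(r"set peer (\S+)", line):
            cfg.peer = m[1]
        elif m := re.fullmatch(r"set security-association (inbound|outbound) esp (\d+) "
                               r"cipher (\S+)(?: authenticator (\S+))?", line):
            cfg.sas[m[1]] = (int(m[2]), m[3], m[4] or "")
        elif m := re.fullmatch(r"set transform-set (\S+)", line):
            cfg.transform_ref = m[1]
        elif m := re.fullmatch(r"match address (\d+)", line):
            cfg.acl_ref = m[1]
        elif m := re.fullmatch(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg.transforms[m[1]] = m[2]
        elif m := re.fullmatch(r"access-list (\d+) permit ip host (\S+) host (\S+)", line):
            cfg.acls.setdefault(m[1], set()).add((m[2], m[3]))
    return cfg


def check_mirroring(a: ManualCfg, b: ManualCfg) -> list:
    """Return the mismatches between two manually keyed peers (empty list = consistent)."""
    problems = []
    for mine, theirs in (("inbound", "outbound"), ("outbound", "inbound")):
        if a.sas.get(mine) != b.sas.get(theirs):
            problems.append(f"A {mine} SA {a.sas.get(mine)} != B {theirs} SA {b.sas.get(theirs)}")
    if a.transforms.get(a.transform_ref) != b.transforms.get(b.transform_ref):
        problems.append("transform sets differ")
    mirrored_b = {(dst, src) for src, dst in b.acls.get(b.acl_ref, set())}
    if a.acls.get(a.acl_ref, set()) != mirrored_b:
        problems.append("crypto access-lists are not mirror images")
    if a.peer != b.outside_ip or b.peer != a.outside_ip:
        problems.append("set peer does not match the other side's crypto map interface")
    for name, cfg in (("A", a), ("B", b)):
        if not cfg.map_name or cfg.applied_map != cfg.map_name:
            problems.append(f"{name}: crypto map {cfg.map_name!r} is not bound to an interface")
    return problems


def check_key_lengths(cfg: ManualCfg) -> list:
    """Flag cipher keys whose hex length does not fit the cipher transform in use."""
    problems = []
    ciphers = [t for t in cfg.transforms.get(cfg.transform_ref, "").split() if t in KEY_HEX_DIGITS]
    for direction, (_spi, key, _auth) in cfg.sas.items():
        for t in ciphers:
            want = KEY_HEX_DIGITS[t]
            if len(key) != want or any(c not in "0123456789abcdef" for c in key):
                problems.append(f"{direction}: {t} needs {want} hex digits, key has {len(key)}")
    return problems


if __name__ == "__main__":
    r1, r2 = parse(R1_CFG), parse(R2_CFG)
    print("mirroring:", check_mirroring(r1, r2) or "ok")
    print("R1 keys:", check_key_lengths(r1))
```

Running it reports no mirroring problems for the page's pair but two key-length findings, one per SA. Breaking the mirroring (for instance giving R2 the same inbound SPI as R1) produces a finding naming the offending direction, which is the error most often made when the two configurations are typed by hand.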
Implementation with the IKE method
Characteristics of IKE:
1. IKE uses UDP port 500.
2. It supports CAs.
3. It supports mobile users.
IKE components:
1. DES
2. Diffie-Hellman with a pre-shared key
3. RSA signatures (with a CA) and RSA-encrypted nonces
IKE configuration content:
1. Enable IKE (enabled by default)
2. access-list
3. transform set
4. crypto map
5. Bind to the interface
IKE policy: the policy numbers on the two sides may differ. A policy matches when authentication, hash, Diffie-Hellman group, encryption and lifetime agree; for the lifetime the shorter of the two values is used.
1. Authentication
(1) RSA signatures
(2) RSA-encrypted nonces
(3) Pre-shared key
2. Encryption
IKE configuration
(1) Configure the access-list.
(2) crypto isakmp enable (enabled by default, but write it anyway so it cannot be left disabled)
(3) crypto isakmp policy 10, with:
A) encryption algorithm: DES
B) hash algorithm: SHA-1
C) authentication method: RSA signatures
D) Diffie-Hellman group: 1
E) lifetime: 86400
(4) crypto isakmp key test address 202.106.100.2 (the pre-shared key for that peer; it is only used when the policy's authentication method is pre-share)
(5) crypto ipsec transform-set set2 ah-sha-hmac esp-des esp-sha-hmac
(6) crypto map IKE <seq> ipsec-isakmp (a sequence number is required, as in the manual example above), with:
A) set peer <remote IP>
B) set transform-set
C) set pfs group2
D) match address
(7) dir
To use the RSA-encrypted nonces method:
ip domain-name
crypto key generate rsa
show crypto key mypubkey rsa
crypto key pubkey-chain rsa
key-string (entered under the peer's addressed-key or named-key entry, pasting the peer's public key)
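To make the policy-matching rule concrete, here is an added Python model of how two routers pick an IKE policy (example code written for this page, not Cisco's implementation). It encodes what the text states: policy numbers are only a local priority, all of encryption, hash, authentication method and DH group must be equal, and the shorter lifetime wins. It also models one thing worth knowing about IOS: every router carries a built-in lowest-priority default policy with exactly the values listed under policy 10 above (DES, SHA, RSA signatures, group 1, 86400 s), so two routers whose configured policies do not match can still agree on that weak default. The IkePolicy class, IOS_DEFAULT sequence number 65535 and the function names are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkePolicy:
    seq: int                # policy number: local priority only, need not equal the peer's
    encryption: str         # "des", "3des", ...
    hash: str               # "sha" or "md5"
    authentication: str     # "rsa-sig", "rsa-encr" or "pre-share"
    group: int              # Diffie-Hellman group
    lifetime: int = 86400   # seconds


# IOS's built-in fallback policy (assumed sequence number 65535 for ordering).
IOS_DEFAULT = IkePolicy(65535, "des", "sha", "rsa-sig", 1, 86400)


def attributes_match(a: IkePolicy, b: IkePolicy) -> bool:
    """All four algorithm attributes must be equal; lifetime is negotiated separately."""
    return (a.encryption, a.hash, a.authentication, a.group) == \
           (b.encryption, b.hash, b.authentication, b.group)


def negotiate(initiator, responder, include_default=True):
    """Return (responder policy, initiator proposal, negotiated lifetime) or None.

    The initiator offers all its policies in priority order; the responder walks
    its own policies in priority order and takes the first one that matches any
    proposal. With include_default both sides also carry IOS_DEFAULT last.
    """
    proposals = sorted(initiator, key=lambda p: p.seq)
    candidates = sorted(responder, key=lambda p: p.seq)
    if include_default:
        proposals.append(IOS_DEFAULT)
        candidates.append(IOS_DEFAULT)
    for r in candidates:
        for p in proposals:
            if attributes_match(r, p):
                return r, p, min(r.lifetime, p.lifetime)
    return None


if __name__ == "__main__":
    r1 = [IkePolicy(10, "3des", "sha", "pre-share", 2, 86400)]
    r2 = [IkePolicy(20, "3des", "sha", "pre-share", 2, 3600)]
    print("different numbers, same attributes:", negotiate(r1, r2))
    r2_wrong_group = [IkePolicy(20, "3des", "sha", "pre-share", 1, 3600)]
    print("mismatch, falls back to default:", negotiate(r1, r2_wrong_group))
    print("mismatch, default removed:", negotiate(r1, r2_wrong_group, include_default=False))
```

The second run in the demo is the one to remember when auditing a router: if the only matching pair is the built-in DES/group 1 policy, the tunnel comes up looking healthy while using far weaker parameters than anyone configured.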
When to use the manual method and when to use the IKE method