Implementation of manual VPN on a Cisco Router

Implementation of VPN on a Cisco router: 1. software requirements: IOS with performaniseplusistmc56 is required. Currently, stable versions are 12.07T2. Hardware requirements: 8 mbflashand40mbram in DownloadIOS, the software and hardware requirements of the downloaded IOS version are prompted. 3. IPSec manual method considerations

Implementation of VPN on a Cisco router: 1. software requirements: IOS of enterprise plus ipsec 56 is required. The current stable version is 12.07 TB. 2. Hardware requirements: 8 MB Flash and 40 mb ram will prompt the software and hardware requirements of the IOS version downloaded. 3. IPSec manual method considerations

Cisco VroOn the VPN Implementation:

1. software requirements:

IOS that requires enterprise plus ipsec 56. The current stable version is 12.07 TB.

2. Hardware requirements:

8 MB Flash and 40 MB RAM

When you Download the IOS version, the system prompts the downloaded IOS version.

Software and Hardware requirements.

3. IPSec Manual MethodNote:

(1) Once an encrypted channel is established, it will not be disconnected.

(2) Manual Key does not provide the anti-replay Function

(3) At Manual Key MethodOnly one permit entry in access-list takes effect, while others are ignored.

(4) At Manual Key MethodThe transform set names on both sides must be the same.

4. VPN Manual MethodThe main Commands are as follows:

(1) access-list

Set access-list to encrypt the IP packets that meet the conditions.

(2) crypto isakmp

Crypto isakmp is used by default. Method, So in Manual MethodTo disable this option.

(3) crypto ipsec

Configure IPSec Encryption Method, Select manual Method

(4) crypto map

Configure IPSec Encryption Method

A) set peer

Set Remote VPN gateway

B) set security-association

Set security alliances, including inbound and outbound

C) set transform-set

Set encryption form

D) match address

Encrypts access-list matching objects.

5. VPN Manual Implementation Method:

(1) configure access-list to set up VPN connections for which packets.

Access-list 101 permit ip host 192.168.0.1 host

192.168.1.1

(2) Cancel automatic VPN negotiation Method

No crypto isakmp enable

(3) Establish an IPSec Encapsulation Method-On both sides VroThe same name is required. In the example, encry-des

Crypto ipsec transform-set encry-desesp-des

(4) Various conditions required for establishing a VPN connection-ipsec-manual Method

Crypto map vpntest 8 ipsec-manual

(5) Use crypto map in the previous step to enter the crypto configuration mode.

A) configure a remote VPN gateway

Set peer 202.106.185.2

B) Configure Inbound and Outbound Security alliances

Set security-association inbound esp 1000 cipher 21 authenticator 01

Configure inbound Alliance Encryption MethodSequence Number

Set security-association outbound esp 1001 cipher 12 authenticator 01

C) Set IPSec Encryption Method

Set transform-set encry-des

D) encrypt the matching address

Match address 101

(6) In VroExternal network port binding Encryption Method

Int e 0/1

Ip addr 202.106.185.1 255.255.255.0

Crypto map vpntest

6. Notes

(1) access-list at both ends must be opposite to each other, for example VroWrite on:

Access-list 101 permit ip host 192.168.0.1 host 192.168.1.1

Then in B VroWrite on:

Access-list 101 permit ip host 192.168.1.1 host 192.168.0.1

(2) The transform set names at both ends must be consistent

For example, write crypto ipsec transform-set encry-des esp-des.

(3) inbound at one end is outboud at the other end, and outbound at one end is inboud at the other end. Therefore, their sequence should be the opposite.

For example VroWrite on:

Set security-association inbound esp 1000 cipher 21 authenticator 01

Set security-association outbound esp 1001 cipher 12 authenticator 01

Then in B VroWrite on:

Set security-association inbound esp 1001 cipher 12 authenticator 01

Set security-association outbound esp 1000 cipher 21 authenticator 01

(4) In short Manual MethodThe configurations at both ends should be the same or relative.

7. Application Conditions

I think in VroVPN has the following applications:

(1) it can be used for remote management and authentication on secondary and primary nodes in China Telecom. VPN is not recommended for level-1 nodes and backbone nodes because of the large communication volume. Method. To reduce the load, we recommend that you use VPN only when transmitting special applications, instead of simply determining the Source IP and Destination IP.

(2) mobile users are used to connect to their own company's servers.

(3) It is used in the form of communication between subsidiaries and parent companies.

8. Benefits of Using VPN

(1) cost saving, because you only need to use existing VroYou can.

(2) ImplementationTo ensure the security of important data during transmission.

(3) high flexibility. If the user passes VroTo access the Internet, you can configure your own security. But it is not very useful for ISPs.

9. VPN application example:

In VroThe configuration on R1 is as follows:

No crypto isakmp enable

Crypto ipsec transform-set encry-des esp-des

Crypto map vpntest 8 ipsec-manual

Set peer 202.106.185.2

Set security-association inbound esp 1000 cipher 21 authenticator 01

Set security-association outbound esp 1001 cipher 12 authenticator 01

Set transform-set encry-des match address 101

Interface Ethernet0/0

Ip address 192.168.0.1 255.255.255.0

Interface Ethernet0/1

Ip address 202.106.185.1 255.255.255.0

Crypto map vpntest

Ip route 0.0.0.0 0.0.0.0 202.106.185.2

Access-list 101 permit ip host 192.168.0.1 host 192.168.1.1

In VroThe configuration on R2 is as follows:

No crypto isakmp enable

Crypto ipsec transform-set encry-des esp-des

Crypto map vpntest 8 ipsec-manual set peer 202.106.185.1

Set security-association inbound esp 1001 cipher 12 authenticator 01

Set security-association outbound esp 1000 cipher 21 authenticator 01

Set transform-set encry-des match address 101

Interface Ethernet0/0

Ip address 192.168.1.1 255.255.255.0

Interface Ethernet0/1

Ip address 202.106.185.2 255.255.255.0

Crypto map vpntest

Ip route 0.0.0.0 0.0.0.0 202.106.185.1

Access-list 101 permit ip host 192.168.1.1 host 192.168.0.1

IKE MethodOf Implementation

1. IKE uses UPD 500

2. Support for CA

3. Support for mobile users

IKE components:

1. DES

2. Diffie-Hellman-preshare key

3. RSA signatures (CA) and RSA encrypted nonces

IKE configuration content:

1. enable IKE-default enable

2. accesslist

3. transformset

4. crypto map

5. binding interface

IKE Policy-numbers on both sides can be different. Matching:

Authentication, hash, diff-herman, encrytpion, and lifetime (minimum value)

1. authentication

(1) RSA signature

(2) RSA non

(3) Preshare Key

2. encryption

IKE Configuration

(1) Configure accesslist

(2) crypto isakmp enable (enabled by default, but write it to avoid it)

(3) crypto isakmp policy 10

A) encryption algorithm: DES

B) hash algorithm: SHA1

C) authentication method: RSA sig

D) Diffie-Hellman group: 1

E) Lifetime: 86400

(4) crypto isakmp key test address 202.106.100.2

(5) crypto ipsec transform-set set2 ah-sha-hmac

Esp-des esp-sha-hmac

(6) crypto map IKE ipsec-isakmp

A) set peer remote IP

B) set transform-set

C) set pfs group2

D) match address

(7) dir

Use RSA-encr Method

Ip domain-name

Crypto key generate rsa

Sh crypto key mypubkey rsa

Crypto key pubkey-chain rsa

Key-string

When to use Manual MethodWhen to use IKE Method