When would you need this: When you want to create a secure tunnel to transfer data between two sites without the use of a VPN concentrator or other security devices.

Special Requirements: The routers used must support IPSec. Most Cisco routers do. Another requirement is that both sides use a static public IP address to connect to the Internet.

We will go through the steps to be done on one side; the same steps must be repeated on the other side too. The encryption of data will depend on a shared key, so we will not need CAs or RSA key infrastructure.

1. Create an Internet Key Exchange (IKE) policy. The policy used in our case is policy number 9, because this policy requires a pre-shared key.

Router(config)#crypto isakmp policy 9

Router(config-isakmp)#hash md5

Router(config-isakmp)#authentication pre-share


2. Set up the shared key that will be used for the VPN,

Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX

where,

VPNKEY is the shared key that you will use for the VPN, and remember to set the same key on the other end.

XXX.XXX.XXX.XXX is the static public IP address of the other end.

3. Now we set the lifetime for the IPSec security associations,

Router(config)#crypto ipsec security-association lifetime seconds YYYYY

where YYYYY is the security association lifetime in seconds. A common value is 86400, which is one day.

4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link,

Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK

where,

AAA is the access-list number

SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source (network and wildcard mask) of the data allowed to use the VPN link.

DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination (network and wildcard mask) of the data that needs to pass through the VPN link.

5. Define the transform set that will be used for this VPN connection,

Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC

where,

“SETNAME” is the name of the transform set. You can choose any name you like.

BBBB and CCCCC are the transforms that make up the set. I recommend the use of “esp-3des esp-md5-hmac”. You can also use “esp-3des esp-sha-hmac”. Either of these two will do the job.

6. After defining all the previous things, we need to create a crypto-map that associates the access-list, the peer at the other site and the transform set.

Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp

Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX

Router(config-crypto-map)#set transform-set SETNAME

Router(config-crypto-map)#match address AAA

where,

MAPNAME is a name of your choice for the crypto-map.

PRIORITY is the priority of this map over other maps to the same destination. If this is your only crypto-map, give it any number, for example 10.

XXX.XXX.XXX.XXX is the static public IP address of the other end.

SETNAME is the name of the transform set that we configured in step 5.

AAA is the number of the access-list that we created to define the traffic in step 4.

7. The last step is to bind the crypto-map to the interface that connects the router to the other end.

Router(config-if)#crypto map MAPNAME

where MAPNAME is the name of the crypto-map that we defined in step 6.

Now, repeat these steps on the other end, and remember to use the same key along with the same authentication and transform set.

Note: If you want to implement multiple VPN connections to multiple sites, you can do this by repeating steps 2 to 7 (except step 3) for each VPN connection. The different crypto-maps and their assignments differentiate between the VPN connections.
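Because the same seven steps must be mirrored on both routers, mismatched keys, lifetimes, transform sets or access-lists are the usual reason the tunnel never comes up. The following Python script is an added example (not from the article): it renders steps 1 to 7 for each end from one description of both sites and checks that the two halves agree. The transform-set and crypto-map names (TS, VPNMAP), the ACL number and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Site:
    public_ip: str   # static public IP of this end
    lan: str         # private network behind this end
    wildcard: str    # wildcard mask of that network, for the extended ACL
    wan_if: str      # interface that faces the other end


def render(local: Site, remote: Site, psk: str, acl=100, lifetime=86400,
           transform="esp-3des esp-md5-hmac", policy=9, prio=10) -> list:
    """Steps 1 to 7 from the article, for one end of the tunnel."""
    return [
        f"crypto isakmp policy {policy}",
        " hash md5",
        " authentication pre-share",   # encryption/group not set, IOS defaults apply
        f"crypto isakmp key {psk} address {remote.public_ip}",
        f"crypto ipsec security-association lifetime seconds {lifetime}",
        # step 4: source is the local LAN, destination the remote LAN
        f"access-list {acl} permit ip {local.lan} {local.wildcard} "
        f"{remote.lan} {remote.wildcard}",
        f"crypto ipsec transform-set TS {transform}",
        f"crypto map VPNMAP {prio} ipsec-isakmp",
        f" set peer {remote.public_ip}",
        " set transform-set TS",
        f" match address {acl}",
        f"interface {local.wan_if}",
        " crypto map VPNMAP",
    ]


def mirrored(a: list, b: list) -> bool:
    """True when both ends share key, lifetime and transform set, each end's
    ACL is the other's with source and destination swapped, and the key
    address matches the crypto-map peer on each side."""
    def line(cfg, prefix):
        return next(l for l in cfg if l.startswith(prefix)).split()
    key_a, key_b = line(a, "crypto isakmp key"), line(b, "crypto isakmp key")
    acl_a, acl_b = line(a, "access-list"), line(b, "access-list")
    return (key_a[3] == key_b[3]
            and line(a, "crypto ipsec security") == line(b, "crypto ipsec security")
            and line(a, "crypto ipsec transform") == line(b, "crypto ipsec transform")
            and acl_a[4:6] == acl_b[6:8] and acl_a[6:8] == acl_b[4:6]
            and key_a[5] == line(a, " set peer")[2]
            and key_b[5] == line(b, " set peer")[2])
```

Print "\n".join(render(A, B, key)) for each side and paste the result into each router's configuration mode; run mirrored() on the two lists before doing so.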

For troubleshooting purposes, you can use the following commands,

show crypto isakmp sa

show crypto ipsec sa

show crypto engine connections active

show crypto map


Configure Cisco GRE tunnel   June 25th, 2009


Written by Reza Behroozi
Saturday, 04 August 2007


RouterA
Public IP: 217.219.50.100
Tunnel IP: 192.168.0.1
Private network: 192.168.1.0/24
IP on that private network: 192.168.1.1

RouterB
Public IP: 217.219.97.1
Tunnel IP: 192.168.0.2
Private network: 192.168.2.0/24
IP on that private network: 192.168.2.1

Config on RouterA :
interface Tunnel0
description connection to RouterB
ip address 192.168.0.1 255.255.255.0
tunnel source Serial 1/0
tunnel destination 217.219.97.1
tunnel mode gre ip

ip route 192.168.2.0 255.255.255.0 Tunnel0

Config on RouterB :
interface Tunnel0
description connection to Linux RouterA
ip address 192.168.0.2 255.255.255.0
tunnel source Serial 1/0
tunnel destination 217.219.50.100
tunnel mode gre ip

ip route 192.168.1.0 255.255.255.0 Tunnel0
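To see what the Tunnel0 configuration above actually sends between the two public addresses, this added Python example (not from the article) builds the GRE-over-IPv4 packet that RouterA emits for a packet from 192.168.1.1 to 192.168.2.1 and decapsulates it the way RouterB would. The inner packet is a constructed placeholder. Plain GRE carries the inner packet unencrypted, which is why it is normally combined with the IPsec setup from the first article when confidentiality is needed.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type of an IPv4 payload


def ip_checksum(hdr: bytes) -> int:
    """Ones-complement checksum over an IPv4 header; 0 when verifying a good one."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), TTL 64."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """'tunnel mode gre ip': 4-byte GRE header (no C/K/S fields) + outer IPv4."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tun_src, tun_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes) -> tuple:
    """Return (outer_src, outer_dst, inner_packet); reject anything malformed."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != GRE_PROTO or ip_checksum(packet[:ihl]):
        raise ValueError("not a well-formed GRE-over-IPv4 packet")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0xB000 or proto != ETHERTYPE_IPV4:  # C, K or S bit means extra fields
        raise ValueError("unsupported GRE header")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    return outer_src, outer_dst, packet[ihl + 4:]
```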

Thanks to the author; original link: http://www.en.persianadmins.com/article/cisco/Configure_Cisco_GRE_tunnel_2007080417.html

Written by Reza Behroozi
Monday, 23 July 2007
Step by step configuration :
PersianAdmins.com(config)# vpdn enable

Create a VPDN group configured for PPTP, which is what the Microsoft VPN client uses by default:

PersianAdmins.com(config)# vpdn-group reza

PersianAdmins.com(config-vpdn)# accept-dialin

PersianAdmins.com(config-vpdn)# protocol pptp

PersianAdmins.com(config-vpdn)# virtual-template 1

PersianAdmins.com(config-vpdn)# exit

Here, we will configure our interfaces to match the diagram. Naturally, your IP address configuration will vary:

PersianAdmins.com(config)# interface ethernet0/0

PersianAdmins.com(config-if)# ip address 192.168.0.5 255.255.255.0

PersianAdmins.com(config-if)# no shutdown

Next, create your virtual-template that will apply to the inbound VPN connections. This template references the e0/0 interface for its IP address. It also references a pool of IP addresses that will be handed out to VPN clients. Finally, it configures the PPP encryption and authentication mechanisms to match what the Microsoft VPN client defaults to:

PersianAdmins.com(config)# interface Virtual-Template1

PersianAdmins.com(config-if)# ip unnumbered ethernet0/0

PersianAdmins.com(config-if)# peer default ip address pool behroozi

PersianAdmins.com(config-if)# ppp encrypt mppe auto required

PersianAdmins.com(config-if)# ppp authentication ms-chap ms-chap-v2

Now, create the pool of IP addresses. This pool should not already be in use on the internal network you are connecting to:

Router(config)# ip local pool behroozi 10.0.0.1 10.0.0.100

After that, create a test user:

Router(config)# username test password 0 rezabehroozi

Lab for dynamips :
[localhost]
[[ROUTER R1]]
image = \Program Files\Dynamips\images\c7200-advipservicesk9-mz.124-4.T1.bin
ram = 160
model = 7200
F0/0 = NIO_gen_eth:\Device\NPF_{45BB7A21-B13A-45BC-AC74-27F694FC0AC7}
Client Configuration:
Click Start | Control Panel | Network Connections, then click New Connection Wizard and follow the wizard.

[Screenshots of the New Connection Wizard steps (pic 1 to pic 10) are not reproduced here.]

Thanks to the author; original link: http://www.en.persianadmins.com/article/cisco/Config_cisco_routers_such_as_a_VPN_server_2007072314.html

In this article we configure a Cisco router for Call Manager. The following series can be used:

2600 , 2800 , 3600 , 3700 , 3800 and 7200

Configuring a 3725 router for Call Manager :


simple configuration :
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PersianAdmins
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 5
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ftp-server write-enable
!
!
interface FastEthernet0/0
ip address 192.168.0.5 255.255.255.0
duplex auto
speed auto
!

!
ip classless
!
ip http server
!
!
control-plane
!
!
telephony-service
max-ephones 2
max-dn 2
ip source-address 192.168.0.5 port 2000
max-conferences 8 gain -6

!
!
ephone-dn 1
number 3000

!
!
ephone-dn 2
number 4000

!
!
ephone 1
mac-address 00FF.A6F8.CBB5
type 7960
button 1:1

!
!
ephone 2
mac-address 000C.2907.82f1
type 7960
button 1:2

!
!
line con 0
line aux 0
line vty 0 4
login
!
!
end

VTGO-PC config :

For the client we can use a Cisco IP Phone of the 79XX series, or a softphone such as VTGO-PC (IPBlue).

In this article we use the softphone and configure it; a trial version is available for download.


Lab for dynamips :

[localhost]
[[ROUTER R1]]
image = \Program Files\Dynamips\images\c3725-ipvoice-mz.123-14.T7.bin
ram = 160
disk0 = 64
disk1 = 64
model = 3725
idlepc = 0x60a6ce04

F0/0 = NIO_gen_eth:\Device\NPF_{45BB7A21-B13A-45BC-AC74-27F694FC0AC7}


Sorry for my English:)