When would you need this: When you want to create a secure tunnel to transfer data between two sites without using a VPN concentrator or other dedicated security devices.

Special Requirements: The routers used must support IPSec; most Cisco routers do. Both sides must also connect to the Internet using a static public IP address.

We will go through the steps to be done on one side; the same steps must then be repeated on the other side. Encryption of the data depends on a shared key, so no CA or RSA infrastructure is needed.

1. Create an Internet Key Exchange (IKE) policy. The policy used in our case is policy number 9, because this policy requires a pre-shared key.

Router(config)#crypto isakmp policy 9

Router(config-isakmp)#hash md5

Router(config-isakmp)#authentication pre-share


2. Set up the shared key that will be used for the VPN,

Router(config)#crypto isakmp key VPNKEY address XXX.XXX.XXX.XXX

where,

VPNKEY is the shared key that you will use for the VPN; remember to set the same key on the other end.

XXX.XXX.XXX.XXX is the static public IP address of the other end.

3. Now we set the lifetime for the IPSec security associations,

Router(config)#crypto ipsec security-association lifetime seconds YYYYY

where YYYYY is the security-association lifetime in seconds. A commonly used value is 86400, which is one day.

4. Configure an extended access-list to define the traffic that is allowed to be directed through the VPN link,

Router(config)#access-list AAA permit ip SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK

where,

AAA is the access-list number.

SSS.SSS.SSS.SSS WIL.DCA.RDM.ASK is the source network (address and wildcard mask) of the data allowed to use the VPN link.

DDD.DDD.DDD.DDD WIL.DCA.RDM.ASK is the destination network of the data that needs to pass through the VPN link.

5. Define the transform set that will be used for this VPN connection,

Router(config)#crypto ipsec transform-set SETNAME BBBB CCCCC

where,

“SETNAME” is the name of the transform set. You can choose any name you like.

BBBB and CCCCC are the transforms that make up the set. I recommend using “esp-3des esp-md5-hmac”. You can also use “esp-3des esp-sha-hmac”. Either of the two will do the job.

6. After defining all of the above, we need to create a crypto map that associates the access-list, the other site (the peer) and the transform set.

Router(config)#crypto map MAPNAME PRIORITY ipsec-isakmp

Router(config-crypto-map)#set peer XXX.XXX.XXX.XXX

Router(config-crypto-map)#set transform-set SETNAME

Router(config-crypto-map)#match address AAA

where,

MAPNAME is a name of your choice for the crypto map.

PRIORITY is the priority of this map relative to other maps to the same destination. If this is your only crypto map, give it any number, for example 10.

XXX.XXX.XXX.XXX is the static public IP address of the other end.

SETNAME is the name of the transform set that we configured in step 5.

AAA is the number of the access-list that we created to define the traffic in step 4.

7. The last step is to bind the crypto map to the interface that connects the router to the other end.

Router(config-if)#crypto map MAPNAME

where MAPNAME is the name of the crypto map that we defined in step 6.

Now repeat these steps on the other end, and remember to use the same key along with the same authentication method and transform set.

Note: If you want to implement multiple VPN connections to multiple sites, you can do this by repeating steps 2 to 7 (except step 3) for each VPN connection. The different crypto maps and their assignments differentiate between the different VPN connections.
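Putting the seven steps together: the following is an added example (written for this page, not code from the original post) that renders the configuration for both routers from one set of parameters and then cross-checks the two sides the way you would when the tunnel refuses to come up: same pre-shared key, same ISAKMP hash and authentication method, same transforms, each router's "set peer" equal to the address in its key statement, the crypto map bound to an interface, and the two crypto access-lists as mirror images of each other. The site names, the public addresses (taken from the RFC 5737 documentation range), the LAN ranges, the key, the access-list number and the map and set names are all constructed values; the IOS commands themselves are the ones the post walks through.

```python
"""Render and cross-check both halves of a pre-shared-key IPSec site-to-site
configuration (added example; helper names and all sample values are assumed)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    public_ip: str      # static public address on the Internet-facing interface
    lan: str            # network behind this router that may use the tunnel
    wildcard: str       # IOS wildcard mask for that network
    wan_interface: str  # interface the crypto map is bound to (step 7)


@dataclass(frozen=True)
class TunnelParams:
    psk: str                                  # VPNKEY, identical on both ends (step 2)
    transform: str = "esp-3des esp-md5-hmac"  # the post's recommended set (step 5)
    sa_lifetime: int = 86400                  # YYYYY, one day (step 3)
    acl: int = 101                            # AAA (step 4)
    set_name: str = "VPNSET"                  # SETNAME
    map_name: str = "VPNMAP"                  # MAPNAME
    map_priority: int = 10                    # PRIORITY (step 6)
    policy: int = 9                           # ISAKMP policy number (step 1)


def render_site(local: Site, peer: Site, p: TunnelParams) -> str:
    """Steps 1-7 for ONE router; call again with the sites swapped for the other end."""
    lines = [
        f"crypto isakmp policy {p.policy}",
        " hash md5",
        " authentication pre-share",
        f"crypto isakmp key {p.psk} address {peer.public_ip}",
        f"crypto ipsec security-association lifetime seconds {p.sa_lifetime}",
        # Source is the LOCAL LAN, destination the remote LAN: on the other
        # router this line must be the mirror image, or phase 2 never matches.
        f"access-list {p.acl} permit ip {local.lan} {local.wildcard} "
        f"{peer.lan} {peer.wildcard}",
        f"crypto ipsec transform-set {p.set_name} {p.transform}",
        f"crypto map {p.map_name} {p.map_priority} ipsec-isakmp",
        f" set peer {peer.public_ip}",
        f" set transform-set {p.set_name}",
        f" match address {p.acl}",
        f"interface {local.wan_interface}",
        f" crypto map {p.map_name}",
    ]
    return "\n".join(lines) + "\n"


def _grab(cfg: str, pattern: str) -> tuple:
    """Groups of the first line-anchored match, or a tuple of Nones."""
    m = re.search(pattern, cfg, re.M)
    return m.groups() if m else (None,) * re.compile(pattern).groups


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Cross-check two configs (rendered or pasted from 'show running-config');
    returns a list of mismatches, empty when the two ends agree."""
    problems = []
    key_a, peer_a = _grab(cfg_a, r"^crypto isakmp key (\S+) address (\S+)")
    key_b, peer_b = _grab(cfg_b, r"^crypto isakmp key (\S+) address (\S+)")
    if key_a != key_b:
        problems.append("pre-shared key differs between the two ends")
    for what, pat in (("ISAKMP hash", r"^ hash (\S+)"),
                      ("ISAKMP authentication", r"^ authentication (\S+)")):
        if _grab(cfg_a, pat) != _grab(cfg_b, pat):
            problems.append(f"{what} differs between the two ends")
    (ts_a,) = _grab(cfg_a, r"^crypto ipsec transform-set \S+ (.+)$")
    (ts_b,) = _grab(cfg_b, r"^crypto ipsec transform-set \S+ (.+)$")
    if ts_a != ts_b:
        problems.append(f"transform set differs: {ts_a!r} vs {ts_b!r}")
    for tag, cfg, key_addr in (("A", cfg_a, peer_a), ("B", cfg_b, peer_b)):
        (set_peer,) = _grab(cfg, r"^ set peer (\S+)")
        if set_peer != key_addr:
            problems.append(f"side {tag}: set peer {set_peer} != key address {key_addr}")
        if not re.search(r"^ crypto map \S+$", cfg, re.M):
            problems.append(f"side {tag}: crypto map is not bound to any interface")
    acl_pat = r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)"
    acl_a, acl_b = _grab(cfg_a, acl_pat), _grab(cfg_b, acl_pat)
    if acl_a[:2] != acl_b[2:] or acl_a[2:] != acl_b[:2]:
        problems.append("crypto access-lists are not mirror images of each other")
    return problems


# Constructed sample sites: RFC 5737 public addresses, RFC 1918 LANs.
HQ = Site("hq", "198.51.100.1", "10.1.0.0", "0.0.255.255", "FastEthernet0/0")
BRANCH = Site("branch", "203.0.113.2", "10.2.0.0", "0.0.255.255", "FastEthernet0/0")
PARAMS = TunnelParams(psk="VPNKEY")


def build_pair(a: Site = HQ, b: Site = BRANCH, p: TunnelParams = PARAMS) -> tuple:
    """Configuration text for (a, b), each with the other as its peer."""
    return render_site(a, b, p), render_site(b, a, p)


if __name__ == "__main__":
    hq_cfg, br_cfg = build_pair()
    print(hq_cfg)
    print(br_cfg)
    print("consistent:", check_pair(hq_cfg, br_cfg) == [])
    # Classic mistake: pasting the HQ access-list onto the branch unmirrored.
    broken = br_cfg.replace(
        "access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255",
        "access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255")
    print(check_pair(hq_cfg, broken))
```

The checker deliberately reads the same text that "show running-config" produces for these lines, so the same function can be pointed at two real configurations pasted into files before you start walking through "show crypto isakmp sa" on each end.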

For troubleshooting purposes, you can use the following commands:

show crypto isakmp sa

show crypto ipsec sa

show crypto engine connections active

show crypto map


This article discusses setting up an integrated IPSec/L2TP VPN using RADIUS and integrating it with Microsoft Windows clients.

Introduction and Planning

The software installed is going to be based on Debian packages as far as possible.

If we need to rely on a product not within Debian, then its source code will be retrieved and rebuilt.

Sometimes the Debian packages are available but have a compilation feature switched off (usually SSL support).

Where necessary, that Debian package will need to be recompiled too.

Overall Setup

The goal of this article is to set up a Linux based VPN server compatible with MS-Windows IPSec/L2TP clients, where users are authenticated against a RADIUS server.

Each main service in this document should have its own IP address assigned to it. That way services can be moved to different hosts in the future.

Since the VPN server uses the ppp daemon as part of its solution, a separate IP needs to be allocated to it as well.

It is the point where the VPN tunnels terminate and route into the network.

For this document, the IP addresses assigned to the services are as follows.

Note that these will need to change based on your real-world rollout.

  Base Operating System:	10.10.0.216
  MySQL Database Server:	10.10.0.217
  FreeRADIUS Server:		10.10.0.218
  IPSec VPN Server:		10.10.0.219
  ppp Device:			10.10.0.220

OpenVPN Server Setup on Linux   June 4th, 2010

In this howto we will learn how to set up an SSL based secure VPN server on Linux. We will achieve this through OpenVPN. OpenVPN is a free and open source virtual private network program for creating point-to-point or server-to-multiclient encrypted tunnels.

Let’s install and configure our VPN server. The first thing we have to ensure is that we are logged in as root. Secondly, OpenVPN is not in the base repository of Red Hat/CentOS/Fedora etc. We need the RPMforge (Dag Wieers) repository for OpenVPN.

cd /tmp
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
wget http://dag.wieers.com/rpm/packages/rpmforge-release/rpmforge-release-0.3.6-1.el4.rf.i386.rpm
rpm -ivh rpmforge-release-0.3.6-1.el4.rf.i386.rpm

If you are installing OpenVPN from an RPM package, don’t forget to install the LZO package as well.

Then issue the following command to install OpenVPN:

yum install -y openvpn