Ipsec vpn routing


Route-Based IPsec VPNs

[email protected]>
  ID: 131074 Virtual-system: root, VPN Name: VPN-to-Host2
  Local Gateway: 172.16.13.1, Remote Gateway: 172.16.23.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
  Port: 500, Nego#: 26, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Tunnel events:
    Fri Jul 23 2021 10:46:34 -0700: IPSec SA negotiation successfully completed (23 times)
    Fri Jul 23 2021 09:07:24 -0700: IKE SA negotiation successfully completed (3 times)
    Thu Jul 22 2021 16:34:17 -0700: Negotiation failed with INVALID_SYNTAX error (3 times)
    Thu Jul 22 2021 16:33:50 -0700: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    Thu Jul 22 2021 16:23:49 -0700: IPSec SA negotiation successfully completed (2 times)
    Thu Jul 22 2021 15:34:12 : IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Thu Jul 22 2021 15:33:25 -0700: IPSec SA negotiation successfully completed (1 times)
    Thu Jul 22 2021 15:33:25 : Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Thu Jul 22 2021 15:33:25 -0700: External interface's address received. Information updated (1 times)
    Thu Jul 22 2021 15:33:25 -0700: Bind-interface's zone received. Information updated (1 times)
    Thu Jul 22 2021 10:34:55 -0700: IKE SA negotiation successfully completed (1 times)
    Thu Jul 22 2021 10:34:46 -0700: No response from peer. Negotiation failed (16 times)
    Direction: inbound, SPI: 912f9063, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3302 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2729 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 71dbaa56, AUX-SPI: 0, VPN Monitoring: -
    Hard lifetime: Expires in 3302 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2729 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
Source: https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/topic-map/security-route-based-ipsec-vpns.html

Set up a routed IPsec Tunnel

Most Site-to-Site VPNs are policy-based, which means you define a local and a remote network (or group of networks). Only traffic matching the defined policy is pushed into the VPN tunnel. As the demand for more complex and fault-tolerant VPN scenarios grew over the years, most major router vendors implemented another kind of VPN: route-based IPsec.

The difference is that the local and remote networks are simply 0.0.0.0/0, so any traffic can travel through the tunnel as long as a route sends it there. A dedicated Virtual Tunnel Interface (VTI) has to be used for this.

There are two benefits for this kind of VPN:

First, you can set up two tunnels to the same gateway and failover when one line goes down. Second, you can run dynamic routing protocols over the tunnel to create more redundant, or software-defined networks.

Note

For a stable setup, we highly advise using plain IPv4 / IPv6 addresses. Although the web interface allows the use of fully qualified domain names (e.g. my.own.domain.xyz), this has side effects (the tunnel device won't react to name changes, for example).

Before you start

Before starting with the configuration of an IPsec tunnel you need to have a working OPNsense installation with a unique LAN IP subnet for each side of your connection (your local network needs a different one than the remote network).

Sample Setup

For the sample configuration we use two OPNsense boxes to simulate a site to site tunnel, with the following configuration:

Site A

  Hostname         fw1
  WAN IP           1.2.3.4/24
  LAN IP           192.168.1.1/24
  LAN DHCP Range   192.168.1.100-192.168.1.200


Site B

  Hostname         fw2
  WAN IP           4.3.2.1/24
  LAN Net          192.168.2.0/24
  LAN DHCP Range   192.168.2.100-192.168.2.200


Full Network Diagram Including IPsec Tunnel

Figure: IPsec Site-to-Site tunnel network

Firewall Rules Site A & Site B (part 1)

To allow IPsec tunnel connections, the following should be allowed on WAN on both sites (under ):

  • Protocol ESP

  • UDP Traffic on port 500 (ISAKMP)

  • UDP Traffic on port 4500 (NAT-T)


Note

You can further limit the traffic by the source IP of the remote host.

Step 1 - Phase 1 Site A

(Under Press +) We will use the following settings:

General information

  Connection method      default    Default is “Start on traffic”
  Key Exchange version   V2
  Internet Protocol      IPv4
  Interface              WAN        Choose the interface connected to the internet
  Remote gateway         4.3.2.1    The public IP address of your remote OPNsense
  Description            Site B     Freely chosen description

Phase 1 proposal (Authentication)

  Authentication method   Mutual PSK             Using a Pre-shared Key
  My identifier           My IP address          Simple identification for fixed IP
  Peer identifier         Peer IP address        Simple identification for fixed IP
  Pre-Shared Key          At4aDMOAOub2NwT6gMHA   Random key. CREATE YOUR OWN!

Phase 1 proposal (Algorithms)

  Encryption algorithm   AES             For our sample we will use AES/256 bits
  Hash algorithm         SHA512          Use a strong hash like SHA512
  DH key group           14 (2048 bit)   2048 bit should be sufficient
  Lifetime               28800 sec       Lifetime before renegotiation

Advanced Options

  Install Policy        Unchecked   This has to be unchecked since we want plain routing
  Disable Rekey         Unchecked   Renegotiate when connection is about to expire
  Disable Reauth        Unchecked   For IKEv2 only re-authenticate peer on rekeying
  NAT Traversal         Disabled    For IKEv2 NAT traversal is always enabled
  Dead Peer Detection   Unchecked

Save your settings by pressing the Save button.

Step 2 - Phase 2 Site A

Press the button that says ‘+ Show 0 Phase-2 entries’. You will see an empty list.

Now press the + at the right of this list to add a Phase 2 entry. As we do not define a local and remote network, we just use tunnel addresses, which you might already know from OpenVPN. In this example we use 10.111.1.1 and 10.111.1.2. These will be the gateway addresses used for routing.

General information

  Mode          Route-based        Select Route-based
  Description   Local LAN Site B   Freely chosen description

Tunnel Network

  Local Address    Local Tunnel IP    Set IP 10.111.1.1
  Remote Address   Remote Tunnel IP   Set IP 10.111.1.2

Phase 2 proposal (SA/Key Exchange)

  Protocol                ESP             Choose ESP for encryption
  Encryption algorithms   AES / 256       For the sample we use AES 256
  Hash algorithms         SHA512          Choose a strong hash like SHA512
  PFS Key group           14 (2048 bit)   Not required but enhanced security
  Lifetime                3600 sec

Save your settings by pressing the Save button. Then enable IPsec for Site A, save, and apply the changes.

You are almost done configuring Site A (only some firewall settings remain, which will be addressed later). We will now proceed with setting up Site B.


Step 3 - Phase 1 Site B

(Under Press +) We will use the following settings:

General information

  Connection method      Default    Default is ‘Start on traffic’
  Key Exchange version   V2
  Internet Protocol      IPv4
  Interface              WAN        Choose the interface connected to the internet
  Remote gateway         1.2.3.4    The public IP address of your remote OPNsense
  Description            Site A     Freely chosen description

Phase 1 proposal (Authentication)

  Authentication method   Mutual PSK             Using a Pre-shared Key
  My identifier           My IP address          Simple identification for fixed IP
  Peer identifier         Peer IP address        Simple identification for fixed IP
  Pre-Shared Key          At4aDMOAOub2NwT6gMHA   Random key. CREATE YOUR OWN!

Phase 1 proposal (Algorithms)

  Encryption algorithm   AES             For our sample we will use AES/256 bits
  Hash algorithm         SHA512          Use a strong hash like SHA512
  DH key group           14 (2048 bit)   2048 bit should be sufficient
  Lifetime               28800 sec       Lifetime before renegotiation

Advanced Options

  Install Policy        Unchecked   This has to be unchecked since we want plain routing
  Disable Rekey         Unchecked   Renegotiate when connection is about to expire
  Disable Reauth        Unchecked   For IKEv2 only re-authenticate peer on rekeying
  NAT Traversal         Disabled    For IKEv2 NAT traversal is always enabled
  Dead Peer Detection   Unchecked

Save your settings by pressing the Save button.

Step 4 - Phase 2 Site B

Press the button that says ‘+ Show 0 Phase-2 entries’. You will see an empty list.

Now press the + at the right of this list to add a Phase 2 entry.

General information

  Mode          Route-based        Select Route-based
  Description   Local LAN Site A   Freely chosen description

Tunnel Network

  Local Address    Local Tunnel IP    Set IP 10.111.1.2
  Remote Address   Remote Tunnel IP   Set IP 10.111.1.1

Phase 2 proposal (SA/Key Exchange)

  Protocol                ESP             Choose ESP for encryption
  Encryption algorithms   AES / 256       For the sample we use AES 256
  Hash algorithms         SHA512          Choose a strong hash like SHA512
  PFS Key group           14 (2048 bit)   Not required but enhanced security
  Lifetime                3600 sec

Save your settings by pressing the Save button. Then enable IPsec for Site B, save, and apply the changes.

Firewall Rules Site A & Site B (part 2)

To allow traffic passing to your LAN subnet you need to add a rule to the IPsec interface (under ).

IPsec Tunnel Ready

The tunnel should now be up and routing between both networks. Go to to see the current status.

Step 5 - Define Gateways

Now that you have the VPN up and running you have to set up a gateway. Go to and add a new gateway.

Gateway Site-A

  Name          VPNGW        Set a name for your gateway
  Interface     IPSEC1000    Choose the IPsec interface
  IP Address    10.111.1.2   Set the peer IP address
  Far Gateway   Checked      This has to be checked as it is a point-to-point connection

Gateway Site-B

  Name          VPNGW        Set a name for your gateway
  Interface     IPSEC1000    Choose the IPsec interface
  IP Address    10.111.1.1   Set the peer IP address
  Far Gateway   Checked      This has to be checked as it is a point-to-point connection

Step 6 - Add Static Routes

Once the gateways are set up you can add a route for the remote network pointing to the new gateway. On Site-A add a route to Site-B and vice versa. Go to .

Route Site-A

  Network Address   192.168.2.0/24   Set the network of Site-B
  Gateway           VPNGW            Select the VPN gateway

Route Site-B

  Network Address   192.168.1.0/24   Set the network of Site-A
  Gateway           VPNGW            Select the VPN gateway

Now you are all set!
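The walkthrough above only works if the two sites mirror each other exactly. As an added example (not part of the OPNsense how-to), the following Python models Site A and Site B with the values from the tables and checks the invariants the procedure relies on: each remote gateway is the peer's WAN IP, PSK and proposals match, Install Policy is unchecked, the Phase 2 tunnel addresses are swapped, the system gateway points at the peer's tunnel IP, the LAN subnets do not overlap, and a static route for the peer LAN goes via VPNGW. The field names are this example's own, not OPNsense configuration keys.

```python
"""Consistency checks for a mirrored route-based IPsec site-to-site setup.

Added example, not part of the OPNsense documentation. Field names are
this example's own; they mirror the how-to's form fields, not OPNsense's
internal configuration keys.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Site:
    name: str
    wan_ip: str                    # public address, the peer's "Remote gateway"
    lan_net: str                   # local LAN; must not overlap the peer's LAN
    remote_gateway: str            # Phase 1: the peer's public address
    psk: str                       # Phase 1: pre-shared key (must match the peer)
    ike_version: int = 2
    p1_proposal: tuple = ("aes256", "sha512", 14, 28800)         # enc, hash, DH, lifetime
    install_policy: bool = False   # must stay unchecked for plain routing
    p2_local: str = ""             # Phase 2: local tunnel IP
    p2_remote: str = ""            # Phase 2: remote tunnel IP
    p2_proposal: tuple = ("esp", "aes256", "sha512", 14, 3600)  # proto, enc, hash, PFS, lifetime
    gateway_name: str = "VPNGW"    # system gateway on the IPsec interface ...
    gateway_ip: str = ""           # ... whose address is the peer's tunnel IP
    far_gateway: bool = True       # required for a point-to-point link
    routes: dict = field(default_factory=dict)  # destination network -> gateway name


def check_pair(a: Site, b: Site) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []

    def expect(cond, msg):
        if not cond:
            findings.append(msg)

    for local, peer in ((a, b), (b, a)):
        expect(local.remote_gateway == peer.wan_ip,
               f"{local.name}: remote gateway {local.remote_gateway} is not "
               f"{peer.name}'s WAN IP {peer.wan_ip}")
        expect(not local.install_policy,
               f"{local.name}: Install Policy must be unchecked for route-based mode")
        # Phase 2 tunnel addresses are mirrored: my local IP is the peer's remote IP
        expect(local.p2_local == peer.p2_remote,
               f"{local.name}: local tunnel IP {local.p2_local} differs from "
               f"{peer.name}'s remote tunnel IP {peer.p2_remote}")
        # the system gateway is reached point-to-point at the peer's tunnel IP
        expect(local.gateway_ip == local.p2_remote,
               f"{local.name}: gateway IP {local.gateway_ip} is not the remote "
               f"tunnel IP {local.p2_remote}")
        expect(local.far_gateway, f"{local.name}: Far Gateway must be checked")
        # without a route for the peer's LAN via the VPN gateway nothing enters the tunnel
        expect(local.routes.get(peer.lan_net) == local.gateway_name,
               f"{local.name}: no static route for {peer.lan_net} via {local.gateway_name}")

    expect(a.psk == b.psk, "pre-shared keys differ between the sites")
    expect(a.ike_version == b.ike_version, "IKE versions differ between the sites")
    expect(a.p1_proposal == b.p1_proposal, "Phase 1 proposals differ between the sites")
    expect(a.p2_proposal == b.p2_proposal, "Phase 2 proposals differ between the sites")
    lan_a, lan_b = ipaddress.ip_network(a.lan_net), ipaddress.ip_network(b.lan_net)
    expect(not lan_a.overlaps(lan_b),
           f"LAN subnets {lan_a} and {lan_b} overlap; the routes cannot tell them apart")
    return findings


def sample_sites() -> tuple:
    """Site A and Site B as in the walkthrough (the PSK is the page's sample key)."""
    site_a = Site(name="Site A", wan_ip="1.2.3.4", lan_net="192.168.1.0/24",
                  remote_gateway="4.3.2.1", psk="At4aDMOAOub2NwT6gMHA",
                  p2_local="10.111.1.1", p2_remote="10.111.1.2",
                  gateway_ip="10.111.1.2", routes={"192.168.2.0/24": "VPNGW"})
    site_b = Site(name="Site B", wan_ip="4.3.2.1", lan_net="192.168.2.0/24",
                  remote_gateway="1.2.3.4", psk="At4aDMOAOub2NwT6gMHA",
                  p2_local="10.111.1.2", p2_remote="10.111.1.1",
                  gateway_ip="10.111.1.1", routes={"192.168.1.0/24": "VPNGW"})
    return site_a, site_b


if __name__ == "__main__":
    a, b = sample_sites()
    print("consistent" if not check_pair(a, b) else check_pair(a, b))
    # a classic mistake from the "Before you start" section: both sites on the same LAN subnet
    b.lan_net = "192.168.1.0/24"
    for finding in check_pair(a, b):
        print("finding:", finding)
```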

Source: https://docs.opnsense.org/manual/how-tos/ipsec-s2s-route.html

Table Of Contents

Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation

Configure a VPN

Configure the IKE Policy

Configure Group Policy Information

Enable Policy Lookup

Configure IPSec Transforms and Protocols

Configure the IPSec Crypto Method and Parameters

Apply the Crypto Map to the Physical Interface

Configure a GRE Tunnel

Configuration Example


Configuring VPNs Using an IPSec Tunnel and Generic Routing Encapsulation


The Cisco 850 and Cisco 870 series routers support the creation of virtual private networks (VPNs).

Cisco routers and other broadband devices provide high-performance connections to the Internet, but many applications also require the security of VPN connections which perform a high level of authentication and which encrypt the data between two particular endpoints.

Two types of VPNs are supported—site-to-site and remote access. Site-to-site VPNs are used to connect branch offices to corporate offices, for example. Remote access VPNs are used by remote clients to log in to a corporate network.

The example in this chapter illustrates the configuration of a site-to-site VPN that uses IPSec and the generic routing encapsulation (GRE) protocol to secure the connection between the branch office and the corporate network. Figure 7-1 shows a typical deployment scenario.

Figure 7-1 Site-to-Site VPN Using an IPSec Tunnel and GRE

  1  Branch office containing multiple LANs and VLANs
  2  Fast Ethernet LAN interface—With address 192.168.0.0/16 (also the inside interface for NAT)
  3  VPN client—Cisco 850 or Cisco 870 series access router
  4  Fast Ethernet or ATM interface—With address 200.1.1.1 (also the outside interface for NAT)
  5  LAN interface—Connects to the Internet; with outside interface address of 210.110.101.1
  6  VPN client—Another router, which controls access to the corporate network
  7  LAN interface—Connects to the corporate network, with inside interface address of 10.1.1.1
  8  Corporate office network
  9  IPSec tunnel with GRE


GRE Tunnels

GRE tunnels are typically used to establish a VPN between the Cisco router and a remote device that controls access to a private network, such as a corporate network. Traffic forwarded through the GRE tunnel is encapsulated and routed out onto the physical interface of the router. When a GRE interface is used, the Cisco router and the router that controls access to the corporate network can support dynamic IP routing protocols to exchange routing updates over the tunnel, and to enable IP multicast traffic. Supported IP routing protocols include Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP), Intermediate System-to-Intermediate System (IS-IS), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).


Note When IP Security (IPSec) is used with GRE, the access list for encrypting traffic does not list the desired end network and applications, but instead refers to the permitted source and destination of the GRE tunnel in the outbound direction. All packets forwarded to the GRE tunnel are encrypted if no further access control lists (ACLs) are applied to the tunnel interface.


VPNs

VPN configuration information must be configured on both endpoints; for example, on your Cisco router and at the remote user, or on your Cisco router and on another router. You must specify parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, and Network Address Translation (NAT).

Configuration Tasks

Perform the following tasks to configure this network scenario:

Configure a VPN

Configure a GRE Tunnel

A configuration example showing the results of these configuration tasks is provided in the "Configuration Example" section.


Note The procedures in this chapter assume that you have already configured basic router features as well as PPPoE or PPPoA with NAT, DHCP, and VLANs. If you have not performed these configuration tasks, see Chapter 1 "Basic Router Configuration," Chapter 3 "Configuring PPP over Ethernet with NAT," Chapter 4 "Configuring PPP over ATM with NAT," and Chapter 5 "Configuring a LAN with DHCP and VLANs," as appropriate for your router.


Configure a VPN

Perform the following tasks to configure a VPN over an IPSec tunnel:

Configure the IKE Policy

Configure Group Policy Information

Enable Policy Lookup

Configure IPSec Transforms and Protocols

Configure the IPSec Crypto Method and Parameters

Apply the Crypto Map to the Physical Interface

Configure the IKE Policy

Perform these steps to configure the Internet Key Exchange (IKE) policy, beginning in global configuration mode:

 

Step 1  crypto isakmp policy priority
        Example: Router(config)# crypto isakmp policy 1
        Creates an IKE policy that is used during IKE negotiation. The priority is a number from 1 to 10000, with 1 being the highest. Also enters Internet Security Association and Key Management Protocol (ISAKMP) policy configuration mode.

Step 2  encryption {des | 3des | aes | aes 192 | aes 256}
        Example: Router(config-isakmp)# encryption 3des
        Specifies the encryption algorithm used in the IKE policy. The example uses 168-bit Data Encryption Standard (DES).

Step 3  hash {md5 | sha}
        Example: Router(config-isakmp)# hash md5
        Specifies the hash algorithm used in the IKE policy. The example specifies the Message Digest 5 (MD5) algorithm. The default is Secure Hash standard (SHA-1).

Step 4  authentication {rsa-sig | rsa-encr | pre-share}
        Example: Router(config-isakmp)# authentication pre-share
        Specifies the authentication method used in the IKE policy. The example uses a pre-shared key.

Step 5  group {1 | 2 | 5}
        Example: Router(config-isakmp)# group 2
        Specifies the Diffie-Hellman group to be used in the IKE policy.

Step 6  lifetime seconds
        Example: Router(config-isakmp)# lifetime 480
        Specifies the lifetime, 60-86400 seconds, for an IKE security association (SA).

Step 7  exit
        Example: Router(config-isakmp)# exit
        Exits IKE policy configuration mode, and enters global configuration mode.

Configure Group Policy Information

Perform these steps to configure the group policy, beginning in global configuration mode:

 

Step 1  crypto isakmp client configuration group {group-name | default}
        Example: Router(config)# crypto isakmp client configuration group rtr-remote
                 Router(config-isakmp-group)#
        Creates an IKE policy group that contains attributes to be downloaded to the remote client. Also enters Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode.

Step 2  key name
        Example: Router(config-isakmp-group)# key secret-password
        Specifies the IKE pre-shared key for the group policy.

Step 3  dns primary-server
        Example: Router(config-isakmp-group)# dns 10.50.10.1
        Specifies the primary Domain Name Service (DNS) server for the group.
        Note: You may also want to specify Windows Internet Naming Service (WINS) servers for the group by using the wins command.

Step 4  domain name
        Example: Router(config-isakmp-group)# domain company.com
        Specifies group domain membership.

Step 5  exit
        Example: Router(config-isakmp-group)# exit
        Exits IKE group policy configuration mode, and enters global configuration mode.

Step 6  ip local pool {default | poolname} [low-ip-address [high-ip-address]]
        Example: Router(config)# ip local pool dynpool 30.30.30.20 30.30.30.30
        Specifies a local address pool for the group. For details about this command and additional parameters that can be set, see the Cisco IOS Dial Technologies Command Reference.

Enable Policy Lookup

Perform these steps to enable policy lookup through AAA, beginning in global configuration mode:

 

Step 1  aaa new-model
        Example: Router(config)# aaa new-model
        Enables the AAA access control model.

Step 2  aaa authentication login {default | list-name} method1 [method2...]
        Example: Router(config)# aaa authentication login rtr-remote local
        Specifies AAA authentication of selected users at login, and specifies the method used. This example uses a local authentication database. You could also use a RADIUS server for this. See the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for details.

Step 3  aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} [method1 [method2...]]
        Example: Router(config)# aaa authorization network rtr-remote local
        Specifies AAA authorization of all network-related service requests, including PPP, and the method used to do so. This example uses a local authorization database. You could also use a RADIUS server for this. See the Cisco IOS Security Configuration Guide and the Cisco IOS Security Command Reference for details.

Step 4  username name {nopassword | password password | password encryption-type encrypted-password}
        Example: Router(config)# username cisco password 0 cisco
        Establishes a username-based authentication system. This example implements a username of cisco with an encrypted password of cisco.

Configure IPSec Transforms and Protocols

A transform set represents a certain combination of security protocols and algorithms. During IKE negotiation, the peers agree to use a particular transform set for protecting data flow.

During IKE negotiations, the peers search in multiple transform sets for a transform that is the same at both peers. When such a transform set is found, it is selected and applied to the protected traffic as a part of both peers' configurations.

Perform these steps to specify the IPSec transform set and protocols, beginning in global configuration mode:

 

Step 1  crypto ipsec transform-set transform-set-name transform1 [transform2] [transform3] [transform4]
        Example: Router(config)# crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
        Defines a transform set: an acceptable combination of IPSec security protocols and algorithms. See the Cisco IOS Security Command Reference for detail about the valid transforms and combinations.

Step 2  crypto ipsec security-association lifetime {seconds seconds | kilobytes kilobytes}
        Example: Router(config)# crypto ipsec security-association lifetime seconds 86400
        Specifies global lifetime values used when negotiating IPSec security associations. See the Cisco IOS Security Command Reference for details.


Note With manually established security associations, there is no negotiation with the peer, and both sides must specify the same transform set.


Configure the IPSec Crypto Method and Parameters

A dynamic crypto map policy processes negotiation requests for new security associations from remote IPSec peers, even if the router does not know all the crypto map parameters (for example, IP address).

Perform these steps to configure the IPSec crypto method, beginning in global configuration mode:

 

Step 1  crypto dynamic-map dynamic-map-name dynamic-seq-num
        Example: Router(config)# crypto dynamic-map dynmap 1
                 Router(config-crypto-map)#
        Creates a dynamic crypto map entry, and enters crypto map configuration mode. See the Cisco IOS Security Command Reference for more detail about this command.

Step 2  set transform-set transform-set-name [transform-set-name2...transform-set-name6]
        Example: Router(config-crypto-map)# set transform-set vpn1
        Specifies which transform sets can be used with the crypto map entry.

Step 3  reverse-route
        Example: Router(config-crypto-map)# reverse-route
        Creates source proxy information for the crypto map entry. See the Cisco IOS Security Command Reference for details.

Step 4  exit
        Example: Router(config-crypto-map)# exit
        Enters global configuration mode.

Step 5  crypto map map-name seq-num [ipsec-isakmp] [dynamic dynamic-map-name] [discover] [profile profile-name]
        Example: Router(config)# crypto map static-map 1 ipsec-isakmp dynamic dynmap
        Creates a crypto map profile.

Apply the Crypto Map to the Physical Interface

The crypto maps must be applied to each interface through which IPSec traffic flows. Applying the crypto map to the physical interface instructs the router to evaluate all the traffic against the security associations database. With the default configurations, the router provides secure connectivity by encrypting the traffic sent between remote sites. However, the public interface still allows the rest of the traffic to pass and provides connectivity to the Internet.

Perform these steps to apply a crypto map to an interface, beginning in global configuration mode:

 

Step 1  interface type number
        Example: Router(config)# interface fastethernet 4
        Enters interface configuration mode for the interface to which you want to apply the crypto map.

Step 2  crypto map map-name
        Example: Router(config-if)# crypto map static-map
        Applies the crypto map to the interface. See the Cisco IOS Security Command Reference for more detail about this command.

Step 3  exit
        Enters global configuration mode.

Configure a GRE Tunnel

Perform these steps to configure a GRE tunnel, beginning in global configuration mode:

 

Step 1  interface type number
        Example: Router(config)# interface tunnel 1
        Creates a tunnel interface and enters interface configuration mode.

Step 2  ip address ip-address subnet-mask
        Example: Router(config-if)# ip address 10.62.1.193 255.255.255.255
        Assigns an address to the tunnel.

Step 3  tunnel source interface-type number
        Example: Router(config-if)# tunnel source fastethernet 0
        Specifies the source endpoint of the router for the GRE tunnel.

Step 4  tunnel destination default-gateway-ip-address
        Example: Router(config-if)# tunnel destination 192.168.101.1
        Specifies the destination endpoint of the router for the GRE tunnel.

Step 5  crypto map map-name
        Example: Router(config-if)# crypto map static-map
        Assigns a crypto map to the tunnel.
        Note: Dynamic routing or static routes to the tunnel interface must be configured to establish connectivity between the sites. See the Cisco IOS Security Configuration Guide for details.

Step 6  exit
        Exits interface configuration mode, and returns to global configuration mode.

Step 7  ip access-list {standard | extended} access-list-name
        Example: Router(config)# ip access-list extended vpnstatic1
        Enters ACL configuration mode for the named ACL that is used by the crypto map.

Step 8  permit protocol source source-wildcard destination destination-wildcard
        Example: Router(config-acl)# permit gre host 192.168.100.1 host 192.168.101.1
        Specifies that only GRE traffic is permitted on the outbound interface.

Step 9  exit
        Returns to global configuration mode.

Configuration Example

The following configuration example shows a portion of the configuration file for a VPN using a GRE tunnel scenario described in the preceding sections.

aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
username cisco password 0 cisco
ip address 10.62.1.193 255.255.255.252
tunnel source fastethernet 0
tunnel destination interface 192.168.101.1
ip route 20.20.20.0 255.255.255.0 tunnel 1
crypto isakmp client configuration group rtr-remote
dns 10.50.10.1 10.60.10.1
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 86400
crypto dynamic-map dynmap 1
crypto map static-map 1 ipsec-isakmp dynamic dynmap
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
! Defines the key association and authentication for IPSec tunnel.
crypto isakmp key cisco123 address 200.1.1.1
! Defines encryption and transform set for the IPSec tunnel.
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
! Associates all crypto values and peering address for the IPSec tunnel.
crypto map to_corporate 1 ipsec-isakmp
! VLAN 1 is the internal interface
ip address 10.1.1.1 255.255.255.0
ip inspect firewall in ! Inspection examines outbound traffic.
! FE4 is the outside or Internet-exposed interface
ip address 210.110.101.21 255.255.255.0
! acl 103 permits IPSec traffic from the corp. router as well as
! denies Internet-initiated traffic inbound.
crypto map to_corporate ! Applies the IPSec tunnel to the outside interface.
! Utilize NAT overload in order to make best use of the
! single address provided by the ISP.
ip nat inside source list 102 interface Ethernet1 overload
ip route 0.0.0.0 0.0.0.0 210.110.101.1
! acl 102 associated addresses used for NAT.
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
! acl 103 defines traffic allowed from the peer for the IPSec tunnel.
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allow ICMP for debugging but should be disabled because of security implications.
access-list 103 permit icmp any any
access-list 103 deny ip any any ! Prevents Internet-initiated traffic inbound.
! acl 105 matches addresses for the IPSec tunnel to or from the corporate network.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
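The comments in the configuration example say what ACL 103 is meant to do; the following Python, an added example that is not from the Cisco guide, parses the numbered access-list lines from that example and evaluates sample packets against ACL 103 the way the router does (first match wins, implicit deny at the end). It confirms that only ISAKMP and ESP from the peer 200.1.1.1 reach the outside interface, and makes the "Allow ICMP for debugging" comment concrete: that entry admits ICMP from any Internet host, which is what broad_permits() flags. The packet tuples and the outside address 210.110.101.21 are taken from the example; the ACL text is copied from it.

```python
"""Evaluate the numbered IOS access lists from the configuration example.

Added example, not part of the Cisco guide. It understands the subset of
numbered extended ACL syntax used on this page: permit/deny, a protocol,
'any' / 'host A' / 'A wildcard' address specs, and an optional 'eq port'
after either address. First match wins; an unmatched packet is denied.
"""
import ipaddress

# ACL lines copied from the configuration example above (102, 103 and 105)
SAMPLE_CONFIG = """
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 103 permit udp host 200.1.1.1 any eq isakmp
access-list 103 permit udp host 200.1.1.1 eq isakmp any
access-list 103 permit esp host 200.1.1.1 any
! Allow ICMP for debugging but should be disabled because of security implications.
access-list 103 permit icmp any any
access-list 103 deny ip any any ! Prevents Internet-initiated traffic inbound.
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
"""

NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500}


def _parse_addr(tokens, i):
    """Consume an address spec at tokens[i]; return (matcher, is_any, next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), True, i + 1
    if tok == "host":
        host = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip, h=host: ip == h), False, i + 2
    # network plus wildcard mask: bits set in the wildcard are "don't care"
    net = int(ipaddress.ip_address(tok))
    wild = int(ipaddress.ip_address(tokens[i + 1]))
    return (lambda ip, n=net, w=wild: (int(ip) | w) == (n | w)), False, i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq <port>'; return (port or None, next_index)."""
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        return (NAMED_PORTS[port] if port in NAMED_PORTS else int(port)), i + 2
    return None, i


def parse_acl(config_text, number):
    """Return the entries of ACL <number> in configuration order, as dicts."""
    entries = []
    for raw in config_text.splitlines():
        line = raw.split("!")[0].strip()          # drop trailing IOS comments
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", str(number)]:
            continue
        src, src_any, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, dst_any, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append({"action": t[2], "proto": t[3], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "any_any": src_any and dst_any,
                        "text": line})
    return entries


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """Return (action, matching line) for a packet; unmatched packets are denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if not (e["src"](s) and e["dst"](d)):
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["text"]
    return "deny", "implicit deny"


def broad_permits(entries):
    """Lines that permit a protocol from any source to any destination."""
    return [e["text"] for e in entries if e["action"] == "permit" and e["any_any"]]


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_CONFIG, 103)
    outside = "210.110.101.21"                        # FE4 address from the example
    for pkt in (("udp", "200.1.1.1", outside, 500, 500),     # IKE from the peer
                ("esp", "200.1.1.1", outside, None, None),    # ESP from the peer
                ("tcp", "203.0.113.5", outside, 40000, 22),   # SSH from the Internet
                ("icmp", "203.0.113.5", outside, None, None)):  # ping from the Internet
        print(pkt[:3], "->", evaluate(acl, *pkt))
    print("overly broad:", broad_permits(acl))
```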
Source: https://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/vpngre.html

Route based vs Policy based VPNs

 

 

Most firewalls support policy based and route based VPN models. In most cases it doesn't really matter which one you use, but there are a couple of things to consider regarding the use cases and differences, as described below.

A route based VPN creates a virtual IPsec interface, and whatever traffic hits that interface is encrypted and decrypted according to the phase 1 and phase 2 IPsec settings.

Static routes are required for a route based VPN, so anything destined to the remote network must go through the virtual IPsec interface which was created when specifying this within the Phase 1 settings. Security policies will be created to permit access between the source and destination addresses over the VPN tunnel in the standard way.

In a policy based VPN, the VPN tunnel is specified within the security policy itself with a special action of "IPsec" or "Encrypt", or something similar depending on the firewall technology used. Typically, for a policy based VPN, only one policy is required. A route based VPN is created with two or more policies, one for inbound and another for outbound, with a normal "Accept" action.

Route based VPN vs Policy based VPN

A route based VPN is required when there is a requirement for redundant VPN connections, or when there is a need for dynamic routing within a VPN tunnel. A route based VPN only works in route (layer 3) mode, whereas a policy based VPN works in both route and transparent mode, and a policy based VPN is simpler to create.

 

Conclusion

A route based VPN is more flexible, more powerful and recommended over policy based VPN. However a policy based VPN is usually simpler to create.

If your requirement is to create redundant VPN connections and/or you need to run dynamic routing, and your firewall is in route/NAT (layer 3) mode (99% of the time it is), then use a route based VPN model. If you don't require redundant VPN connections or dynamic routing, then you can use a policy based VPN. There are other reasons to use one or the other as well, but they are rarely required.

 

 


Source: http://www.internet-computer-security.com/VPN-Guide/Policy-based-vs-Route-based-VPN.html
