This chapter includes sample configurations. The configuration is in the text file format, with section heads in brackets. See the "Using a Text Configuration File" section and the "Text File Formatting" section for more information about text configurations.
You can keep each customer's network secure and separate from the others by binding that customer's VPN group to its own Frame Relay DLCI. The following figure shows three customers connecting to the same concentrator HSSI or DS3 port over Frame Relay. Company A uses IP and IPX. User authentication is done through a RADIUS server.

```
[ General ]
Password = mypassword
DeviceName = mydevice

[ IP WAN 0:0 ]
mode = Routed
IPAddress = 136.5.8.1
SubnetMask = 255.255.255.0
RIPVersion = V2
Numbered = On

[IP WAN 1:0]
mode = Routed
IPAddress = 128.15.7.1
SubnetMask = 255.255.255.0
RIPVersion = V2
Numbered = On

[ IPX WAN 0:0 ]
mode = Routed
Numbered = On
Net = 18

[ IPX WAN 1:0 ]
mode = Routed
Numbered = On
Net = 17

[ Link Config WAN 0:0 ]
mode = framerelay

[ Link Config WAN 1:0 ]
mode = framerelay

[ IKE POLICY ]
Protection = MD5_DES_G1

[ Logging ]
Level = Debug
LogToAuxPort = On

[ Domain Name Server ]
PrimaryServer = 128.15.8.9

[ Time Server ]
Enabled = On
ServerAddress = 128.15.8.23
Adjust = -420

[ Appletalk Default ]
# Default sets the value for all ports unless
# otherwise specified.
mode = off

[ IP Static ]
0.0.0.0 0.0.0.0 128.15.7.2 1

[ RADIUS ]
PrimAddress = radius.cisco.com
Secret = Myradiussecret
Challengetype = PAP
PAPAuthSecret = MyPAPsecret

[ VPN Group "CompanyA" ]
Transform = esp(3des,md5)
VPNgroupDLCI = 16
MaxConnections = 254
LocalIPNet = 10.1.2.0/24
ipnet = 10.1.1.0/24
LocalIPXNet = 21

[ VPN Group "CompanyB" ]
Transform = esp(3des,md5)
VPNgroupDLCI = 17
MaxConnections = 254
LocalIPNet = 10.2.2.0/24
ipnet = 10.2.1.0/24

[ VPN Group "CompanyC" ]
Transform = esp(3des,md5)
VPNgroupDLCI = 18
MaxConnections = 254
LocalIPNet = 10.3.2.0/24
ipnet = 10.3.1.0/24
```
The following figure shows an example VPN with two customer sites connecting to the ISP at two geographical locations. Remote users who connect to either server can access the networks at both customer sites.

The following configuration applies to the Denver VPN 5008 concentrator 1 connected to the Boulder site.
```
[ General ]
Password = mypassword
DeviceName = DenverVPN

[ IP WAN 0:0 ]
Mode = Routed
IPAddress = 181.17.60.2
SubnetMask = 255.255.255.0
OSPFEnabled = On
Numbered = On
OSPFAreaID = 1

[ IP WAN 1:0 ]
mode = Routed
IPAddress = 181.17.55.10
SubnetMask = 255.255.255.0
Numbered = On
OSPFenabled = On

[ Link Config WAN 0:0 ]
mode = framerelay

[ Link Config WAN 1:0 ]
mode = framerelay

[ IKE POLICY ]
Protection = MD5_DES_G1

[ Logging ]
Level = Debug
LogToAuxPort = On

[ Domain Name Server ]
PrimaryServer = 181.17.67.14

[ Time Server ]
Enabled = On
ServerAddress = 181.17.67.15
Adjust = -420

[ Appletalk Default ]
# Default sets the value for all ports unless
# otherwise specified.
mode = off

[ IPX Default ]
Mode = Off

[ IP Static ]
0.0.0.0 0.0.0.0 181.17.55.1 1

[ OSPF Area 1 ]
OSPFAuthtype = None
StubArea = On
StubDefaultCost = 20

[ VPN Group "Denver" ]
Transform = esp(3des,md5)
MaxConnections = 254
LocalIPNet = 203.78.91.0/24
ipnet = 203.78.90.0/24
ipnet = 203.78.89.0/24
SecurIDRequired = On
VPNGroupDLCI = 21

[ SecurID ]
PrimaryServer = 181.17.67.13
BindTo = WAN 1:0

[ LDAP Auth Server ]
LDAPAuthEnabled = On
PrimaryServer = 181.17.67.12
PrimaryPassword = MyLDAPPassword
base = "o=cisco.com"

[ Tunnel Partner VPN 0:1 ]
Partner = 176.100.25.3
BindTo = WAN 1:0
SharedKey = Mysecret

[ IP VPN 1 ]
mode = routed
RIPVersion = V2
Numbered = Off
```
The following configuration applies to the San Jose VPN 5008 concentrator 2 connected to the Los Altos site.
```
[ General ]
Password = mypassword
DeviceName = SanJoseVPN

[ IP WAN 0:0 ]
mode = Routed
IPAddress = 176.100.25.3
SubnetMask = 255.255.255.0
OSPFenabled = On
Numbered = On

[ IP WAN 1:0 ]
Mode = Routed
IPaddress = 176.100.26.8
SubnetMask = 255.255.255.0
OSPFEnabled = On
Numbered = On
OSPFAreaID = 1

[ Link Config WAN 0:0 ]
mode = framerelay

[ Link Config WAN 1:0 ]
mode = ppp

[ IKE POLICY ]
Protection = MD5_DES_G1

[ Logging ]
Level = Debug
LogToAuxPort = On

[ Domain Name Server ]
PrimaryServer = 176.100.27.7

[ Time Server ]
Enabled = On
ServerAddress = 176.100.27.8
Adjust = -480

[ Appletalk Default ]
# Default sets the value for all ports unless
# otherwise specified.
mode = off

[ IPX Default ]
Mode = Off

[ IP Static ]
0.0.0.0 0.0.0.0 176.100.25.1 1

[ OSPF Area 1 ]
OSPFAuthtype = None
StubArea = On
StubDefaultCost = 20

[ VPN Group "SanJose" ]
Transform = esp(3des,md5)
MaxConnections = 254
LocalIPNet = 203.78.92.0/24
ipnet = 203.78.90.0/24
ipnet = 203.78.89.0/24
SecurIDRequired = On

[ SecurID ]
PrimaryServer = 181.17.67.13
BindTo = WAN 0:0

[ LDAP Auth Server ]
LDAPAuthEnabled = On
PrimaryServer = 181.17.67.12
PrimaryPassword = MyLDAPPassword
base = "o=cisco.com"

[ Tunnel Partner VPN 0:1 ]
Partner = 181.17.55.10
BindTo = WAN 0:0
SharedKey = Mysecret

[ IP VPN 1 ]
mode = routed
RIPVersion = V2
Numbered = Off
```
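As an added example (not part of the Cisco manual, and not the concentrator's own tooling), the following Python parses the bracketed "[ Section ] key = value" text format used in these configurations and runs two checks that catch the mistakes the multi-customer Frame Relay example and the Denver / San Jose tunnel pair are most exposed to: a DLCI claimed by more than one VPN group, and two tunnel partner sections that do not point at each other with the same shared key and IKE protection. The sample inputs are constructed from values on this page (with a deliberate DLCI collision added); the function names and check messages are my own.

```python
# Added example, not from the Cisco manual: a parser for the bracketed
# "[ Section ] key = value" text format, plus two pre-load consistency checks.
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[\s*(.*?)\s*\]$")
GROUP_RE = re.compile(r'^VPN Group "(.*)"$', re.IGNORECASE)


def parse_config(text):
    """Return {section: [(key, value), ...]} with keys lower-cased ('Mode'/'mode')."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop '#' comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = re.sub(r"\s+", " ", m.group(1))
            sections[current]                     # register even if empty
            continue
        if "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            sections[current].append((key.lower(), val.strip('"')))
        else:                                     # e.g. [ IP Static ] route lines
            sections[current].append(("_line", line))
    return dict(sections)


def value(cfg, sec, key):
    """Case-insensitive lookup of key inside section sec, or None."""
    for name, body in cfg.items():
        if name.lower() == sec.lower():
            for k, v in body:
                if k == key.lower():
                    return v
    return None


def dlci_conflicts(cfg):
    """DLCIs claimed by more than one VPN group, as {dlci: [group names]}."""
    owners = defaultdict(list)
    for name, body in cfg.items():
        m = GROUP_RE.match(name)
        dlci = dict(body).get("vpngroupdlci") if m else None
        if dlci is not None:
            owners[dlci].append(m.group(1))
    return {d: g for d, g in owners.items() if len(g) > 1}


def tunnel_mismatches(cfg_a, cfg_b):
    """Problems between the first [ Tunnel Partner ... ] section on each side."""
    def tunnel(cfg):
        return next((n for n in cfg if n.lower().startswith("tunnel partner")), None)
    def bound_ip(cfg, tp):  # address of the interface the tunnel is bound to
        return value(cfg, "IP " + (value(cfg, tp, "BindTo") or ""), "IPAddress")
    tp_a, tp_b = tunnel(cfg_a), tunnel(cfg_b)
    if tp_a is None or tp_b is None:
        return ["one side has no Tunnel Partner section"]
    problems = []
    if value(cfg_a, tp_a, "Partner") != bound_ip(cfg_b, tp_b):
        problems.append("A's Partner is not B's bound interface address")
    if value(cfg_b, tp_b, "Partner") != bound_ip(cfg_a, tp_a):
        problems.append("B's Partner is not A's bound interface address")
    if value(cfg_a, tp_a, "SharedKey") != value(cfg_b, tp_b, "SharedKey"):
        problems.append("shared keys differ")
    if value(cfg_a, "IKE Policy", "Protection") != value(cfg_b, "IKE Policy", "Protection"):
        problems.append("IKE Protection differs")
    return problems


# Constructed inputs modelled on the Denver / San Jose pair and on the
# three-customer Frame Relay example (CompanyC's DLCI deliberately wrong).
DENVER = """
[ IP WAN 1:0 ]
IPAddress = 181.17.55.10
[ IKE POLICY ]
Protection = MD5_DES_G1
[ Tunnel Partner VPN 0:1 ]
Partner = 176.100.25.3
BindTo = WAN 1:0
SharedKey = Mysecret
"""
SANJOSE = """
[ IP WAN 0:0 ]
IPAddress = 176.100.25.3
[ IKE Policy ]
Protection = MD5_DES_G1
[ Tunnel Partner VPN 0:1 ]
Partner = 181.17.55.10
BindTo = WAN 0:0
SharedKey = Mysecret
"""
CUSTOMERS = """
[ VPN Group "CompanyA" ]
VPNgroupDLCI = 16
[ VPN Group "CompanyB" ]
VPNgroupDLCI = 17
[ VPN Group "CompanyC" ]
VPNgroupDLCI = 17   # copy-paste error: collides with CompanyB
"""
```

Calling `tunnel_mismatches(parse_config(DENVER), parse_config(SANJOSE))` returns an empty list for the pair above, and `dlci_conflicts(parse_config(CUSTOMERS))` returns `{'17': ['CompanyB', 'CompanyC']}`. The parser deliberately treats keys and section names case-insensitively because the manual's own samples mix `Mode`, `mode`, `IKE POLICY` and `IKE Policy`; a stricter loader that did not would silently ignore half of them.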
The following example shows the VPN 5002 concentrator at the central site with remote users and remote offices connecting over the Internet. A larger remote office includes a VPN 5001 concentrator that connects to the central site over the Internet using a LAN-to-LAN tunnel. Authentication is done using a SecurID system and a VPN User list.

The following configuration applies to the VPN 5002 concentrator at the central site.

```
[ General ]
Password = mypassword
DeviceName = mydevice
IPsecGateway = 136.5.5.2

[IP Ethernet 0:0]
mode = Routed
IPAddress = 10.1.1.1
SubnetMask = 255.255.255.0
RIPVersion = V2

[ IP Ethernet 1:0 ]
mode = Routed
IPAddress = 136.5.5.1
SubnetMask = 255.255.255.0

[ IKE POLICY ]
Protection = MD5_DES_G1

[ Logging ]
Level = Debug
LogToAuxPort = On

[ Domain Name Server ]
PrimaryServer = 10.1.1.3

[ Time Server ]
Enabled = On
ServerAddress = 10.1.1.4
Adjust = -480

[ Appletalk Default ]
# Default sets the value for all ports unless
# otherwise specified.
mode = off

[ IPX Default ]
mode = off

[ IP Static ]
0.0.0.0 0.0.0.0 10.1.1.2 1

[ Tunnel Partner VPN 1 ]
Partner = 215.67.89.2
BindTo = Ethernet 1:0
SharedKey = Mysecret

[ IP VPN 1 ]
mode = routed
RIPVersion = V2
Numbered = Off

[ VPN Group "SmallRemoteOffice" ]
Transform = esp(3des,md5)
LocalIPNet = 10.1.2.0/24
ipnet = 10.1.1.0/24
SecurIDRequired = On

[ VPN Group "RemoteUsers" ]
Transform = esp(3des,md5)
LocalIPNet = 10.1.3.0/24
ipnet = 10.1.1.0/24
SecurIDRequired = On

[ SecurID ]
Enabled = On
PrimAddress = SecurID.company.com
BindTo = Ethernet 0:0

[ VPN Users ]
#Use a single user name for each group to assign
#the group name.
AUser Config="SmallRemoteOffice" SharedKey="Amykey1"
BUser Config="RemoteUsers" SharedKey="Bmykey1"
```
The following configuration applies to the VPN 5001 concentrator at the larger remote office.

```
[ General ]
Password = mypassword
DeviceName = mydevice

[IP Ethernet 0]
mode = Routed
IPAddress = 215.67.89.2
SubnetMask = 255.255.255.0
RIPVersion = V2

[ IP Ethernet 1 ]
mode = Off

[ IKE POLICY ]
Protection = MD5_DES_G1

[ Logging ]
Level = Debug
LogToAuxPort = On

[ Appletalk Default ]
# Default sets the value for all ports unless
# otherwise specified.
mode = off

[ IPX Default ]
mode = off

[ IP Static ]
0.0.0.0 0.0.0.0 215.67.89.1 1

[ Tunnel Partner VPN 1 ]
Partner = 136.5.5.1
BindTo = Ethernet 0
SharedKey = Mysecret

[ IP VPN 1 ]
mode = routed
RIPVersion = V2
Numbered = Off
```
The following example shows a LAN-to-LAN tunnel connecting Sites A and B over the Internet. Site A uses a VPN 5002 concentrator while Site B uses a Cisco IOS device that supports IPsec.

```
[ General ]
IPSecGateway = 210.30.1.1

[ IP Ethernet 0:0 ]
Mode = Routed
SubnetMask = 255.255.255.0
IPAddress = 192.168.1.5

[ IP Ethernet 1:0 ]
SubnetMask = 255.255.255.0
IPAddress = 210.30.1.5
Mode = Routed

[ IKE Policy ]
# This value must match the IOS crypto isakmp policy command for hash
# (md5 or sha). IOS uses DES and G1 by default.
Protection = MD5_DES_G1

[ IP Static ]
0.0.0.0 0.0.0.0 210.30.1.1 1

[ Tunnel Partner VPN 1 ]
BindTo = Ethernet 1:0
Peer = 192.168.3.0/24
# The Transform keyword must match a transform in the IOS
# crypto ipsec transform-set command.
Transform = esp(md5,des)
SharedKey = "letmein"
Mode = Main
KeyManage = Auto
LocalAccess = 192.168.1.0/24
Partner = 210.30.2.5

[ IP VPN 1 ]
Numbered = Off
Mode = Routed
```
The following example shows the Site B Cisco IOS configuration as displayed by the more command. See the VPN 5002 configuration for comments about values that must match between the two devices.
```
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco-3640
!
enable password letmein
!
ip subnet-zero
ip cef
no ip domain-lookup
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key letmein address 210.30.1.5
!
crypto ipsec transform-set compatible esp-des esp-md5-hmac
!
crypto map compatible-crypt 1 ipsec-isakmp
 set peer 210.30.1.5
 set transform-set compatible
 match address 101
!
interface FastEthernet0/0
 ip address 210.30.2.5 255.255.255.0
 duplex auto
 speed auto
 crypto map compatible-crypt
!
interface FastEthernet0/1
 ip address 192.168.3.5 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 210.30.2.1
no ip http server
!
access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
tftp-server slot0
tftp-server system
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password letmein
 login
!
end
```
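The comments in the Site A configuration list the values that must agree with the IOS side: the isakmp hash (and the DES/G1 defaults), the transform-set, and the pre-shared key for the concentrator's address. As an added example that is neither Cisco's code nor part of this manual, the following Python pulls those values out of IOS running-config text and compares them with the concentrator-side settings, so a mismatch is found before the tunnel fails to negotiate. The IOS sample is a constructed excerpt of the output above; the concentrator values are given as a plain dict modelled on the Site A file, and `BoundAddress` is my name for the Ethernet 1:0 address the tunnel is bound to.

```python
# Added example, not from the Cisco manual: compare the values the chapter says
# must match between the VPN 5002 text configuration and its IOS peer (isakmp
# hash/encryption/group, the transform-set, the pre-shared key and its address).
import re

# IOS isakmp policy defaults (the chapter notes IOS uses DES and G1 by default).
IOS_POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}


def parse_protection(protection):
    """'MD5_DES_G1' -> {'hash': 'md5', 'encryption': 'des', 'group': '1'}."""
    h, enc, grp = protection.lower().split("_")
    return {"hash": h, "encryption": enc, "group": grp.lstrip("g")}


def parse_transform(transform):
    """'esp(md5,des)' -> {'esp-des', 'esp-md5-hmac'}, i.e. IOS transform-set words."""
    m = re.fullmatch(r"esp\((\w+),(\w+)\)", transform.replace(" ", ""))
    if not m:
        raise ValueError("unsupported transform: %r" % transform)
    return {"esp-%s-hmac" % p if p in ("md5", "sha") else "esp-%s" % p
            for p in m.groups()}


def parse_ios(text):
    """Extract the first isakmp policy, pre-shared keys by address, transform-sets
    and crypto-map peers from IOS running-config text (sub-commands are indented)."""
    ios = {"policy": dict(IOS_POLICY_DEFAULTS), "keys": {}, "transform_sets": {}, "peers": []}
    in_policy = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp policy"):
            in_policy = True
            continue
        if in_policy and raw.startswith(" "):      # indented policy sub-command
            k, _, v = line.partition(" ")
            if k in ios["policy"]:
                ios["policy"][k] = v
            continue
        in_policy = False
        parts = line.split()
        if line.startswith("crypto isakmp key"):     # crypto isakmp key K address A
            ios["keys"][parts[5]] = parts[3]
        elif line.startswith("crypto ipsec transform-set"):
            ios["transform_sets"][parts[3]] = set(parts[4:])
        elif line.startswith("set peer"):
            ios["peers"].append(parts[2])
    return ios


def interop_problems(vpn, ios):
    """Mismatches between the concentrator-side values and the parsed IOS config."""
    problems = []
    want = parse_protection(vpn["Protection"])
    for k in ("hash", "encryption", "group"):
        if ios["policy"][k] != want[k]:
            problems.append("isakmp %s %s != concentrator %s" % (k, ios["policy"][k], want[k]))
    if parse_transform(vpn["Transform"]) not in ios["transform_sets"].values():
        problems.append("no IOS transform-set matches %s" % vpn["Transform"])
    addr = vpn["BoundAddress"]
    if ios["keys"].get(addr) != vpn["SharedKey"]:
        problems.append("pre-shared key for %s differs" % addr)
    if addr not in ios["peers"]:
        problems.append("no crypto map peers with %s" % addr)
    return problems


# Constructed inputs modelled on the chapter's Site A / Site B example.
VPN_SITE_A = {"Protection": "MD5_DES_G1", "Transform": "esp(md5,des)",
              "SharedKey": "letmein", "BoundAddress": "210.30.1.5"}
IOS_SITE_B = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key letmein address 210.30.1.5
!
crypto ipsec transform-set compatible esp-des esp-md5-hmac
!
crypto map compatible-crypt 1 ipsec-isakmp
 set peer 210.30.1.5
 set transform-set compatible
 match address 101
"""

if __name__ == "__main__":
    print(interop_problems(VPN_SITE_A, parse_ios(IOS_SITE_B)))  # []
```

The check relies on IOS defaults for any policy sub-command that is absent, which is exactly why the manual's comment warns about DES and G1: a policy that sets only `hash md5` still negotiates DES and group 1, and the concentrator's `Protection` string has to say the same.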
Posted: Wed Sep 27 10:21:04 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.