Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

Đây là một cấu hình từ CCO (not tested)

1. Yêu cầu:

- Một pool các Ip address để gán cho các VPN clients.
- Một nhóm có tên "3000client" có preshare key là 'cisco123"

2. Cấu hình:

hostname HeadQuater

!-- To enable extended authentication (Xauth) for user authentication,
!-- enable the aaa authentication commands.
!-- "Group local" specifies local user authentication.

username pc1 password cisco123
username 3000clients password cisco123

aaa authentication login userauthen group local
aaa authorization network groupauthor group local

!-- Create an Internet Security Association and
!-- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.

crypto isakmp policy 3
encr des
authentication pre-share
group 2
!-- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set myset esp-des esp-sha-hmac
!
!-- Create a dynamic map and
!-- apply the transform set that was created above.

crypto dynamic-map dynmap 10
set transform-set myset
!
!-- Create the actual crypto map,
!-- and apply the AAA lists that were created earlier.
!--- Create a group that will be used to specify the WINS, DNS servers' address
!--- to the client, along with the pre-shared key for authentication.

crypto isakmp client configuration group 3000client
key cisco123
dns 192.168.100.100
wins 192.168.100.100
domain cisco.com
pool ippool


crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface serial0/0
ip address 10.64.10.44 255.255.255.0
crypto map clientmap


!-- Create a pool of addresses to be assigned to the VPN Clients.

ip local pool ippool 192.168.100.150 192.168.100.200
ip route 0.0.0.0 0.0.0.0 10.64.10.43
!

Minh

Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

Linh:

Cấu hình nguyên thủy của CCO.

Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

Chào mọi người,

Với cấu hình anh Minh nói trên thì VPN Client login với username : 3000client password : cisco123.
Mà hình như phải thêm :
set peer 10.64.10.45
match address 100
access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

Thân.

Đây là cấu hình cho Branch Office

hostname branch

!--Tạo ISAKMP policy
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.64.10.44
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
set peer 10.64.10.44
set transform-set myset
match address 100

interface s0/0
ip address 10.64.10.45 255.255.255.0
crypto map mymap

access-list 100 permit ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255

Thân.

Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

Chào mọi người,

Mô hình ở trên có thay đổi một chút cho giống với thực tế !!!

Xin cảm ơn.

Re: Configuring IPSec Router−to−Router with NAT Overload and Cisco Secure VPN Client

Chào mọi người,

Dưới đây là cấu hình đã được test chạy tốt với site-to-site transport mode.
Nhưng vẫn còn problem với vpn client remote access !!!
Xin các sư huynh chỉ giúp.


Cau hinh host Headquarter

hostname hq
!
!
username cisco123 password 0 cisco123
username 123cisco password 0 123cisco
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.64.20.45
crypto isakmp key 123cisco address 0.0.0.0
crypto isakmp client configuration address-pool local test-pool
!
!
crypto ipsec transform-set testset esp-des esp-md5-hmac
mode transport
!
crypto dynamic-map test-dynamic 10
set transform-set testset
!
crypto map test client configuration address initiate
crypto map test client configuration address respond
!
crypto map test 5 ipsec-isakmp
set peer 10.64.20.45
set transform-set testset
match address 115
!
crypto map test 10 ipsec-isakmp dynamic test-dynamic
!
interface FastEthernet0/0
ip address 192.168.100.1 255.255.255.0
no ip directed-broadcast
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
ip address 10.64.10.44 255.255.255.0
no ip directed-broadcast
ip nat outside
no fair-queue
crypto map test
!
ip local pool test-pool 192.168.1.1 192.168.1.254
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.64.10.43
ip http server
!
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
access-list 115 deny ip any 192.168.100.0 0.0.0.255
access-list 115 permit ip any any
!
route-map nonat permit 10
match ip address 110



Cau hinh host Internet

hostname Internet
!
ip subnet-zero
no ip domain-lookup
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
interface Serial0
ip address 10.64.20.42 255.255.255.0
no fair-queue
clockrate 64000
!
interface Serial1
ip address 10.64.10.43 255.255.255.0
clockrate 64000
!
ip classless
ip route 10.64.10.0 255.255.255.0 Serial1
ip route 10.64.20.0 255.255.255.0 Serial0
no ip http server



Cau hinh host Branch

hostname Branch
!
!
ip subnet-zero
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
crypto isakmp key cisco123 address 10.64.10.44
!
!
crypto ipsec transform-set testset esp-des esp-md5-hmac
mode transport
!
crypto map test 5 ipsec-isakmp
set peer 10.64.10.44
set transform-set testset
match address 115
!
!
!
interface Ethernet0
ip address 192.168.200.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
interface Serial0
ip address 10.64.20.45 255.255.255.0
no ip directed-broadcast
ip nat outside
crypto map test
!
ip nat inside source route-map nonat interface Serial0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 10.64.20.42
!
access-list 110 deny ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 115 deny ip any 192.168.200.0 0.0.0.255
access-list 115 permit ip any any
route-map nonat permit 10
match ip address 110

Anh Minh ơi, cho em hỏi một chút ạ.
Giữa 2 cái dynmap ở phần dưới nó có liên quan gì với nhau không ạ. Và ngoài cách cấu hình dynamic-map thì có thể có cách khác không hả anh.
Thanks anh ^_^!