This lab will show how to configure a basic Easy VPN client/server setup. R1 will be the Easy VPN server and R2 will be the client. R3 and R6 will only be used for test pings, with only a default route and an interface IP configured on them.

Configuration: (Redundancy configuration has been

Server Configuration

R1#show run
Building configuration...

Current configuration : 2631 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
security passwords min-length 1
!- Enable Authentication, Authorization and Accounting (AAA)
!- for user authentication and group authorization.
aaa new-model
!- Enable the AAA commands in order
!- to enable Xauth for user authentication.
aaa authorization network hw-client-groupname local
!- Enable the AAA commands
!- in order to enable group authorization.
aaa authorization network groupauthor local
!
!
!
!
aaa session-id common
clock timezone CST 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip source-route
!
ip cef
no ip domain lookup
no ipv6 traffic interface-statistics
no ipv6 cef
!
multilink bundle-name authenticated
!- Define the username and password to use for Xauth.
username cisco password 0 cisco123
!
redundancy
!
!- Create an Internet Security Association and
!- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
!- Create a group with the pre-shared key for IKE authentication.
crypto isakmp client configuration group hw-client-groupname
 key hw-client-password
!- Create the Phase 2 policy for actual data encryption.
crypto ipsec transform-set transform-1 esp-des esp-sha-hmac
!
!- Create a dynamic map and
!- apply the transform set that was created earlier.
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!- Create the actual crypto map,
!- and apply the AAA lists that were created earlier.
!- These commands associate the AAA commands to the crypto map.
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!- Apply the crypto map on the interface where
!- traffic leaves the router.

I think it is the other way - if you are doing address translation on the ASA, then IPsec is not going to work (or at least the authentication part) - the reason is that the encryption includes the end point addresses, and NAT is going to change that (unless you are set to translate an address to the same address?) So - UDP or TCP encap is going to be needed to allow the VPN3000 to "talk" to end points where the VPN client sessions cross an address translation point. Given typical remote access VPN use with many users operating from corporates, or from home where address translation is part of the network border - you probably need it for most applications these days.

FWIW UDP encap works best with reasonably good connectivity, and high speed links (eg a home broadband connection). TCP is OK where the firewall blocks UDP, doesn't keep session state for some reason, or where you have a poor connection (classic example for me is across a GPRS link). But TCP can cause a lot of slowdown, since the TCP session will back off under packet loss, affecting all traffic for that VPN link.
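As an added check on the R1 Easy VPN server configuration above (example code written for this page, not code from the original post or from Cisco), the following Python script audits the references the crypto map ties together (AAA authorization list, dynamic map, transform set, address pool) and flags the weak settings present in the excerpt. The embedded config is a constructed excerpt of the lines shown above; because the page's excerpt never defines the dynpool address pool, the pool check reports it as missing.

```python
import re

# Constructed excerpt of the R1 Easy VPN server configuration shown above
# (only the statements the checks need, not the full running-config).
R1_CONFIG = """
no service password-encryption
aaa new-model
aaa authorization network hw-client-groupname local
aaa authorization network groupauthor local
username cisco password 0 cisco123
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
crypto isakmp client configuration group hw-client-groupname
 key hw-client-password
crypto ipsec transform-set transform-1 esp-des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
"""

# Settings a defender would flag: single DES and 1024-bit DH are deprecated.
WEAK = {"esp-des": "single DES transform", "group 2": "1024-bit DH group"}

def audit_easyvpn(config: str) -> list:
    """Return findings: references to Easy VPN objects that are never defined,
    deprecated crypto settings, and a cleartext Xauth password."""
    names = lambda pat: set(re.findall(pat, config, re.M))
    refs = [  # (where the name is referenced, where it must be defined, object kind)
        (r"^crypto map \S+ isakmp authorization list (\S+)", r"^aaa authorization network (\S+)", "aaa authorization network"),
        (r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", r"^crypto dynamic-map (\S+) \d+", "crypto dynamic-map"),
        (r"^ set transform-set (\S+)", r"^crypto ipsec transform-set (\S+)", "crypto ipsec transform-set"),
        (r"address-pool local (\S+)$", r"^ip local pool (\S+)", "ip local pool"),
    ]
    findings = []
    for ref_pat, def_pat, kind in refs:
        for name in names(ref_pat) - names(def_pat):
            findings.append(f"'{name}' is referenced but no '{kind} {name}' is defined")
    for line in config.splitlines():
        for token, why in WEAK.items():
            if re.search(r"(^|\s)" + re.escape(token) + r"(\s|$)", line):
                findings.append(f"weak setting '{token}' ({why}) in: {line.strip()}")
    if "no service password-encryption" in config and re.search(r"^username \S+ password 0 ", config, re.M):
        findings.append("Xauth username password is stored in cleartext (password 0, no service password-encryption)")
    return findings
```

Run against the excerpt it reports four findings: the undefined dynpool address pool, the esp-des transform, DH group 2, and the cleartext Xauth password.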