Tuesday, August 8, 2017

Cisco L2TP point-to-site

Source:
http://blogconfigs.blogspot.com.uy/2010/07/configure-l2tp-ipsec-vpn-server-on.html

A Cisco router can be used as a VPN server, using L2TP over IPSec, so that clients on the Internet can access the private network.

Below are the steps for configuring L2TP over IPSec on a Cisco router.
1. Enable AAA authentication and create a user:
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
username cisco password cisco
2. Enable VPDN and configure the VPDN group:
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
3. Configure the ISAKMP authentication method. Using a pre-shared key is the simplest method:
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
4. Configure IPSec (transform set, dynamic crypto map, and the crypto map applied to the outside interface):
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
5. Create the Virtual-Template interface:
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
6. Create the IP address pool for VPN users:
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
7. Test the configuration.

Complete configuration on Cisco router:
L2TP-Server#sh run
Building configuration...

Current configuration : 5669 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname L2TP-Server
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$WMq0$BZpIxsWnzmEI0fCvWADGd0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
ip domain name ipnetconfigs.com
ip name-server 192.168.0.1
ip ssh version 2
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
!
crypto pki trustpoint TP-self-signed-417945430
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-417945430
 revocation-check none
 rsakeypair TP-self-signed-417945430
!
!
crypto pki certificate chain TP-self-signed-417945430
 certificate self-signed 01
  quit
username root privilege 15 secret 5 $1$E1t3$.GKaPz1xFuph9r/fRqxTO.
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key cisco address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set ipnetconfig esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map ipnetconfig-map 10
 set nat demux
 set transform-set ipnetconfig
!
!
crypto map cisco 10 ipsec-isakmp dynamic ipnetconfig-map
!
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
 crypto map cisco
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool poolipnetconfig
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
!
!
ip local pool poolipnetconfig 172.31.1.1 172.31.1.6
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
ip http server
ip http secure-server
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

L2TP-Server#



Another source:
https://supportforums.cisco.com/document/9878401/l2tp-over-ipsec-cisco-ios-router-using-windows-8

Introduction
This document describes how to configure L2TP over IPSec between a Cisco IOS router and a Windows 8 client.

Prerequisites:
This document requires a basic understanding of the IPSec protocol. To learn more about IPSec, please refer to An Introduction to IP Security (IPSec) Encryption.

Components Used:
Cisco IOS® Software Release 12.4 
Cisco 2961 router
Windows 8 machine

Diagram: (image not reproduced in this copy)


Configuration on Cisco IOS router:

version 12.4
!
hostname L2TP
!
aaa new-model
!
aaa authentication ppp VPDN_AUTH local
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
username cisco privilege 15 password 0 cisco
!
crypto isakmp policy 1
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! pre-shared key accepted from any peer address (0.0.0.0 0.0.0.0)
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map dyn-map 10
 set nat demux
 set transform-set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface Loopback0
 ip address 192.168.47.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Loopback1
 description loopback for IPsec-pool
 ip address 1.1.1.11 255.255.255.255
!
interface FastEthernet0/0
 ip address 47.47.47.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map outside_map
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool l2tp-pool
 ppp authentication ms-chap-v2 VPDN_AUTH
!
ip local pool l2tp-pool 1.1.1.1 1.1.1.10
ip route 0.0.0.0 0.0.0.0 47.47.47.1
!
ip nat inside source list NAT interface FastEthernet0/0 overload
!
! exempt LAN-to-VPN-pool traffic from NAT, then NAT the rest of the inside LAN
ip access-list extended NAT
 deny   ip 192.168.47.0 0.0.0.255 1.1.1.0 0.0.0.255
 permit ip 192.168.47.0 0.0.0.255 any
!
end
