LAN-to-LAN IPSec VPN between IOS and ScreenOS

From Internetworkpro


Example configuration for terminating a Cisco IOS L2L (site-to-site) VPN with a Juniper ScreenOS device. IOS 12.4T and ScreenOS 5.4 were used for this example. A GRE tunnel is used for this VPN because of the complexity of proxy-id configuration on non-ScreenOS devices: we encrypt the GRE tunnel and everything carried inside it, which reduces the phase 2 proxy-id requirement to a single entry on both sides, rather than one entry for each subnet pair in a many-to-many IPsec policy with OSPF running across it.

Both the "Trust" zone and the remote LAN (reached through the tunnel interface) share the same zone. This configuration has limited scalability and could be upgraded to DMVPN, since ScreenOS has only a limited number of tunnel interfaces available.


--Sartan 19:04, 8 April 2009 (CDT)


 (172.16.50.0/24) -- Trust [NS50] Untrust 100.0.51.11 ***GRE 172.16.1.0/30 GRE*** 100.0.51.3 [Router] -- (172.16.52.0/24)


Complete Configuration

Cisco

   interface tunnel0
     ip address 172.16.1.2 255.255.255.252
     tunnel source FastEthernet3/0
     tunnel destination 100.0.51.11
     ip ospf 1 area 0
   !
   interface FastEthernet3/0
     ! Tunnel source and IPsec peer address; must match the crypto ACL and the ScreenOS proxy-id
     ip address 100.0.51.3 255.255.255.0
     crypto map NSFW
   !
   router ospf 1
   !
   crypto isakmp policy 10
     encryption 3des
     authentication pre-share
     group 2
     hash sha
     lifetime 28800
   !
   crypto isakmp key VPN address 100.0.51.11
   crypto ipsec transform-set NSFW esp-3des esp-sha-hmac
     mode transport
   !
   ip access-list extended GRE
     permit ip host 100.0.51.3 host 100.0.51.11
   !
   crypto map NSFW 10 ipsec-isakmp
     set peer 100.0.51.11
     set transform-set NSFW
     match address GRE
   !

ScreenOS

   set vrouter "trust-vr" protocol ospf enable
   set interface "tunnel.1" zone "Trust"
   set interface tunnel.1 ip 172.16.1.1/30
   set interface tunnel.1 tunnel encap gre
   set interface tunnel.1 tunnel local-if ethernet3 dst-ip 100.0.51.3
   set interface tunnel.1 protocol ospf area 0.0.0.0
   set interface tunnel.1 protocol ospf enable
   set ike gateway "R3" address 100.0.51.3 Main outgoing-interface "ethernet3" preshare "VPN" proposal "pre-g2-3des-sha"
   set vpn "To-R3" gateway "R3" no-replay transport idletime 0 proposal "g2-esp-3des-sha"
   set vpn "To-R3" bind interface tunnel.1
   set vpn "To-R3" proxy-id local-ip 100.0.51.11/32 remote-ip 100.0.51.3/32 "ANY"

Configure GRE tunnel

Cisco IOS

   interface tunnel0
   ip address 172.16.1.2 255.255.255.252
   tunnel source FastEthernet3/0
   tunnel destination 100.0.51.11

ScreenOS

   set interface "tunnel.1" zone "Trust"
   set interface tunnel.1 ip 172.16.1.1/30
   set interface tunnel.1 tunnel encap gre
   set interface tunnel.1 tunnel local-if ethernet3 dst-ip 100.0.51.3

Add OSPF to the tunnel

Cisco IOS

   router ospf 1
   ! Create the OSPF process ID
   !
   interface tunnel0
     ip ospf 1 area 0
   !

ScreenOS

   set interface tunnel.1 protocol ospf area 0.0.0.0
   set interface tunnel.1 protocol ospf enable
   set vrouter "trust-vr" protocol ospf enable

Build the VPN

Phase One

Cisco IOS

 crypto isakmp policy 10
   encryption 3des
   authentication pre-share
   group 2
   hash sha
   lifetime 28800
 !
 crypto isakmp key VPN address 100.0.51.11

Note: The crypto key configured above uses Cisco IOS 12.4T syntax. Previously, pre-shared keys were configured under tunnel-groups:

 tunnel-group 100.0.51.11 type ipsec-l2l
 tunnel-group 100.0.51.11 ipsec-attributes
  pre-shared-key VPN

ScreenOS

 set ike gateway "R3" address 100.0.51.3 Main outgoing-interface "ethernet3" preshare "VPN" proposal "pre-g2-3des-sha"

Note: Multiple phase-one proposals are available; see get ike p1-proposal for details. VPNs can also be authenticated using RSA and DSA keys.

Phase Two

Since we are carrying GRE inside IPsec (OSPF rides inside the GRE tunnel), we change the mode to transport rather than the default tunnel mode. Our VPN tunnel will use 3DES-CBC with SHA-1 HMAC.

Cisco

 crypto ipsec transform-set NSFW esp-3des esp-sha-hmac
   mode transport
 !
 ip access-list extended GRE
   permit ip host 100.0.51.3 host 100.0.51.11
 !

A broad IP-to-IP access list is used here; you may want to refine the protocol to just GRE (untested with proxy-ids on ScreenOS).

 crypto map NSFW 10 ipsec-isakmp
   set peer 100.0.51.11
   set transform-set NSFW
   match address GRE
 !

ScreenOS

 set vpn "To-R3" gateway "R3" no-replay transport idletime 0 proposal "g2-esp-3des-sha"
 set vpn "To-R3" bind interface tunnel.1
 set vpn "To-R3" proxy-id local-ip 100.0.51.11/32 remote-ip 100.0.51.3/32 "ANY"

We need to bind the VPN to the tunnel interface here so that the ScreenOS device encrypts the GRE packets leaving tunnel.1.
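As an added example (not part of the original page), a small Python checker that parses the phase-two fragments from both sides above and reports the mismatches that most often break this design: a crypto ACL that does not mirror the ScreenOS proxy-id, a crypto ACL whose source is not the router's tunnel-source address, a transport/tunnel mode mismatch, an ESP proposal mismatch, or an ACL narrowed to GRE while the ScreenOS service is still ANY. The regexes and the sample configuration strings are constructed for this example.

```python
import re

# Constructed sample input: the phase-two fragments of the two configurations on this page.
IOS_CFG = """\
interface FastEthernet3/0
 ip address 100.0.51.3 255.255.255.0
crypto ipsec transform-set NSFW esp-3des esp-sha-hmac
 mode transport
ip access-list extended GRE
 permit ip host 100.0.51.3 host 100.0.51.11
"""
NS_CFG = """\
set vpn "To-R3" gateway "R3" no-replay transport idletime 0 proposal "g2-esp-3des-sha"
set vpn "To-R3" proxy-id local-ip 100.0.51.11/32 remote-ip 100.0.51.3/32 "ANY"
"""

def parse_ios(cfg):
    """Extract the IOS values that must agree with the ScreenOS proxy-id and proposal."""
    src = re.search(r"interface \S+\n ip address (\S+)", cfg).group(1)
    acl = re.search(r"permit (\S+) host (\S+) host (\S+)", cfg)
    ts = re.search(r"transform-set \S+ esp-(\w+) esp-(\w+)-hmac\n mode (\w+)", cfg)
    return {"src": src, "proto": acl.group(1), "local": acl.group(2), "remote": acl.group(3),
            "enc": ts.group(1), "hash": ts.group(2), "mode": ts.group(3)}

def parse_screenos(cfg):
    """Extract the ScreenOS proxy-id, encapsulation mode and ESP proposal for the same VPN."""
    vpn = re.search(r'set vpn \S+ gateway \S+ (.*)proposal "g2-esp-(\w+)-(\w+)"', cfg)
    pid = re.search(r'proxy-id local-ip (\S+)/32 remote-ip (\S+)/32 "(\w+)"', cfg)
    # ScreenOS defaults to tunnel mode unless the 'transport' keyword is present
    return {"mode": "transport" if "transport" in vpn.group(1) else "tunnel",
            "enc": vpn.group(2), "hash": vpn.group(3),
            "local": pid.group(1), "remote": pid.group(2), "service": pid.group(3)}

def check_pair(ios_cfg, ns_cfg):
    """Return the mismatches that would make phase two fail or leave GRE unencrypted."""
    ios, ns = parse_ios(ios_cfg), parse_screenos(ns_cfg)
    issues = []
    if ios["src"] != ios["local"]:
        issues.append(f"crypto ACL source {ios['local']} is not the tunnel source address {ios['src']}")
    if (ios["local"], ios["remote"]) != (ns["remote"], ns["local"]):
        issues.append("ScreenOS proxy-id does not mirror the IOS crypto ACL")
    if ios["mode"] != ns["mode"]:
        issues.append(f"mode mismatch: IOS {ios['mode']} vs ScreenOS {ns['mode']}")
    if (ios["enc"], ios["hash"]) != (ns["enc"], ns["hash"]):
        issues.append("ESP proposal mismatch between transform-set and ScreenOS proposal")
    if ios["proto"] != "ip" and ns["service"] == "ANY":
        issues.append(f"IOS ACL narrowed to {ios['proto']} but ScreenOS proxy-id service is ANY")
    return issues
```

Running check_pair against the two fragments as shown returns an empty list; feeding it the outer-interface address 10.0.100.3 instead of 100.0.51.3 flags the ACL/tunnel-source disagreement before the tunnel is ever brought up.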

Verification

Cisco

 #show crypto isakmp sa
 dst             src             state          conn-id slot status
 100.0.51.3      100.0.51.11     QM_IDLE              3    0 ACTIVE
 100.0.51.3      100.0.51.11     QM_IDLE              2    0 ACTIVE
 100.0.51.3      100.0.51.11     QM_IDLE              1    0 ACTIVE
 debug crypto isakmp
 debug crypto engine

ScreenOS

 -> get sa active
 Total active sa: 1
 total configured sa: 1
 HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
 00000006<      100.0.51.3  500 esp:3des/sha1 e4c3b385  2098  389M A/-    -1 0
 00000006>      100.0.51.3  500 esp:3des/sha1 a18fd4b5  2098  389M A/-    -1 0
 
 debug ike detail
 get dbuf stream