Simple Virtual Private Network

Overview

The purpose of setting up such a virtual private network is to serve more of the company's personnel who work outside the office, allowing external staff (sales staff, remote technicians) to securely access company resources (company documents, company IT infrastructure) over the Internet. A simple (Easy) virtual private network is a B2C-style architecture; L2L (site-to-site) virtual private networks, GRE over IPsec and dynamic multipoint virtual private networks are more B2B-style architectures.

The principle of a simple virtual private network is more complicated than that of a conventional virtual private network, and the configuration is more troublesome. To keep the client side simple, most of the commands are deployed on the server side, and the client only needs client software in order to dial in.

Employees travelling on business need to access the company intranet. Direct remote access is not secure: it may be attacked and result in information leakage. When there is no router at the remote location, a virtual private network is established between the dynamic address of the employee's location and the company's fixed address to transmit data securely. Deploying a simple virtual private network is complicated on the server side but easy on the client side, which only needs fixed client software installed to communicate securely. Clients of a simple virtual private network are divided into software-based clients and hardware-based clients.

Principle

Although establishing a simple virtual private network is also an IPsec negotiation, it differs somewhat from a conventional IPsec virtual private network: there is one more negotiation phase.
Phase 1.5:
mode config: mode configuration, used by the server to push configuration (address, DNS, split-tunnel ACL) to the client;
xauth: extended authentication. Simple virtual private network authentication is "two-factor": in addition to the group's shared key, the user's own credentials (the username and password configured below) are also required.

Deployment

Create a loopback adapter on the computer, use the router in GNS3 to connect to the loopback adapter, check the loopback adapter's address, set R1's f0/0 interface to the same network segment, and verify that they can ping each other.
Install dneupdate64.msi.
Install client_setup.msi.
Uninstall the DNE plug-in from the loopback adapter's network card.
Rebuild the environment in GNS3 and ping again.
Open the virtual private network client; if it opens, continue with the configuration and deployment below.
EZVPN Server deployment:
R4
Phase 1.0 configuration:
crypto isakmp policy 1
encryption 3des
authentication pre-share
hash sha
group 2

Phase 1.5 configuration: // Create three group policies for different remote-access personnel; two of them (agroup for users a, bgroup for users b) are shown below
crypto isakmp client configuration group agroup // Configure a group policy for each class of client
key acisco // Group key
dns 8.8.8.8 8.8.4.4 // DNS servers pushed to the client
domain cisco.com // Company domain name
pool apool // Address pool for users who dial in successfully. Assigning addresses lets the headquarters tell where a dial-in comes from, so the internal firewall can apply security policy; without it, clients use their own private addresses and cannot be managed effectively.
acl splitacl // Split-tunnel list: separates Internet traffic from encrypted traffic; pushed to the client as the "interesting" ACL
save-password // Allow the user to save the password
netmask 255.255.255.0
ip local pool apool 172.16.1.1 172.16.1.100
ip access-list extended splitacl
permit ip 192.168.45.0 0.0.0.255 any

crypto isakmp client configuration group bgroup
key bcisco
dns 8.8.8.8 8.8.4.4
domain cisco.com
pool bpool
acl splitacl
save-password
netmask 255.255.255.0
ip local pool bpool 172.16.2.1 172.16.2.100

Phase 2.0 configuration:
crypto ipsec transform-set eztrans esp-3des esp-sha-hmac

Configure the AAA authentication list and authorization list
aaa new-model
aaa authentication login ezlogin local // Define the authentication list ezlogin, which uses the local username database
aaa authorization network ezauthor local // Define the authorization list ezauthor, also using the local database
username auser password amima // Create a username and password for each user
username buser password bmima

Dynamic map configuration:
crypto dynamic-map dymap 1
set transform-set eztrans
reverse-route // Enable reverse route injection: when a user dials in successfully, the headquarters learns a route to the branch LAN segment

Static map configuration and call dynamic map:
crypto map ezmap 1 ipsec-isakmp dynamic dymap discover // Reference the dynamic map
crypto map ezmap client authentication list ezlogin // Enable client authentication (XAUTH) using the local account database
crypto map ezmap isakmp authorization list ezauthor // Enable client authorization; once authentication succeeds, push the IP address and other group attributes
crypto map ezmap client configuration address respond // Dynamically allocate IP addresses to clients on request

interface f0/0
crypto map ezmap // Apply the crypto map to the interface

show crypto ipsec client ezvpn // View EZVPN information on the client
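As an added example (not from the original post or from Cisco), here is a small Python audit over the server configuration above. It flags the legacy choices this walkthrough uses (3DES, SHA-1, DH group 2, save-password, reversible "password" user entries) and any group that references a pool or split-tunnel ACL that was never defined. The "weak" thresholds are an assumption of this example, and the embedded configuration is a hand-typed excerpt, not captured from a router.

```python
# Constructed excerpt of the EZVPN server configuration from this walkthrough
# (relevant lines only, typed by hand; not captured from a real router).
SAMPLE_CONFIG = """
crypto isakmp policy 1
 encryption 3des
 hash sha
 group 2
crypto isakmp client configuration group agroup
 pool apool
 acl splitacl
 save-password
ip local pool apool 172.16.1.1 172.16.1.100
ip access-list extended splitacl
 permit ip 192.168.45.0 0.0.0.255 any
crypto ipsec transform-set eztrans esp-3des esp-sha-hmac
username auser password amima
"""

# Legacy choices a reviewer would flag today (assumed thresholds; IOS "sha" is SHA-1).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2", "5"}}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}


def audit_ezvpn(config: str) -> list[str]:
    """Return findings for legacy algorithms, risky options and dangling references."""
    findings, pools, acls, refs = [], set(), set(), []
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "save-password":
            findings.append("save-password lets clients cache the XAUTH password")
        elif t[0] in WEAK and len(t) > 1 and t[1] in WEAK[t[0]]:   # ISAKMP policy lines
            findings.append(f"weak ISAKMP {t[0]}: {t[1]}")
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [f"weak IPsec transform: {x}" for x in t[4:] if x in WEAK_ESP]
        elif t[0] == "username" and "password" in t:
            findings.append(f"user {t[1]}: reversible 'password', prefer 'secret'")
        elif t[:3] == ["ip", "local", "pool"]:
            pools.add(t[3])
        elif t[:3] == ["ip", "access-list", "extended"]:
            acls.add(t[3])
        elif t[0] in ("pool", "acl"):                 # references inside a client group
            refs.append((t[0], t[1]))
    # A group pointing at an undefined pool or ACL silently breaks address assignment or split tunnelling.
    for kind, name in refs:
        if name not in (pools if kind == "pool" else acls):
            findings.append(f"group references undefined {kind} {name}")
    return findings
```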

EZVPN Client configuration:
R2
Write the EZVPN configuration
crypto ipsec client ezvpn aaaaa
connect auto
group agroup key acisco
mode client
peer 100.1.34.4
username auser password amima

Apply the policy set to the interfaces
int f1/0
crypto ipsec client ezvpn aaaaa outside
int f0/0
crypto ipsec client ezvpn aaaaa inside

Three modes of the EZVPN client:
1. Client mode: obtains an address from the server, and the whole branch intranet uses this address to communicate with the headquarters; the headquarters cannot actively reach the branch, but it can manage the branch router.
2. Network extension mode: no address is obtained from the server, and the headquarters and the branch can reach each other directly (like L2L); the headquarters cannot manage the branch router.
3. Network extension plus mode: an address is obtained from the server, and the headquarters and the branch can reach each other directly (like L2L); the headquarters can manage the branch router.

After the configuration is complete, the effect can be seen on R2: all traffic passes through the loopback, and even though NAT is not configured, a NAT list is still generated (client mode translates the branch addresses to the assigned pool address); the phase 1.5 server/client interaction configuration information is also visible.
The above describes a hardware client communicating with the headquarters server. The following section describes the procedure for a software client communicating with the server.

Open the software, create a new connection, and fill in the required information.
Save the information, establish the connection, and enter the username and password.
Remember to enable the virtual network adapter when using it.

Origin blog.csdn.net/qq_40644809/article/details/105443304