Remote access VPN ------ Easy VPN

1. Problems Easy VPN has to solve

Phase 1 ---- the management connection

  • How the management connection is negotiated
  • Exchanging key material with the DH algorithm
  • Peers authenticating each other

Phase 2 ---- establishing the data connection

  • Defining which traffic between the peers is protected
  • Defining the security protocol used to protect the data
  • Defining the transmission mode

2. User authentication with XAUTH

(1) XAUTH

The original design of the IPsec protocol did not consider user authentication, so the IETF (Internet Engineering Task Force) introduced an RFC draft, XAUTH, an enhancement for VPN gateways that verifies a user's identity by user name and password.
Because this process takes place between the establishment of the two connections (phase 1 and phase 2), it is called "phase 1.5".

User authentication naturally raises the question of where user names and passwords are stored. There are usually two options:
  1. Stored in the internal database of the VPN gateway device
  2. Stored on a third-party device

(2) Definition of AAA

AAA stands for Authentication, Authorization and Accounting. It provides the basic framework for configuring access control on a network device.

Authentication: who is the user?
Verifies that the user is legitimate; the authentication information includes the user name, password, etc.

Authorization: what may the user do?
After the user has been authenticated, specifies which services the user is permitted to use.

Accounting: what did the user do?
After authentication and authorization succeed, records the user's operations and similar information, for example for billing.

AAA servers mainly use the RADIUS and TACACS+ protocols.
RADIUS (Remote Authentication Dial-In User Service) is a fully open standard protocol; vendors and users may modify it flexibly.

TACACS+ (Terminal Access Controller Access Control System Plus) is a Cisco proprietary protocol.

  • Enable AAA on the router

Router(config)# aaa new-model

3. Group Policy

  • The address pool

The reason a remote access VPN client has difficulty establishing a connection with the VPN gateway is that the client has no fixed IP address; its address is "dynamic". The best approach is to let the VPN device act like a DHCP server and "push" an IP address to each client after it has been authenticated. Because the client's IP address is allocated by the VPN gateway, the gateway naturally knows which IP address is used for the VPN connection.

  • DNS and gateway

Like a DHCP server, the gateway not only assigns the client an IP address but also distributes a default gateway and DNS server, so the client has the IP, gateway, DNS and other network resources it needs to truly become part of the network.

  • Shared Key

In a remote access VPN, the VPN gateway must share a key (the "shared key") with a group of clients, so a different shared key is set for each client group when configuring the VPN. This key is not pushed by the VPN gateway; the user must configure it on the host through the client software, normally using information provided by the network administrator. The key is therefore stored locally on the client host, which is why "phase 1.5" (user authentication) exists.

  • Split tunneling

By default, once the client has established a tunnel with the VPN gateway it can only reach authorized resources inside the network, because the tunnel carries all traffic: every packet from the client must travel through the tunnel to the company, and the company naturally does not forward arbitrary Internet traffic for the client. An ACL therefore has to be configured for the remote access VPN to separate the traffic that belongs in the tunnel from the rest; this is split tunneling.

  • Split DNS

When a client host connects to the company over the remote access VPN, even with split tunneling in place, access to web servers on the Internet still uses the company's intranet DNS for name resolution. That is not a sensible process: if every visit to Baidu has to be resolved through the company's intranet DNS, it is unnecessary and wastes resources. To have the client use the intranet DNS for the company's web servers and its own DNS for Baidu, that is, a different DNS server for different domain names, split DNS is required.
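The split-tunnel and split-DNS decisions described above, written out as an added Python example (not code from the original post). It also shows a caveat between the two configurations later on this page: the IOS ACL states the protected network with a wildcard mask (0.0.0.255) while the ASA ACL uses a subnet mask (255.255.255.0), so the example normalizes both forms before deciding which destinations enter the tunnel. The ACL entries and the bdqn.com domain are taken from the page; the sample destinations are constructed.

```python
import ipaddress

# Constructed sample: the split ACL from the post in its IOS form (wildcard mask)
# and its ASA form (subnet mask), plus the split-DNS domain pushed to the client.
IOS_SPLIT_ACL = ["permit ip 192.168.0.0 0.0.0.255 any"]
ASA_SPLIT_ACL = ["permit ip 192.168.0.0 255.255.255.0 any"]
SPLIT_DNS_DOMAINS = ["bdqn.com"]


def mask_to_network(addr, mask, wildcard):
    """Turn an ACE's address/mask pair into a network. IOS ACLs use a wildcard
    (0 bits must match); ASA ACLs use a subnet mask (1 bits must match)."""
    m = int(ipaddress.IPv4Address(mask))
    if wildcard:
        m ^= 0xFFFFFFFF                     # wildcard -> equivalent subnet mask
    net = ipaddress.ip_network(f"{addr}/{bin(m).count('1')}", strict=False)
    if int(net.netmask) != m:               # only contiguous masks are accepted
        raise ValueError(f"non-contiguous mask {mask}")
    return net


def parse_split_acl(lines, wildcard):
    """Networks that a 'tunnelspecified' policy sends through the tunnel.
    Only 'permit ip <addr> <mask> any' entries are handled; others are rejected."""
    nets = []
    for line in lines:
        action, proto, addr, mask, dst = line.split()
        if (action, proto, dst) != ("permit", "ip", "any"):
            raise ValueError(f"unsupported ACE: {line!r}")
        nets.append(mask_to_network(addr, mask, wildcard))
    return nets


def route_for(dest_ip, tunnel_nets):
    """'tunnel' if the destination matches the split ACL, otherwise 'direct'."""
    ip = ipaddress.ip_address(dest_ip)
    return "tunnel" if any(ip in n for n in tunnel_nets) else "direct"


def dns_for(name, split_domains):
    """Split DNS: names under a pushed domain go to the intranet DNS,
    everything else to the client's own resolver."""
    name = name.lower().rstrip(".")
    for domain in split_domains:
        domain = domain.lower()
        if name == domain or name.endswith("." + domain):
            return "intranet"
    return "public"
```

Feeding the ASA form of the ACL to the IOS parser (or the reverse) raises on the mask check rather than silently producing a /8, which is the mistake to watch for when moving a split ACL between the two platforms.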

4. Dynamic Crypto Map

A static crypto map on the VPN device cannot specify the client's address (the client's address is distributed by the VPN's DHCP-like service and is not fixed), so the parameters a static crypto map requires have to be filled in dynamically, using a dynamic crypto map. A device whose crypto map is dynamic cannot initiate the ISAKMP/IKE negotiation; the peer must initiate it. This is also why a remote access VPN gateway typically carries both a static and a dynamic crypto map: only the side with the static configuration can initiate the IPsec tunnel, and for the same reason a dynamic crypto map is rarely used to establish L2L (LAN-to-LAN) sessions.

In a remote access VPN the transform-set is configured as usual. Because the transform-set has nothing to do with the peer's IP address, it can be applied directly to the dynamic crypto map. Only one crypto map can be configured on an interface, and the VPN gateway must have a static crypto map, so the dynamic crypto map is referenced from the static crypto map, and the static crypto map is then applied to the interface; that completes the crypto map configuration.

5. Configuration case

1. Configure IP addresses, and configure a default route on every device except R4.

The bridged host is a 64-bit machine running the VPN client program.

R3 configuration:

R3(config)#int f0/0
R3(config-if)#ip add 192.168.0.10 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 192.168.0.1

R1 configuration:

AAA is configured as follows:

R1(config)#aaa new-model
R1(config)#aaa authentication login bdqn-authen local
R1(config)#aaa authorization network bdqn-author local
R1(config)#username bdqn secret cisco  // create the user; "secret" stores the password encrypted

Phase 1 is configured as follows:

R1(config)#crypto isakmp policy 10
R1(config-isakmp)#encryption 3des
R1(config-isakmp)#hash sha
R1(config-isakmp)#authentication pre-share 
R1(config-isakmp)#group 2
R1(config-isakmp)#exit

Phase 1.5 is configured as follows:

R1(config)#ip local pool bdqn-pool 192.168.1.200 192.168.1.210
// create the address pool
R1(config)#ip access-list extended split-acl
R1(config-ext-nacl)#permit ip 192.168.0.0 0.0.0.255 any 
R1(config-ext-nacl)#exit

Create the group policy as follows:

R1(config)#crypto isakmp client configuration group test-group
R1(config-isakmp-group)#key 123456
R1(config-isakmp-group)#pool bdqn-pool
R1(config-isakmp-group)#dns 192.168.0.10
R1(config-isakmp-group)#acl split-acl
R1(config-isakmp-group)#split-dns bdqn.com
R1(config-isakmp-group)#exit

Configure the dynamic crypto map:

R1(config)#crypto ipsec transform-set bdqn-set esp-3des esp-sha-hmac  
R1(cfg-crypto-trans)#exit
R1(config)#crypto dynamic-map bdqn-dymap 1
R1(config-crypto-map)#set transform-set bdqn-set
R1(config-crypto-map)#exit

R1(config)#crypto map bdqn-stamap 1000 ipsec-isakmp dynamic bdqn-dymap
R1(config)#crypto map bdqn-stamap client authentication list bdqn-authen
R1(config)#crypto map bdqn-stamap isakmp authorization list bdqn-author
R1(config)#crypto map bdqn-stamap client configuration address respond
// lets the client initiate the connection first

R1(config)#int f0/1
R1(config-if)#crypto map bdqn-stamap
// apply to the outside interface
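R1's configuration above selects 3DES, SHA-1 (`hash sha`) and DH group 2, common choices when this post was written but legacy settings today. The following audit is an added example, not code from the original post: it walks an IOS-style running-config for the Easy VPN phase-1 policy, the group pre-shared key and the transform-set, and reports the legacy values. The replacement values it suggests and the 16-character key minimum are assumptions of this example, and the sample config is R1's, rewritten in `show running-config` form.

```python
# Constructed sample: R1's phase-1 policy, group key and transform-set from the
# post, written the way 'show running-config' prints them (prompts stripped).
SAMPLE_CONFIG = """
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp client configuration group test-group
 key 123456
 pool bdqn-pool
crypto ipsec transform-set bdqn-set esp-3des esp-sha-hmac
"""

# Legacy phase-1 settings and the stronger value to move to (assumed policy).
LEGACY = {
    "encryption": {"des": "aes 256", "3des": "aes 256"},
    "hash": {"md5": "sha256", "sha": "sha256"},
    "group": {"1": "14 or higher", "2": "14 or higher", "5": "14 or higher"},
}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
MIN_GROUP_KEY_LEN = 16          # assumed minimum for the group pre-shared key


def audit_easy_vpn(config):
    """Return (block, finding) tuples for legacy crypto and short group keys."""
    findings, block = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # unindented line opens a new block
            block = line
            if block.startswith("crypto ipsec transform-set"):
                for t in block.split()[4:]:  # transforms follow the set name
                    if t in LEGACY_TRANSFORMS:
                        findings.append((block, f"legacy transform {t}"))
            continue
        if block is None:
            continue
        kw, _, val = line.partition(" ")     # e.g. ("encryption", "3des")
        if block.startswith("crypto isakmp policy") and val in LEGACY.get(kw, {}):
            findings.append(
                (block, f"{kw} {val} is legacy; use {kw} {LEGACY[kw][val]}"))
        if block.startswith("crypto isakmp client configuration group"):
            if kw == "key" and len(val) < MIN_GROUP_KEY_LEN:
                findings.append((block, f"group key has {len(val)} chars; "
                                        f"use >= {MIN_GROUP_KEY_LEN}"))
    return findings
```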

Install the VPN client

In the first two boxes just fill in descriptive information; in the third box (the outside interface) enter R1's outside IP address;
below that, enter the group policy name as the user name and the group key as the password, typing the password twice.

Enter the AAA account name and password

Verify with a ping from the virtual machine

If R1 is replaced by a firewall

The other configurations stay the same.

The firewall is configured as follows:

Outside interface: nameif outside
Inside interface: nameif inside
ciscoasa(config)# route outside 0 0 200.0.0.2   // default route of the firewall

ciscoasa(config)# username bdqn password 123456
ciscoasa(config)# crypto isakmp enable outside
ciscoasa(config)# crypto isakmp policy 10
ciscoasa(config-isakmp-policy)# encryption 3des 
ciscoasa(config-isakmp-policy)# hash sha 
ciscoasa(config-isakmp-policy)# authentication pre-share 
ciscoasa(config-isakmp-policy)# group 2
ciscoasa(config-isakmp-policy)# exit
ciscoasa(config)# ip local pool bdqn-pool 192.168.1.200-192.168.1.210
ciscoasa(config)# access-list split-acl permit ip 192.168.0.0 255.255.255.0 any
ciscoasa(config)# group-policy test-group internal 
ciscoasa(config)# group-policy test-group attributes
ciscoasa(config-group-policy)# split-tunnel-policy tunnelspecified 
ciscoasa(config-group-policy)# split-tunnel-network-list value split-acl
ciscoasa(config-group-policy)# exit
ciscoasa(config)# tunnel-group bdqn-group type ipsec-ra 
ciscoasa(config)# tunnel-group bdqn-group general-attributes
ciscoasa(config-tunnel-general)# default-group-policy test-group
ciscoasa(config-tunnel-general)# exit
ciscoasa(config)# tunnel-group bdqn-group ipsec-attributes
ciscoasa(config-tunnel-ipsec)# pre-shared-key bdqn-key
ciscoasa(config-tunnel-ipsec)# exit
ciscoasa(config)# crypto ipsec transform-set bdqn-set esp-3des esp-sha-hmac 
ciscoasa(config)# crypto dynamic-map bdqn-dymap 1 set transform-set bdqn-set
ciscoasa(config)# crypto map bdqn-stamap 1000 ipsec-isakmp dynamic bdqn-dymap
ciscoasa(config)# crypto map bdqn-stamap int outside

Source: blog.51cto.com/14400213/2449509