Yesterday, I configured VPN on my router CISCO 2811. I think , it’s a good exercise for me and for you too. P’ Berm , thank you so much for give good suggestion to me.
1. Enable IP Pool
| aoddy-router(config)#ip local pool TEST_VPN_POOL 192.168.0.1 192.168.0.99 |
2. Enable isakmp protocol
| aoddy-router(config)#crypto isakmp enable aoddy-router(config)#crypto isakmp policy 100 aoddy-router(config-isakmp)#encryption aes # AES – Advanced Encryption Standard. aoddy-router(config-isakmp)#hash sha aoddy-router(config-isakmp)#authentication pre-share |
pre-share Pre-Shared Key
rsa-encr Rivest-Shamir-Adleman Encryption
rsa-sig Rivest-Shamir-Adleman Signature
| aoddy-router(config-isakmp)#group 2 |
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
| aoddy-router(config-isakmp)#end |
3. Create group
| aoddy-router#configure terminal aoddy-router(config)#crypto isakmp client configuration group TEST_VPN_GROUP aoddy-router(config-isakmp-group)#key passwdgroup |
4. Set DNS server for client after connect to VPN
| aoddy-router(config-isakmp-group)#dns 192.168.0.1 aoddy-router(config-isakmp-group)#pool TEST_VPN_POOL endspy-gw(config-isakmp-group)#end |
5. Create crypto map for support connection from client.
| aoddy-router#configure terminal aoddy-router(config)#crypto ipsec transform-set VPN_TEST esp-aes esp-sha-hmac aoddy-router(cfg-crypto-trans)#end |
Type of encryption of IPSec
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
esp-aes ESP transform using AES cipher
esp-des ESP transform using DES cipher (56 bits)
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-null ESP transform w/o cipher
esp-seal ESP transform using SEAL cipher (160 bits)
esp-sha-hmac ESP transform using HMAC-SHA auth
Type of tranform of encryption data
128 128 bit keys.
192 192 bit keys.
256 256 bit keys.
ah-md5-hmac AH-HMAC-MD5 transform
ah-sha-hmac AH-HMAC-SHA transform
comp-lzs IP Compression using the LZS compression algorithm
esp-md5-hmac ESP transform using HMAC-MD5 auth
esp-sha-hmac ESP transform using HMAC-SHA auth
<cr>
5. Create crypto map for support connection from client.
| aoddy-router#configure terminal aoddy-router(config)#crypto dynamic-map VPN_DYNAMIC 100 # VPN_DM = Word of Dynamic crypto map template tag aoddy-router(config-crypto-map)#set transform-set VPN_TEST # VPN_TS = Word of Proposal tag aoddy-router(config-crypto-map)#reverse-route aoddy-router(config-crypto-map)#end |
6. Set type authentication
| aoddy-router#configure terminal aoddy-router(config)#aaa new-model aoddy-router(config)#aaa authentication login VPN_AUTHEN local aoddy-router(config)#aaa authorization network VPN_AUTHEN local |
7. Apply authentication&authorization to crypto map
| aoddy-router(config)#crypto map VPN_CM client configuration address respond aoddy-router(config)#crypto map VPN_CM isakmp authorization list VPN_AUTHEN aoddy-router(config)#crypto map VPN_CM client authentication list VPN_AUTHEN aoddy-router(config)#crypto map VPN_CM 65535 ipsec-isakmp dynamic VPN_DYNAMIC |
8. Set death pear detection
| aoddy-router(config)#crypto isakmp keepalive 30 5 |
9. Set time wait for input password
| aoddy-router(config)#crypto isakmp xauth timeout 30 |
10. Add user
| aoddy-router(config)#username aoddy password aoddy aoddy-router(config)#end |
11. Map config to interface
| aoddy-router#configure terminal aoddy-router(config)#interface serial 0/0/0 aoddy-router(config-if)#crypto map VPN_CM aoddy-router(config-if)#end aoddy-router#write |
Perfect !!
For those of you who have found this site, looking to configure a L2L vpn, this is not for you. This is for VPN Client access.
Great guide for client VPN
what VPN client should I use, I tryed to use Shrew so far and i couldn’t get it connected
This is excellent .Thank u …………….
Plz send me hw to configure ssl vpn on cisco routers.