Configuring a VPN between Cisco routers

So, we need a VPN server (I chose a Cisco 1801 with K-9 and hardware encryption); on the other end there can be practically any Cisco router or PIX.

Server config.

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2

crypto isakmp key yourpassword address 223.223.223.222

crypto ipsec transform-set branch esp-3des esp-md5-hmac

crypto map branch 1 ipsec-isakmp
description Tunnel to 223.223.223.222
set peer 223.223.223.222
set transform-set branch
match address 100

interface FastEthernet0
description VPN INTERFACE MASTER
ip address 111.111.111.112 255.255.255.240
crypto map branch

interface Vlan1
description INTERNAL INTERFACE
ip address 192.168.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 111.111.111.111

access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Client config. (IOS)

crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key yourpassword address 111.111.111.112

crypto ipsec transform-set office esp-3des esp-md5-hmac

crypto map toCentral 1 ipsec-isakmp
description Tunnel to 111.111.111.112
set peer 111.111.111.112
set transform-set office
match address 100

interface FastEthernet4
description EXTERNAL
ip address 223.223.223.222 255.255.255.224
crypto map toCentral

interface Vlan1
description INTERNAL
ip address 192.168.2.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 223.223.223.221

access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Client config. (PIX)

access-list outside_cryptomap_20 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

ip address outside 223.223.223.222 255.255.255.240
ip address inside 192.168.2.1 255.255.255.0

route outside 0.0.0.0 0.0.0.0 223.223.223.221 1

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 111.111.111.112
crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 111.111.111.112 netmask 255.255.255.255 no-xauth no-config-mode

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

A more secure variant

Server config.

crypto isakmp policy 1
encryption 3des
hash md5
authentication pre-share
group 2

crypto isakmp key ***** address 172.16.2.2

crypto ipsec transform-set TunnelIPSEC esp-3des esp-md5-hmac

crypto map BRANCH local-address FastEthernet0/0
crypto map BRANCH 1 ipsec-isakmp
set peer 172.16.2.2
set transform-set TunnelIPSEC
match address tunnel-to-branch

interface Tunnel1
description Tunnel to Branch
ip address 192.168.1.1 255.255.255.252
tunnel source 172.16.1.2
tunnel destination 172.16.2.2

interface FastEthernet0/0
description Link to Internet
ip address 172.16.1.2 255.255.255.252
ip access-group Inet-IN in
ip access-group Inet-OUT out
crypto map BRANCH

interface FastEthernet0/1
description Link to LAN
ip address 10.1.1.1 255.255.255.0

ip route 172.16.2.2 255.255.255.255 172.16.1.1
ip route 10.1.2.0 255.255.255.0 Tunnel1

ip access-list extended Inet-IN
permit esp host 172.16.2.2 host 172.16.1.2
permit udp host 172.16.2.2 eq isakmp host 172.16.1.2 eq isakmp
deny   ip any any log

ip access-list extended Inet-OUT
permit esp host 172.16.1.2 host 172.16.2.2
permit udp host 172.16.1.2 eq isakmp host 172.16.2.2 eq isakmp
deny   ip any any log

ip access-list extended tunnel-to-branch
permit gre host 172.16.1.2 host 172.16.2.2

Client config.

crypto isakmp policy 1
encryption 3des
hash md5
authentication pre-share
group 2

crypto isakmp key ***** address 172.16.1.2

crypto ipsec transform-set TunnelIPSEC esp-3des esp-md5-hmac

crypto map CO local-address FastEthernet0/0
crypto map CO 1 ipsec-isakmp
set peer 172.16.1.2
set transform-set TunnelIPSEC
match address tunnel-to-co

interface Tunnel1
description Tunnel to Central Office
ip address 192.168.1.2 255.255.255.252
tunnel source 172.16.2.2
tunnel destination 172.16.1.2

interface FastEthernet0/0
description Link to Internet
ip address 172.16.2.2 255.255.255.252
ip access-group Inet-IN in
ip access-group Inet-OUT out
crypto map CO

interface FastEthernet0/1
description Link to LAN
ip address 10.1.2.1 255.255.255.0

ip route 172.16.1.2 255.255.255.255 172.16.2.1
ip route 10.1.1.0 255.255.255.0 Tunnel1

ip access-list extended Inet-IN
permit esp host 172.16.1.2 host 172.16.2.2
permit udp host 172.16.1.2 eq isakmp host 172.16.2.2 eq isakmp
deny   ip any any log

ip access-list extended Inet-OUT
permit esp host 172.16.2.2 host 172.16.1.2
permit udp host 172.16.2.2 eq isakmp host 172.16.1.2 eq isakmp
deny   ip any any log

ip access-list extended tunnel-to-co
permit gre host 172.16.2.2 host 172.16.1.2
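An added check, not part of the original post, that walks the crypto-relevant lines of the first IOS server/client pair above (sample configs constructed from those lines) and reports the deprecated primitives both variants on this page rely on (3DES, MD5, DH group 2), then verifies that the two peers' crypto ACLs are exact mirrors, the usual cause of a phase 2 failure when they are not. It assumes IOS syntax with numbered `access-list N permit ip` entries and wildcard masks, so the PIX form with netmasks is not parsed.

```python
import re

# Constructed sample: crypto-relevant lines of the two IOS peers in the first configuration
# above, with one crypto ACL entry per side (the local-to-remote direction).
SERVER_CFG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set branch esp-3des esp-md5-hmac
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
CLIENT_CFG = """\
crypto isakmp policy 2
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set office esp-3des esp-md5-hmac
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

# Deprecated IKE/IPsec primitives: DES/3DES, MD5, and the 768/1024-bit DH groups.
WEAK = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
KEYWORDS = {"encr": "encr", "encryption": "encr", "hash": "hash", "group": "group"}

def weak_settings(cfg):
    """Return (setting, value) pairs from ISAKMP policies and transform-sets that are weak."""
    findings = []
    for line in cfg.splitlines():
        parts = line.split()
        key = KEYWORDS.get(parts[0]) if parts else None
        if key and len(parts) > 1 and parts[1] in WEAK[key]:
            findings.append((key, parts[1]))
        elif parts[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [("transform", t) for t in parts[4:] if t in WEAK_TRANSFORMS]
    return findings

def crypto_acl(cfg, name):
    """Collect (src, src_wild, dst, dst_wild) tuples from a numbered crypto ACL."""
    pat = re.compile(rf"^access-list {name} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return {m.groups() for m in pat.finditer(cfg)}

def acls_mirror(local_cfg, local_acl, remote_cfg, remote_acl):
    """True when each local src->dst entry appears on the peer as dst->src and vice versa."""
    local = crypto_acl(local_cfg, local_acl)
    remote = crypto_acl(remote_cfg, remote_acl)
    # Proxy identities must match exactly, otherwise phase 2 (IPsec SA) negotiation fails.
    return local == {(d, dw, s, sw) for (s, sw, d, dw) in remote}
```

Running `weak_settings` on either side lists every deprecated setting, and `acls_mirror(SERVER_CFG, "100", CLIENT_CFG, "100")` returns True for the pair above; a hardened policy (AES, SHA-2, DH group 14 or higher) produces no findings.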

In my case the secure variant didn't fit, since I needed to implement all of this on two interfaces with two providers as a backup channel, and with NAT on the client routers; later I'll post a description of how to do this using NAT + IP SLA + BACKUP ISP.
