
Easy virtual private network on a Cisco router (solving the problem of traveling employees accessing the company intranet)

2025-03-28 Update From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)06/01 Report--

Previously, I wrote about the IPSec virtual private network on a Cisco router and about implementing an IPSec virtual private network on a Cisco ASA firewall. Both posts establish a virtual private network between the head office and a branch, which is a very common use. But what about a traveling employee who wants to reach the company's intranet resources? The traveler is a single client, which differs from the two earlier posts: there, the devices at both ends of the virtual private network are routers or firewalls with fixed IP addresses, so a traveling employee cannot use that setup. The purpose of this post is to let travelers access the company's intranet resources. The technology is called Easy virtual private network.

Portal:

IPSec Virtual Private Network of Cisco Router: https://blog.51cto.com/14227204/2448319

Implementing IPSec Virtual Private Network with Cisco ASA: https://blog.51cto.com/14227204/2448965

What has to be configured to implement an Easy virtual private network on a router? This post describes the implementation on a router. If the gateway device is a Cisco ASA firewall, refer to the following configuration:

1. XAUTH authentication

The original IPSec protocol has no user authentication function, so the RFC draft XAUTH was introduced. It is an enhancement of the virtual private network gateway in which the user supplies a user name and password to prove identity. Because this step takes place between the two IPSec phases (after the management connection is established and before the data connection is negotiated), it is jokingly called "Phase 1.5" (for an introduction to the two phases, see the IPSec Virtual Private Network of the Cisco router post).

User authentication naturally involves storing user names and passwords, which is usually done in one of two ways:

(1) In the internal database of the virtual private network gateway device. This is easy to implement and is the method I use below.

(2) On a third-party device, such as an AAA server.

2. Group Policy

To implement an Easy virtual private network, a set of policies must be configured on the virtual private network device in advance. When a client connects and has been authenticated, the device actively pushes these policies to the client so that the connection can be established. The policy configured in advance is called the group policy.

The group policy contains the following:

(1) Address pool: the virtual private network device can "push" an IP address to each authenticated client, like a DHCP server. Because the client's IP address is assigned dynamically by the virtual private network gateway, the gateway naturally knows which IP address it is establishing the virtual private network connection with. The schematic diagram is as follows:

(2) DNS and gateway: like a DHCP server, the gateway assigns not only an IP address but also the default gateway and DNS server, so the client has the IP, gateway and DNS of the private network and truly becomes a member of it, as shown below:

(3) Exchange of shared keys: in a remote-access virtual private network, the gateway needs to "share keys" with multiple groups of clients, so a different shared key must be set for each group of clients. The client's key is not pushed by the virtual private network gateway; the user must configure it on the host through the client software. This is generally done by the company's network administrator, so the key is stored locally on the client host, which is why "phase 1.5" exists, as follows:

(4) Split tunneling: by default, once the client has established a tunnel with the virtual private network gateway, it can only reach the private network's resources, because the tunnel carries all traffic, that is, all traffic must go through the tunnel to the company's private network, and no traffic to the Internet is allowed. For the client, accessing the Internet is a perfectly normal need. Therefore an ACL must be configured on the remote-access virtual private network to split the tunnel. With this ACL, all "permit" traffic is encrypted and all "deny" traffic is sent in clear text: the encrypted traffic is what reaches the company's private network through the tunnel, and the clear-text traffic is what goes to the Internet. The ACL is applied to the group policy as follows:

(5) Split DNS: when a client host connects to the company's private network through the remote-access virtual private network, even with split tunneling it still uses the company's internal DNS when accessing web servers on the Internet, which is not reasonable. If every visit to Baidu had to be resolved through the company's internal DNS, it would be unnecessary and a waste of resources. So when the client accesses a web server in the company's private network it should use the private network's DNS, and when it accesses Baidu it should use the Internet's DNS. To resolve different domain names with different DNS servers, split DNS is needed, as shown below:
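As an added illustration (not code from the original post), the following Python models what the group policy above pushes to a client and how the client then applies it: the pool-overlap check the post warns about, the split-tunnel decision (the router-side ACL is reversed on the client), and the split-DNS resolver choice. The policy values are the post's own; the Internet resolver and the test destinations are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Group policy as pushed by the gateway (identifiers and values from the post).
POLICY = {
    "pool": ("192.168.1.200", "192.168.1.210"),  # end address assumed (.210)
    "split_acl": ["192.168.0.0/24"],             # "permit ip 192.168.0.0 0.0.0.255 any"
    "dns": "192.168.0.10",                       # intranet DNS
    "split_dns": ["test.com"],                   # domains resolved via intranet DNS
}
PRIVATE_NET = ip_network("192.168.0.0/24")
INTERNET_DNS = "203.0.113.53"  # constructed placeholder for the client's ISP resolver


def pool_overlaps_private(policy, private_net):
    """True if the address pool shares the private network's range (the post's pitfall)."""
    start, end = (ip_address(a) for a in policy["pool"])
    if end < start:
        raise ValueError("pool end address precedes start address")
    return start in private_net or end in private_net


def client_side_acl(policy):
    """The router-side 'permit <net> any' entries, reversed to the client's view."""
    return [f"permit ip any {ip_network(n).network_address} {ip_network(n).hostmask}"
            for n in policy["split_acl"]]


def via_tunnel(policy, dst):
    """Split tunneling: destinations matched by the ACL are encrypted, all others go in clear."""
    return any(ip_address(dst) in ip_network(n) for n in policy["split_acl"])


def resolver_for(policy, hostname):
    """Split DNS: names under a split-dns domain use the intranet DNS, others the Internet DNS."""
    name = hostname.lower().rstrip(".")
    for domain in policy["split_dns"]:
        if name == domain or name.endswith("." + domain):
            return policy["dns"]
    return INTERNET_DNS


if __name__ == "__main__":
    print("pool overlaps private net:", pool_overlaps_private(POLICY, PRIVATE_NET))
    print("client ACL:", client_side_acl(POLICY))
    for dst in ("192.168.0.10", "203.0.113.5"):
        print(dst, "-> tunnel" if via_tunnel(POLICY, dst) else "-> clear text")
    for host in ("www.test.com", "www.baidu.com"):
        print(host, "resolved by", resolver_for(POLICY, host))
```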

3. Dynamic crypto map

Because the client's address cannot be specified in the static crypto map of the virtual private network device (it is assigned from the gateway's address pool rather than fixed), the parameters the static crypto map needs must be populated dynamically, and a dynamic crypto map relies on negotiation initiated through ISAKMP/IKE. When implementing a remote-access virtual private network, a static and a dynamic crypto map are usually both configured on the gateway, because only a device with a static configuration can initiate an IPSec tunnel; dynamic crypto maps are rarely used to establish L2L (LAN-to-LAN) sessions.

When implementing a remote-access virtual private network, the transform set is generally configured first, because it is independent of the peer's IP address and can be applied directly to the dynamic crypto map. Since only one crypto map can be applied to an interface, and the virtual private network gateway must have a static crypto map, the dynamic crypto map is referenced from the static crypto map, and the static crypto map is then applied to the interface. This is the general idea of configuring the crypto map, as shown in the following figure:

II. Configuration example

1. The environment is as follows:

2. Environmental analysis:

(1) Configure the virtual private network on the company's gateway router so that the client (the traveler) can connect to it and access the DNS service and the HTTP service (www.test.com) provided by the intranet; the intranet DNS is responsible for resolving this domain name. To simplify the environment, both services run on a single server.

(2) After connecting to the virtual private network, the client can still use the Internet's DNS and HTTP services. A server on the Internet simulates the www.baidu.com website, and the DNS service on that server resolves the domain name.

(3) Configure the router interfaces and the IP address, gateway and routes of each server correctly (each server gets its corresponding gateway; router R1 only needs interface IPs and a default route pointing to R2; R2 gets nothing but interface IPs, and in particular no routes, otherwise the effect of the VPN may not be testable).

(4) The client needs the client software provided by Cisco to connect.

3. Prepare before configuration:

(1) Download the client software and install it on the client to connect to the virtual private network (this is the client installation package for Windows 7; if the client runs Windows 10, refer to the post "Windows 10 installs the virtual private network client"): https://blog.51cto.com/14154700/2431163

(2) Configure the router interface IP addresses and routing yourself (these basic configuration commands are not shown; I covered them in earlier posts, or search Baidu).

(3) Configure the IP address and gateway of each server and of the client.

(4) Set up the web service and DNS service on the relevant servers (these two services are not the subject of this post; I simply set up one of each here. My earlier posts cover these services; check them yourself).

4. Start configuration

Corporate intranet router configuration (interface IP self-configuration):

Router(config)# ip route 0.0.0.0 0.0.0.0 200.0.0.1
# default route to the outside
Router(config)# aaa new-model
# enable AAA
# The following configures authentication and authorization for remote-access clients.
# "test-authen" is a custom authentication list name and "local" means local authentication.
# "group radius" could be used instead; the router then forwards the request to the
# specified RADIUS server. "local" is used here because it is convenient.
Router(config)# aaa authentication login test-authen local
# authentication list
Router(config)# aaa authorization network test-author local
# authorization list
Router(config)# username zhangsan secret 123123
# AAA user name and password
# "Phase 1": parameters of the management connection, such as the encryption algorithm
Router(config)# crypto isakmp policy 10
Router(config-isakmp)# encryption 3des
Router(config-isakmp)# hash sha
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2
# Diffie-Hellman group; the value was lost in the original text, group 2 is assumed
# (the Cisco VPN Client requires DH group 2)
Router(config-isakmp)# exit
# Phase 1 is now configured. Next comes "phase 1.5": what is pushed to the client after
# the management connection has been established.
# Address pool whose addresses are handed out to clients. The pool must not overlap the
# private network's address range, otherwise the final communication fails.
Router(config)# ip local pool test-pool 192.168.1.200 192.168.1.210
# the end address was cut off in the original text; .210 is assumed (it must not be
# lower than the start address)
# Named ACL pushed to the client for split tunneling. Only the addresses it permits are
# reachable through the tunnel. It permits 192.168.0.0/24 to any address, written from
# the router's point of view; when pushed, the client reverses it to
# "any address to 192.168.0.0/24".
Router(config)# ip access-list extended split-acl
Router(config-ext-nacl)# permit ip 192.168.0.0 0.0.0.255 any
Router(config-ext-nacl)# exit
# Create the user group
Router(config)# crypto isakmp client configuration group test-group
Router(config-isakmp-group)# key 321321
# group pre-shared key
Router(config-isakmp-group)# pool test-pool
# apply the address pool defined above
Router(config-isakmp-group)# dns 192.168.0.10
# intranet DNS pushed to the client
Router(config-isakmp-group)# acl split-acl
# apply the split-tunnel ACL
Router(config-isakmp-group)# split-dns test.com
# domain to be resolved through the intranet DNS (split DNS)
Router(config-isakmp-group)# exit
# "Phase 2": configuration of the data connection
Router(config)# crypto ipsec transform-set test-set esp-3des esp-sha-hmac
# transform set
Router(cfg-crypto-trans)# exit
Router(config)# crypto dynamic-map test-dymap 1
# dynamic map; "1" is the sequence number, which defines the priority
Router(config-crypto-map)# set transform-set test-set
# reference the transform set in the dynamic crypto map
Router(config-crypto-map)# exit
# Apply the dynamic map to a static crypto map. Because the same gateway may also carry
# the static map of the branch-office virtual private network, give the remote-access
# entry a later sequence number so the branch L2L static map is matched first.
# Here it is 1000.
Router(config)# crypto map test-stamap 1000 ipsec-isakmp dynamic test-dymap
# references the dynamic map just created
# The following lines allow the client to initiate the connection
Router(config)# crypto map test-stamap client authentication list test-authen
Router(config)# crypto map test-stamap isakmp authorization list test-author
Router(config)# crypto map test-stamap client configuration address respond
Router(config)# int f0/1
Router(config-if)# crypto map test-stamap
# apply the static crypto map to the outside interface

The virtual private network configuration on the company gateway router is now complete. Install the dedicated client software on the client, connect to the virtual private network, and test access.

The client configuration is as follows:

Use the client for access authentication:
