2025-04-05 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
Detailed explanation of the principle and configuration of Easy VPN on a Cisco router
From the blog post "Detailed explanation of the principle and configuration of IPSec VPN on a Cisco router" we know that a Cisco router can establish a VPN between two LANs. In real environments, however, Easy VPN is used far more often: it mainly solves the problem of travelling employees accessing the intranet over a VPN. Implementing Easy VPN on a router involves the following basic concepts: XAUTH, group policy, dynamic crypto map, and so on.
Blog outline:
1. Problems to be solved in Easy VPN
What needs to be configured to implement Easy VPN on the router?
  1. Use XAUTH for user authentication
  2. Group policy
  3. Dynamic Crypto Map
Case: configuring Easy VPN on a Cisco router
1. Problems to be solved in Easy VPN
From "Detailed explanation of the principle and configuration of IPSec VPN on a Cisco router" we know that establishing an IPSec VPN goes through two important phases:
1. Phase 1: establish the management connection
  - negotiate how the management connection is established;
  - exchange key material using the DH algorithm;
  - authenticate the peers to each other.
2. Phase 2: establish the data connection
  - define which traffic is protected between the peers;
  - define the security protocol used to protect the data;
  - define the transmission mode.
Establishing an IPSec VPN by the above process is fine, but using the same method to establish an Easy VPN runs into many problems. For example:
- Generally, one end of a remote-access VPN is a hardware device such as a router or firewall, and the other end is a client device such as a laptop. The security of the client side then becomes a concern: the security management level of the company's gateway devices is certainly different from that of a PC, not to mention that many employees access company resources over the Internet, which brings great security risks.
- The essence of the encrypted transmission of an IPSec VPN is the pre-shared key configured on the devices in advance. Once that key is leaked, the whole IPSec VPN is meaningless.
- When establishing an IPSec VPN, both sides have fixed IP addresses, so we can configure the crypto ACL and the peers. Obviously an Easy VPN, whose clients have no fixed addresses, cannot be configured by following the IPSec VPN approach.
What needs to be configured to implement Easy VPN on the router?
1. Use XAUTH for user authentication
(1) XAUTH
XAUTH (extended authentication) is an enhancement of the VPN gateway that authenticates users with a user name and password. Because this process takes place between the two connections, after the Phase 1 management connection and before the Phase 2 data connection, it is also known as "Phase 1.5".
Mentioning user authentication naturally raises the question of where the user names and passwords are stored. There are usually two cases:
- stored in the internal database of the VPN gateway device;
- stored on a third-party device, such as an AAA server.
Although user name/password verification has been added, if the laptop of a remote-access user is lost, an unauthorized person could still use that laptop to obtain company information. The solutions to this problem are:
- the user uses a token card, so the user name/password is different each time;
- the VPN administrator forces the client not to store the user name/password locally, so the user must enter them manually at every login.
The second verification method is generally used in the actual environment!
(2) Definition of AAA
AAA, which stands for Authentication, Authorization and Accounting, provides a basic framework for configuring access control on network devices.
Communication between the gateway and an AAA server uses one of two protocols, RADIUS or TACACS+:
- RADIUS: a fully open standard protocol that any vendor or user can modify flexibly;
- TACACS+: a proprietary protocol designed by Cisco.
2. Group policy
One of the key problems in configuring Easy VPN is that, with so many clients connecting, the peer IP address is not fixed and the crypto ACL is not unique. The best solution is to have the VPN gateway "actively push" these policies to the clients. In many cases the client policies are identical, so Easy VPN introduces the concept of a group: clients with the same policy are put into one group, and the policies for that group are configured once on the VPN gateway, which greatly reduces the configuration and management workload.
Group Policy contains the following:
(1) address pool
The reason a remote-access client has difficulty establishing a connection with the VPN gateway is that the client has no fixed IP address. In this "dynamic" situation, the best approach is for the VPN device to "push" an IP address to each authenticated client, like a DHCP server. Because the client's IP address is assigned dynamically by the VPN gateway, the gateway naturally knows which IP it is establishing a VPN connection with.
The schematic diagram is as follows:
After the client has passed the AAA authentication described above, the VPN gateway pushes an IP address to the client from an address pool, defined either locally or on a third-party authentication server, so that an IPSec connection can be established.
(2) DNS and Gateway
Like a DHCP server, besides assigning an IP address to the client, the gateway also assigns a default gateway and DNS server, so that the client has the necessary intranet resources (IP, gateway and DNS) and truly becomes a member of the intranet.
The schematic diagram is as follows:
The client accesses the company intranet through the VPN tunnel as if it were a host inside the company, so protocols that are blocked on the public network, such as file sharing, can be used.
(3) shared key
In a remote-access VPN the gateway needs to "share a key" with multiple groups of clients, so a different shared key is set for each group of clients when configuring the VPN. The client's key is not pushed by the gateway; the user configures it on the host through the client software, and this is usually done by the company's network administrator. The key is therefore saved locally on the client host, which is why Phase 1.5 (XAUTH) exists.
The schematic diagram is as follows:
(4) Split tunneling
By default, after the client establishes a tunnel with the VPN gateway, it can only access the resources authorized by the private network. This is because the tunnel carries all traffic: everything must go through the tunnel to the company's internal network, so naturally no traffic reaches the external network directly. But it is perfectly normal for the client to also need the external network, so for a remote-access VPN an ACL is configured to split the tunnel.
With this ACL, all "permit" traffic is encrypted and all "deny" traffic is transmitted in plaintext: the encrypted traffic is the traffic to the company intranet through the tunnel, and the plaintext traffic is the traffic to the Internet. This ACL is applied in the group policy.
The schematic diagram is as follows:
After the client has passed authentication, the ACL is pushed to the client host along with the other group policies. The host's default gateway remains its public-network gateway; if you look at the host's routing table you will find a specific route pointing to the VPN gateway. This specific route is generated by the VPN client from the pushed ACL.
(5) Split DNS
When the client host connects to the company intranet via remote-access VPN, even with split tunneling, the client still uses the company's internal DNS when accessing web servers on the Internet, which is not reasonable: resolving Baidu through the company intranet on every visit is unnecessary and wastes resources. Therefore the client should use the company's internal DNS when accessing intranet web servers and the external DNS when accessing Baidu. To have different domain names resolved by different DNS servers, split DNS is needed.
The schematic diagram is as follows:
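Both the split-tunnel ACL and the split-DNS list above are decisions the client software makes from the policy the gateway pushes. The following Python is an added example (not code from the article, and not the Cisco VPN client's implementation) that models those two decisions: it parses a Cisco-style ACL, reverses it into the client's point of view, derives the specific routes the host installs, and picks the resolver for a name. The pushed values mirror the article's lv-group; the external resolver address 203.0.113.53 is an assumption, not from the article.

```python
import ipaddress

# Constructed sample of the group policy R1 pushes to a client after XAUTH
# succeeds; the values mirror the article's lv-group. The external resolver
# address is an assumption (a TEST-NET-3 address, not from the article).
PUSHED_POLICY = {
    "dns": "192.168.1.100",                            # internal DNS server
    "acl": ["permit ip 192.168.1.0 0.0.0.255 any"],    # lv-acl, gateway's view
    "split_dns": ["yinuo.com"],                        # domains resolved internally
}
EXTERNAL_DNS = "203.0.113.53"


def _parse_spec(tokens, i):
    """Read one address spec (any | host A.B.C.D | A.B.C.D WILDCARD) starting at
    tokens[i]; return the network and the index of the next unread token."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[i], netmask), strict=False), i + 2


def parse_acl(entries):
    """Parse 'permit|deny ip <src> <dst>' entries into (action, src, dst) tuples."""
    parsed = []
    for line in entries:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported ACL entry: {line!r}")
        src, i = _parse_spec(tokens, 2)
        dst, _ = _parse_spec(tokens, i)
        parsed.append((tokens[0], src, dst))
    return parsed


def should_tunnel(dst_ip, acl_entries):
    """Client-side split-tunnel decision for a packet to dst_ip.

    The pushed ACL is written from the gateway's point of view, so an entry's
    *source* network is the client's *destination*. The first matching entry
    wins; no match means the implicit deny, i.e. plaintext to the Internet.
    With no ACL pushed (no split tunneling) everything goes through the tunnel.
    """
    if acl_entries is None:
        return True
    dst = ipaddress.ip_address(dst_ip)
    for action, gateway_src, _gateway_dst in parse_acl(acl_entries):
        if dst in gateway_src:
            return action == "permit"
    return False


def client_routes(acl_entries):
    """Specific routes the client installs toward the VPN gateway: the source
    networks of the permit entries, which is what shows up in the host's route table."""
    return [str(src) for action, src, _ in parse_acl(acl_entries) if action == "permit"]


def resolver_for(hostname, policy, external_dns=EXTERNAL_DNS):
    """Split DNS: a name inside one of the split-dns domains is sent to the
    internal server; everything else goes to the external resolver."""
    name = hostname.rstrip(".").lower()
    for domain in policy["split_dns"]:
        suffix = domain.rstrip(".").lower()
        if name == suffix or name.endswith("." + suffix):
            return policy["dns"]
    return external_dns


if __name__ == "__main__":
    acl = PUSHED_POLICY["acl"]
    print("routes via VPN gateway:", client_routes(acl))
    for ip in ("192.168.1.100", "8.8.8.8"):
        print(ip, "-> tunnel" if should_tunnel(ip, acl) else "-> plaintext")
    for host in ("www.yinuo.com", "www.xiaojiang.com"):
        print(host, "-> resolver", resolver_for(host, PUSHED_POLICY))
```

The suffix check requires a dot boundary, so a look-alike such as notyinuo.com is not sent to the internal resolver; and passing `None` as the ACL reproduces the default (no split tunnel) behaviour where every destination is tunneled.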
3. Dynamic Crypto Map
Because the client's address cannot be specified in a static crypto map on the VPN device (the address is assigned from the VPN's address pool and is not fixed), the parameters a static crypto map needs must be filled in dynamically, and with a dynamic crypto map the ISAKMP/IKE negotiation must be initiated by the client. When implementing a remote-access VPN, static and dynamic crypto maps are usually configured on the VPN gateway at the same time, because only a device with a static crypto map can initiate an IPSec tunnel, and dynamic crypto maps are rarely used for L2L (LAN-to-LAN) session establishment.
When implementing a remote-access VPN the transform set is generally configured first, because the transform set is independent of the peer's IP address and can be applied directly to the dynamic crypto map. Since only one crypto map can be applied to an interface and the VPN gateway must have a static crypto map, the dynamic crypto map is referenced from the static crypto map, and the static crypto map is then applied to the interface. This is the general idea of configuring crypto maps.
The schematic diagram is as follows:
Case: configuring Easy VPN on a Cisco router
(1) Case environment
(2) Case requirements
(1) The client accesses the internal website normally by domain name (www.yinuo.com) through the Easy VPN.
(2) The client accesses the public-network website normally by domain name (www.xiaojiang.com).
(3) According to the IP addresses in the topology diagram, router R1 needs a default route to R2; R2 only configures IP addresses, and the related services are built for testing.
(4) The client downloads the VPN client software (for Windows 7 only).
(3) Case implementation
1. Configuration of the internal gateway router R1:
R1(config)# aaa new-model                                  // enable AAA
R1(config)# aaa authentication login lv-authen local       // authentication
R1(config)# aaa authorization network lv-author local      // authorization
// "lv-authen" is the custom authentication list name and "lv-author" the custom authorization list name.
// "local" means the router authenticates against its local database; "group radius" can be used instead,
// in which case the router forwards the request to the designated RADIUS server. For simplicity the lab
// uses the local method.
R1(config)# username lv secret zhenjiang
// user name and password for the client connection; "secret" stores the password encrypted.
// Several user names can be configured so that the router can authenticate multiple groups of clients.
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# hash sha
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# group 2                                 // DH key group 2
R1(config-isakmp)# exit
// Phase 1 configuration is complete!
R1(config)# ip local pool lv-pool 192.168.2.10 192.168.2.50
// address pool; addresses from the pool are assigned to clients and must not overlap the intranet
// address range, otherwise the final communication is affected.
R1(config)# ip access-list extended lv-acl                 // create a named ACL
R1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 any
R1(config-ext-nacl)# exit
// this ACL permits 192.168.1.0/24 to any address; when pushed to the client it is reversed, i.e. any
// address may reach 192.168.1.0/24, because the source address here is from the router's point of view.
R1(config)# crypto isakmp client configuration group lv-group   // create the user group lv-group
R1(config-isakmp-group)# key lv-key                        // the group key is lv-key
R1(config-isakmp-group)# pool lv-pool                      // call the address pool just defined
R1(config-isakmp-group)# dns 192.168.1.100                 // specify the internal DNS server
R1(config-isakmp-group)# acl lv-acl                        // split-tunnel ACL for the client
R1(config-isakmp-group)# split-dns yinuo.com               // domain to be resolved internally (the intranet server's domain)
R1(config-isakmp-group)# exit
// Phase 1.5 configuration is complete!
R1(config)# crypto ipsec transform-set lv-set esp-3des esp-sha-hmac
// encryption and authentication of the transform set; the AH protocol cannot be used for verification here
R1(cfg-crypto-trans)# exit
R1(config)# crypto dynamic-map lv-dymap 1                  // create a dynamic map; "1" is the sequence number, which defines priority
R1(config-crypto-map)# set transform-set lv-set            // call the transform set just defined
R1(config-crypto-map)# exit
// Phase 2 configuration is complete!
R1(config)# crypto map lv-stamap 1000 ipsec-isakmp dynamic lv-dymap
// create the static map and reference the dynamic map; use a sequence number as large as possible so that
// any static IPSec VPN (L2L) entries of the same map are matched first
R1(config)# crypto map lv-stamap client authentication list lv-authen
R1(config)# crypto map lv-stamap isakmp authorization list lv-author
// call the AAA authentication and authorization lists just defined
R1(config)# crypto map lv-stamap client configuration address respond
// the client initiates the connection and the gateway responds to its request for an address
R1(config)# int f2/0
R1(config-if)# crypto map lv-stamap                        // apply the static map to the gateway's outside interface
2. The client installs the VPN client software
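A gateway configuration like the one above is worth checking mechanically before it goes live. The following Python is an added example (not from the article and not a Cisco tool) that parses a running-config text in the article's layout and flags the mistakes the text warns about: an address pool that overlaps the intranet range permitted by the split-tunnel ACL, a transform set that uses AH, and a dynamic crypto map entry whose sequence number is lower than a static entry of the same map. It also flags the DES/3DES ciphers and DH groups 1 and 2 that the lab uses, which are legacy choices by current Cisco guidance (an addition of this example, not a point the article makes). The sample config is a constructed copy of R1's configuration with prompts removed; the finding codes are this example's own names.

```python
import ipaddress
import re

# Constructed copy of the article's R1 Easy VPN configuration as it would
# appear in "show running-config" (prompts removed, sub-mode lines indented,
# the username line kept as typed).
R1_CONFIG = """\
aaa new-model
aaa authentication login lv-authen local
aaa authorization network lv-author local
username lv secret zhenjiang
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
ip local pool lv-pool 192.168.2.10 192.168.2.50
ip access-list extended lv-acl
 permit ip 192.168.1.0 0.0.0.255 any
crypto isakmp client configuration group lv-group
 key lv-key
 pool lv-pool
 dns 192.168.1.100
 acl lv-acl
 split-dns yinuo.com
crypto ipsec transform-set lv-set esp-3des esp-sha-hmac
crypto dynamic-map lv-dymap 1
 set transform-set lv-set
crypto map lv-stamap 1000 ipsec-isakmp dynamic lv-dymap
crypto map lv-stamap client authentication list lv-authen
crypto map lv-stamap isakmp authorization list lv-author
crypto map lv-stamap client configuration address respond
interface FastEthernet2/0
 crypto map lv-stamap
"""


def _wildcard_network(addr, wildcard):
    """Convert a Cisco 'address wildcard' pair into an ipaddress network."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network((addr, str(netmask)), strict=False)


def lint(config_text):
    """Return a list of finding codes (this example's own names) for an Easy VPN
    gateway configuration in IOS running-config layout."""
    findings = []
    pool = None
    intranet = []                      # networks permitted by the split-tunnel ACL
    in_acl = in_isakmp = False
    dynamic_entries, static_entries = [], []

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):    # a top-level command ends any sub-mode
            in_acl = in_isakmp = False

        m = re.match(r"ip local pool \S+ (\S+) (\S+)$", line)
        if m:
            pool = (ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2]))
        elif line.startswith("ip access-list extended "):
            in_acl = True
        elif line.startswith("crypto isakmp policy "):
            in_isakmp = True
        elif in_acl:
            # only "permit ip <addr> <wildcard> ..." entries are considered intranet
            m = re.match(r"permit ip (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) ", line)
            if m:
                intranet.append(_wildcard_network(m[1], m[2]))
        elif in_isakmp:
            if line in ("encryption des", "encryption 3des"):
                findings.append("isakmp-weak-encryption")
            if line in ("group 1", "group 2"):
                findings.append("isakmp-weak-dh-group")
        else:
            m = re.match(r"crypto ipsec transform-set \S+ (.+)", line)
            if m:
                if "ah-" in m[1]:
                    findings.append("transform-set-uses-ah")
                if "esp-des" in m[1] or "esp-3des" in m[1]:
                    findings.append("ipsec-weak-encryption")
            m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp( dynamic \S+)?$", line)
            if m:
                (dynamic_entries if m[3] else static_entries).append((m[1], int(m[2])))

    # The pool must not overlap the intranet, or return traffic for clients breaks.
    if pool:
        for net in intranet:
            if pool[0] <= net.broadcast_address and pool[1] >= net.network_address:
                findings.append("pool-overlaps-intranet")
                break

    # The dynamic entry should carry the highest sequence number in its map so
    # that static (L2L) entries are matched first.
    for name, seq in dynamic_entries:
        if any(n == name and s > seq for n, s in static_entries):
            findings.append("dynamic-entry-not-last")
            break

    return findings


if __name__ == "__main__":
    for finding in lint(R1_CONFIG):
        print("finding:", finding)
```

Run against the article's configuration the only findings are the legacy cipher and DH group choices; editing the pool to 192.168.1.10-192.168.1.50, adding an AH transform, or appending a static entry with a higher sequence number than 1000 each produces the corresponding finding.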
Windows 7 is used for testing here! For Windows 10 users, installing the client tool is relatively troublesome; refer to the blog post on installing the VPN client tool on Windows 10.
Then just click Next all the way through. After the installation is complete:
After the connection is successful, check the IP address of the generated VPN
Access to the company's internal, public network server test access!
The visit was successful!
-this is the end of this article. Thank you for reading-