
Cisco Router as a

VPN Server
Agenda
VPN
Categories of VPN
Secure VPNs
Trusted VPN
Hardware / Software Requirement
Network Diagram
Basic Router Configuration
Configuring AAA Server
Virtual Template
VPDN
IPSec







What is VPN ?
A virtual private network (VPN) is a
computer network that is
implemented in an additional logical
layer (overlay) on top of an existing
network. It has the purpose of
creating a private scope of computer
communications or providing a
secure extension of a private
network into an insecure network
such as the Internet.
http://en.wikipedia.org/wiki/Virtual_private_network
Categories of VPN
VPN technologies may be classified
by many criteria.

Two broad categories of VPN are:
Secure VPNs
Trusted VPNs
Secure VPNs
Provide mechanisms for authentication of the
tunnel endpoints and encryption of the traffic.
Provide remote access facilities to employees.
Connect multiple networks together securely,
using the Internet to carry the traffic.
Secure VPN protocols include IPSec, SSL or
PPTP (with MPPE).
Do not provide QoS or routing.
Trusted VPNs
Created by carriers and large organizations on
large core networks.
Provide Quality of Service (QoS).
Trusted VPN protocols include MPLS, ATM or
Frame Relay.
Do not provide security features such as data
confidentiality through encryption.
Hardware / Software Requirement
Cisco Integrated Services Router with
12.4 Advanced Enterprise IOS.


Ethernet cables (crossover).
PCs / laptops.
Cisco VPN Client (v5.0.06.0110).
Cisco Security Device Manager (SDM,
for GUI-based configuration).
Java Runtime Environment (for SDM).

Network Diagram



Basic Router Configuration
Creating Local Login Users for VPN.
Router(config)# username [loginID] privilege [1-15] password 0 [password]
Configure Fast Ethernet Interfaces
Router#config t
Router(config)#int f0/0
Router(config-if)# description Internal LAN (192.168.0.0/24)
Router(config-if)#ip address 192.168.0.254 255.255.255.0
Router(config-if)#no shut
Router(config)#int f0/1
Router(config-if)# description VPN INT (10.1.1.0/24)
Router(config-if)#ip address 10.1.1.254 255.255.255.0
Router(config-if)#no shut






Basic Router Configuration (contd)
Configure Routing Protocol

Router#config t
Router(config)#router eigrp 1
Router(config-router)#network 192.168.0.0
Router(config-router)#network 172.16.1.0
Router(config-router)#network 10.0.0.0

IP Pool

Router(config)# ip local pool ip_pool 172.16.1.10 172.16.1.20
Configuring AAA
aaa new-model
Enables the authentication, authorization, and accounting (AAA) access control
model.

Router(config)#aaa new-model
aaa session-id [common | unique]
Ensures that all session identification (ID) information that is sent out for a given
call will be made identical. The default behavior is common.

Router(config)#aaa session-id common


Configuring AAA (contd)
aaa authentication login [list-name] local
Sets AAA authentication at login. The local keyword tells AAA to use the local
username database for authentication.

Router(config)# aaa authentication login vpn_xauth local

aaa authorization network [list-name] local
Creates a list for authorization of all network-related service requests. The local
keyword tells AAA to use the local username database for authorization.

Router(config)# aaa authorization network vpn_group local
Virtual Template
A virtual template interface is a logical entity that
is created, configured dynamically, used, and
then freed when no longer needed.
Requires the same amount of memory as a serial
interface.
Cisco routers support a maximum of 300 virtual
interfaces.


Benefits of Virtual Template
For easier maintenance, allows customized
configurations to be predefined.
For scalability, allows interface configuration to be
separated from physical interfaces.
For consistency and configuration ease, allows the
same predefined template to be used for all users.
For efficient router operation, frees the virtual
access interface memory for another dial-in use
when the user's call ends.


Configuring Virtual Template
Router#config t
Router(config)# interface Virtual-Template1
Router(config-if)# ip unnumbered FastEthernet0/1
Router(config-if)# no peer default ip address
Router(config-if)# ppp encrypt mppe auto required
Router(config-if)# ppp authentication ms-chap ms-chap-v2

VPDN
A virtual private dialup network (VPDN) allows a
private network dial-in service to span to
remote access servers (defined as the L2TP Access
Concentrator [LAC]).
The LAC forwards the PPP session on to an L2TP
Network Server (LNS). The LNS then authenticates
the user and starts the PPP negotiation.
VPDN uses the Layer 2 Forwarding protocol (L2F),
which permits the tunneling of link-level frames.


Configuring VPDN


vpdn enable
Enables virtual private dialup networking.

Router(config)#vpdn enable

vpdn-group [group name]
Creates a VPDN group which specifies the protocol, dialup mode and virtual template interface.

Router(config)# vpdn-group VPN_Server
Router(config-vpdn)# accept-dialin
Router(config-vpdn-acc-in)# protocol pptp
Router(config-vpdn-acc-in)# virtual-template 1
IPSec


Internet Protocol Security (IPsec) is a protocol
suite for securing Internet Protocol (IP)
communications.
IPsec uses the following protocols to perform
various functions:
Internet key exchange (IKE and IKEv2) to set up a security
association (SA)
Authentication Header (AH) to provide connectionless
integrity.
Encapsulating Security Payload (ESP) to provide
confidentiality.
Configuring IPSec based VPN

crypto isakmp policy [priority]
Defines an Internet Key Exchange (IKE) policy. IKE policies define a set of
parameters to be used during the IKE negotiation.

Router(config)#crypto isakmp policy 1
Router(config-isakmp)# encr 3des
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2
Configuring IPSec based VPN (contd)
sh crypto isakmp policy
The command below lists the policy created by the commands on the previous slide.

Router#sh crypto isakmp policy
Global IKE policy
Protection suite of priority 1
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit


Configuring IPSec based VPN (contd)
crypto isakmp client configuration group [name]
Defines the policy for a group of remote clients: the pre-shared key they authenticate
with and the local pool their addresses are assigned from.

Router(config)#crypto isakmp client configuration group ipsec_group
Router(config-isakmp-group)# key ipsec
Router(config-isakmp-group)# pool ip_pool
Router(config-isakmp-group)# netmask 255.255.255.255

Configuring IPSec based VPN (contd)
crypto ipsec transform-set
A transform set specifies the encryption and authentication algorithms used to
protect the data in the VPN tunnel. A dynamic crypto map then references the
transform set; the remote client's address is learned during negotiation.

Router(config)#crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
Router(cfg-crypto-trans)# exit
Router(config)#crypto dynamic-map DYNMAP 1
Router(config-crypto-map)#set transform-set ESP-3DES-SHA

Transform Set:
Name:ESP-3DES-SHA1
ESP Encryption: ESP_3DES
ESP Integrity: ESP_SHA_HMAC


Configuring IPSec based VPN (contd)
crypto map
Creates a crypto map that ties together the AAA lists and the dynamic map, and
applies it to the VPN-facing interface. The list names must match the AAA lists
defined earlier (vpn_xauth and vpn_group).

Router(config)#crypto map CMAP client authentication list vpn_xauth
Router(config)#crypto map CMAP isakmp authorization list vpn_group
Router(config)#crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
Router(config)#int f0/1
Router(config-if)#crypto map CMAP
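Before a live demonstration, a reviewer would want to confirm that the names used across the AAA, VPDN and IPSec slides line up (an AAA list that the crypto map references but nobody defines fails silently at connection time) and that the algorithms chosen still meet current guidance. The Python script below is an added example written for this page; it is not part of the slides or of Cisco IOS. It parses running-config text (sub-mode commands indented under their parent, as IOS prints them) assembled from the commands on the slides. The sample is constructed: it deliberately uses the login list name vpn_auth on the crypto map while the AAA line defines vpn_xauth, so that the reference check has something to find. The regexes cover only the command forms that appear on these slides.

```python
"""Consistency and crypto-strength checks for the IOS VPN-server configuration.

Added example for this page; not part of the slides or of Cisco IOS. Reports names
that are referenced but never defined, and algorithm choices that current guidance
(NIST SP 800-131A for 3DES/1024-bit DH, the known MS-CHAP weaknesses) treats as weak.
"""
import re

# Constructed running-config assembled from the commands on the slides. The crypto
# map's login list is deliberately vpn_auth while AAA defines vpn_xauth.
SAMPLE_CONFIG = """\
aaa authentication login vpn_xauth local
aaa authorization network vpn_group local
ip local pool ip_pool 172.16.1.10 172.16.1.20
interface Virtual-Template1
 ppp authentication ms-chap ms-chap-v2
vpdn enable
vpdn-group VPN_Server
 accept-dialin
  protocol pptp
  virtual-template 1
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group ipsec_group
 key ipsec
 pool ip_pool
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 1
 set transform-set ESP-3DES-SHA
crypto map CMAP client authentication list vpn_auth
crypto map CMAP isakmp authorization list vpn_group
crypto map CMAP 10 ipsec-isakmp dynamic DYNMAP
"""

# kind -> regex capturing the name a top-level command defines
DEFINITIONS = {
    "login list": re.compile(r"^aaa authentication login (\S+)"),
    "network list": re.compile(r"^aaa authorization network (\S+)"),
    "pool": re.compile(r"^ip local pool (\S+)"),
    "transform-set": re.compile(r"^crypto ipsec transform-set (\S+)"),
    "dynamic-map": re.compile(r"^crypto dynamic-map (\S+)"),
    "virtual-template": re.compile(r"^interface Virtual-Template(\d+)$"),
}
# (kind, regex capturing the name a command refers to), checked on every line
REFERENCES = [
    ("login list", re.compile(r"^crypto map \S+ client authentication list (\S+)")),
    ("network list", re.compile(r"^crypto map \S+ isakmp authorization list (\S+)")),
    ("dynamic-map", re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)")),
    ("pool", re.compile(r"^pool (\S+)")),
    ("transform-set", re.compile(r"^set transform-set (\S+)")),
    ("virtual-template", re.compile(r"^virtual-template (\d+)$")),
]
# (parent command prefix, sub-command regex, reason); covers the forms on the slides
WEAK_SUBCOMMANDS = [
    ("crypto isakmp policy", re.compile(r"^encr(?:yption)? (?:des|3des)$"), "DES/3DES encryption"),
    ("crypto isakmp policy", re.compile(r"^group (?:1|2|5)$"), "DH modulus of 1536 bits or less"),
    ("vpdn-group", re.compile(r"^protocol pptp$"), "PPTP tunnelling"),
    ("interface Virtual-Template", re.compile(r"^ppp authentication .*ms-chap"), "MS-CHAP family authentication"),
]
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "ah-md5-hmac"}


def parse_blocks(text):
    """Group indented sub-mode lines under their top-level command."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw[0].isspace():
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def find_dangling_references(blocks):
    """Names used by one command but defined by none."""
    lines = [cmd for head, children in blocks for cmd in (head, *children)]
    defined = {kind: set() for kind in DEFINITIONS}
    for line in lines:
        for kind, rx in DEFINITIONS.items():
            if m := rx.match(line):
                defined[kind].add(m.group(1))
    problems = []
    for line in lines:
        for kind, rx in REFERENCES:
            if (m := rx.match(line)) and m.group(1) not in defined[kind]:
                problems.append(f"{kind} '{m.group(1)}' used by '{line}' is not defined")
    return problems


def find_weak_crypto(blocks):
    """Algorithm choices that current guidance treats as weak."""
    findings = []
    for head, children in blocks:
        if head.startswith("crypto ipsec transform-set"):
            findings += [f"'{head}': {alg} is a weak transform"
                         for alg in head.split()[4:] if alg in WEAK_TRANSFORMS]
        for prefix, rx, reason in WEAK_SUBCOMMANDS:
            if head.startswith(prefix):
                findings += [f"'{head}' > '{cmd}': {reason}" for cmd in children if rx.match(cmd)]
    return findings


def audit(text):
    """Return (dangling references, weak crypto findings) for one config text."""
    blocks = parse_blocks(text)
    return find_dangling_references(blocks), find_weak_crypto(blocks)
```

Calling audit(SAMPLE_CONFIG) returns one dangling reference (the vpn_auth login list) and five weak-crypto findings: the MS-CHAP authentication on the virtual template, PPTP in the vpdn-group, 3DES and DH group 2 in the IKE policy, and esp-3des in the transform set. Feeding it the output of show running-config from the router gives the same report for the real device; the reference check is the one that catches the kind of list-name mismatch that is easy to introduce when a configuration is typed in section by section.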

Live Demonstration
