Je cherche un ou des exemple de configuration VPN avec cryptage IPSec avec routeur ou PIX Cisco
www.cisco.com
exemple : http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html
, Stephane
Christophe D
Hello,
Sur un PIX, utilise le PDM de base (release 6.0 mini) et tout est fait automatiquement, c'est ce qu'il y a de mieux.
Sur un routeur, un exemple de conf sur un 1720 equipé de l'IOS IP FW / IDS / VPN 3DES :
hostname cisco ! clock timezone MET 1 clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00 ip subnet-zero no ip source-route ! ... ip inspect max-incomplete high 1100 ip inspect max-incomplete low 900 ip inspect one-minute high 1100 ip inspect one-minute low 900 ip inspect name ingressfw http alert on audit-trail on timeout 3600 ip inspect name ingressfw fragment maximum 8192 timeout 30 ip inspect name ingressfw tcp alert on audit-trail on ip audit notify log ip audit po max-events 100 ip audit name ingressIDS info action alarm ip audit name ingressIDS attack action alarm drop ip ssh time-out 60 ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key maclefdifficilleatrouver address 197.0.0.1 <<<<<<<<< adresse du PIX en face par exemple ! crypto isakmp peer address 197.0.0.1 ! crypto ipsec security-association lifetime seconds 28800 ! crypto ipsec transform-set 3DES esp-3des esp-md5-hmac ! crypto map cm-cryptomap 1 ipsec-isakmp set peer 197.0.0.1 set security-association lifetime seconds 86400 set transform-set 3DES match address 120 ! ! ! ! interface ATM0 description Interface ADSL-ATM pour accès Net1 512Kb bandwidth 512 no ip address no ip mroute-cache no atm ilmi-keepalive pvc 8/35 encapsulation aal5mux ppp dialer dialer pool-member 1 ! dsl operating-mode splitterless hold-queue 224 in ! interface FastEthernet0 description Connected to EthernetLAN ip address 192.168.1.254 255.255.255.0 ip access-group FromLan in ip access-group ToLan out ip nat inside no ip mroute-cache no cdp enable ! interface Dialer1 description connected to Internet bandwidth 512 ip address negotiated previous ip access-group inboundfilters in ip access-group outboundfilters out ip accounting access-violations ip nat outside ip inspect ingressfw in ip audit ingressIDS in encapsulation ppp no ip route-cache no ip split-horizon no ip mroute-cache dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname monLoginProvider ppp chap password monPasswordProvider crypto map cm-cryptomap ! ip nat inside source route-map nonat interface Dialer1 overload ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 no ip http server ! ! ip access-list extended FromLan permit ip host 192.168.1.1 any <<<< poste de l'admin ou du PAPA permit ip host 192.168.1.250 any <<<< le proxy pour les autres ... deny ip any any ... ip access-list ToLan deny udp any eq ntp any time-range BOOTYEAR permit ip any any ... ip access-list extended inboundfilters remark les ports ouverts par défaut en entrée sur l'interface Dialer permit ip host 197.0.0.1 any permit udp any eq domain any permit icmp any any echo-reply permit icmp any any time-exceeded log permit udp any eq ntp any evaluate udptraffic evaluate tcptraffic evaluate icmptraffic ... ip access-list extended outboundfilters remark les permissions de sortie sur l'interface Dialer permit ip host 192.168.1.1 any permit tcp host 192.168.1.250 any reflect tcptraffic permit udp host 192.168.1.250 any reflect udptraffic permit icmp any any reflect icmptraffic permit udp any any eq domain permit udp any any eq ntp ! logging history debugging logging trap debugging logging facility local4 logging source-interface FastEthernet0 logging 192.168.1.250 ! access-list 2 permit 192.168.1.0 0.0.0.255 access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 <<<<<<<<< les réseaux qui se parlent via VPN access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 130 permit ip 192.168.1.0 0.0.0.255 any ... dialer-list 1 protocol ip permit no cdp run ! route-map nonat permit 10 description Traffic a travers le VPN donc sans NAT match ip address 130 ! snmp-server community public RO 1 snmp-server location Christophe's Home snmp-server contact Christophe Decombe snmp-server enable traps tty bridge 1 protocol ieee ! line con 0 exec-timeout 120 0 line aux 0 line vty 0 4 access-class 2 in exec-timeout 120 0 password monPassword login local transport input ssh ! no scheduler allocate ntp clock-period 17179853 ntp source Dialer1 ntp server 62.4.16.80 ntp server 134.214.100.6 ntp server 129.240.64.3 ntp server 138.195.130.71 ntp server 194.2.0.58 ntp server 194.2.0.28 ntp server 212.37.192.31 time-range BOOTYEAR absolute start 00:00 01 January 1993 end 23:59 31 December 1993 ! end
Voilà,
j'espère avoir éclairé ta lanterne...et comme j'ai modifié la conf qui tourne à la main ... j'espère n'avoir rien oublié ..
Christophe D
"Stephane T." a écrit dans le message de news:3fbd85d7$0$9299$
Nadir wrote:
Je cherche un ou des exemple de configuration VPN avec cryptage IPSec avec
Sur un PIX, utilise le PDM de base (release 6.0 mini) et tout est fait
automatiquement, c'est ce qu'il y a de mieux.
Sur un routeur, un exemple de conf sur un 1720 equipé de l'IOS IP FW / IDS
/ VPN 3DES :
hostname cisco
!
clock timezone MET 1
clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip source-route
!
...
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect name ingressfw http alert on audit-trail on timeout 3600
ip inspect name ingressfw fragment maximum 8192 timeout 30
ip inspect name ingressfw tcp alert on audit-trail on
ip audit notify log
ip audit po max-events 100
ip audit name ingressIDS info action alarm
ip audit name ingressIDS attack action alarm drop
ip ssh time-out 60
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key maclefdifficilleatrouver address 197.0.0.1 <<<<<<<<<
adresse du PIX en face par exemple
!
crypto isakmp peer address 197.0.0.1
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set 3DES esp-3des esp-md5-hmac
!
crypto map cm-cryptomap 1 ipsec-isakmp
set peer 197.0.0.1
set security-association lifetime seconds 86400
set transform-set 3DES
match address 120
!
!
!
!
interface ATM0
description Interface ADSL-ATM pour accès Net1 512Kb
bandwidth 512
no ip address
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode splitterless
hold-queue 224 in
!
interface FastEthernet0
description Connected to EthernetLAN
ip address 192.168.1.254 255.255.255.0
ip access-group FromLan in
ip access-group ToLan out
ip nat inside
no ip mroute-cache
no cdp enable
!
interface Dialer1
description connected to Internet
bandwidth 512
ip address negotiated previous
ip access-group inboundfilters in
ip access-group outboundfilters out
ip accounting access-violations
ip nat outside
ip inspect ingressfw in
ip audit ingressIDS in
encapsulation ppp
no ip route-cache
no ip split-horizon
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname monLoginProvider
ppp chap password monPasswordProvider
crypto map cm-cryptomap
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
ip access-list extended FromLan
permit ip host 192.168.1.1 any <<<< poste de l'admin ou du PAPA
permit ip host 192.168.1.250 any <<<< le proxy pour les autres ...
deny ip any any
...
ip access-list ToLan
deny udp any eq ntp any time-range BOOTYEAR
permit ip any any
...
ip access-list extended inboundfilters
remark les ports ouverts par défaut en entrée sur l'interface Dialer
permit ip host 197.0.0.1 any
permit udp any eq domain any
permit icmp any any echo-reply
permit icmp any any time-exceeded log
permit udp any eq ntp any
evaluate udptraffic
evaluate tcptraffic
evaluate icmptraffic
...
ip access-list extended outboundfilters
remark les permissions de sortie sur l'interface Dialer
permit ip host 192.168.1.1 any
permit tcp host 192.168.1.250 any reflect tcptraffic
permit udp host 192.168.1.250 any reflect udptraffic
permit icmp any any reflect icmptraffic
permit udp any any eq domain
permit udp any any eq ntp
!
logging history debugging
logging trap debugging
logging facility local4
logging source-interface FastEthernet0
logging 192.168.1.250
!
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
<<<<<<<<< les réseaux qui se parlent via VPN
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
...
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
description Traffic a travers le VPN donc sans NAT
match ip address 130
!
snmp-server community public RO 1
snmp-server location Christophe's Home
snmp-server contact Christophe Decombe
snmp-server enable traps tty
bridge 1 protocol ieee
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
access-class 2 in
exec-timeout 120 0
password monPassword
login local
transport input ssh
!
no scheduler allocate
ntp clock-period 17179853
ntp source Dialer1
ntp server 62.4.16.80
ntp server 134.214.100.6
ntp server 129.240.64.3
ntp server 138.195.130.71
ntp server 194.2.0.58
ntp server 194.2.0.28
ntp server 212.37.192.31
time-range BOOTYEAR
absolute start 00:00 01 January 1993 end 23:59 31 December 1993
!
end
Voilà,
j'espère avoir éclairé ta lanterne...et comme j'ai modifié la conf qui
tourne à la main ... j'espère n'avoir rien oublié ..
Christophe D
"Stephane T." <see-marklevdotcom@readwhatsontheleft.com> a écrit dans le
message de news:3fbd85d7$0$9299$626a54ce@news.free.fr...
Nadir wrote:
Je cherche un ou des exemple de configuration VPN avec cryptage IPSec
avec
Sur un PIX, utilise le PDM de base (release 6.0 mini) et tout est fait automatiquement, c'est ce qu'il y a de mieux.
Sur un routeur, un exemple de conf sur un 1720 equipé de l'IOS IP FW / IDS / VPN 3DES :
hostname cisco ! clock timezone MET 1 clock summer-time MEST recurring last Sun Mar 2:00 last Sun Oct 3:00 ip subnet-zero no ip source-route ! ... ip inspect max-incomplete high 1100 ip inspect max-incomplete low 900 ip inspect one-minute high 1100 ip inspect one-minute low 900 ip inspect name ingressfw http alert on audit-trail on timeout 3600 ip inspect name ingressfw fragment maximum 8192 timeout 30 ip inspect name ingressfw tcp alert on audit-trail on ip audit notify log ip audit po max-events 100 ip audit name ingressIDS info action alarm ip audit name ingressIDS attack action alarm drop ip ssh time-out 60 ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key maclefdifficilleatrouver address 197.0.0.1 <<<<<<<<< adresse du PIX en face par exemple ! crypto isakmp peer address 197.0.0.1 ! crypto ipsec security-association lifetime seconds 28800 ! crypto ipsec transform-set 3DES esp-3des esp-md5-hmac ! crypto map cm-cryptomap 1 ipsec-isakmp set peer 197.0.0.1 set security-association lifetime seconds 86400 set transform-set 3DES match address 120 ! ! ! ! interface ATM0 description Interface ADSL-ATM pour accès Net1 512Kb bandwidth 512 no ip address no ip mroute-cache no atm ilmi-keepalive pvc 8/35 encapsulation aal5mux ppp dialer dialer pool-member 1 ! dsl operating-mode splitterless hold-queue 224 in ! interface FastEthernet0 description Connected to EthernetLAN ip address 192.168.1.254 255.255.255.0 ip access-group FromLan in ip access-group ToLan out ip nat inside no ip mroute-cache no cdp enable ! interface Dialer1 description connected to Internet bandwidth 512 ip address negotiated previous ip access-group inboundfilters in ip access-group outboundfilters out ip accounting access-violations ip nat outside ip inspect ingressfw in ip audit ingressIDS in encapsulation ppp no ip route-cache no ip split-horizon no ip mroute-cache dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap callin ppp chap hostname monLoginProvider ppp chap password monPasswordProvider crypto map cm-cryptomap ! ip nat inside source route-map nonat interface Dialer1 overload ip classless ip route 0.0.0.0 0.0.0.0 Dialer1 no ip http server ! ! ip access-list extended FromLan permit ip host 192.168.1.1 any <<<< poste de l'admin ou du PAPA permit ip host 192.168.1.250 any <<<< le proxy pour les autres ... deny ip any any ... ip access-list ToLan deny udp any eq ntp any time-range BOOTYEAR permit ip any any ... ip access-list extended inboundfilters remark les ports ouverts par défaut en entrée sur l'interface Dialer permit ip host 197.0.0.1 any permit udp any eq domain any permit icmp any any echo-reply permit icmp any any time-exceeded log permit udp any eq ntp any evaluate udptraffic evaluate tcptraffic evaluate icmptraffic ... ip access-list extended outboundfilters remark les permissions de sortie sur l'interface Dialer permit ip host 192.168.1.1 any permit tcp host 192.168.1.250 any reflect tcptraffic permit udp host 192.168.1.250 any reflect udptraffic permit icmp any any reflect icmptraffic permit udp any any eq domain permit udp any any eq ntp ! logging history debugging logging trap debugging logging facility local4 logging source-interface FastEthernet0 logging 192.168.1.250 ! access-list 2 permit 192.168.1.0 0.0.0.255 access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 <<<<<<<<< les réseaux qui se parlent via VPN access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 130 permit ip 192.168.1.0 0.0.0.255 any ... dialer-list 1 protocol ip permit no cdp run ! route-map nonat permit 10 description Traffic a travers le VPN donc sans NAT match ip address 130 ! snmp-server community public RO 1 snmp-server location Christophe's Home snmp-server contact Christophe Decombe snmp-server enable traps tty bridge 1 protocol ieee ! line con 0 exec-timeout 120 0 line aux 0 line vty 0 4 access-class 2 in exec-timeout 120 0 password monPassword login local transport input ssh ! no scheduler allocate ntp clock-period 17179853 ntp source Dialer1 ntp server 62.4.16.80 ntp server 134.214.100.6 ntp server 129.240.64.3 ntp server 138.195.130.71 ntp server 194.2.0.58 ntp server 194.2.0.28 ntp server 212.37.192.31 time-range BOOTYEAR absolute start 00:00 01 January 1993 end 23:59 31 December 1993 ! end
Voilà,
j'espère avoir éclairé ta lanterne...et comme j'ai modifié la conf qui tourne à la main ... j'espère n'avoir rien oublié ..
Christophe D
"Stephane T." a écrit dans le message de news:3fbd85d7$0$9299$
Nadir wrote:
Je cherche un ou des exemple de configuration VPN avec cryptage IPSec avec
