Written by Alexei Spirin, Wednesday, 16 July 2008 17:48
! aaa new-model must precede the aaa lists, otherwise IOS rejects them
aaa new-model
aaa authentication login aaaVPN local
aaa authorization network aaaVPN local
!
! Xauth user; privilege 0 keeps the account useless for CLI access
username UserTest privilege 0 secret PleaseChangeMe!
!
! IKE phase 1 policy (group 2 and SHA-1 are the weakest parts of this config)
crypto isakmp policy 10
 hash sha
 encryption aes
 authentication pre-share
 group 2
!
! Client group: dns points at the internal DNS server 192.168.100.1
! (IOS does not accept trailing "!" comments on a command line)
crypto isakmp client configuration group grpVPN
 netmask 255.255.255.0
 pool poolVPN
 acl aclSPLIT
 dns 192.168.100.1
 domain mycompany.local
 split-dns mycompany.local
 key PleaseChangeMe!
!
crypto isakmp profile ikePRF1
 match identity group grpVPN
 client authentication list aaaVPN
 isakmp authorization list aaaVPN
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ts1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile crPRF1
 set transform-set ts1
!
interface Loopback0
 ip address 192.168.255.255 255.255.255.255
!
! Dynamic VTI: one Virtual-Access interface is cloned per connected client
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile crPRF1
!
ip local pool poolVPN 192.168.101.240 192.168.101.254
!
! Split-tunnel ACL: source is the corporate network, destination the client pool
ip access-list extended aclSPLIT
 permit ip 192.168.100.0 0.0.0.255 192.168.101.240 0.0.0.15
Some notes:
User authentication is done against the local router database (both aaa lists point to local); aaa new-model must be enabled or the aaa lines are rejected.
192.168.100.0/24 is the corporate network; the split-tunnel ACL aclSPLIT sends only traffic to this network through the tunnel.
192.168.101.240/28 is the VPN user address range, handed out from poolVPN.
To connect, a user must know the group name and group key (grpVPN and PleaseChangeMe! in this example) and a personal login and password (UserTest and PleaseChangeMe! in this example).
The group key is one secret shared by every user, and because IKEv1 client groups authenticate with a pre-shared key in aggressive mode, anyone who knows the group name and can reach UDP 500 on the router can collect its IKE hash and guess the key offline. Treat the Xauth login and password as the real per-user control, and do not reuse the group key as a user password the way this example does for brevity.
DH group 2 (1024-bit MODP) and SHA-1 in the isakmp policy are weak by today's standards; raise them to group 14 and sha256 where the IOS release and the client software in use can negotiate them.
See also:
Cisco ezVPN configuration examples
Cisco IOS Security Configuration Guide, Release 12.4T
Last Updated on Monday, 28 February 2011 13:33