Creating a VPN Between a Workstation and a Router
Problem
You want to make a VPN from a remote workstation to a router.
Solution
There are several steps to configuring a router to accept IPSec VPN connections from remote PCs. The following discussion covers only the router's configuration, not the PC's software configuration. You should refer to the software vendor's documentation for information about configuring the workstation software:
Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default group tacacs+
Router1(config)#aaa authentication enable default group tacacs+
Router1(config)#tacacs-server host 172.25.1.1
Router1(config)#tacacs-server key COOKBOOK
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac esp-3des
Router1(cfg-crypto-trans)#mode tunnel
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto dynamic-map VPN-USER-MAP 50
Router1(config-crypto-map)#description A dynamic crypto map for VPN users
Router1(config-crypto-map)#match address 115
Router1(config-crypto-map)#set transform-set VPN-TRANSFORMS
Router1(config-crypto-map)#exit
Router1(config)#access-list 115 deny ip any 224.0.0.0 15.255.255.255
Router1(config)#access-list 115 deny ip any 172.25.1.255 0.0.0.0
Router1(config)#access-list 115 permit ip any any
Router1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.25.1.5 255.255.255.0
Router1(config-if)#crypto map CRYPTOMAP
Router1(config-if)#exit
Router1(config)#exit
Router1#
Discussion
The first few lines in this example are the aaa and tacacs-server commands, which are described in more detail in Chapter 4. This simply sets up username authentication for all incoming VPN connections, and allows you to get these authentication credentials from a central server running the TACACS+ protocol.
We are using AAA and TACACS+ in this configuration to supply the pre-shared keys that ISAKMP will use to set up its SA for this VPN. This is similar to the use of pre-shared keys in Recipe 12.3, but here we expect to have a large number of remote VPN users, so it is administratively easier if we manage them from the TACACS+ server instead of on the router.
Then we set up the ISAKMP policy as follows:
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
This defines the policy for authentication and encryption keys, and is identical to the ISAKMP policy we used in Recipe 12.3. We selected these particular policy parameters because they are required for the Cisco Easy VPN Remote software. If you are using different client software, you may need to use different settings.
After doing this, we need to define the IPSec VPN properties. We begin by defining the transform set that we want to use for these VPN connections. We will call this transform set VPN-TRANSFORMS:
Router1(config)#crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac esp-3des
Router1(cfg-crypto-trans)#mode tunnel
The VPN will use the esp-sha-hmac and esp-3des transforms. This transform set is almost the same as the one in Recipe 12.3, but this time we have specified that this VPN should use tunnel mode with the mode command. In Recipe 12.3, IPSec was used to encrypt traffic in a GRE tunnel. However, here we are dealing with VPNs that terminate on a user workstation, so it is not possible to create a GRE tunnel before establishing the connection. So this example uses tunnel mode, which is actually the default.
Because the workstation could in principle be anywhere on the Internet, we can't even define an IP address for it. But to use IPSec on a Cisco router, we need to create a crypto map, which is a template for the Security Association (SA) that IPSec will use for this session. Fortunately, Cisco provides the ability to create dynamic crypto maps for precisely these types of situations:
Router1(config)#crypto dynamic-map VPN-USER-MAP 50
Router1(config-crypto-map)#description A dynamic crypto map for VPN users
Router1(config-crypto-map)#match address 115
Router1(config-crypto-map)#set transform-set VPN-TRANSFORMS
This creates a dynamic map called VPN-USER-MAP. The number, 50, on the end of the line is a sequence number, similar to the sequence numbers used in route map statements. The router will look at all map entries in sequence until it finds a match. In this case, the match is decided by the match address command, which compares the IP addresses of packets to access-list 115. If the access-list matches the addresses in the packet header, it will then apply the transform set that we created earlier.
The access-list here blocks any packets whose destination addresses are either multicasts or local broadcasts. Obviously, this type of traffic cannot possibly be associated with a VPN:
Router1(config)#access-list 115 deny ip any 224.0.0.0 15.255.255.255
Router1(config)#access-list 115 deny ip any 172.25.1.255 0.0.0.0
Router1(config)#access-list 115 permit ip any any
In practice, you may want to use a more restrictive access-list.
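To see exactly which destinations access-list 115 hands to the transform set, the following added example (not part of the original recipe) evaluates the list the way IOS does: entries in order, first match wins, wildcard bits set to 1 are ignored. It assumes the list is written in extended-ACL form with the ip keyword and the multicast range 224.0.0.0/4 as wildcard 15.255.255.255; the source address 198.51.100.7 is a constructed sample client.

```python
import ipaddress

# access-list 115 from the recipe, written in extended-ACL form (assumption:
# protocol keyword "ip", and 224.0.0.0/4 as wildcard 15.255.255.255).
ACL_115 = """\
access-list 115 deny ip any 224.0.0.0 15.255.255.255
access-list 115 deny ip any 172.25.1.255 0.0.0.0
access-list 115 permit ip any any
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines, keeping their order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list":
            continue
        if tokens[3] != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line!r}")
        rest = tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        entries.append((tokens[2], src, dst))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF      # a 1 bit in the wildcard means "ignore this bit"
    return (addr & care) == (base & care)

def crypto_acl_action(entries, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    s, d = (int(ipaddress.IPv4Address(a)) for a in (src, dst))
    for action, src_spec, dst_spec in entries:
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return action
    return "deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_115)
    for dst in ("172.25.1.20", "224.0.0.5", "239.255.255.250", "172.25.1.255"):
        print(dst, crypto_acl_action(acl, "198.51.100.7", dst))
```

A permit result means the packet is matched by the dynamic map entry and gets VPN-TRANSFORMS applied; a deny result means this map entry does not apply to it.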
We can then build the actual crypto map that references this dynamic map. In the following command, we create a crypto map called, appropriately enough, CRYPTOMAP. This command is sequence number 10 in the definition of the map. In fact, it's the only command in the map's definition, but there could easily be others, including static crypto maps similar to the ones we discussed in Recipes 12.3 and 12.6. Usually, you actually want to put any dynamic maps at the end of your crypto map. This is because dynamic maps work best as catch-all conditions for unknown IP addresses. So if there are any known IP addresses that require special attention, you need to configure them first before the dynamic map statements.
You apply the crypto map to the interface that will be receiving the VPN requests:
Router1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
Router1(config)#interface FastEthernet0/1
Router1(config-if)#crypto map CRYPTOMAP
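The advice above about placing dynamic maps at the end of a crypto map can be checked mechanically against a saved configuration. This added example (not from the original recipe) reports every dynamic entry whose sequence number is lower than that of a static entry in the same crypto map; the sample configuration, its peer address 192.0.2.10, access-list number 120 and sequence numbers 5 and 20 are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the recipe): a dynamic entry
# at sequence 5 is evaluated before the static entry at sequence 20.
SAMPLE_CONFIG = """\
crypto map CRYPTOMAP 5 ipsec-isakmp dynamic VPN-USER-MAP
crypto map CRYPTOMAP 20 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set VPN-TRANSFORMS
 match address 120
interface FastEthernet0/1
 crypto map CRYPTOMAP
"""

# Matches only crypto map entry headers, not the interface-level "crypto map NAME".
ENTRY = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?\s*$")

def crypto_map_entries(config):
    """Return {map_name: [(seq, dynamic_map_name or None), ...]} ordered by seq."""
    maps = {}
    for line in config.splitlines():
        m = ENTRY.match(line)
        if m:
            maps.setdefault(m.group(1), []).append((int(m.group(2)), m.group(3)))
    return {name: sorted(e, key=lambda x: x[0]) for name, e in maps.items()}

def misordered_dynamic_entries(config):
    """List (map, dynamic_seq, dynamic_map, last_static_seq) for each dynamic
    entry that the router would examine before a static entry of the same map."""
    findings = []
    for name, entries in crypto_map_entries(config).items():
        static_seqs = [seq for seq, dyn in entries if dyn is None]
        if not static_seqs:
            continue                      # only dynamic entries: nothing to reorder
        last_static = max(static_seqs)
        for seq, dyn in entries:
            if dyn is not None and seq < last_static:
                findings.append((name, seq, dyn, last_static))
    return findings

if __name__ == "__main__":
    for name, seq, dyn, last in misordered_dynamic_entries(SAMPLE_CONFIG):
        print(f"{name}: dynamic map {dyn} at {seq} precedes static entry at {last}")
```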