October 31st, 2009
Cisco my love – take 2

Posted by: cristina_crow in technical

And the solution was: use the ports of the hardware encryption module in trunk mode. By assigning several VLANs to one port of the IPsec module, I can use several crypto maps, each on its own VLAN. Of course, this way I will have to use several physical ports to build this topology, which on Juniper was done on a single physical interface. But at least I found a workaround for the one-crypto-map-per-interface limitation.

The config is below. I still haven't convinced the Cisco to do site-to-site with the device I'm testing with, but that should be a pure matter of IPsec on Cisco, not of ways around this wonderful vendor's limitations.

1. I removed the CA configuration lines and other things irrelevant to the situation at hand from the config.

2. As can be seen, one of the maps does remote access with certificates and XAUTH user+group, while the other should ( :P ) do site-to-site with certificates.

aaa new-model
!
!
aaa authentication login default local
aaa authentication login ra_xauth local
aaa authentication eou default group radius
aaa authorization network ragroup local
aaa authorization network IxVPN local
aaa authorization auth-proxy default group radius
aaa accounting network default start-stop group radius

!
crypto pki trustpoint VPN
 enrollment retry period 5
 enrollment mode ra
 enrollment url http://10.205.17.185:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 subject-name CN=231-6500IPSec
 ! revocation-check none: CRL/OCSP is not consulted (lab setting)
 revocation-check none
 rsakeypair ra_key
 auto-enroll regenerate
!
! both certificate maps use the same match rule (cn contains "peer")
crypto pki certificate map cert_map 10
 subject-name co cn = peer
!
crypto pki certificate map cert_map_s2s 10
 subject-name co cn = peer
!
crypto pki certificate chain VPN
…………..
! policy 4: 3DES, MD5 and DH group 2 (lab settings; all three are weak by current standards)
crypto isakmp policy 4
 encr 3des
 hash md5
 group 2
 lifetime 300
!
crypto isakmp policy 5
 encr aes
 group 5
 lifetime 300
crypto isakmp keepalive 60 30
crypto isakmp client configuration address-pool local ra_ipsecpool
!
crypto isakmp client configuration group ragroup_test
 key ra_key
 pool ra_ipsecpool
 group-lock
 max-users 5000
 netmask 255.255.0.0
!
crypto isakmp peer address 0.0.0.0
!
! ISAKMP profile for remote-access peers: certificate match plus XAUTH (list ra_xauth)
! and mode-config from group ragroup_test
crypto isakmp profile test
 keyring default
 ca trust-point VPN
 match certificate cert_map
 client authentication list ra_xauth
 client configuration address respond
 client configuration group ragroup_test
! ISAKMP profile for the site-to-site peer: certificate match only, no XAUTH
crypto isakmp profile s2s
 keyring default
 ca trust-point VPN
 match identity address 0.0.0.0
 match certificate cert_map_s2s
!
crypto ipsec security-association lifetime seconds 43200
!
crypto ipsec transform-set general_transform esp-3des esp-md5-hmac
!
! IPsec profiles (tunnel/virtual-template style); not referenced by the crypto maps below
crypto ipsec profile RA
 set transform-set general_transform
 set isakmp-profile test
!
crypto ipsec profile ipsec_s2s
 set transform-set general_transform
 set isakmp-profile s2s
!
crypto dynamic-map ra_dynamic_map 10
 set transform-set general_transform
!
crypto dynamic-map s2s 10
 set transform-set general_transform
! entry 12 binds the s2s ISAKMP profile but sets no transform set
crypto dynamic-map s2s 12
 set isakmp-profile s2s
!
! remote-access crypto map: XAUTH, group authorization and mode-config at map level
crypto map general_map client authentication list ra_xauth
crypto map general_map isakmp authorization list ragroup
crypto map general_map isakmp-profile test
crypto map general_map client configuration address respond
crypto map general_map 30 ipsec-isakmp dynamic ra_dynamic_map
!
! site-to-site crypto map, applied on its own interface VLAN (120) below
crypto map test_s2s isakmp-profile s2s
crypto map test_s2s 30 ipsec-isakmp dynamic s2s
!
!
! Gi3/3: physical port in port VLAN 111 (the path toward the remote-access peers)
interface GigabitEthernet3/3
 switchport
 switchport access vlan 111
 switchport mode access
!
interface GigabitEthernet3/4
 ip address 171.253.253.4 255.255.255.0
!
! Gi3/5: physical port in port VLAN 121 (the path toward the site-to-site peer)
interface GigabitEthernet3/5
 switchport
 switchport access vlan 121
 switchport mode access
!
! VPN module port 1, trunking both interface VLANs (110 and 120): this is where the
! second crypto map comes from, one VLAN per map on the same module port
interface GigabitEthernet8/1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,110,120
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast edge trunk
!
! VPN module port 2
interface GigabitEthernet8/1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1
 switchport mode trunk
 mtu 9216
 flowcontrol receive on
 flowcontrol send off
 spanning-tree portfast edge trunk
!
! interface VLAN 110: addressed, carries the remote-access crypto map, steered to the module in slot 8/1
interface Vlan110
 ip address 170.2.0.6 255.255.0.0
 no mop enabled
 crypto map general_map
 crypto engine slot 8/1
!
! port VLAN 111: unaddressed, crypto-connected to interface VLAN 110
interface Vlan111
 no ip address
 crypto connect vlan 110
!
! interface VLAN 120: the second crypto map on its own VLAN, same module slot
interface Vlan120
 ip address 170.3.0.6 255.255.255.0
 no mop enabled
 crypto map test_s2s
 crypto engine slot 8/1
!
! port VLAN 121: unaddressed, crypto-connected to interface VLAN 120
interface Vlan121
 no ip address
 crypto connect vlan 120
!
ip local pool ra_ipsecpool 94.94.0.1 94.94.0.254
!
ip route 61.211.0.0 255.255.0.0 171.253.253.2
ip route 94.0.0.0 255.0.0.0 170.2.0.2
ip route 120.0.0.0 255.255.255.0 173.2.0.1
ip route 149.1.0.0 255.255.0.0 170.2.0.2
ip route 157.11.0.0 255.255.0.0 149.1.0.13
ip route 157.12.0.0 255.255.0.0 149.1.0.13
!
!
radius-server attribute 8 include-in-access-req
radius-server host 60.60.60.1 auth-port 1645 acct-port 1646 key VAA
radius-server host 60.60.60.1 auth-port 1812 acct-port 1813 key VAA
radius-server retry method reorder
radius-server timeout 1000
radius-server key VAA
radius-server vsa send accounting
radius-server vsa send authentication
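The pairing the workaround relies on (an addressed interface VLAN with exactly one crypto map and a crypto engine slot, an unaddressed port VLAN crypto-connected to it, and the interface VLAN allowed on a trunk port of the module slot) is easy to get wrong once there are several of them. The check below is an added example, not code from the original post: it parses IOS-style config text and reports every interface VLAN that breaks the pattern, including the one-crypto-map-per-interface limit the post works around. SAMPLE_CONFIG and BROKEN_CONFIG are constructed inputs trimmed from the config above; the trunk test assumes the interface VLAN must appear in the allowed list of a trunk port in the crypto engine slot, as it does for Gi8/1/1 above; the helper names (expand_vlans, parse_config, check_topology) are the example's own.

```python
"""Added check for the crypto-connect VLAN pairing the config above relies on: per
interface VLAN with a crypto map, one map, a crypto engine slot, one port VLAN
crypto-connected to it, and the VLAN allowed on a trunk port of that slot."""
import re
from collections import defaultdict

# Constructed sample modelled on the posted config, trimmed to the relevant lines.
SAMPLE_CONFIG = """\
crypto map general_map 30 ipsec-isakmp dynamic ra_dynamic_map
crypto map test_s2s 30 ipsec-isakmp dynamic s2s
!
interface GigabitEthernet8/1/1
 switchport trunk allowed vlan 1,110,120
interface Vlan110
 ip address 170.2.0.6 255.255.0.0
 crypto map general_map
 crypto engine slot 8/1
interface Vlan111
 no ip address
 crypto connect vlan 110
interface Vlan120
 ip address 170.3.0.6 255.255.255.0
 crypto map test_s2s
 crypto engine slot 8/1
interface Vlan121
 no ip address
 crypto connect vlan 120
"""

# Same topology with two deliberate mistakes: a second crypto map on Vlan110 (the
# one-map-per-interface limit the post works around) and no port VLAN for Vlan120.
BROKEN_CONFIG = SAMPLE_CONFIG.replace(
    " crypto map general_map\n", " crypto map general_map\n crypto map test_s2s\n"
).replace("interface Vlan121\n no ip address\n crypto connect vlan 120\n", "")

def expand_vlans(spec):
    """'1,110,120' -> {1, 110, 120}; a range such as '100-102' is expanded."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_config(text):
    """Return (crypto map names, interfaces). An interface block ends at '!' or at
    the next 'interface' line, so flattened copies like the one on the page parse."""
    maps, intfs, cur = set(), {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("!"):
            cur = None
        elif line.startswith("interface "):
            cur = intfs.setdefault(line.split(None, 1)[1],
                                   {"maps": [], "slot": None, "connect": None, "allowed": None})
        elif cur is None:
            if line.startswith("crypto map "):      # global 'crypto map NAME ...'
                maps.add(line.split()[2])
        elif line.startswith("crypto map "):        # map applied on the interface
            cur["maps"].append(line.split()[2])
        elif line.startswith("crypto engine slot "):
            cur["slot"] = line.split()[3]
        elif line.startswith("crypto connect vlan "):
            cur["connect"] = int(line.split()[3])
        elif line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] = expand_vlans(line.split()[4])
    return maps, intfs

def check_topology(text):
    """Return (pairs, findings): pairs maps interface VLAN id -> crypto map, engine slot
    and port VLAN; findings lists violations and is empty when the pairing is consistent."""
    maps, intfs = parse_config(text)
    findings, pairs = [], {}
    ports = defaultdict(list)   # interface VLAN id -> port VLANs crypto-connected to it
    for name, i in intfs.items():
        if i["connect"] is not None:
            ports[i["connect"]].append(name)
    for name, i in intfs.items():
        if not i["maps"] or not re.fullmatch(r"Vlan\d+", name):
            continue
        vid = int(name[4:])
        if len(i["maps"]) > 1:
            findings.append(f"{name}: {len(i['maps'])} crypto maps on one interface, IOS takes one")
        findings += [f"{name}: crypto map {m} is not defined" for m in i["maps"] if m not in maps]
        if i["slot"] is None:
            findings.append(f"{name}: no 'crypto engine slot', traffic is not steered to the module")
        elif not any(vid in (p["allowed"] or ()) for n, p in intfs.items()
                     if n.startswith(f"GigabitEthernet{i['slot']}/")):
            findings.append(f"{name}: VLAN {vid} is not allowed on any trunk port of slot {i['slot']}")
        if len(ports[vid]) != 1:
            findings.append(f"{name}: needs one port VLAN with 'crypto connect vlan {vid}', "
                            f"found {len(ports[vid])}")
        pairs[vid] = {"crypto_map": i["maps"][0], "engine_slot": i["slot"],
                      "port_vlan": int(ports[vid][0][4:]) if len(ports[vid]) == 1 else None}
    return pairs, findings

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, *check_topology(cfg), sep="\n  ")
```

Run against a full running config the same way (read the text from a file in place of SAMPLE_CONFIG); the sample yields two clean pairs (110/111 with general_map, 120/121 with test_s2s) and no findings, while BROKEN_CONFIG reports the doubled crypto map on Vlan110 and the missing port VLAN for Vlan120.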
