Leszek R. (IT, Kaczmarek Electric S.A. - Hurtownie Elektrotechniczn...)

Subject: Cisco 1921 + VPN

Hello everyone,
As I'm a VPN novice, I have a simple question: is it normal that over an encrypted connection (does the encryption strength matter?), in my case DES, downloading files in the range of ten-odd megabytes is so sluggish and slow? Or is it a matter of the "performance" configuration itself, the VPN settings? Router load at peak moments is 40-50% so far, so in my view the router copes comfortably; on the client side (Cisco client) the computer has no more than 20% load at its peaks either (does the client CPU matter? here we have a 2.10 GHz Core 2 Duo). I'll say upfront that the links here are symmetric, so there is no bottleneck...
Thanks in advance for suggestions and help.
Leszek Rutkowski
Krzysztof Kania (Cisco Systems Engineer, CCNA R&S, Voice, Security)

Subject: Cisco 1921 + VPN

Leszek R.:
Thanks in advance for suggestions and help.

Unfortunately Cisco's "Router Performance" document doesn't cover the 1921, only its close relative the 1941; however, Cisco states that the 1921 has about 10-15% lower performance than the 1941. And for the 1941 the figures are as follows: 299000 pps / 153 Mbps. So the 1921 comfortably handles traffic around 125 Mbps under optimal conditions.

The next thing of interest to us is "Embedded hardware encryption acceleration is enhanced to provide higher scalability, which, combined with an optional Cisco IOS Security license, enables WAN link security and VPN services (Both IPSec and SSL acceleration)." So encryption is done on a dedicated, separate ASIC, not in software, and doesn't load the CPU.

And the next thing is how much the packet grows: as homework, you can work out what the IPsec overhead on an IP packet is.

Now add up this information, think it over and draw your conclusions. Nobody will do it for you, unless they have a crystal ball and can learn more from it about your network, your links, your router configuration, etc.

Krzysztof
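The "homework" above, worked through as an added example (not from the thread): per-packet GRE/ESP overhead for the two transform-sets in the router configuration posted later in this thread, plus the largest packet that still fits an assumed 1500-byte interface MTU without fragmentation and the TCP MSS that follows from it. Header sizes are taken from RFC 791 (IPv4 without options), RFC 2784 (GRE), RFC 4303 (ESP) and RFC 3948 (NAT-T); the 96-bit ICV is what esp-md5-hmac and esp-sha-hmac produce.

```python
"""GRE/IPsec per-packet overhead for the transform-sets in the posted config.

Added worked example, not code from the thread. Assumptions: IPv4 headers
without options, plain GRE (no key/sequence/checksum), a 1500-byte default
interface MTU, and 96-bit truncated HMAC ICVs (esp-md5-hmac / esp-sha-hmac).
"""
from dataclasses import dataclass

IP_HDR = 20       # IPv4 header without options
GRE_HDR = 4       # plain GRE header
UDP_HDR = 8       # NAT-T encapsulation (UDP 4500), when the client sits behind NAT
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
ICV_96 = 12       # HMAC-MD5-96 / HMAC-SHA1-96 authenticator
TCP_IP_HDRS = 40  # IPv4 + TCP headers, used for the MSS suggestion

# CBC block size, which is also the IV length carried in every ESP packet
CIPHER_BLOCK = {"esp-des": 8, "esp-3des": 8, "esp-aes": 16}


@dataclass(frozen=True)
class TransformSet:
    name: str
    cipher: str
    tunnel_mode: bool   # False means 'mode transport'
    gre: bool = False   # GRE-encapsulated first; ESP (transport) protects GRE + payload
    nat_t: bool = False


def esp_padding(plaintext_len: int, block: int) -> int:
    """Padding so that plaintext + pad + 2-byte trailer is a whole number of blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def encapsulated_size(ts: TransformSet, inner_len: int) -> int:
    """Wire size of an inner_len-byte IP packet after GRE and/or ESP processing."""
    block = CIPHER_BLOCK[ts.cipher]
    if ts.gre:
        # Tunnel0 + crypto map: outer IP header, then ESP in transport mode
        # wrapped around the GRE header and the original packet.
        plaintext = GRE_HDR + inner_len
    elif ts.tunnel_mode:
        # Virtual-Template1 (tunnel mode ipsec ipv4): whole packet becomes ESP payload.
        plaintext = inner_len
    else:
        # plain transport mode: ESP sits between the original IP header and its payload.
        plaintext = inner_len - IP_HDR
    esp = (ESP_HDR + block + plaintext + esp_padding(plaintext, block)
           + ESP_TRAILER + ICV_96)
    return IP_HDR + (UDP_HDR if ts.nat_t else 0) + esp


def overhead(ts: TransformSet, inner_len: int) -> int:
    return encapsulated_size(ts, inner_len) - inner_len


def max_inner_len(ts: TransformSet, link_mtu: int = 1500) -> int:
    """Largest inner packet that leaves the WAN interface without fragmentation."""
    n = link_mtu
    while encapsulated_size(ts, n) > link_mtu:
        n -= 1
    return n


def tcp_mss(ts: TransformSet, link_mtu: int = 1500) -> int:
    """TCP MSS that keeps full-size segments under max_inner_len (cf. 'ip tcp adjust-mss')."""
    return max_inner_len(ts, link_mtu) - TCP_IP_HDRS


# The two transform-sets from the posted configuration
GRE_OVER_DES = TransformSet("TS_WOLSZT_POWOD: GRE + esp-des esp-md5-hmac, transport",
                            "esp-des", tunnel_mode=False, gre=True)
EZVPN_AES = TransformSet("EZVPN_TS: esp-aes esp-sha-hmac, tunnel",
                         "esp-aes", tunnel_mode=True)
EZVPN_AES_NAT_T = TransformSet("EZVPN_TS with NAT-T", "esp-aes",
                               tunnel_mode=True, nat_t=True)

if __name__ == "__main__":
    for ts in (GRE_OVER_DES, EZVPN_AES, EZVPN_AES_NAT_T):
        print(f"{ts.name}: 1500-byte packet -> {encapsulated_size(ts, 1500)} bytes "
              f"(+{overhead(ts, 1500)}); largest unfragmented inner packet "
              f"{max_inner_len(ts)}, TCP MSS {tcp_mss(ts)}")
```

A full 1500-byte packet grows by 60 bytes on either tunnel, so without an MSS clamp or a lower tunnel MTU every full-size segment is fragmented on the WAN side, which on its own costs throughput regardless of cipher strength.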
Jarosław W. (Always Look On The Bright Side Of Life)

Subject: Cisco 1921 + VPN

WRITE to me privately, I'll help!!!
Leszek R. (IT, Kaczmarek Electric S.A. - Hurtownie Elektrotechniczn...)

Subject: Cisco 1921 + VPN

Analysing the network issue, I come to the conclusion that the transfer slowdown is caused by the Cisco VPN Adapter: the packet transmission between that adapter and the computer's native network card. Has anyone had such a case? Maybe it's a matter of configuring the Adapter further?
Krzysztof Kania (Cisco Systems Engineer, CCNA R&S, Voice, Security)

Subject: Cisco 1921 + VPN

Leszek R.:
Analysing the network issue, I come to the conclusion that the transfer slowdown is caused by the Cisco VPN Adapter: the packet transmission between that adapter and the computer's native network card. Has anyone had such a case? Maybe it's a matter of configuring the Adapter further?

Did you read what I wrote earlier: "... unless they have a crystal ball and can learn more from it ..."? How is anyone supposed to help you when you don't want to be helped, since you haven't even bothered to post the router configuration.

Krzysztof
Leszek R. (IT, Kaczmarek Electric S.A. - Hurtownie Elektrotechniczn...)

Subject: Cisco 1921 + VPN

Router#sh run
Building configuration...

Current configuration : 17863 bytes
!
! Last configuration change at 09:19:27 PCTime Mon Oct 10 2011 by admin
! NVRAM config last updated at 22:57:22 PCTime Tue Sep 27 2011 by zdalny
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 200000
no logging console
enable secret 5 xxx
enable password 7 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login EZVPN local
aaa authorization exec default local
aaa authorization network EZVPN local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 27 2011 2:00 Oct 30 2011 3:00
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.1.253
!
!
no ip domain lookup
ip domain name sae.pl
ip host xxxx IP_1
ip name-server 194.204.159.1
ip name-server 194.204.152.34
ip inspect name FWOUT appfw FWOUT
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp
ip inspect name FWOUT netshow
ip inspect name FWOUT rcmd
ip inspect name FWOUT realaudio
ip inspect name FWOUT rtsp
ip inspect name FWOUT esmtp
ip inspect name FWOUT sqlnet
ip inspect name FWOUT tftp
!
multilink bundle-name authenticated
!
!
crypto pki server IOSCA
database level complete
issuer-name CN=IOSCA.IOSCA.local C=PL
grant auto
lifetime ca-certificate 365
cdp-url http://IP_1/cgi-bin/pkiclient.exe?operation=GetCRL
!
crypto pki trustpoint IOSCA
subject-name OU=EZVPN_GROUP
revocation-check crl
rsakeypair IOSCA
!
crypto pki trustpoint saenet
enrollment mode ra
enrollment url http://IP_1:80
revocation-check none
!
crypto pki trustpoint test1
enrollment url http://IP_1:80
usage ike
serial-number
chain-validation continue IOSCA
revocation-check none
!
!
!
crypto pki certificate map EZVPN 10
issuer-name co iosca
!
crypto pki certificate chain IOSCA

certificate ca 01
// key string
quit
license udi pid CISCO1921/K9 sn FCZ1504CBWK
!
!
username xxx
!
redundancy
!
!
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
crypto isakmp policy 1
encr aes
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key haslo address IP_2
crypto isakmp identity dn
crypto isakmp keepalive 10
!
crypto isakmp client configuration group EZVPN_GROUP
dns 194.204.152.34 194.204.159.1
domain nazwa
pool VPN_POOL
acl EZVPN_SPLIT_TUNNEL
include-local-lan
netmask 255.255.254.0
crypto isakmp profile EZVPN_PROFILE
ca trust-point xxx
match identity group EZVPN_GROUP
match certificate EZVPN
client authentication list EZVPN
isakmp authorization list EZVPN
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set TS_WOLSZT_POWOD esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set EZVPN_TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
set transform-set EZVPN_TS
set isakmp-profile EZVPN_PROFILE
!
!
crypto map CM_ISAKMP_WOLSZT_POWOD 1 ipsec-isakmp
set peer IP_2
set transform-set TS_WOLSZT_POWOD
match address SiecIPSEC
!
!
!
!
!
interface Loopback0
no ip address
!
!
interface Tunnel0
ip address 192.168.254.1 255.255.255.252
tunnel source Serial0/0/0.1
tunnel destination IP_2
crypto map CM_ISAKMP_WOLSZT_POWOD
!
!
interface GigabitEthernet0/0
ip address 192.168.1.253 255.255.255.0
ip access-group 102 out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
interface Serial0/0/0
description Konfiguracja fizycznego interfejsu szeregowego
no ip address
encapsulation frame-relay
no fair-queue
no clock rate 2000000
frame-relay lmi-type ansi
!
!
interface Serial0/0/0.1 point-to-point
description Polaczenie Polpak-T do Internetu 2Mbit
ip address IP_1 netmask
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no cdp enable
frame-relay interface-dlci 99 IETF
crypto map CM_ISAKMP_WOLSZT_POWOD
!
interface Virtual-Template1 type tunnel
ip unnumbered Serial0/0/0.1
tunnel source Serial0/0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
!
!
router eigrp 1010
network 192.168.1.0
network 192.168.254.0 0.0.0.3
no eigrp log-neighbor-warnings
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.254
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool POOL_NAT IP_1 IP_1 netmask 255.255.255.252
ip nat inside source list 100 pool POOL_NAT overload
ip nat inside source static tcp 192.168.1.243 3389 interface Serial0/0/0.1 3389
ip route 0.0.0.0 0.0.0.0 80.50.164.217
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip access-list extended EZVPN_SPLIT_TUNNEL
permit ip 192.168.0.0 0.0.1.255 any
ip access-list extended SPLIT_T
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended SiecIPSEC
permit gre host IP_1 host IP_2
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any host IP_1 eq 10000
access-list 101 permit tcp any 80.48.66.144 0.0.0.15
access-list 101 permit tcp any host IP_1 eq 4899
access-list 101 permit tcp any range 6000 6063 host IP_1 range 1433 1434
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 445
access-list 101 permit tcp any any eq 139
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any eq domain any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq ntp host IP_1 eq ntp
access-list 101 permit udp any host IP_1 eq non500-isakmp
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp host 194.204.152.34 eq domain any
access-list 101 permit udp host 194.204.152.34 any eq domain
access-list 101 permit udp host 194.204.159.1 eq domain any
access-list 101 permit udp host 194.204.159.1 any eq domain
access-list 101 permit udp any 80.48.66.144 0.0.0.15
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 deny ip any any log
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any eq www any
access-list 102 permit tcp any eq www any eq www
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any eq domain any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any eq pop3 any
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 3389
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 139
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 445
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 range 1433 1434
access-list 102 permit icmp any any echo-reply
access-list 102 permit udp 192.168.0.0 0.0.1.255 range netbios-ns netbios-dgm 192.168.1.0 0.0.0.255 range netbios-ns netbios-dgm
access-list 102 permit udp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq domain
access-list 102 permit udp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq snmp
access-list 102 permit udp host 194.204.152.34 eq domain any
access-list 102 permit udp host 194.204.152.34 any eq domain
access-list 102 permit udp host 194.204.159.1 eq domain any
access-list 102 permit udp host 194.204.159.1 any eq domain
access-list 102 permit udp 192.168.1.0 0.0.0.255 range netbios-ns netbios-dgm host 192.168.1.255 range netbios-ns netbios-dgm
access-list 102 permit udp 192.168.1.0 0.0.0.255 eq bootps 192.168.1.0 0.0.0.255 eq bootpc
access-list 102 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.255 eq netbios-dgm
access-list 102 permit icmp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any log
!
!
!
!
!
!
control-plane
!
!
!
line con 0
password 7 0xxx
line aux 0
line vty 0 4
exec-timeout 15 30
absolute-timeout 60
transport input telnet ssh
line vty 5 15
exec-timeout 15 30
absolute-timeout 60
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server IP_3
ntp server IP_4
end
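A hardening review of the configuration above, as an added example (not the author's code or a Cisco tool): it walks a `show run` text block by block and flags the settings a reviewer would raise, such as the DES/MD5 transform-set, the 3DES/MD5 ISAKMP policy, DH group 2, telnet on the vty lines, the type-7 enable password, plain-HTTP management, `revocation-check none` and `grant auto` on the CA server. The sample input is an excerpt of the posted configuration trimmed to the relevant lines; the defaults applied for omitted ISAKMP policy keywords (DES, SHA, rsa-sig, group 1) are the documented IOS defaults.

```python
"""Weak-crypto and weak-management audit of an IOS running-config.

Added example for this thread, not code from the thread. SAMPLE_CONFIG is an
excerpt of the posted 'show run', trimmed to the lines the checks look at.
"""
from typing import Iterator

SAMPLE_CONFIG = """\
enable secret 5 xxx
enable password 7 xxx
crypto pki server IOSCA
 grant auto
crypto pki trustpoint saenet
 revocation-check none
crypto isakmp policy 1
 encr aes
 group 2
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set TS_WOLSZT_POWOD esp-des esp-md5-hmac
 mode transport
crypto ipsec transform-set EZVPN_TS esp-aes esp-sha-hmac
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

# IOS defaults that apply when an isakmp policy omits the keyword
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


def blocks(config: str) -> Iterator[tuple[str, list[str]]]:
    """Yield (top-level line, [sub-lines]); IOS indents sub-mode lines by one space."""
    head, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            body.append(raw.strip())
        else:
            if head is not None:
                yield head, body
            head, body = raw.strip(), []
    if head is not None:
        yield head, body


def audit(config: str) -> list[str]:
    """Return one finding string per weak setting found in the config."""
    findings = []
    for head, body in blocks(config):
        if head.startswith("crypto isakmp policy"):
            policy = dict(ISAKMP_DEFAULTS)
            for line in body:
                key, _, value = line.partition(" ")
                if key in policy:
                    policy[key] = value
            if policy["encr"] in ("des", "3des"):
                findings.append(f"{head}: encryption {policy['encr']} is deprecated")
            if policy["hash"] == "md5":
                findings.append(f"{head}: hash md5 is deprecated")
            if policy["group"] in ("1", "2", "5"):
                findings.append(f"{head}: DH group {policy['group']} is below 2048-bit")
        elif head.startswith("crypto ipsec transform-set"):
            weak = sorted(WEAK_ESP.intersection(head.split()))
            if weak:
                findings.append(f"{head.split()[3]}: weak transforms {', '.join(weak)}")
        elif head.startswith("enable password"):
            findings.append("enable password: reversible type-7 secret configured")
        elif head == "ip http server":
            findings.append("ip http server: management over plain HTTP enabled")
        elif head.startswith("line vty"):
            for line in body:
                if line.startswith("transport input") and "telnet" in line.split():
                    findings.append(f"{head}: telnet permitted ({line})")
        elif head.startswith("crypto pki trustpoint") and "revocation-check none" in body:
            findings.append(f"{head}: revocation-check none (revoked certs still accepted)")
        elif head.startswith("crypto pki server") and "grant auto" in body:
            findings.append(f"{head}: grant auto issues a certificate to any enrollment request")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```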
Leszek R.

Leszek R. IT ® Kaczmarek
Electric S.A. -
Hurtownie
Elektrotechniczn...

Temat: Cisco 1921 + VPN

Router#sh run
Building configuration...

Current configuration : 17863 bytes
!
! Last configuration change at 09:19:27 PCTime Mon Oct 10 2011 by admin
! NVRAM config last updated at 22:57:22 PCTime Tue Sep 27 2011 by zdalny
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 200000
no logging console
enable secret 5 xxx
enable password 7 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login EZVPN local
aaa authorization exec default local
aaa authorization network EZVPN local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 27 2011 2:00 Oct 30 2011 3:00
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.1.253
!
!
no ip domain lookup
ip domain name sae.pl
ip host xxxx IP_1
ip name-server 194.204.159.1
ip name-server 194.204.152.34
ip inspect name FWOUT appfw FWOUT
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp
ip inspect name FWOUT netshow
ip inspect name FWOUT rcmd
ip inspect name FWOUT realaudio
ip inspect name FWOUT rtsp
ip inspect name FWOUT esmtp
ip inspect name FWOUT sqlnet
ip inspect name FWOUT tftp
!
multilink bundle-name authenticated
!
!
crypto pki server IOSCA
database level complete
issuer-name CN=IOSCA.IOSCA.local C=PL
grant auto
lifetime ca-certificate 365
cdp-url http://IP_1/cgi-bin/pkiclient.exe?operation=GetCRL
!
crypto pki trustpoint IOSCA
subject-name OU=EZVPN_GROUP
revocation-check crl
rsakeypair IOSCA
!
crypto pki trustpoint saenet
enrollment mode ra
enrollment url http://IP_1:80
revocation-check none
!
crypto pki trustpoint test1
enrollment url http://IP_1:80
usage ike
serial-number
chain-validation continue IOSCA
revocation-check none
!
!
!
crypto pki certificate map EZVPN 10
issuer-name co iosca
!
crypto pki certificate chain IOSCA

certificate ca 01
// ciag klucza
quit
license udi pid CISCO1921/K9 sn FCZ1504CBWK
!
!
username xxx
!
redundancy
!
!
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
crypto isakmp policy 1
encr aes
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key haslo address IP_2
crypto isakmp identity dn
crypto isakmp keepalive 10
!
crypto isakmp client configuration group EZVPN_GROUP
dns 194.204.152.34 194.204.159.1
domain nazwa
pool VPN_POOL
acl EZVPN_SPLIT_TUNNEL
include-local-lan
netmask 255.255.254.0
crypto isakmp profile EZVPN_PROFILE
ca trust-point xxx
match identity group EZVPN_GROUP
match certificate EZVPN
client authentication list EZVPN
isakmp authorization list EZVPN
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set TS_WOLSZT_POWOD esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set EZVPN_TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
set transform-set EZVPN_TS
set isakmp-profile EZVPN_PROFILE
!
!
crypto map CM_ISAKMP_WOLSZT_POWOD 1 ipsec-isakmp
set peer IP_2
set transform-set TS_WOLSZT_POWOD
match address SiecIPSEC
!
!
!
!
!
interface Loopback0
no ip address
!
!
interface Tunnel0
ip address 192.168.254.1 255.255.255.252
tunnel source Serial0/0/0.1
tunnel destination IP_2
crypto map CM_ISAKMP_WOLSZT_POWOD
!
!
interface GigabitEthernet0/0
ip address 192.168.1.253 255.255.255.0
ip access-group 102 out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
interface Serial0/0/0
description Konfiguracja fizycznego interfejsu szeregowego
no ip address
encapsulation frame-relay
no fair-queue
no clock rate 2000000
frame-relay lmi-type ansi
!
!
interface Serial0/0/0.1 point-to-point
description Polaczenie Polpak-T do Internetu 2Mbit
ip address IP_1 netmask
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no cdp enable
frame-relay interface-dlci 99 IETF
crypto map CM_ISAKMP_WOLSZT_POWOD
!
interface Virtual-Template1 type tunnel
ip unnumbered Serial0/0/0.1
tunnel source Serial0/0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
!
!
router eigrp 1010
network 192.168.1.0
network 192.168.254.0 0.0.0.3
no eigrp log-neighbor-warnings
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.254
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool POOL_NAT IP_1 IP_1 netmask 255.255.255.252
ip nat inside source list 100 pool POOL_NAT overload
ip nat inside source static tcp 192.168.1.243 3389 interface Serial0/0/0.1 3389
ip route 0.0.0.0 0.0.0.0 80.50.164.217
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip access-list extended EZVPN_SPLIT_TUNNEL
permit ip 192.168.0.0 0.0.1.255 any
ip access-list extended SPLIT_T
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended SiecIPSEC
permit gre host IP_1 host IP_2
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any host IP_1 eq 10000
access-list 101 permit tcp any 80.48.66.144 0.0.0.15
access-list 101 permit tcp any host IP_1 eq 4899
access-list 101 permit tcp any range 6000 6063 host IP_1 range 1433 1434
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 445
access-list 101 permit tcp any any eq 139
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any eq domain any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq ntp host IP_1 eq ntp
access-list 101 permit udp any host IP_1 eq non500-isakmp
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp host 194.204.152.34 eq domain any
access-list 101 permit udp host 194.204.152.34 any eq domain
access-list 101 permit udp host 194.204.159.1 eq domain any
access-list 101 permit udp host 194.204.159.1 any eq domain
access-list 101 permit udp any 80.48.66.144 0.0.0.15
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 deny ip any any log
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any eq www any
access-list 102 permit tcp any eq www any eq www
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any eq domain any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any eq pop3 any
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 3389
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 139
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 445
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 range 1433 1434
access-list 102 permit icmp any any echo-reply
access-list 102 permit udp 192.168.0.0 0.0.1.255 range netbios-ns netbios-dgm 192.168.1.0 0.0.0.255 range netbios-ns netbios-dgm
access-list 102 permit udp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq domain
access-list 102 permit udp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq snmp
access-list 102 permit udp host 194.204.152.34 eq domain any
access-list 102 permit udp host 194.204.152.34 any eq domain
access-list 102 permit udp host 194.204.159.1 eq domain any
access-list 102 permit udp host 194.204.159.1 any eq domain
access-list 102 permit udp 192.168.1.0 0.0.0.255 range netbios-ns netbios-dgm host 192.168.1.255 range netbios-ns netbios-dgm
access-list 102 permit udp 192.168.1.0 0.0.0.255 eq bootps 192.168.1.0 0.0.0.255 eq bootpc
access-list 102 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.255 eq netbios-dgm
access-list 102 permit icmp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any log
!
!
!
!
!
!
control-plane
!
!
!
line con 0
password 7 0xxx
line aux 0
line vty 0 4
exec-timeout 15 30
absolute-timeout 60
transport input telnet ssh
line vty 5 15
exec-timeout 15 30
absolute-timeout 60
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server IP_3
ntp server IP_4
end
Leszek R.

Leszek R. IT ® Kaczmarek
Electric S.A. -
Hurtownie
Elektrotechniczn...

Temat: Cisco 1921 + VPN

Router#sh run
Building configuration...

Current configuration : 17863 bytes
!
! Last configuration change at 09:19:27 PCTime Mon Oct 10 2011 by admin
! NVRAM config last updated at 22:57:22 PCTime Tue Sep 27 2011 by zdalny
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 200000
no logging console
enable secret 5 xxx
enable password 7 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login EZVPN local
aaa authorization exec default local
aaa authorization network EZVPN local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 27 2011 2:00 Oct 30 2011 3:00
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.1.253
!
!
no ip domain lookup
ip domain name sae.pl
ip host xxxx IP_1
ip name-server 194.204.159.1
ip name-server 194.204.152.34
ip inspect name FWOUT appfw FWOUT
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp
ip inspect name FWOUT netshow
ip inspect name FWOUT rcmd
ip inspect name FWOUT realaudio
ip inspect name FWOUT rtsp
ip inspect name FWOUT esmtp
ip inspect name FWOUT sqlnet
ip inspect name FWOUT tftp
!
multilink bundle-name authenticated
!
!
crypto pki server IOSCA
database level complete
issuer-name CN=IOSCA.IOSCA.local C=PL
grant auto
lifetime ca-certificate 365
cdp-url http://IP_1/cgi-bin/pkiclient.exe?operation=GetCRL
!
crypto pki trustpoint IOSCA
subject-name OU=EZVPN_GROUP
revocation-check crl
rsakeypair IOSCA
!
crypto pki trustpoint saenet
enrollment mode ra
enrollment url http://IP_1:80
revocation-check none
!
crypto pki trustpoint test1
enrollment url http://IP_1:80
usage ike
serial-number
chain-validation continue IOSCA
revocation-check none
!
!
!
crypto pki certificate map EZVPN 10
issuer-name co iosca
!
crypto pki certificate chain IOSCA

certificate ca 01
// ciag klucza
quit
license udi pid CISCO1921/K9 sn FCZ1504CBWK
!
!
username xxx
!
redundancy
!
!
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
crypto isakmp policy 1
encr aes
group 2
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key haslo address IP_2
crypto isakmp identity dn
crypto isakmp keepalive 10
!
crypto isakmp client configuration group EZVPN_GROUP
dns 194.204.152.34 194.204.159.1
domain nazwa
pool VPN_POOL
acl EZVPN_SPLIT_TUNNEL
include-local-lan
netmask 255.255.254.0
crypto isakmp profile EZVPN_PROFILE
ca trust-point xxx
match identity group EZVPN_GROUP
match certificate EZVPN
client authentication list EZVPN
isakmp authorization list EZVPN
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set TS_WOLSZT_POWOD esp-des esp-md5-hmac
mode transport
crypto ipsec transform-set EZVPN_TS esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE
set transform-set EZVPN_TS
set isakmp-profile EZVPN_PROFILE
!
!
crypto map CM_ISAKMP_WOLSZT_POWOD 1 ipsec-isakmp
set peer IP_2
set transform-set TS_WOLSZT_POWOD
match address SiecIPSEC
!
!
!
!
!
interface Loopback0
no ip address
!
!
interface Tunnel0
ip address 192.168.254.1 255.255.255.252
tunnel source Serial0/0/0.1
tunnel destination IP_2
crypto map CM_ISAKMP_WOLSZT_POWOD
!
!
interface GigabitEthernet0/0
ip address 192.168.1.253 255.255.255.0
ip access-group 102 out
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
!
interface Serial0/0/0
description Konfiguracja fizycznego interfejsu szeregowego
no ip address
encapsulation frame-relay
no fair-queue
no clock rate 2000000
frame-relay lmi-type ansi
!
!
interface Serial0/0/0.1 point-to-point
description Polaczenie Polpak-T do Internetu 2Mbit
ip address IP_1 netmask
ip access-group 101 in
ip nat outside
ip virtual-reassembly
no cdp enable
frame-relay interface-dlci 99 IETF
crypto map CM_ISAKMP_WOLSZT_POWOD
!
interface Virtual-Template1 type tunnel
ip unnumbered Serial0/0/0.1
tunnel source Serial0/0/0.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
!
!
router eigrp 1010
network 192.168.1.0
network 192.168.254.0 0.0.0.3
no eigrp log-neighbor-warnings
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.254
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
!
ip nat pool POOL_NAT IP_1 IP_1 netmask 255.255.255.252
ip nat inside source list 100 pool POOL_NAT overload
ip nat inside source static tcp 192.168.1.243 3389 interface Serial0/0/0.1 3389
ip route 0.0.0.0 0.0.0.0 80.50.164.217
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip access-list extended EZVPN_SPLIT_TUNNEL
permit ip 192.168.0.0 0.0.1.255 any
ip access-list extended SPLIT_T
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended SiecIPSEC
permit gre host IP_1 host IP_2
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any eq www any
access-list 101 permit tcp any host IP_1 eq 10000
access-list 101 permit tcp any 80.48.66.144 0.0.0.15
access-list 101 permit tcp any host IP_1 eq 4899
access-list 101 permit tcp any range 6000 6063 host IP_1 range 1433 1434
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 143
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 445
access-list 101 permit tcp any any eq 139
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any eq domain any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq ntp host IP_1 eq ntp
access-list 101 permit udp any host IP_1 eq non500-isakmp
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 permit udp host 194.204.152.34 eq domain any
access-list 101 permit udp host 194.204.152.34 any eq domain
access-list 101 permit udp host 194.204.159.1 eq domain any
access-list 101 permit udp host 194.204.159.1 any eq domain
access-list 101 permit udp any 80.48.66.144 0.0.0.15
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit gre any any
access-list 101 permit esp any any
access-list 101 deny ip any any log
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any eq www any
access-list 102 permit tcp any eq www any eq www
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any eq domain any
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any eq smtp any
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any eq pop3 any
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 3389
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 139
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq 445
access-list 102 permit tcp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 range 1433 1434
access-list 102 permit icmp any any echo-reply
access-list 102 permit udp 192.168.0.0 0.0.1.255 range netbios-ns netbios-dgm 192.168.1.0 0.0.0.255 range netbios-ns netbios-dgm
access-list 102 permit udp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq domain
access-list 102 permit udp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255 eq snmp
access-list 102 permit udp host 194.204.152.34 eq domain any
access-list 102 permit udp host 194.204.152.34 any eq domain
access-list 102 permit udp host 194.204.159.1 eq domain any
access-list 102 permit udp host 194.204.159.1 any eq domain
access-list 102 permit udp 192.168.1.0 0.0.0.255 range netbios-ns netbios-dgm host 192.168.1.255 range netbios-ns netbios-dgm
access-list 102 permit udp 192.168.1.0 0.0.0.255 eq bootps 192.168.1.0 0.0.0.255 eq bootpc
access-list 102 permit udp 192.168.1.0 0.0.0.255 host 192.168.1.255 eq netbios-dgm
access-list 102 permit icmp 192.168.0.0 0.0.1.255 192.168.1.0 0.0.0.255
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip any any log
!
!
!
!
!
!
control-plane
!
!
!
line con 0
password 7 0xxx
line aux 0
line vty 0 4
exec-timeout 15 30
absolute-timeout 60
transport input telnet ssh
line vty 5 15
exec-timeout 15 30
absolute-timeout 60
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server IP_3
ntp server IP_4
end
Leszek R.
IT ® Kaczmarek Electric S.A. - Hurtownie Elektrotechniczn...

Subject: Cisco 1921 + VPN

Sorry for the duplicate posts, a GoldenLine bug :(
