A few slightly more advanced things, for those who run into this kind of thing in networking. I promise not to do it again and to explain everything from scratch next time...
Split Tunneling: this is the option by which the client, when connecting through the VPN, does not have Internet access:
int e0
 ip address 192.168.40.51 255.255.255.0
sh int ip brief
PHASE 1
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
PHASE II
crypto ipsec transform-set ESP_DES_SHA esp-des esp-sha-hmac
ip local pool VPNPOOL 11.0.0.1-11.0.0.20 <- the address range handed out to VPN clients
group-policy clientgroup internal
group-policy clientgroup attributes
 vpn-idle-timeout 20
Information pushed to the VPN client
 dns-server value 192.168.1.20
 split-tunnel-policy tunnel-all
username xxxxxx password xxxxxx
tunnel-group CISCO type ipsec-ra
tunnel-group CISCO general-attributes
 address-pool VPNPOOL
 default-group-policy clientgroup
 authorization-server-group LOCAL <- the PIX itself looks this up automatically in its local database
 authentication-server-group LOCAL
tunnel-group CISCO ipsec-attributes
 pre-shared-key xxxxxxxxx
We create a dynamic map instead of a (static) crypto map
crypto dynamic-map DYNMAP 20 set transform-set ESP_DES_SHA
crypto map VPN 20 ipsec-isakmp dynamic DYNMAP
crypto map VPN interface outside <- the map is bound to an interface
isakmp enable outside
isakmp identity address
username user1 password password1
PROTOCOL COMPATIBILITY BETWEEN PHASE I AND PHASE II
In Phase I:
With AES we use SHA
with AES we never use MD5
With DES we do not use SHA
In Phase II:
3DES and SHA are incompatible
AES and MD5 are incompatible
AES and SHA are compatible
DYNAMIC TUNNEL (the following steps apply to the tunnel created above)
crypto map MAPA 20 ipsec-isakmp dynamic DYN
tunnel-group CISCO type ipsec-ra
tunnel-group CISCO general-attributes
group-policy clientgroup attributes
 password-storage enable <- allows the client to save the password for later connections.
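As an added example (my own, not from the post), a small Python audit that walks a PIX/ASA config like the one above and reports the phase 1 values, phase 2 transforms and group-policy options this post talks about (3DES/MD5/group 2, esp-des, tunnel-all, password-storage). The sample config is constructed from the post's lines, and the "weak" lists are an assumed reviewer policy, not anything the PIX itself enforces.

```python
import re
from typing import List

# Constructed sample, condensed from the post's PIX remote-access VPN config.
SAMPLE_CONFIG = """\
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto ipsec transform-set ESP_DES_SHA esp-des esp-sha-hmac
group-policy clientgroup attributes
 vpn-idle-timeout 20
 split-tunnel-policy tunnel-all
 password-storage enable
crypto dynamic-map DYNMAP 20 set transform-set ESP_DES_SHA
"""

# Assumed reviewer policy: phase 1 values and phase 2 transforms treated as weak.
WEAK_PHASE1 = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_PHASE2 = {"esp-des", "esp-3des", "esp-md5-hmac"}

def audit_vpn_config(text: str) -> List[str]:
    """Walk the config block by block and return one finding per weak or notable line."""
    findings: List[str] = []
    block = ""  # header line of the indented block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # top-level line: starts a new block
            block = line
            m = re.match(r"crypto ipsec transform-set (\S+) (.*)", line)
            if m:  # the phase 2 transform-set is a one-liner, so check it here
                weak = sorted(set(m.group(2).split()) & WEAK_PHASE2)
                if weak:
                    findings.append(f"transform-set {m.group(1)} uses weak {', '.join(weak)}")
            continue
        if block.startswith("crypto isakmp policy"):  # phase 1 sub-commands
            key, _, val = line.partition(" ")
            if val in WEAK_PHASE1.get(key, set()):
                findings.append(f"{block}: weak {key} {val}")
        elif block.startswith("group-policy") and block.endswith("attributes"):
            if line == "split-tunnel-policy tunnel-all":
                findings.append(f"{block}: tunnel-all, clients get no direct Internet access")
            elif line == "password-storage enable":
                findings.append(f"{block}: password-storage enable lets the client cache the VPN password")
    return findings
```

Run `audit_vpn_config(SAMPLE_CONFIG)` to get the six findings for the post's settings; a policy using AES, SHA and a larger DH group produces none.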
...only for those who understand...