Written by Alexei Spirin
Monday, 28 February 2011 13:35
sysopt connection permit-ipsec
crypto isakmp enable outside
crypto isakmp nat-traversal 60
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ts1 esp-aes-256 esp-sha-hmac
crypto dynamic-map crDM1 10 set pfs
crypto dynamic-map crDM1 10 set transform-set ts1
crypto dynamic-map crDM1 10 set security-association lifetime seconds 28800
crypto dynamic-map crDM1 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map crDM1 10 set reverse-route
crypto map crM1 10000 ipsec-isakmp dynamic crDM1
crypto map crM1 interface outside
!
access-list splitUsers extended permit ip 10.0.0.0 255.0.0.0 any
ip local pool vpnUsers 192.168.101.1-192.168.101.254 mask 255.255.255.128
!
group-policy vpnUsers internal
group-policy vpnUsers attributes
 vpn-tunnel-protocol IPSec
 password-storage disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splitUsers
!
tunnel-group vpnUsers type remote-access
tunnel-group vpnUsers general-attributes
 address-pool vpnUsers
 authentication-server-group LOCAL
 default-group-policy vpnUsers
!
tunnel-group vpnUsers ipsec-attributes
 pre-shared-key PleaseChangeMe!
!
username User1 password PleaseChangeMe! privilege 0
Some notes:
User authentication is done against the local database (authentication-server-group LOCAL).
10.0.0.0/8 is considered the address range of the corporate network and is the only traffic sent through the tunnel (split tunneling via the splitUsers list).
192.168.101.240/28 is considered the VPN user address range.
To connect successfully, a user must know the group name and group key (vpnUsers and PleaseChangeMe! in this example) and a personal login and password (User1 and PleaseChangeMe! in this example).
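As an added example (not part of the original post), a small Python audit that reads an ASA remote-access config excerpt like the one above and flags the settings a reviewer would question: SHA-1 and DH group 2 in the IKE policy, placeholder secrets left in place, and a local pool whose address range does not fit its mask. The excerpt, the weak-setting lists and the placeholder-secret list are constructed here.

```python
import ipaddress
import re

# Constructed excerpt of the ASA config shown in the post above.
ASA_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
ip local pool vpnUsers 192.168.101.1-192.168.101.254 mask 255.255.255.128
tunnel-group vpnUsers ipsec-attributes
 pre-shared-key PleaseChangeMe!
username User1 password PleaseChangeMe! privilege 0
"""

WEAK_DH_GROUPS = {"1", "2", "5"}        # MODP <= 1536 bits; prefer group 14 or higher
WEAK_HASHES = {"md5", "sha"}            # on the ASA, "hash sha" means SHA-1
PLACEHOLDER_SECRETS = {"pleasechangeme!", "cisco", "password"}  # constructed list


def audit_asa_vpn(config: str) -> list[str]:
    """Return human-readable findings for an ASA IPsec remote-access config."""
    findings = []
    for line in config.splitlines():
        cmd = line.strip()  # sub-mode commands are indented by one space
        if m := re.match(r"hash (\S+)$", cmd):
            if m.group(1).lower() in WEAK_HASHES:
                findings.append(f"weak IKE hash: {m.group(1)}")
        elif m := re.match(r"group (\d+)$", cmd):
            if m.group(1) in WEAK_DH_GROUPS:
                findings.append(f"weak DH group: {m.group(1)}")
        elif m := re.match(r"(?:pre-shared-key|username \S+ password) (\S+)", cmd):
            if m.group(1).lower() in PLACEHOLDER_SECRETS:
                findings.append(f"placeholder secret still in use: {m.group(1)}")
        elif m := re.match(r"ip local pool (\S+) (\S+)-(\S+) mask (\S+)$", cmd):
            name, first, last, mask = m.groups()
            # The mask is applied to the pool addresses; the whole range must lie inside it.
            net = ipaddress.IPv4Network(f"{first}/{mask}", strict=False)
            if ipaddress.IPv4Address(last) not in net:
                findings.append(f"pool {name}: range {first}-{last} does not fit mask {mask}")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_vpn(ASA_CONFIG):
        print(finding)
```

Run against the excerpt, the audit reports the SHA-1 hash, DH group 2, both placeholder secrets, and the pool whose .1-.254 range exceeds the 255.255.255.128 mask.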
Cisco IOS router as an ezVPN Server
Last Updated on Monday, 28 February 2011 13:42
Comments
nat (inside) 0 access-list splitUsers