====== Cisco Crypto MAP IPSec VPN Client ======

When you want to grant access through the Cisco VPN Client, follow these instructions, which I reproduce without modification since I have never tested them.

<code>
aaa new-model
!
!--- In order to enable Xauth for user authentication,
!--- enable the aaa authentication commands.
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
!--- For local authentication of the IPsec user,
!--- create the user with a password.
!--- ("password 0" stores the password in cleartext in the running config;
!--- "username user secret <password>" stores a hash instead.)
username user password 0 cisco
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
!--- 3DES and DH group 2 are legacy choices kept for the old Cisco VPN Client;
!--- prefer AES and a stronger DH group where the client supports them.
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
!--- Create a group that is used to specify the
!--- DNS (and optionally WINS) server addresses to the VPN Client,
!--- along with the pre-shared key for authentication.
!--- The pre-shared key is shared by every client in the group; the Xauth
!--- username/password is the only per-user credential.
!--- The pool name must match the "ip local pool" defined below.
crypto isakmp client configuration group vpnclient
 key 1z2x3c4v5b6n7m8
 dns 195.72.193.1 195.72.193.2
 pool VPNPOOL
!
!--- Create the Phase 2 policy for actual data encryption
!--- (again legacy algorithms: 3DES with HMAC-MD5).
crypto ipsec transform-set VPNClients-transformset esp-3des esp-md5-hmac
!
!--- Create a dynamic map and apply
!--- the transform set that was created earlier.
crypto dynamic-map dynmap 10
 set transform-set VPNClients-transformset
 reverse-route
!
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!--- Create the loopback interface for the VPN user traffic.
interface Loopback0
 description Loopback per VPN Client Traffic
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
!--- Apply the crypto map on the interface.
!--- (The interface's own IP addressing is not shown on this page.)
interface Ethernet0
 ip policy route-map VPN-Client
 crypto map clientmap
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
!--- The name is the one referenced by "pool" in the client configuration group.
ip local pool VPNPOOL 192.9.201.1 192.9.201.254
!
!--- Interesting traffic used for policy routing: everything sourced from the client pool.
ip access-list extended IP4_VPN_TRAFFIC
 permit ip 192.9.201.0 0.0.0.255 any
!
!--- Configure the route map to match the interesting traffic (ACL IP4_VPN_TRAFFIC)
!--- and route it to next-hop 10.11.0.2, which lies on the Loopback0 subnet.
route-map VPN-Client permit 10
 match ip address IP4_VPN_TRAFFIC
 set ip next-hop 10.11.0.2
!
end
</code>
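A crypto-map configuration of this kind works only if a handful of names agree with each other: the pool named in the client configuration group and the `ip local pool`, the transform set named in the dynamic map, the AAA lists named in the crypto map, the crypto map and route map applied to the interface, and the ACL matched by the route map. The Python script below is an added example (not part of the original page or of any Cisco documentation) that parses IOS running-config text, reports cross-references to objects that are never defined, and flags the legacy settings used here (3DES, HMAC-MD5, DH group 2, cleartext `password 0`, one shared group key). The embedded sample is a constructed, abridged copy of the page's configuration with a deliberate pool-name mismatch (the group references `VPNPOOL` while the pool is defined as `ippool`) so the checker has something to report. The regexes cover only the commands used on this page; this is not a full IOS parser.

```python
import re

# Constructed sample: the page's configuration (abridged) in IOS running-config layout,
# with one deliberate defect kept in for the checker to find: the client group
# references pool VPNPOOL, but the pool is defined under the name ippool.
SAMPLE_CONFIG = """\
aaa authentication login userauthen local
username user password 0 cisco
crypto isakmp policy 3
 encr 3des
 group 2
crypto isakmp client configuration group vpnclient
 key 1z2x3c4v5b6n7m8
 pool VPNPOOL
crypto ipsec transform-set VPNClients-transformset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set VPNClients-transformset
crypto map clientmap client authentication list userauthen
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0
 ip policy route-map VPN-Client
 crypto map clientmap
ip local pool ippool 192.9.201.1 192.9.201.254
ip access-list extended IP4_VPN_TRAFFIC
 permit ip 192.9.201.0 0.0.0.255 any
route-map VPN-Client permit 10
 match ip address IP4_VPN_TRAFFIC
 set ip next-hop 10.11.0.2
"""

# Where each kind of object is defined: (kind, regex on a top-level command capturing its name).
DEFINITIONS = [
    ("authentication-list", re.compile(r"^aaa authentication login (\S+)")),
    ("transform-set", re.compile(r"^crypto ipsec transform-set (\S+)")),
    ("dynamic-map", re.compile(r"^crypto dynamic-map (\S+)")),
    ("crypto-map", re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp")),
    ("pool", re.compile(r"^ip local pool (\S+)")),
    ("acl", re.compile(r"^ip access-list (?:standard|extended) (\S+)")),
    ("route-map", re.compile(r"^route-map (\S+)")),
]
# Where objects are referenced: (block header prefix, regex on header or sub-command capturing one or more names, kind).
REFERENCES = [
    ("crypto map", re.compile(r"^crypto map \S+ client authentication list (\S+)"), "authentication-list"),
    ("crypto map", re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"), "dynamic-map"),
    ("crypto isakmp client configuration group", re.compile(r"^pool (\S+)"), "pool"),
    ("crypto dynamic-map", re.compile(r"^set transform-set (.+)"), "transform-set"),
    ("interface", re.compile(r"^crypto map (\S+)"), "crypto-map"),
    ("interface", re.compile(r"^ip policy route-map (\S+)"), "route-map"),
    ("route-map", re.compile(r"^match ip address (.+)"), "acl"),
]
# Legacy or risky settings: (block header prefix, regex on the header or a sub-command, message).
WEAK_SETTINGS = [
    ("crypto isakmp policy", re.compile(r"^encr(?:yption)? (?:des|3des)$"), "DES/3DES for IKE; prefer AES"),
    ("crypto isakmp policy", re.compile(r"^group [125]$"), "legacy DH group; prefer group 14 or higher"),
    ("crypto isakmp client configuration group", re.compile(r"^key "), "one pre-shared key shared by every client"),
    ("crypto ipsec transform-set", re.compile(r"\besp-(?:des|3des)\b"), "DES/3DES for ESP; prefer esp-aes"),
    ("crypto ipsec transform-set", re.compile(r"\besp-md5-hmac\b"), "MD5-HMAC for ESP; prefer a SHA-2 HMAC"),
    ("username", re.compile(r"^username \S+ password "), "reversible 'password'; use 'secret' instead"),
]

def parse_blocks(text):
    """Return [(top_level_command, [sub_commands])]; blank lines and '!' comments are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def _scan(text, table):
    """Yield (header, line, match, payload) for each table entry that hits a block's header or a sub-command."""
    for header, subs in parse_blocks(text):
        for prefix, rx, payload in table:
            if header.startswith(prefix):
                for line in [header] + subs:
                    m = rx.search(line)
                    if m:
                        yield header, line, m, payload

def find_dangling_references(text):
    """Names referenced somewhere in the config but defined nowhere (e.g. a pool the client group names)."""
    defined = {}
    for header, _ in parse_blocks(text):
        for kind, rx in DEFINITIONS:
            m = rx.match(header)
            if m:
                defined.setdefault(kind, set()).add(m.group(1))
    return [f"{kind} '{name}' referenced by '{line}' is never defined"
            for _, line, m, kind in _scan(text, REFERENCES)
            for name in m.group(1).split() if name not in defined.get(kind, ())]

def find_weak_settings(text):
    """Legacy algorithms and cleartext credentials, reported with the block they sit in."""
    return [f"'{line}': {msg}" if line == header else f"'{header}' / '{line}': {msg}"
            for header, line, _, msg in _scan(text, WEAK_SETTINGS)]
```

Feed `show running-config` output to `find_dangling_references()` and `find_weak_settings()`; each returns a list of strings, empty when nothing was found. On the sample the first call reports exactly the `VPNPOOL` pool as undefined, and the second lists the six legacy settings; renaming the pool on either side makes the first list empty, which is the check worth running before pointing a client at the router.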