03-06-2008 02:33 AM - edited 03-03-2019 09:00 PM
Hi,
Can anyone help me to find out about VPN tunneling? What are the steps for VPN tunneling? If possible, please give one example with configuration.
Thanks & Regards,
Sham
03-06-2008 03:17 AM
Hi,
There are multiple types of VPN.
- Site-to-Site VPN
- Remote Access VPN
- SSL VPN
There are multiple devices that support VPN as well:
- Cisco Router
- Cisco PIX/ASA Firewall
- Cisco VPN Concentrator
There are also multiple encryption options:
- SSL
- DES
- AES
Which of the above?
Cisco IOS (Router) Site-To-Site VPN configuration
http://www.cisco.com/en/US/docs/security/vpn_modules/6342/configuration/guide/6342site3.html
Cisco ASA/PIX Site-to-Site VPN Configuration
http://www.cisco.com/en/US/docs/security/asa/asa80/getting_started/asa5500/quick/guide/sitvpn.html
Regards,
Dandy
03-06-2008 04:43 AM
Hi,
Can you send the configuration for a site-to-site IPsec VPN?
Regards,
Sham.
03-06-2008 07:02 AM
Virtual Private Networks Tutorial
Virtual private network technology is based on the idea of tunneling. VPN tunneling involves establishing and maintaining a logical network connection (that may contain intermediate hops). On this connection, packets constructed in a specific VPN protocol format are encapsulated within some other base or carrier protocol, then transmitted between VPN client and server, and finally de-encapsulated on the receiving side.
For Internet-based VPNs, packets in one of several VPN protocols are encapsulated within Internet Protocol (IP) packets. VPN protocols also support authentication and encryption to keep the tunnels secure.
In voluntary tunneling, the VPN client manages connection setup. The client first makes a connection to the carrier network provider (an ISP in the case of Internet VPNs). Then, the VPN client application creates the tunnel to a VPN server over this live connection.
In compulsory tunneling, the carrier network provider manages VPN connection setup. When the client first makes an ordinary connection to the carrier, the carrier in turn immediately brokers a VPN connection between that client and a VPN server. From the client point of view, VPN connections are set up in just one step compared to the two-step procedure required for voluntary tunnels.
Compulsory VPN tunneling authenticates clients and associates them with specific VPN servers using logic built into the broker device. This network device is sometimes called the VPN Front End Processor (FEP), Network Access Server (NAS) or Point of Presence Server (POS). Compulsory tunneling hides the details of VPN server connectivity from the VPN clients and effectively transfers management control over the tunnels from clients to the ISP. In return, service providers must take on the additional burden of installing and maintaining FEP devices.
VPN Tunneling Protocols
Several computer network protocols have been implemented specifically for use with VPN tunnels. The three most popular VPN tunneling protocols listed below continue to compete with each other for acceptance in the industry. These protocols are generally incompatible with each other.
Configuring PIX Firewall 1 with VPN Tunneling
Follow these steps to configure PIX Firewall 1:
Step 1 Define a host name:
hostname NewYork
Step 2 Configure an ISAKMP policy:
isakmp enable outside
isakmp policy 9 authentication pre-share
isakmp policy 9 encrypt des
Step 3 Configure a pre-shared key and associate with the peer:
crypto isakmp key cisco1234 address 209.165.200.229
Step 4 Configure the supported IPSec transforms:
crypto ipsec transform-set strong esp-des esp-sha-hmac
Step 5 Create an access list:
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
This access list defines traffic from network 192.168.12.0 to 10.0.0.0. Both of these networks use unregistered addresses.
Note: Steps 5 and 6 are not required if you want to enable NAT for all traffic.
Step 6 Exclude traffic between the intranets from NAT:
nat 0 access-list 90
This excludes traffic matching access list 90 from NAT. The nat 0 command is always processed before any other nat commands.
Step 7 Enable NAT for all other traffic:
nat (inside) 1 0 0
Step 8 Assign a pool of global addresses for NAT and PAT:
global (outside) 1 209.165.202.129-209.165.202.159
global (outside) 1 209.165.202.160
The pool of registered addresses is only used for connections to the public Internet.
Step 9 Define a crypto map:
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
Step 10 Apply the crypto map to the outside interface:
crypto map toSanJose interface outside
Step 11 Specify that IPSec traffic be implicitly trusted (permitted):
sysopt connection permit-ipsec
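An added consistency check, not from the post or Cisco's documentation: this Python script parses the NewYork lines above together with a hypothetical mirror config for the San Jose peer (NewYork's outside address 209.165.201.2 is assumed) and reports the mismatches that most often keep a site-to-site tunnel from coming up: crypto ACLs that are not mirror images, differing transform sets, a nat 0 ACL that differs from the crypto map's match ACL, and a crypto map peer with no pre-shared key bound to it.

```python
import re
# Constructed sample: the NewYork PIX lines from the post (ISAKMP policy lines omitted).
NEWYORK = """hostname NewYork
crypto isakmp key cisco1234 address 209.165.200.229
crypto ipsec transform-set strong esp-des esp-sha-hmac
access-list 90 permit ip 192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0
nat 0 access-list 90
crypto map toSanJose 20 ipsec-isakmp
crypto map toSanJose 20 match address 90
crypto map toSanJose 20 set transform-set strong
crypto map toSanJose 20 set peer 209.165.200.229
"""
# Hypothetical San Jose side, built as the mirror image (names, peer address and ACL
# source/destination swapped); NewYork's outside address 209.165.201.2 is assumed.
SANJOSE = (NEWYORK.replace("NewYork", "SanJose").replace("toSanJose", "toNewYork")
           .replace("209.165.200.229", "209.165.201.2")
           .replace("192.168.12.0 255.255.255.0 10.0.0.0 255.0.0.0",
                    "10.0.0.0 255.0.0.0 192.168.12.0 255.255.255.0"))

def parse_pix(text):  # extract the pieces of a PIX site-to-site config that must agree
    cfg = {"acl": {}, "tset": {}, "map": {}, "nat0": None, "key_peer": None}
    for line in text.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acl"].setdefault(m[1], []).append((m[2], m[3], m[4], m[5]))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["tset"][m[1]] = frozenset(m[2].split())
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set transform-set|set peer) (\S+)", line):
            cfg["map"].setdefault((m[1], m[2]), {})[m[3]] = m[4]
        elif m := re.match(r"nat 0 access-list (\S+)", line):
            cfg["nat0"] = m[1]
        elif m := re.match(r"(?:crypto )?isakmp key \S+ address (\S+)", line):
            cfg["key_peer"] = m[1]
    return cfg

def check_pair(a, b):  # list mismatches between two peers' configs (empty = consistent)
    problems = []
    for tag, cfg in (("A", a), ("B", b)):
        for (name, seq), e in cfg["map"].items():
            if e.get("match address") != cfg["nat0"]:  # interesting traffic must bypass NAT
                problems.append(f"{tag}: map {name} {seq} ACL {e.get('match address')} != nat 0 ACL {cfg['nat0']}")
            if e.get("set peer") != cfg["key_peer"]:  # pre-shared key must be bound to the map peer
                problems.append(f"{tag}: no isakmp key for map peer {e.get('set peer')}")
    ea, eb = next(iter(a["map"].values())), next(iter(b["map"].values()))
    if a["tset"].get(ea.get("set transform-set")) != b["tset"].get(eb.get("set transform-set")):
        problems.append("transform sets differ between peers")
    mirror = {(d, dm, s, sm) for (s, sm, d, dm) in b["acl"].get(eb.get("match address"), [])}
    for ace in a["acl"].get(ea.get("match address"), []):  # A's entries must appear on B with src/dst swapped
        if ace not in mirror:
            problems.append(f"A crypto ACL entry {ace} is not mirrored on B")
    return problems
```

Running `check_pair(parse_pix(NEWYORK), parse_pix(SANJOSE))` on the matched pair returns an empty list; change the mask, transform set or nat 0 ACL on either side and the corresponding mismatch is reported.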