Tuesday, February 5, 2008

[Cisco] Configuring a router to accept L2TP over IPsec from Windows clients

aaa new-model
aaa authentication ppp L2TP local
!
username cisco password cisco
!
vpdn enable
!
vpdn-group PPPTP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 10
no l2tp tunnel authentication
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key PRESHARED address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set VPN-CLIENT esp-3des esp-sha-hmac
mode transport
crypto ipsec df-bit clear
!
crypto dynamic-map VPN-DYNAMIC-MAP 10
description ## dynamic crypto map for VPN Users ##
set nat demux
set transform-set VPN-CLIENT
!
!
crypto map VPN-DYNAMIC-CLIENT 10 ipsec-isakmp dynamic VPN-DYNAMIC-MAP
!
interface G0/1
description ### Internet ###
crypto map VPN-DYNAMIC-CLIENT
!
!
interface Virtual-Template10
ip unnumbered Loopback0
peer default ip address pool L2TP_POOL
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2 L2TP
!
ip local pool L2TP_POOL 192.168.1.1 192.168.1.10
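As an added example that is not part of the original post, the following Python script audits the router configuration above (embedded as a constructed sample) and flags the settings a reviewer would want changed before exposing the VPN to the internet: the 3DES/DH group 2 ISAKMP policy, the 3DES transform set, the wildcard pre-shared key, the reversible local password and the disabled L2TP tunnel authentication. The function name, regular expressions and finding texts are my own.

```python
import re

# Constructed sample: the relevant lines of the post's L2TP-over-IPsec config.
SAMPLE_CONFIG = """\
username cisco password cisco
vpdn-group PPPTP
 no l2tp tunnel authentication
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHARED address 0.0.0.0 0.0.0.0
crypto ipsec transform-set VPN-CLIENT esp-3des esp-sha-hmac
 mode transport
"""

WEAK_DH_GROUPS = {"1", "2", "5"}                      # 768/1024/1536-bit MODP
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}

def audit_ios_vpn_config(config: str) -> list[str]:
    """Return findings for weak or risky settings in an IOS L2TP/IPsec config."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        # ISAKMP policy: DES/3DES encryption and small DH groups
        m = re.match(r"encr(?:yption)?\s+(des|3des)\b", line)
        if m:
            findings.append(f"ISAKMP policy uses {m.group(1).upper()}; prefer AES")
        m = re.match(r"group\s+(\d+)$", line)
        if m and m.group(1) in WEAK_DH_GROUPS:
            findings.append(f"ISAKMP DH group {m.group(1)} is weak; use group 14 or higher")
        # Wildcard pre-shared key: every peer on the internet shares one secret
        if re.match(r"crypto isakmp key\s+\S+\s+address\s+0\.0\.0\.0\b", line):
            findings.append("pre-shared key for address 0.0.0.0 is shared with every peer")
        # IPsec transform-set built on DES/3DES or MD5
        m = re.match(r"crypto ipsec transform-set\s+\S+\s+(.+)$", line)
        if m and (weak := sorted(set(m.group(1).split()) & WEAK_TRANSFORMS)):
            findings.append(f"transform-set uses weak algorithms: {', '.join(weak)}")
        # 'username ... password' stores a type 0 (or reversible type 7) password
        if re.match(r"username\s+\S+\s+password\s+(?:[07]\s+)?\S+$", line):
            findings.append(f"user '{line.split()[1]}' has a reversible password; use 'secret'")
        # L2TP tunnel authentication off: only IPsec protects tunnel setup
        if line == "no l2tp tunnel authentication":
            findings.append("L2TP tunnel authentication is disabled; IPsec alone guards tunnel setup")
    return findings
```

Run it against the output of `show running-config` to get the same findings for a live router; an empty list means none of the checked weaknesses are present.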

#######
Windows XP Setup
1. Start -> Control Panel -> Network Connections
2. Menu File --> New Connection
3. Next --> Select: Connection to the network at my workspace --> Next
4. Select: Virtual Private Network Connection --> Next
5. Enter connection name
6. Select: Do not dial the initial connection --> Next
7. Enter IP Address of VPN Server --> Next --> Finish
8. Show dialog --> Properties --> Security Tab
9. Select: Advanced (custom settings)
10. IPSec Settings --> Use pre-shared key for authentication --> Enter pre-shared key --> OK (ex. PRESHARED)
11. Enter username,password then Connect (ex. username cisco, password cisco)

[Cisco] Requiring LAN users to authenticate before they can use the internet

conf t

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization auth-proxy default local

ip auth-proxy auth-proxy-banner http ^C
Please authentication first before access internet !!!
^C
ip auth-proxy name PROXY_AUTH http inactivity-time 10
!
interface f0/0
description ## LAN ##
ip access-group FW in
ip auth-proxy PROXY_AUTH
no shutdown
!
ip http server
ip http access-class 55
access-list 55 deny any
!
ip access-list extended FW
deny ip any any

##
sh ip access-list FW <-- once a user has authenticated, the ACL entries are created automatically
sh ip auth-proxy cache
!
!
The user only has to open any web page: the request is redirected to an authentication page, and once the username and password are correct the user can use the internet.