Sunday, June 1, 2014

Using an ASR for dynamic VPN access

In this post we will look at using an ASR1K for dynamic IPsec VPN. The configuration steps are broken down in the following order:


1: Craft a dynamic IP address pool

2: Define AAA authentication parameters


note: you could use RADIUS

Next, we start the configuration. I'm using the group concept with PSK+xauth.

Now we need a crypto IKE policy and transform sets.




note: I'm using very secure ciphers from the AES suite; this is fine for iPhone/Android and Windows/Mac OS X devices

Okay, let's wrap this all up: we need to build a dynamic crypto map and then apply the dynamic map to our crypto map.

note: best practice calls for the crypto map sequence # to be the highest in your pecking order

 
              

The last action item is how we negotiate with and authenticate the clients. These lines apply the authentication parameters.
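
The steps above, put together as one configuration sketch. This is an added example in classic IOS crypto-map syntax, not the configuration from the original post; every name, address range, interface, DH group and secret in it is an assumed placeholder, so check the syntax against your IOS-XE release.

```cisco
! Added example: names, addresses and secrets are placeholders (assumptions).
! 1: dynamic address pool handed out to VPN clients (constructed range)
ip local pool VPN-POOL 10.99.0.10 10.99.0.250
!
! 2: AAA method lists; local database here, RADIUS could back the same lists
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPN-GROUP-AUTHZ local
username vpnuser1 secret <USER-PASSWORD>
!
! Group concept: the group name is the client's IKE ID, the key is the PSK
crypto isakmp client configuration group VPN-USERS
 key <GROUP-PSK>
 pool VPN-POOL
!
! IKE (phase 1) policy; the DH group is an assumption, match it to your clients
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! IPsec (phase 2) transform set
crypto ipsec transform-set TS-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic crypto map: accepts peers whose address is not known in advance
crypto dynamic-map DYN-VPN 10
 set transform-set TS-AES256-SHA
 reverse-route
!
! Client negotiation: xauth user login, group lookup, mode-config addressing
crypto map OUTSIDE-MAP client authentication list VPN-XAUTH
crypto map OUTSIDE-MAP isakmp authorization list VPN-GROUP-AUTHZ
crypto map OUTSIDE-MAP client configuration address respond
!
! Dynamic entry placed at the highest sequence number so that any static
! peer entries with lower numbers are evaluated first
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-VPN
!
interface GigabitEthernet0/0/0
 crypto map OUTSIDE-MAP
```

`reverse-route` installs a host route on the ASR for each connected client; the rest of the network still needs a route to the pool, as the key point below says.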


Key Points:


Ensure the VPN pool network is routed within your network

( diagnostics )

  •   debug crypto isa aaa
  •   debug aaa authentication
  •   show crypto session brief


Ken Felix
Network & Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   -   - )=
        o
     /     \
