
Cisco Router VPN(L2L) Configuration

Today's post is a site-to-site (L2L) VPN configuration example using a Cisco 2811 router.

VPNs are generally run on dedicated security appliances.

In Cisco's case that was the PIX in the past and is mostly the ASA today,

and with Juniper there is the long-standing ScreenOS-based SSG series or the JUNOS-based SRX series.

If such a dedicated VPN appliance is available, fine; but when the budget is tight and a site has to be built from spare stock,

the VPN is sometimes configured on a router instead.

A simplified topology diagram:

Head office runs a Cisco ASA; this configuration uses a 2811 router at the newly built branch office to connect it to the head-office network over a VPN tunnel.

service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Branch_Office_VPN_R2811
!
boot-start-marker
boot-end-marker
!
enable secret 5 $8DzRdLHgu3bWqaRzaTxJJ.
!
aaa new-model
!
!
aaa authentication login default enable
!
!
aaa session-id common
clock timezone KST 9
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.5.169.1 10.5.169.10
!
ip dhcp pool ip_pool
   network 10.5.169.0 255.255.255.0
   default-router 10.5.169.1 
   dns-server 10.10.10.10 168.126.63.1 
   domain-name domain.com
   lease 0 0 30
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
username admin password 7 [password]
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 6 [password] address 211.211.211.211
!
!
crypto ipsec transform-set Proposal1 esp-3des esp-md5-hmac 
!
crypto map VPN_Crypto local-address FastEthernet0/0
crypto map VPN_Crypto 1 ipsec-isakmp 
 set peer 211.211.211.211
 set transform-set Proposal1 
 match address 100
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN_Crypto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/0
 switchport access vlan 10
!
interface FastEthernet1/1
 switchport access vlan 10
!
interface FastEthernet1/2
 switchport access vlan 10
!
interface FastEthernet1/3
 switchport access vlan 10
!
interface FastEthernet1/4
 switchport access vlan 10
!
interface FastEthernet1/5
 switchport access vlan 10
!
interface FastEthernet1/6
 switchport access vlan 10
!
!
interface GigabitEthernet1/0
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.5.169.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
!
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
access-list 100 permit ip 10.5.169.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 10.5.169.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 100 permit ip 10.5.169.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 100 permit ip 10.5.169.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 100 permit ip 10.5.169.0 0.0.0.255 10.5.0.0 0.0.127.255
access-list 100 permit ip 10.5.169.0 0.0.0.255 10.6.128.0 0.0.31.255
access-list 110 deny ip 10.5.169.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny ip 10.5.169.0 0.0.0.255 10.2.0.0 0.0.255.255
access-list 110 deny ip 10.5.169.0 0.0.0.255 10.3.0.0 0.0.255.255
access-list 110 deny ip 10.5.169.0 0.0.0.255 10.4.0.0 0.0.255.255
access-list 110 deny ip 10.5.169.0 0.0.0.255 10.5.0.0 0.0.127.255
access-list 110 deny ip 10.5.169.0 0.0.0.255 10.6.128.0 0.0.31.255
access-list 110 permit ip 10.5.169.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
 match ip address 110
!
!
!
!
control-plane
!
!
!
banner motd ^C
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%  Use of this Special System            %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% ^C
!
line con 0
line aux 0
line vty 0 4
 password 7 103E001146241DC51F
line vty 5 15
 password 7 103E001146241DC51F
!
scheduler allocate 20000 1000
ntp clock-period 17179891
ntp server 211.211.211.230 source FastEthernet0/0 prefer
!
end

Just match the crypto key and encryption settings with the head-office VPN device,

and keep in mind that the network ranges that ride the VPN tunnel must be exempted from NAT (NoNAT).
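To make those two points checkable rather than something to eyeball, here is an added example (not code from the original post): a small Python script that parses an IOS running-config, verifies that every network pair in the crypto ACL is exempted by the NoNAT route-map ACL, compares the branch's peer, ISAKMP policy and transform set against the head-office proposal, and lists the legacy algorithms still in use. The sample config is a trimmed, constructed copy of the one above with one crypto-ACL destination deliberately missing from ACL 110; the head-office values in HQ_EXPECTED are an assumption, since the ASA side is not shown in the post.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the post's config, with destination 10.5.0.0/17 left out of ACL 110.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto ipsec transform-set Proposal1 esp-3des esp-md5-hmac
crypto map VPN_Crypto 1 ipsec-isakmp
 set peer 211.211.211.211
 set transform-set Proposal1
 match address 100
ip nat inside source route-map nonat interface FastEthernet0/0 overload
access-list 100 permit ip 10.5.169.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 100 permit ip 10.5.169.0 0.0.0.255 10.5.0.0 0.0.127.255
access-list 110 deny ip 10.5.169.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 10.5.169.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
"""
# Hypothetical head-office (ASA) proposal the branch must mirror; not taken from the post.
HQ_EXPECTED = {"peer": "211.211.211.211", "encr": "3des", "hash": "md5", "group": "2",
               "transforms": ["esp-3des", "esp-md5-hmac"]}

def _take_net(tokens, i):
    # "any" or "addr wildcard"; ipaddress reads a mask whose first octet is 0 as a hostmask (the IOS wildcard).
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(config, acl_id):
    """Return [(action, src_net, dst_net)] for a numbered extended ACL, in configured order."""
    entries = []
    for m in re.finditer(rf"^access-list {acl_id} (permit|deny) ip (.+)$", config, re.M):
        tokens = m.group(2).split()
        src, i = _take_net(tokens, 0)
        dst, _ = _take_net(tokens, i)
        entries.append((m.group(1), src, dst))
    return entries

def parse_isakmp_policies(config):
    """Return {priority: {encr, hash, authentication, group}} with IOS defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            current = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
            policies[int(m.group(1))] = current
        elif current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if key in current:
                current[key] = val
        else:
            current = None
    return policies

def parse_crypto_map(config):
    """Return the peer, the transforms of the referenced transform-set and the crypto ACL number."""
    m = re.search(r"^crypto map \S+ \d+ ipsec-isakmp\n((?: .*\n)+)", config, re.M)
    body = dict(line.strip().rsplit(" ", 1) for line in m.group(1).splitlines())
    ts = re.search(rf"^crypto ipsec transform-set {body['set transform-set']} (.+)$", config, re.M)
    return {"peer": body["set peer"], "acl": body["match address"], "transforms": ts.group(1).split()}

def nat_leaks(config):
    """Crypto-ACL flows that the NoNAT ACL still permits (they would be translated before encryption)."""
    rm = re.search(r"^ip nat inside source route-map (\S+) ", config, re.M).group(1)
    nat_acl = re.search(rf"^route-map {rm} permit \d+\n match ip address (\d+)", config, re.M).group(1)
    leaks = []
    for _, src, dst in parse_acl(config, parse_crypto_map(config)["acl"]):
        for action, nsrc, ndst in parse_acl(config, nat_acl):
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if action == "permit":
                    leaks.append((str(src), str(dst)))
                break  # first matching entry decides; no match is the implicit deny (not NATed)
    return leaks

def phase_mismatches(config, hq):
    """Branch settings that differ from the head-office proposal; empty means both phases can agree."""
    cmap, problems = parse_crypto_map(config), []
    for key in ("peer", "transforms"):
        if cmap[key] != hq[key]:
            problems.append(f"{key} {cmap[key]} != {hq[key]}")
    if not any(p["authentication"] == "pre-share" and all(p[k] == hq[k] for k in ("encr", "hash", "group"))
               for p in parse_isakmp_policies(config).values()):
        problems.append("no isakmp policy matches the head-office phase-1 proposal")
    return problems

def deprecated_algorithms(config):
    """Legacy algorithms in use (DES/3DES, MD5, DH groups 1/2/5) that Cisco's NGE guidance retires."""
    found = set()
    for p in parse_isakmp_policies(config).values():
        found.update(v for v in (p["encr"], p["hash"]) if v in ("des", "3des", "md5"))
        if p["group"] in ("1", "2", "5"):
            found.add("group " + p["group"])
    found.update(t for t in parse_crypto_map(config)["transforms"] if t in ("esp-des", "esp-3des", "esp-md5-hmac"))
    return sorted(found)
```

A crypto-ACL flow that the NoNAT ACL still permits is translated to the outside address before the crypto map sees it, so it never matches ACL 100 and leaves via the default route unencrypted instead of through the tunnel; the check reports exactly the ranges the post says must be NoNAT. The policy parser fills in IOS defaults, which is why policy 20 in the config above negotiates with SHA-1 even though no hash line is written. On the router itself, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that phase 1 and phase 2 came up, and the algorithm list is a reminder that 3DES, MD5 and DH group 2 are all retired by Cisco's Next Generation Encryption guidance; AES, SHA-2 and a larger DH group should be set on both ends where the ASA supports them.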