
Remote Access VPN

This article introduces the basic tasks for configuring an IP-based remote access VPN on a Cisco 7200 router. In the remote access VPN business scenario, a remote user running VPN client software on a PC establishes a connection to the Cisco 7200 router at headquarters.
- The configurations in this article are all based on the Cisco 7200 router. If you have a Cisco 2600 series or Cisco 3600 series router, the configuration may differ slightly, but the differences are usually insignificant.
- This article mainly describes the basic features and the configuration methods used in the remote access VPN scenario. Other Cisco IOS security software features not introduced here can also be used to improve the performance and scalability of your VPN connection.
- This article covers the following topics:
+ Scenario description
+ Configuring a Cisco IOS VPN gateway for use with Cisco Secure VPN Client software
+ Configuring a Cisco IOS VPN gateway for use with Microsoft Dial-up Networking
+ Configuring Cisco IOS Firewall Authentication Proxy
+ Configuration examples

I. Scenario description
- Figure 1.1 shows the headquarters network providing a remote user with access to the corporate intranet. In this scenario, headquarters and the remote user are connected directly through a secure tunnel established over an IP infrastructure (the Internet). The remote user can reach hosts inside the network, browse internal web pages and perform other IP-based tasks.
[Figure 1.1]

- Figure 1.2 shows the physical elements of this scenario. The Internet provides the connection between headquarters and the remote user. Headquarters uses a Cisco IOS VPN gateway (a Cisco 7200 series router with an integrated ISA or VAM module) and the remote user runs Cisco VPN client software on a PC.
- The tunnel is configured on interface Serial 1/0 of the headquarters router and of the remote office routers. Fast Ethernet 0/0 of the headquarters router connects directly to an internal corporate server, and Fast Ethernet 0/1 connects directly to the web server.
[Figure 1.2]

- The configuration steps in this scenario are performed on the headquarters router. Table 1.3 lists the configuration parameters required for the physical elements of the headquarters router and the remote user.
[Table 1.3]

II. Configuring a Cisco IOS VPN gateway for use with Cisco Secure VPN Client software

- Using Cisco Secure VPN Client software, a remote user can access the corporate headquarters network through a secure IPSec tunnel. Although the Cisco IOS VPN gateway supports Cisco Secure VPN Client software, this article does not cover how to configure your gateway for it.

III. Configuring a Cisco IOS VPN gateway for use with Microsoft Dial-up Networking
- Using Microsoft Dial-up Networking (DUN), which is built into Microsoft Windows 95, Windows 98, Windows NT 4.0, Windows 2000 and XP, a remote user can use the Point-to-Point Tunneling Protocol (PPTP) with Microsoft Point-to-Point Encryption (MPPE) to access the corporate headquarters network through a secure tunnel.

- Using PPTP/MPPE, users can use an account from any ISP and any Internet-routable IP address to reach the edge of the enterprise network. At the edge, the IP packets are de-tunneled and the enterprise's own IP address space is used to carry the data on the internal network. MPPE provides an encryption service that protects the data stream carried over the Internet. MPPE supports 40-bit and 128-bit keys.

- Alternatively, a remote user with the client software built into Microsoft Windows 2000 or XP can use the Layer 2 Tunneling Protocol (L2TP) with IPSec to access the corporate headquarters network through a secure tunnel.
- Because L2TP is a standard protocol, enterprises have more options for deploying L2TP with products from different vendors. L2TP on its own only tunnels PPP; it provides no confidentiality or integrity protection, which is why it is paired with IPSec here. Deploying L2TP with IPSec provides a flexible, scalable remote access solution without compromising the security of data in transit.
- This section covers the following topics:
+ Configuring PPTP/MPPE
+ Verifying PPTP/MPPE
+ Configuring L2TP/IPSec

1. Configuring PPTP/MPPE
- PPTP is a protocol that allows secure transfer of data from a remote client to a private enterprise server by creating a VPN across TCP/IP-based data networks. PPTP supports on-demand, multiprotocol virtual private networking over public networks such as the Internet.
- MPPE is an encryption technology developed by Microsoft to encrypt point-to-point links. These connections can be over a dial-up line or over a VPN tunnel. MPPE works as a subfeature of Microsoft Point-to-Point Compression (MPPC).

- MPPE uses the RC4 algorithm with 40-bit or 128-bit keys. All keys are derived, on both ends of the link, from the user's cleartext authentication password; the keys themselves are never sent across the connection. RC4 is a stream cipher, so encrypted and decrypted frames are the same size. Cisco's MPPE implementation is compatible with Microsoft's and supports all available options, including stateless (historyless) mode. Stateless mode can increase real throughput in high-loss environments such as VPNs.
- Because the session keys come from the password and the MS-CHAP exchange, MPPE is no stronger than that exchange: a captured MS-CHAP v1 or v2 handshake can be attacked offline, and a 40-bit RC4 key can simply be brute-forced. Always negotiate 128-bit keys, refuse sessions that cannot (the required keyword of ppp encrypt mppe), and treat PPTP/MPPE as a legacy option next to L2TP/IPSec.
- Configuring PPTP/MPPE consists of the following tasks:
+ Configuring a virtual template for dial-in sessions
+ Configuring PPTP
+ Configuring MPPE

a. Configuring a virtual template for dial-in sessions
- Using virtual templates, you can configure virtual-access interfaces with predefined configuration parameters. To configure the Cisco IOS VPN gateway to create virtual-access interfaces from a virtual template for incoming PPTP calls, use the following commands beginning in global configuration mode:

example:
hq-sanjose(config)# interface virtual-template 1
hq-sanjose(config-if)# ip unnumbered fastethernet 0/0
hq-sanjose(config-if)# ppp authentication ms-chap
hq-sanjose(config-if)# peer default ip address pool default
hq-sanjose(config-if)# ip mroute-cache
hq-sanjose(config-if)# ppp encrypt mppe 128 stateful
hq-sanjose(config-if)# exit
hq-sanjose(config)# ip local pool default 10.1.3.10 10.1.3.100
- Note: ip local pool is a global configuration command, not an interface subcommand, so it is entered after leaving the virtual template. The stateful keyword selects stateful MPPE; omit it to use the stateless mode described above.

b. Configuring PPTP
- To configure a Cisco 7200 series router to accept tunneled PPP connections from a client, use the following commands beginning in global configuration mode:
example:
hq-sanjose(config)# vpdn enable
hq-sanjose(config)# vpdn-group 1
hq-sanjose(config-vpdn)# accept dialin
hq-sanjose(config-vpdn-acc-in)# protocol pptp
hq-sanjose(config-vpdn-acc-in)# virtual-template 1
hq-sanjose(config-vpdn-acc-in)# exit
hq-sanjose(config-vpdn)# local name hq-sanjose
- Note: the command is vpdn enable (with a space); on newer IOS releases the dial-in subcommand is written accept-dialin.

c. Configuring MPPE
- To configure MPPE on a Cisco 7200 series router (with the ISA module), use the following commands in global configuration mode:
example:
hq-sanjose(config)# controller isa 1/0
hq-sanjose(config-controller)# encryption mppe

2. Verifying PPTP/MPPE
- After a connection is established, enter show vpdn tunnel or show vpdn session in privileged EXEC mode to verify the PPTP and MPPE configuration.
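The three tasks above (virtual template, PPTP, MPPE) combined into one configuration, with the hardening the caveats in this section call for. This is an added example, not the page's or Cisco's own configuration; the hostname hq-sanjose, the pool 10.1.3.10-10.1.3.100 and Fast Ethernet 0/0 follow the page, while the vpdn-group number 1, the pool name PPTP-POOL, the user vpnuser and its placeholder password are assumptions.

```cisco
! Complete PPTP/MPPE configuration for the headquarters router (added example, not from the page).
! Assumed names: vpdn-group 1, pool PPTP-POOL, user vpnuser, placeholder password.
! PPTP uses TCP/1723 for the control connection and GRE (IP protocol 47) for the PPP frames;
! both must be able to reach Serial 1/0 from the Internet.
!
vpdn enable
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
 local name hq-sanjose
!
! The address pool is a global command, not an interface subcommand.
ip local pool PPTP-POOL 10.1.3.10 10.1.3.100
!
! MS-CHAP needs a reversible copy of the password, so "username ... secret" (MD5) cannot be used.
! This is one reason to authenticate against an external RADIUS/TACACS+ server instead (section IV).
username vpnuser password 0 REPLACE-WITH-STRONG-PASSPHRASE
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 peer default ip address pool PPTP-POOL
 ! MS-CHAP v2 rather than v1: v1 also returns the weak LM-hash response. Requires an IOS release
 ! with MS-CHAP v2 support; on older releases fall back to "ppp authentication ms-chap".
 ppp authentication ms-chap-v2
 ! "required" drops sessions that do not negotiate 128-bit MPPE instead of falling back to 40-bit
 ! or cleartext PPP. No "stateful" keyword: stateless (historyless) mode, which the text above
 ! recommends for lossy paths such as the Internet.
 ppp encrypt mppe 128 required
 ip mroute-cache
!
! MPPE hardware offload on the ISA module; drop these two lines on a router without an ISA.
controller isa 1/0
 encryption mppe
```

After a client connects, show vpdn session should list the session under the PPTP tunnel and show ppp mppe virtual-access <n> reports the negotiated key length; a session that stays at 40-bit or that shows no MPPE at all indicates the client was allowed to negotiate down and must be investigated before going live.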

3. Configuring L2TP/IPSec
- L2TP is an extension of the Point-to-Point Protocol (PPP) and is often a basic building block for VPNs. L2TP combines the best features of two tunneling protocols: Cisco Systems' Layer 2 Forwarding (L2F) and Microsoft's PPTP. L2TP is an IETF standard.
- Configuring L2TP/IPSec consists of the following tasks:
+ Configuring a virtual template for dial-in sessions
+ Configuring L2TP
+ Configuring encryption and IPSec

a. Configuring a virtual template for dial-in sessions
- To configure the Cisco 7200 series router to create virtual-access interfaces from a virtual template for incoming L2TP calls, see the virtual template section above.

b. Configuring L2TP
- To configure a Cisco 7200 series router to accept tunneled L2TP sessions from a client, use the following commands in global configuration mode:
example:
hq-sanjose(config)# vpdn enable
hq-sanjose(config)# vpdn-group 1
hq-sanjose(config-vpdn)# accept dialin
hq-sanjose(config-vpdn-acc-in)# protocol l2tp
hq-sanjose(config-vpdn-acc-in)# virtual-template 1
hq-sanjose(config-vpdn-acc-in)# exit
hq-sanjose(config-vpdn)# local name hq-sanjose
- To verify L2TP, use the command show vpdn tunnel in privileged EXEC mode.

c. Configuring encryption and IPSec
For details on configuring encryption and IPSec, see the following articles:
- Configuring IKE policies
- Verifying IKE policies
- Creating crypto access lists
- Verifying crypto access lists
- Defining transform sets and configuring IPSec tunnel mode
- Verifying transform sets and IPSec tunnel mode
- Creating crypto map entries
- Verifying crypto map entries
- Applying crypto maps to interfaces
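The L2TP part above stops short of the IPSec half, and the referenced articles describe site-to-site tunnel mode with static crypto access lists. For the built-in Windows 2000/XP client that does not apply: the client runs IPSec in transport mode to protect L2TP (UDP/1701) between itself and the router, and its address is not known in advance, so a dynamic crypto map is used. The following complete L2TP/IPSec configuration is an added example, not the page's or Cisco's own; the hostname, pool range and interface names follow the page, while vpdn-group 2, Virtual-Template2, the names L2TP-POOL, L2TP-TS, L2TP-DYN, L2TP-MAP and the placeholder pre-shared key are assumptions.

```cisco
! Complete L2TP/IPSec configuration for Windows 2000/XP built-in clients (added example, not from the page).
! Assumed names: vpdn-group 2, Virtual-Template2, L2TP-POOL, L2TP-TS, L2TP-DYN, L2TP-MAP, placeholder PSK.
!
vpdn enable
vpdn-group 2
 accept-dialin
  protocol l2tp
  virtual-template 2
 ! The Windows client does not perform L2TP tunnel authentication; IPSec authenticates the peer instead.
 no l2tp tunnel authentication
!
ip local pool L2TP-POOL 10.1.3.10 10.1.3.100
!
interface Virtual-Template2
 ip unnumbered FastEthernet0/0
 peer default ip address pool L2TP-POOL
 ppp authentication ms-chap-v2
 ! No "ppp encrypt mppe" here: confidentiality and integrity come from IPSec, not from the PPP layer.
!
! IKE phase 1 with the parameters the Windows client proposes (3DES, SHA-1, DH group 2, pre-shared key).
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
! Wildcard pre-shared key because roaming clients have no fixed address. Every client shares this one
! secret, so one lost laptop exposes the key for all of them; prefer certificates (authentication rsa-sig)
! where the client population allows it.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 0.0.0.0 0.0.0.0
!
! Transport mode: only the L2TP/UDP payload between client and router is protected, not a full IP-in-IP tunnel.
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
 mode transport
!
! Dynamic crypto map: peers and traffic selectors are learned from the client's proposal at IKE time,
! replacing the static crypto access list of the site-to-site articles.
crypto dynamic-map L2TP-DYN 10
 set transform-set L2TP-TS
!
crypto map L2TP-MAP 10 ipsec-isakmp dynamic L2TP-DYN
!
interface Serial1/0
 crypto map L2TP-MAP
```

Verification follows the order in which the layers come up: show crypto isakmp sa should show the client's phase 1 SA in QM_IDLE, show crypto ipsec sa should show an SA for UDP/1701 with packets encrypted and decrypted, and only then does show vpdn tunnel list the L2TP tunnel. If show crypto ipsec sa shows encrypted packets but no decrypted ones, the fault is in the IPSec or key configuration, not in L2TP or PPP.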

IV. Configuring Cisco IOS Firewall Authentication Proxy
- Using the Cisco IOS firewall authentication proxy feature, network administrators can apply specific security policies on a per-user basis. Users can be identified and authorized on the basis of their per-user policy, with access privileges tailored to each individual, or one policy can be applied to many users.
- With authentication proxy, users can log in to the network or access the Internet via HTTP, and their specific access policies are automatically retrieved and applied from an authentication server. A user's policy is active only while there is active traffic from that authenticated user.
- Authentication proxy is integrated with Network Address Translation (NAT), Context-Based Access Control (CBAC), IP Security (IPSec) encryption and VPN client software.
- This section covers the following steps for configuring Cisco IOS Firewall Authentication Proxy:
+ Configuring Authentication, Authorization and Accounting
+ Configuring the HTTP server
+ Configuring authentication proxy
+ Verifying authentication proxy

1. Configuring Authentication, Authorization and Accounting
- You can configure authentication proxy for Authentication, Authorization and Accounting (AAA) services. Use the following commands in global configuration mode to enable authorization and define the authorization methods:
example:
hq-sanjose(config)# aaa new-model
hq-sanjose(config)# aaa authentication login default radius tacacs+
hq-sanjose(config)# aaa authorization auth-proxy default tacacs+ radius
hq-sanjose(config)# tacacs-server host 172.31.54.143
hq-sanjose(config)# tacacs-server key vne
hq-sanjose(config)# radius-server host 172.31.54.143
hq-sanjose(config)# radius-server key vne
- Note: the server keys shown (vne) are placeholders; the shared secret authenticates the router to the AAA server and must be long and random in a real deployment.

2. Configuring the HTTP server
- To use authentication proxy, you must enable the HTTP server on the firewall and configure the HTTP server to authenticate using AAA. Enter the following commands in global configuration mode:
example:
hq-sanjose(config)# ip http server
hq-sanjose(config)# ip http authentication aaa

3. Configuring authentication proxy
- To configure authentication proxy, use the following commands in global configuration mode:
example:
hq-sanjose(config)# ip auth-proxy auth-cache-time 60
hq-sanjose(config)# ip auth-proxy auth-proxy-banner
hq-sanjose(config)# ip auth-proxy name VNE_User http
hq-sanjose(config)# interface fa0/0
hq-sanjose(config-if)# ip auth-proxy VNE_User
hq-sanjose(config-if)# exit
hq-sanjose(config)# exit
hq-sanjose# copy run start

4. Verifying authentication proxy
- To verify authentication proxy, use the command show ip auth-proxy configuration in privileged EXEC mode.
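The four steps above combined into one configuration, with the checks a practitioner would add: the newer AAA "group" syntax, accounting so each proxy login leaves a trail, HTTPS for the login page so the user's AAA credentials do not cross the LAN in cleartext, an access class limiting who can reach the router's web server, and a trigger list so only web traffic from the user segment is intercepted. This is an added example, not the page's or Cisco's own configuration; the AAA server 172.31.54.143, the rule name VNE_User and Fast Ethernet 0/0 follow the page, while the user segment 10.1.1.0/24, the management subnet 172.31.54.0/24, the access-list numbers 10 and 110 and the placeholder keys are assumptions.

```cisco
! Hardened authentication proxy configuration (added example, not from the page).
! Assumed: user segment 10.1.1.0/24 behind FastEthernet0/0, management subnet 172.31.54.0/24,
! ACL numbers 10 and 110, placeholder AAA keys.
!
aaa new-model
! "group" syntax (IOS 12.0(5)T and later); the page's examples use the older form without "group".
aaa authentication login default group tacacs+ group radius
aaa authorization auth-proxy default group tacacs+ group radius
! Accounting records each proxy login and logout on the AAA server.
aaa accounting auth-proxy default start-stop group tacacs+
!
tacacs-server host 172.31.54.143
tacacs-server key REPLACE-WITH-LONG-RANDOM-KEY
radius-server host 172.31.54.143
radius-server key REPLACE-WITH-LONG-RANDOM-KEY
!
! Keep the HTTP server for interception, and enable the HTTPS server so the login page (and the
! credentials typed into it) is served over TLS rather than cleartext HTTP.
ip http server
ip http secure-server
ip http authentication aaa
! Only the user segment (which must reach the login page) and management hosts may talk to the
! router's web server at all.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 permit 172.31.54.0 0.0.0.255
ip http access-class 10
!
! Trigger list: only HTTP from the user segment is intercepted; nothing else is touched by the proxy.
access-list 110 permit tcp 10.1.1.0 0.0.0.255 any eq www
!
ip auth-proxy auth-cache-time 60
ip auth-proxy auth-proxy-banner
ip auth-proxy name VNE_User http list 110
!
interface FastEthernet0/0
 ip auth-proxy VNE_User
```

show ip auth-proxy configuration confirms the rule, cache timeout and interface binding; show ip auth-proxy cache lists each authenticated user with its source address and remaining idle time, which is the quickest way to confirm that a user's policy has been fetched and is active. Because the per-user ACL entries come from the AAA server, a user who can browse without ever seeing the login banner means the trigger list or the interface binding is wrong, not the AAA configuration.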
