- EzVPN clients will get addresses on the 2.0.0.0/24 network
- EzVPN clients will have access to only the 3.0.0.0/24 network
- The server will accept clients with certificates from the CA on host 1.2.3.4
- The server will allow only clients whose certificate carries OU=EZVPN (with `crypto isakmp identity dn`, the OU of the peer certificate is used as the group name)
```
! AAA lists: login list for Xauth, network list for pushing the group policy
aaa new-model
aaa authentication login EZ_AUTHEN local
aaa authorization network EZ_AUTHOR local
!
username cisco password cisco1234
!
! Certificate validation depends on accurate time
clock timezone GMT 0
ntp server 1.2.3.4
!
! Trustpoint for the CA on 1.2.3.4; subject-name takes an X.500 DN
crypto pki trustpoint CA
 enrollment url http://1.2.3.4
 subject-name CN=ROUTER.example.com
 revocation-check none
!
! Exec-mode commands, run once: fetch the CA certificate, then enroll the router
crypto pki authenticate CA
crypto pki enroll CA
!
crypto isakmp policy 1
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! With identity dn the OU field of the client certificate selects the group
crypto isakmp identity dn
!
ip local pool EZ_POOL 2.0.0.1 2.0.0.254
!
! Split-tunnel ACL: extended ACL entries need protocol, source and destination
ip access-list extended EZ_ROUTES
 permit ip 3.0.0.0 0.0.0.255 any
!
crypto isakmp client configuration group EZVPN
 pool EZ_POOL
 acl EZ_ROUTES
!
crypto isakmp profile EZ_PROFILE
 match identity group EZVPN
 client authentication list EZ_AUTHEN
 isakmp authorization list EZ_AUTHOR
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EZ_IPSEC_PROFILE
 set transform-set 3DES_SHA
 set isakmp-profile EZ_PROFILE
!
! FastEthernet0/1 is assumed to be the interface facing the clients
interface Virtual-Template 1 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZ_IPSEC_PROFILE
!
```
Posted in CCIE Security, Cisco.
By Brian Landers
– August 12, 2010