
!

! Microsoft Corporation
! ------------------------------------------------------------------------------
! Sample VPN tunnel configuration template for Cisco IOS-based devices
!
! ##############################################################################
! !!! Search for "REPLACE" to find the values that require special
! !!! considerations
! !!!
! !!! (1) ACL/access-list rule numbers
! !!! (2) Tunnel interface number
! !!! (3) Tunnel interface IP address
! !!! (4) BGP routes to advertise (if BGP is enabled)
! !!! (5) BGP peer IP address on the device - loopback interface number
! ##############################################################################
!
! [0] Device information
!
! > Device vendor: Cisco
! > Device family: IOS-based (ASR, ISR)
! > Firmware version: IOS 15.1 or beyond
! > Test platform: Cisco ISR 2911, version 15.2
!
! [1] Network parameters
!
! > Connection name: Fasitec
! > VPN Gateway name: 50d94b01-f2ed-48ed-a111-1aa4902b56c5
! > Public IP addresses:
! + Public IP 1: 191.239.252.85
! > Virtual network address space:
! + CIDR: 192.168.1.0/24
! - Prefix: 192.168.1.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
! > Local network gateway: IPEmpresa
! > On-premises VPN IP: 179.181.133.99
! > On-premises address prefixes:
! + CIDR: 192.168.2.0/24
! - Prefix: 192.168.2.0
! - Netmask: 255.255.255.0
! - Wildcard: 0.0.0.255
!
! [2] IPsec/IKE parameters
!
! > IKE version: IKEv2
! + Encryption algorithm: aes-cbc-256
! + Integrity algorithm: sha1
! + Diffie-Hellman group: 2
! + SA lifetime (seconds): 3600
! + Pre-shared key: Map1243245456567@
! + UsePolicyBasedTS: False
!
! > IPsec
! + Encryption algorithm: esp-gcm 256
! + Integrity algorithm:
! + PFS Group: none
! + SA lifetime (seconds): 3600
!
! [3] BGP parameters - Azure VPN gateway
!
! > Azure virtual network
! + Enable BGP: False
! + Azure BGP ASN: VNG_ASN
! > On-premises network / LNG
! + On premises BGP ASN: LNG_ASN
! + On premises BGP IP: LNG_BGPIP
!
! ------------------------------------------------------------------------------
! ACL rules
!
! Some VPN devices require explicit ACL rules to allow cross-premises traffic:
!
! 1. Allow traffic between on premises address ranges and VNet address ranges
! 2. Allow IKE traffic (UDP:500) between on premises VPN devices and Azure VPN gateway
! 3. Allow IPsec traffic (Proto:ESP) between on premises VPN devices and Azure VPN gateway

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

! ==============================================================================
! Internet Key Exchange (IKE) configuration
! - IKE Phase 1 / Main mode configuration
! - Encryption/integrity algorithms, Diffie-Hellman group, pre-shared key

crypto ikev2 proposal Fasitec-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
exit

crypto ikev2 policy Fasitec-policy
 proposal Fasitec-proposal
 match address local 179.181.133.89
exit

crypto ikev2 keyring Fasitec-keyring
 peer 191.239.252.54
  address 191.239.252.54
  pre-shared-key Map251234134674@
 exit
exit

crypto ikev2 profile Fasitec-profile
 match address local 179.181.133.67
 match identity remote address 191.249.252.45 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 lifetime 3600
 keyring local Fasitec-keyring
exit
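The IKEv2 proposal above uses SHA-1 integrity and DH group 2, and the addresses in the crypto commands differ from the ones listed in the parameter summary at the top of the template. The following Python script is an added check, not part of the Azure-generated template: it parses this template format, flags the weak IKEv2 settings, and reports header/body address mismatches. SAMPLE is a constructed excerpt of the page, and the weak-algorithm sets are the author's own choice of thresholds.

```python
import re

# Constructed excerpt of the template's header and IKEv2 blocks (addresses as on the page).
SAMPLE = """\
! > On-premises VPN IP: 179.181.133.99
! + Public IP 1: 191.239.252.85
crypto ikev2 proposal Fasitec-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
exit
crypto ikev2 profile Fasitec-profile
 match address local 179.181.133.67
 match identity remote address 191.249.252.45 255.255.255.255
exit
"""

WEAK_INTEGRITY = {"md5", "sha1"}  # no longer acceptable for IKE integrity
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768/1024/1536-bit MODP groups
HEADER_FIELDS = {"local_ip": r"On-premises VPN IP:\s*(\S+)", "peer_ip": r"Public IP 1:\s*(\S+)"}

def parse_config(text):  # returns (header summary values, IKEv2 command values)
    hdr = {k: m.group(1) for k, p in HEADER_FIELDS.items() if (m := re.search(p, text))}
    cfg = {"groups": set()}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "!":  # skip blank lines and '!' comment lines
            continue
        if parts[0] == "integrity":
            cfg["integrity"] = parts[1]
        elif parts[0] == "group":
            cfg["groups"].update(parts[1:])
        elif parts[:3] == ["match", "address", "local"]:
            cfg["local_ip"] = parts[3]
        elif parts[:4] == ["match", "identity", "remote", "address"]:
            cfg["peer_ip"] = parts[4]
    return hdr, cfg

def lint(text):  # list weak IKEv2 settings and header/body address mismatches
    hdr, cfg = parse_config(text)
    findings = []
    if cfg.get("integrity") in WEAK_INTEGRITY:
        findings.append(f"weak IKEv2 integrity: {cfg['integrity']}")
    weak = sorted(cfg["groups"] & WEAK_DH_GROUPS)
    if weak:
        findings.append(f"weak DH group(s): {', '.join(weak)}")
    for key in HEADER_FIELDS:  # the summary values must match the crypto commands
        if key in hdr and key in cfg and hdr[key] != cfg[key]:
            findings.append(f"{key} mismatch: header {hdr[key]} vs config {cfg[key]}")
    return findings
```

Running `lint(SAMPLE)` reports four findings for this template: SHA-1 integrity, DH group 2, and one mismatch for each address.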

! ------------------------------------------------------------------------------
! IPsec configuration
! - IPsec (or IKE Phase 2 / Quick Mode) configuration
! - Transform Set: IPsec encryption/integrity algorithms, IPsec ESP mode

crypto ipsec transform-set Fasitec-TransformSet esp-gcm 256
 mode tunnel
exit

crypto ipsec profile Fasitec-IPsecProfile
 set transform-set Fasitec-TransformSet
 set ikev2-profile Fasitec-profile
 set security-association lifetime seconds 3600
exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
! other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface number and APIPA IP address below
! * In active-active configuration, there will be two tunnel interfaces below

int tunnel 11
 ip address 169.254.0.1 255.255.255.252
 tunnel mode ipsec ipv4
 ip tcp adjust-mss 1350
 tunnel source 179.181.133.123
 tunnel destination 191.239.252.23
 tunnel protection ipsec profile Fasitec-IPsecProfile
exit

! ------------------------------------------------------------------------------
! BGP configuration
! - BGP configuration if enabled for the connection
! * REPLACE: Loopback interface number(s)
! * REPLACE: Local routes and netmasks to advertise - LOCAL_ROUTE and LOCAL_MASK

! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s)

ip route 192.168.1.0 255.255.255.0 Tunnel 11
