Hi,
Managed to make configuration for client to site:
- L2TP/IPSec -> Windows 10 compatible(ms-chap-v2)
- IKEv1 with preshared key(tunnel)
- IKEv2 with preshared key
Still i do not undestand the ACL's.
ISP on GE0/0 and local natted on GE0/1.
#
version 7.1.064, Release 0605P13
#
sysname normain
#
ip pool l2tp1 192.168.15.20 192.168.15.40
#
dhcp enable
dhcp server always-broadcast
#
dns proxy enable
#
password-recovery enable
#
vlan 1
#
object-group ip address l2tpkayttajat
#
object-group service http1
#
object-group service http2
#
object-group service https1
#
object-group service https2
#
object-group service icmp1
#
object-group service ikev1
#
object-group service l2tppavelut
#
dhcp server ip-pool GigabitEthernet0/1
gateway-list 192.168.16.2
network 192.168.16.0 mask 255.255.255.0
address range 192.168.16.230 192.168.16.250
dns-list 192.168.16.2
#
controller Cellular0/0
#
interface Aux0
#
interface Virtual-Template1
ppp authentication-mode ms-chap-v2
remote address pool l2tp1
ip address 192.168.15.2 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
description Multiple_Line
ip address dhcp-alloc
packet-filter ipv6 name GigabitEthernet0/0 inbound
packet-filter name GigabitEthernet0/0 inbound
packet-filter ipv6 name GigabitEthernet0/0 outbound
nat outbound
ipsec apply policy NorVPN
#
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.16.2 255.255.255.0
#
interface Tunnel9 mode ipv4-ipv4
#
security-zone name Local
#
security-zone name Trust
#
security-zone name DMZ
#
security-zone name Untrust
#
security-zone name Management
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
speed 115200
user-role network-admin
screen-length 512
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ssh server enable
#
acl advanced name GigabitEthernet0/0
rule 100 permit icmp
rule 101 permit tcp destination-port eq 443
rule 102 permit tcp destination-port eq 500
rule 102 comment VPN ike
rule 103 permit tcp destination-port eq 4500
rule 103 comment VPN ike nat
rule 104 permit udp destination-port eq 500
rule 104 comment VPN ike
rule 115 permit udp destination-port eq 4500
rule 120 permit 50
rule 130 permit udp destination-port eq 1701
rule 9999 deny ip
#
acl ipv6 advanced name GigabitEthernet0/0
rule 65534 deny ipv6
#
domain system
#
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$tRC9AKyVikQqchKp$eLmHWP/R5RKUgzdQSECq7iR1n7Xj5OKG5urFe7uU8Jhs5YrMc+0x/9Mv3UaKskSPn0g31dodFH9rq8RNg9rphQ==
service-type ssh telnet http https
authorization-attribute user-role network-admin
#
local-user testia class manage
authorization-attribute user-role network-operator
#
local-user salainen123 class network
password cipher $c$3$973UwDm7PF9vnF4YVJ/zfpq9ld56vpzcoJDd81oK
service-type ppp
authorization-attribute user-role network-operator
#
local-user testi class network
password cipher $c$3$jwA28TMl0+LJEvOprCTGTJKokp1WhZ/Q
service-type advpn
service-type ike
service-type lan-access
service-type portal
service-type ppp
service-type sslvpn
authorization-attribute acl 3000
authorization-attribute user-role network-operator
authorization-attribute sslvpn-policy-group norsslvpn
#
local-user testi123 class network
password cipher $c$3$9rX9i8moHKW8bQrzC8HtnNxmms39MZQtFJeB
service-type portal
authorization-attribute user-role network-operator
#
ipsec logging packet enable
ipsec logging negotiation enable
#
ipsec transform-set NorVPN
encapsulation-mode transport
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha1
ah authentication-algorithm sha256
#
ipsec transform-set NorVPNTrans1
esp encryption-algorithm aes-cbc-256
esp authentication-algorithm sha256
ah authentication-algorithm sha256
pfs dh-group2
#
ipsec policy-template NorVPN 65535
transform-set NorVPN NorVPNTrans1
ike-profile NorVPN
ikev2-profile norikev2
sa duration time-based 3600
sa duration traffic-based 1843200
tfc enable
#
ipsec policy NorVPN 65535 isakmp template NorVPN
#
l2tp-group 1 mode lns
allow l2tp virtual-template 1
undo tunnel authentication
tunnel name NorVPN
#
l2tp enable
#
ike logging negotiation enable
#
ike profile NorVPN
keychain NorVPN
keychain norikev2
local-identity address 0.0.0.0
match remote identity address 0.0.0.0 0.0.0.0
proposal 65535 65534
#
ike proposal 65534
encryption-algorithm aes-cbc-256
dh group2
authentication-algorithm sha256
sa duration 28800
#
ike proposal 65535
encryption-algorithm 3des-cbc
dh group2
sa duration 28800
#
ike keychain NorVPN
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$Ro0d6ttejVcVKYhJGSAcCdS418csOvQkbFhqdGY1
#
ip https enable
#
ips signature auto-update-url https://tmc.tippingpoint.com/TMC/msrIPSDVInfo
#
ikev2 keychain norikev2
peer norikev2
address 0.0.0.0 0.0.0.0
identity key-id 0.0.0.0
pre-shared-key ciphertext $c$3$qN1rqZZU91Vz37x+d3EWMQxuwJc6NxM8kNYmbH0f
#
ikev2 profile norikev2
authentication-method local pre-share
authentication-method remote pre-share
keychain norikev2
identity local key-id 0.0.0.0
match remote identity key-id 0.0.0.0
#
ikev2 proposal norikev2
encryption aes-cbc-256
integrity sha256
dh group2
#
ikev2 policy norikev2
priority 1
proposal norikev2
#
return
Any advices for me?
*Addresses, users and passworss are not final.