vmware DHCP service and vmnetcfg.exe tool
| Remote Access VPN - CLI | Link to YouTube Video |
|---|---|
| NCP-e client | https://www.ncp-e.com/en/login/exclusive-remote-access/ |

**Configuration Steps**

1. Configure user access profile and IP address pool
2. Configure IPsec Phase 1 (IKE)
3. Configure IPsec Phase 2
4. Configure dynamic VPN parameters
5. Configure security policy
6. Verify the IPsec connection
**Configuration**

```text
# Step 1. Configure User access profile and IP Address Pool
# ----------------------------------------------------------
# IP address pool handed out to remote clients (DNS server pushed via XAuth attributes)
set access address-assignment pool RA-NCP-pool family inet network 192.168.100.0/24
set access address-assignment pool RA-NCP-pool family inet xauth-attributes primary-dns 8.8.8.8/32
# Client access profile (end-user access profile): username and password + IP pool mapping
set access profile RA-NCP-Profile client NCP-user1 firewall-user password lab123
set access profile RA-NCP-Profile address-assignment pool RA-NCP-pool
# Create the secure tunnel interface st0.1
set interfaces st0 unit 1 family inet
# Allow IKE as host-inbound traffic on the untrust zone (needed for ge-0/0/2.0, not for st0.1)
# st0.1 could also be placed in a separate VPN zone
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces st0.1
set security zones security-zone untrust interfaces ge-0/0/2.0

# Step 2. Configure IKE (IPsec Phase 1)
# -------------------------------------
# Proposal
set security ike proposal RA-NCP-IKE-Pro authentication-method pre-shared-keys
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike proposal RA-NCP-IKE-Pro authentication-algorithm sha-256
set security ike proposal RA-NCP-IKE-Pro encryption-algorithm aes-256-cbc
# Policy
set security ike policy RA-NCP-IKE-Pol mode aggressive
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike policy RA-NCP-IKE-Pol pre-shared-key ascii-text juniper123
# Gateway
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pol
set security ike gateway RA-NCP-GW dynamic user-at-hostname "user@LB.net"
set security ike gateway RA-NCP-GW dynamic ike-user-type shared-ike-id
set security ike gateway RA-NCP-GW external-interface ge-0/0/2
set security ike gateway RA-NCP-GW aaa access-profile RA-NCP-Profile
set security ike gateway RA-NCP-GW version v1-only

# Step 3. Configure IPsec Phase 2
# --------------------------------
# Proposal
set security ipsec proposal RA-NCP-IPsec-Pro encryption-algorithm aes-256-gcm
# Policy ("proposals" references a user-defined proposal; "proposal-set" is only for the predefined sets)
set security ipsec policy RA-NCP-IPsec-Pol perfect-forward-secrecy keys group19
set security ipsec policy RA-NCP-IPsec-Pol proposals RA-NCP-IPsec-Pro

# Step 4. Configure Dynamic VPN Parameters
# ----------------------------------------
# VPN
set security ipsec vpn RA-NCP-VPN bind-interface st0.1
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security ipsec vpn RA-NCP-VPN ike ipsec-policy RA-NCP-IPsec-Pol
set security ipsec vpn RA-NCP-VPN traffic-selector RA-NCP-TS local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0

# Step 5. Configure Security Policy
# ---------------------------------
# Address book "Server" holds the address entry "lubuntu"; a non-global address book must be
# attached to the zone, and the policy references the address name, not the book name
set security address-book Server address lubuntu 10.0.2.3/32
set security address-book Server attach zone servers
set security zones security-zone servers
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match source-address any destination-address lubuntu application any
set security policies from-zone untrust to-zone servers policy RA-NCP-Access then permit
```
Also enable a policy from untrust to trust.
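A small added consistency check, not part of these notes: a Python linter over Junos set-style configuration that verifies every referenced IKE/IPsec object, access profile, address pool and address-book entry is actually defined, and flags IKEv1 aggressive mode. The SAMPLE string is a condensed copy of the commands above constructed for the example; its last line references the address-book name (Server) instead of the address entry (lubuntu), a mistake that is easy to make in Step 5.

```python
import re
# Constructed sample: condensed SRX set-commands in the style of these notes. The last
# line references the address-book name (Server) instead of the address entry (lubuntu).
SAMPLE = """
set access address-assignment pool RA-NCP-pool family inet network 192.168.100.0/24
set access profile RA-NCP-Profile address-assignment pool RA-NCP-pool
set security ike proposal RA-NCP-IKE-Pro dh-group group19
set security ike policy RA-NCP-IKE-Pol mode aggressive
set security ike policy RA-NCP-IKE-Pol proposals RA-NCP-IKE-Pro
set security ike gateway RA-NCP-GW ike-policy RA-NCP-IKE-Pol
set security ike gateway RA-NCP-GW aaa access-profile RA-NCP-Profile
set security ipsec proposal RA-NCP-IPsec-Pro encryption-algorithm aes-256-gcm
set security ipsec policy RA-NCP-IPsec-Pol proposals RA-NCP-IPsec-Pro
set security ipsec vpn RA-NCP-VPN ike gateway RA-NCP-GW
set security ipsec vpn RA-NCP-VPN ike ipsec-policy RA-NCP-IPsec-Pol
set security address-book Server address lubuntu 10.0.2.3/32
set security policies from-zone untrust to-zone servers policy RA-NCP-Access match source-address any destination-address Server
"""
# (object kind, regex that defines it, regex that references it)
OBJECTS = [
    ("ike proposal", r"^set security ike proposal (\S+)", r"ike policy \S+ proposals (\S+)"),
    ("ike policy", r"^set security ike policy (\S+)", r"ike gateway \S+ ike-policy (\S+)"),
    ("ike gateway", r"^set security ike gateway (\S+)", r"ipsec vpn \S+ ike gateway (\S+)"),
    ("ipsec proposal", r"^set security ipsec proposal (\S+)", r"ipsec policy \S+ proposals (\S+)"),
    ("ipsec policy", r"^set security ipsec policy (\S+)", r"ike ipsec-policy (\S+)"),
    ("access profile", r"^set access profile (\S+)", r"aaa access-profile (\S+)"),
    ("address pool", r"^set access address-assignment pool (\S+)", r"profile \S+ address-assignment pool (\S+)"),
    ("address", r"^set security address-book \S+ address (\S+)", r"(?:source|destination)-address (\S+)"),
]

def check_references(config: str) -> list:
    """One finding per reference to an object that no 'set' line in the config defines."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    for kind, def_re, ref_re in OBJECTS:
        defined = {m.group(1) for m in map(lambda l: re.match(def_re, l), lines) if m}
        for line in lines:
            for name in re.findall(ref_re, line):
                if name != "any" and name not in defined:
                    findings.append(f"undefined {kind} '{name}' in: {line}")
    return findings

def check_ike_mode(config: str) -> list:
    """Flag IKEv1 aggressive mode: identities and the PSK-based hash are sent before encryption starts."""
    return [f"ike policy '{pol}' uses aggressive mode; prefer main mode or IKEv2 with certificates"
            for pol in re.findall(r"^set security ike policy (\S+) mode aggressive", config, re.M)]
if __name__ == "__main__":
    for finding in check_references(SAMPLE) + check_ike_mode(SAMPLE):
        print(finding)
```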
**On lubuntu**

1. Enable SSH (lubuntu 20 live: ssh and root remote access).
2. Add a static route back to the Windows client's VPN pool (ip route / static route):

```text
sudo ip route add 192.168.100.0/24 via 10.0.2.2 dev ens38
```

Resulting routing table:

```text
lubuntu@lubuntu:~$ ip route
default via 192.168.235.2 dev ens33 proto dhcp metric 102
10.0.2.0/24 dev ens38 proto kernel scope link src 10.0.2.3 metric 101
192.168.100.0/24 via 10.0.2.2 dev ens38
192.168.235.0/24 dev ens33 proto kernel scope link src 192.168.235.129 metric 102
```
**NCP-e client setup**

Create a new connection: Configuration > Profile: Add > name = RA-NCP-LB (LB for Learning Byte)

- Communication medium: LAN (over IP)
- GW / tunnel endpoint: 10.0.3.2
- No certificate for authentication
- VPN user ID: NCP-user1 / lab123
- DH group: group19
- Local ID (IKE): user@LB.net

Edit Profile > IPsec general settings:

- Exch. Mode: aggressive (behind NAT modem)
- IKE Policy: PSK
- IKEv2 DH Group: DH19
- PFS Group: DH19 (prime256v1)

Identities > Pre-shared key: secret: juniper123
**Show commands**

```text
# IKE (Phase 1) SA; Exchange type: aggressive
show security ike security-associations 10.100.10.1 detail
# IPsec (Phase 2) SA
show security ipsec security-associations vpn-name RA-NCP-VPN
# Peer IKE-ID used
show security ike active-peer detail
show security ike active-peer aaa-username bob
# XAuth subscribers
show subscribers client-type xauth
show subscribers client-type xauth username bob detail
```