Introduction
The Cisco Easy VPN server allows a remote user to connect to the corporate network over an IPSec tunnel. Easy VPN servers can be deployed on a Cisco IOS router or an ASA appliance. To connect to the VPN server, the remote user runs the Cisco VPN Client software on their operating system. The Easy VPN feature minimizes the configuration required at the remote location: all of the configuration is kept on the VPN server, and the access policies are pushed to the client when the VPN tunnel is established.
- This document will show you how to configure an Easy VPN Server on a Cisco IOS Router.
Configuration Tasks
- Enable AAA on the router.
- Create a User account.
- Configure IKE Policy.
- Define Group policy information.
- Configure Phase 2 policy (IPSec Transform-set).
- Bind IPSec configuration with a Virtual Interface.
1.) Enabling AAA on the router
AAA is enabled using the 'aaa new-model' command. We can either define AAA locally on the router or point to an external TACACS+ or RADIUS server for authentication, authorization and accounting. AAA identifies the level of access granted to each user and monitors user activity to produce accounting information. In this example I am configuring AAA locally on the router: the default login list and the VPN-USER-AUTH list both authenticate against the local user database, and the VPN-GROUP network authorization list looks up the group policy locally.
Router(config)#aaa new-model
Router(config)#aaa authentication login default local
Router(config)#aaa authentication login VPN-USER-AUTH local
Router(config)#aaa authorization exec default local
Router(config)#aaa authorization network VPN-GROUP local
2.) Creating User Account
Router(config)#username tony privilege 15 password mypassword
3.) Configuring IKE Policy
Here we create the IKE (ISAKMP) policy, which specifies the parameters used during the IKE Phase 1 negotiation: pre-shared-key authentication, 3DES encryption and Diffie-Hellman group 2.
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#group 2
4.) Defining Group Policy information
We have to create a group and configure all the parameters that are pushed to the client as soon as it successfully authenticates to the group. The parameters defined in this example are:
Pre-shared key: the key used by clients to authenticate to the group.
DNS & WINS server: users authenticating to this group receive this DNS and WINS server IP.
Max-Users: the maximum number of users allowed to connect simultaneously.
Router(config)# crypto isakmp client configuration group vpngroup
Router(config-isakmp-group)# key mysecurekey
Router(config-isakmp-group)# dns 10.0.0.10
Router(config-isakmp-group)# wins 10.0.0.10
Router(config-isakmp-group)# pool VPN-POOL-1
Router(config-isakmp-group)# max-users 20
Router(config-isakmp-group)# netmask 255.255.255.0
Router(config-isakmp-group)# domain tony.com
The pool contains the IP addresses that are handed out to VPN clients as soon as they establish a connection to the VPN server. (Note: the pool should use a different subnet from your internal LAN.) Create the pool using the command below:
Router(config)#ip local pool VPN-POOL-1 192.168.1.1 192.168.1.20
5.) Configure Phase 2 policy
a.) IPSec Transform-set
The IPSec transform-set defines the data encryption and integrity algorithms used in Phase 2; this is the phase in which the actual user data is encrypted. Create a transform-set using the command below:
Router(config)#crypto ipsec transform-set VPN-TRANSFORM-SET esp-3des esp-sha-hmac
Router(cfg-crypto-trans)#exit
b.) Creating ISAKMP Profile
Create an ISAKMP profile that matches the client group (vpngroup) and specifies the authentication and authorization lists used by the profile:
Router(config)#crypto isakmp profile ISAKMP-PROFILE-1
Router(conf-isa-prof)#match identity group vpngroup
Router(conf-isa-prof)#client authentication list VPN-USER-AUTH
Router(conf-isa-prof)#isakmp authorization list VPN-GROUP
Router(conf-isa-prof)#client configuration address respond
Router(conf-isa-prof)#virtual-template 2
Now reference this transform-set and the ISAKMP profile from an IPSec profile named VPN-PROFILE:
Router(config)#crypto ipsec profile VPN-PROFILE
Router(ipsec-profile)#set transform-set VPN-TRANSFORM-SET
Router(ipsec-profile)#set isakmp-profile ISAKMP-PROFILE-1
6.) Binding the configuration with a Virtual Interface
The last step is to bind all of the configuration to a virtual-template interface that terminates the incoming VPN client connections. The virtual interface is unnumbered to a physical interface, usually the internal LAN interface.
Router(config)#interface virtual-template 2 type tunnel
Router(config-if)#ip unnumbered GigabitEthernet0/0
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel protection ipsec profile VPN-PROFILE
Easy VPN and NAT exemption
Now we need to exempt the VPN traffic from NAT. We do this by adding a 'no NAT' statement for the VPN traffic, meaning that if the traffic is destined for the VPN clients it is not translated. The configuration below achieves this (Gi0/1 is the Internet-facing interface):
ip nat inside source list 120 interface GigabitEthernet0/1 overload
access-list 120 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
Here access-list 120 is used as the NAT match list, so a deny means "do not translate": traffic from the local LAN subnet to the VPN pool is left untranslated, and all other traffic from the LAN is translated.
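As an added illustration (my own Python, not code from the original post or a Cisco tool), the model below evaluates access-list 120 the way IOS does for the NAT decision: wildcard-mask matching, first-match ordering and the implicit deny at the end of the list. It also shows why the order of the two entries matters: with the entries swapped, the VPN traffic would be translated.

```python
import ipaddress
from typing import List, Tuple

# Cisco wildcard masks are the inverse of a subnet mask: a 0 bit means
# "this bit must match", a 1 bit means "don't care".
def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)

# Model of the page's access-list 120 as (action, src, src_wc, dst, dst_wc).
# The keyword "any" is equivalent to 0.0.0.0 with wildcard 255.255.255.255.
AclEntry = Tuple[str, str, str, str, str]
ACL_120: List[AclEntry] = [
    ("deny",   "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.255.255.255", "0.0.0.0",     "255.255.255.255"),
]

def acl_action(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def will_be_translated(src: str, dst: str) -> bool:
    """For 'ip nat inside source list', permit = translate, deny = leave alone."""
    return acl_action(ACL_120, src, dst) == "permit"

if __name__ == "__main__":
    for src, dst in [("10.0.0.10", "192.168.1.5"), ("10.0.0.10", "203.0.113.50")]:
        print(src, "->", dst, "translated:", will_be_translated(src, dst))
```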
That completes the Easy VPN server configuration. Now you can download and install the Cisco VPN Client software on your operating system and configure it by referring to the screenshot below.
Cisco VPN client download link : https://docs.google.com/folder/d/0BzwBbyVriGKkSGVXTmJJd0xCOVU/edit
Host: public IP address of the Easy VPN server
Group Authentication:
Name: 'group name'
Password: 'group password'
Save the configuration and click Connect to establish the VPN connection. You will be prompted for a username and password as shown below.
Enter the correct user credentials in order to establish the VPN connection with the Easy VPN server from your computer.
Easy VPN and Zone Based Firewall
For more information about how to allow Easy VPN server traffic through a Zone-Based Firewall, refer to Using IPSec VPN with Zone-Based Policy Firewall.
Verification and Troubleshooting of Easy VPN
Verification Command List:
- show crypto ipsec sa
- show crypto ipsec spi-lookup
- show crypto isakmp profile
- show crypto isakmp policy
- show crypto isakmp sa
- show crypto isakmp peers
- show crypto engine connections active
- debug crypto isakmp —Displays errors during Phase 1.
- debug crypto ipsec —Displays errors during Phase 2.
- debug crypto engine —Displays information from the crypto engine.
- clear crypto connection connection-id [slot | rsm | vip] —Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. (Use the show crypto cisco connections command to see the connection-id value.)
- clear crypto isakmp —Clears the Phase 1 security associations.
- clear crypto sa —Clears the Phase 2 security associations.
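As an added example (my own Python, not part of the original post), the script below parses the output of 'show crypto isakmp sa' and reports which clients never completed Phase 1. Only QM_IDLE means the ISAKMP SA is established; a client that stays in an MM_* or AG_* state (MM_NO_STATE being the classic symptom of a policy or group-key mismatch) is flagged. The sample output is constructed to look like the router's table and is not a real capture.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of 'show crypto isakmp sa' output (not a real capture).
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.7    QM_IDLE           1001 ACTIVE
203.0.113.1     198.51.100.9    AG_INIT_EXCH      1002 ACTIVE
203.0.113.1     198.51.100.3    MM_NO_STATE       1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# QM_IDLE is the only state in which Phase 1 has finished and the SA is
# ready for Phase 2; everything else is a negotiation still in progress.
ESTABLISHED = {"QM_IDLE"}
# dst, src, state, numeric conn-id, then the status text (may contain spaces).
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")

@dataclass
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str

    def established(self) -> bool:
        return self.state in ESTABLISHED and "deleted" not in self.status

def parse_isakmp_sa(text: str) -> List[IsakmpSa]:
    sas = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # headers and blank lines have no numeric conn-id
            continue
        sas.append(IsakmpSa(m.group(1), m.group(2), m.group(3),
                            int(m.group(4)), m.group(5)))
    return sas

def stuck_peers(text: str) -> List[str]:
    """Source addresses (VPN clients) whose Phase 1 never completed."""
    return [sa.src for sa in parse_isakmp_sa(text) if not sa.established()]

if __name__ == "__main__":
    print("Phase 1 not established for:", stuck_peers(SAMPLE_OUTPUT))
```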
You can also find the configuration example of Cisco IPSec Site-to-site VPN in http://yadhutony.blogspot.in/2012/12/cisco-ipsec-site-to-site-vpn.html