
Cisco Easy VPN Server:


An Easy VPN Server can serve a Site-to-Site VPN or a Remote Access VPN for clients running VPN Client software on their machines.

You can use a group-password based authentication method, or you can add an additional username/password method checked against a local database stored on the router; this is called XAuth or Extended Authentication.

Information Gathering:

IP Addressing Scheme:
o You need to get the public IP addresses that are assigned to the interfaces when doing a Site-to-Site VPN.

Username/Password Policies:
o We also need to think about how we are going to name our users and passwords.
o This will be configured in the local database of the router.

Crypto Systems:
o We need to figure out what we are going to use for our encryption choices, both IKE phase 1 and IKE phase 2 policies.
o Easy VPN supports ESP only.

Remote Clients Assigned Addresses:
o We will have to assign our remote users an IP address from a range in order for them to get access to resources on our network.

Access Control Policies:
o We will create profiles for our remote users.

Client User Operating System Versions:
o We need to know what OS versions our clients are running.

Should You Use SSL VPN Instead?
o We would want to use SSL VPN for remote users if those users need direct IP access to protected corporate resources, because it is easier for SSL VPN to traverse a firewall. It is more difficult to get an Easy VPN solution through a company's firewall.

Steps to Configure a Virtual Tunnel Interface Easy VPN Server:
1. Set up an IP address pool
2. Configure AAA method for VPN Clients
3. Configure an IKE policy - OPTIONAL
4. Configure an IPsec transform set and profile
5. Configure a dynamic VTI template
6. Create a configuration group
7. Create an ISAKMP profile
8. Configure a local AAA method and create local users and credentials
9. Configure the ISAKMP profile to require user authentication

1. Set up an IP address pool.

    R1(config)# ip local pool EZPOOL 172.16.10.1 172.16.10.100
    R1(config)# ip access-list ext EZSPLIT
    R1(config-ext-nacl)# permit ip 172.16.0.0 0.0.255.255 any

2. Configure an AAA method for VPN Clients. (You can either configure a local database on the router if you are in a small organization, or you can configure it to communicate with a RADIUS server in a large organization. We will be using the local database on the router to authorize users.)

    R1(config)# aaa new-model
    R1(config)# aaa authorization network VPN_CLIENTS local

3. Create the ISAKMP policies for VPN Clients.

    R1(config)# crypto isakmp enable
    R1(config)# crypto isakmp policy 100
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption aes 192
    R1(config-isakmp)# group 2

If someone doesn't support the above policy we can create another one:

    R1(config)# crypto isakmp enable
    R1(config)# crypto isakmp policy 150
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption aes 128
    R1(config-isakmp)# group 2

The third policy will be the least preferred policy:

    R1(config)# crypto isakmp enable
    R1(config)# crypto isakmp policy 200
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption 3des
    R1(config-isakmp)# group 2

Verify Policies:

    R1# show crypto isakmp policy

When the client dumps all of its algorithms onto the server, telling it what algorithms it supports, the server goes through the list of policies we just created, in priority order, and checks whether the client matches one of the policy standards we created.
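The phase 1 matching just described, as an added example that is not part of the original notes: the server side uses the three policies from step 3, the client proposals are constructed, and hash/lifetime take the IOS defaults the notes leave unset.

```python
"""Simulate the IKE phase 1 policy matching described above (added example,
not from the notes). Server side: the three policies from step 3; client
proposals are constructed. Hash and lifetime use the IOS defaults."""
from dataclasses import dataclass

DEFAULT_HASH = "sha"
DEFAULT_LIFETIME = 86400  # seconds


@dataclass
class IsakmpPolicy:
    priority: int          # lower number = more preferred; IOS checks 1 first
    encryption: str
    authentication: str
    group: int
    hash_alg: str = DEFAULT_HASH
    lifetime: int = DEFAULT_LIFETIME

    def accepts(self, proposal: "IsakmpPolicy") -> bool:
        # Attributes must be identical; the initiator's lifetime must not exceed ours.
        return (self.encryption == proposal.encryption
                and self.hash_alg == proposal.hash_alg
                and self.authentication == proposal.authentication
                and self.group == proposal.group
                and proposal.lifetime <= self.lifetime)


# The three policies from step 3 (100 = AES-192, 150 = AES-128, 200 = 3DES).
R1_POLICIES = [
    IsakmpPolicy(100, "aes 192", "pre-share", 2),
    IsakmpPolicy(150, "aes 128", "pre-share", 2),
    IsakmpPolicy(200, "3des", "pre-share", 2),
]


def negotiate(server_policies, client_proposals):
    """Return the (server policy, client proposal) pair the server settles on.
    The responder walks ITS OWN policies in priority order and takes the first
    one any client proposal satisfies, so the server's preference wins over the
    client's listing order. None means IKE phase 1 fails."""
    for policy in sorted(server_policies, key=lambda p: p.priority):
        for proposal in client_proposals:
            if policy.accepts(proposal):
                return policy, proposal
    return None


# Constructed client A lists 3DES first but also offers AES-128 -> policy 150.
CLIENT_A = [IsakmpPolicy(1, "3des", "pre-share", 2),
            IsakmpPolicy(2, "aes 128", "pre-share", 2)]
# Constructed client B only offers DH group 14 -> no match, phase 1 fails.
CLIENT_B = [IsakmpPolicy(1, "aes 256", "pre-share", 14)]
```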

4. Configure an IPsec transform set and profile:

    R1(config)# crypto ipsec transform-set EZSET esp-aes esp-sha-hmac
    R1(cfg-crypto-trans)# exit
    R1(config)# crypto ipsec prof EZPROFILE
    R1(ipsec-profile)# set transform-set EZSET

5. Configure a dynamic VTI template:

    R1(config)# interface virtual-template 1 type tunnel
    R1(config-if)# ip unnumbered fa0/0
    R1(config-if)# tunnel mode ipsec ipv4
    R1(config-if)# tunnel protection ipsec prof EZPROFILE

6. Create a client configuration group:

    R1(config)# crypto isakmp client configuration group EZGROUP
    R1(config-isakmp-group)# key RYAN
    R1(config-isakmp-group)# dns 8.8.8.8
    R1(config-isakmp-group)# pool EZPOOL
    R1(config-isakmp-group)# acl EZSPLIT

7. Create an ISAKMP profile:

    R1(config)# crypto isakmp profile EZISAPROFILE
    R1(config-isa-prof)# match identity group EZGROUP
    R1(config-isa-prof)# isak author list VPN_CLIENTS
    R1(config-isa-prof)# client config address respond
    R1(config-isa-prof)# client config group EZGROUP
    R1(config-isa-prof)# virtual-template 1
    R1(config-isa-prof)# exit

8. Bind the configured ISAKMP profile to the configured IPsec profile:

    R1(config)# crypto ipsec prof EZPROFILE
    R1(ipsec-profile)# set isakmp-profile EZISAPROFILE
    R1(ipsec-profile)# exit

9. Configure a local AAA method and create local users and credentials:

    R1(config)# aaa authentication login LOCAL_AUTHEN local
    R1(config)# username Ryan privilege 15 secret cisco

10. Configure the ISAKMP profile to require user authentication:

    R1(config)# crypto isak prof EZISAPROFILE
    R1(conf-isa-prof)# client authentication list LOCAL_AUTHEN

Verify:

    R1# show crypto session username Ryan
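A defender-side check for the finished server configuration, added here and not part of the notes: it parses a running-config (constructed from the commands in steps 3 and 7-10, in the one-space-indented form IOS prints) and flags any ISAKMP profile that lacks the step 10 XAuth list and any IKE policy that still negotiates 3DES or DES.

```python
"""Audit an IOS running-config for two of the points these notes build toward:
every ISAKMP profile enforces XAuth (step 10) and no IKE policy uses 3DES/DES.
Added example, not from the notes; SAMPLE_CONFIG is constructed from the
commands above (IOS prints subcommands with a one-space indent, 'encr' short)."""

SAMPLE_CONFIG = """\
crypto isakmp policy 100
 encr aes 192
 authentication pre-share
 group 2
crypto isakmp policy 200
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile EZISAPROFILE
 match identity group EZGROUP
 client authentication list LOCAL_AUTHEN
 isakmp authorization list VPN_CLIENTS
 virtual-template 1
"""


def parse_sections(config):
    """Map each top-level command to the list of its indented subcommands."""
    sections = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # blank lines and IOS '!' section separators
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current = line.strip()
            sections.setdefault(current, [])  # keep sections with no subcommands
    return sections


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for name, body in parse_sections(config).items():
        if name.startswith("crypto isakmp policy"):
            # IOS default when 'encr' is absent from a policy is single DES.
            enc = next((l.split(None, 1)[1] for l in body if l.startswith("encr")), "des")
            if not enc.startswith("aes"):
                findings.append(f"{name}: weak encryption '{enc}'")
        elif name.startswith("crypto isakmp profile"):
            if not any(l.startswith("client authentication list") for l in body):
                findings.append(f"{name}: no XAuth (client authentication list missing)")
    return findings
```

Run it against `show running-config` output saved to a file to confirm step 10 actually landed on every profile, not just the one you edited.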

How to configure the Easy VPN Remote:

Modes: Client Mode, Network Extension, Network Extension Plus

    R2(config)# interface virtual-template 1 type tunnel
    R2(config-if)# tunnel mode ipsec ipv4
    R2(config-if)# crypto ipsec client ezvpn EZCLIENT
    R2(config-if)# exit
    R2(config)# crypto ipsec client ezvpn EZCLIENT
    R2(config-crypto-ezvpn)# group MYGROUP key cisco
    R2(config-crypto-ezvpn)# virtual-interface 1
    R2(config-crypto-ezvpn)# peer 192.168.137.10
    R2(config-crypto-ezvpn)# mode client
    R2(config-crypto-ezvpn)# username vpnuser password cisco
    R2(config-crypto-ezvpn)# exit
    R2(config)# int fa0/0
    R2(config-if)# crypto ipsec client ezvpn EZCLIENT outside
    R2(config-if)# int fa0/1
    R2(config-if)# crypto ipsec client ezvpn EZCLIENT inside
