Secured Connectivity
Cisco Easy VPN Server
2007 Cisco Systems, Inc. All rights reserved.
SNRS v2.04-1
Cisco Easy VPN Server General Configuration Tasks
The following general tasks are used to configure Cisco Easy VPN Server on a Cisco router:
Task 1: (Optional) Create an IP address pool for connecting clients.
Task 2: Enable group policy lookup via AAA.
Task 3: Create an ISAKMP policy for remote VPN Client access.
Task 4: Define a group policy for mode configuration push.
Task 5: Apply mode configuration and XAUTH.
Task 6: Enable RRI for the client.
Task 7: Enable IKE DPD.
Task 8: Configure XAUTH.
Task 9: (Optional) Enable the XAUTH Save Password feature.
Create IP Address Pool
Figure: remote clients connect to R1; address pool Remote-Pool covers 10.0.1.100 to 10.0.1.150.
R1(config)# ip local pool Remote-Pool 10.0.1.100 10.0.1.150
Creating a local address pool is optional if you are using an external DHCP server.
Configure Group Policy Lookup
Figure: remote clients in group VPN-REMOTE-ACCESS connect to R1.
R1(config)# aaa new-model
R1(config)# aaa authentication login vpn-users local
R1(config)# aaa authorization network vpn-group local
R1(config)# username cisco password 0 cisco
Define Group Policy for Mode Configuration Push
Contains the following steps:
Step 1: Add the group profile to be defined.
Step 2: Configure the ISAKMP pre-shared key.
Step 3: Specify the DNS servers.
Step 4: Specify the Microsoft WINS servers.
Step 5: Specify the DNS domain.
Step 6: Specify the local IP address pool.
Add the Group Profile to Be Defined
Figure: remote clients connect to R1; primary DNS/Microsoft WINS server 10.0.1.13, secondary DNS/Microsoft WINS server 10.0.1.14.
R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# dns 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# wins 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# domain cisco.com
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# save-password
Create ISAKMP Policy for Remote VPN Client Access
Figure: ISAKMP policy 10 for remote clients connecting to R1. Authentication: pre-shared keys; encryption: 3DES; Diffie-Hellman: group 2; other settings: default.
R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# end
Create Transform Sets
Figure: transform set VPNTRANSFORM (esp-3des esp-sha-hmac) protects traffic between the remote clients and R1.
R1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# end
Create Dynamic Crypto Map with RRI
Contains the following steps:
Step 1: Create a dynamic crypto map.
Step 2: Assign a transform set.
Step 3: Enable RRI.
Step 1: Create a Dynamic Crypto Map
Figure: dynamic crypto map Dynamic-Map 10 on R1, with transform-set VPNTRANSFORM and reverse-route, serves the remote clients.
R1(config)# crypto dynamic-map Dynamic-Map 10
R1(config-crypto-map)# set transform-set VPNTRANSFORM
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# end
Apply Mode Configuration and XAUTH
Contains the following steps:
Step 1: Configure the router to respond to mode configuration requests.
Step 2: Enable IKE querying for a group policy.
Step 3: Enforce XAUTH.
Step 4: Apply the dynamic crypto map to the crypto map.
Applying Mode Configuration
Figure: remote client connects to R1.
R1(config)# crypto map ClientMap client configuration address respond
R1(config)# crypto map ClientMap isakmp authorization list vpn-group
R1(config)# crypto map ClientMap client authentication list vpn-users
R1(config)# crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
Apply the Crypto Map to Router Outside Interface
Figure: remote client connects to the outside interface Fa0/1 of R1; crypto map name ClientMap.
R1(config)# interface ethernet0/1
R1(config-if)# crypto map ClientMap
R1(config-if)# end
Enable ISAKMP DPD
Figure: DPD exchange between R1 and the remote client. 1) DPD send: "Are you there?" 2) DPD reply: "Yes, I am here."
Syntax: router(config)# crypto isakmp keepalive secs retries
Example: R1(config)# crypto isakmp keepalive 20 10
Configure XAUTH
Step 1: Enable AAA login authentication.
Step 2: Set the XAUTH timeout value.
Step 3: Enable ISAKMP XAUTH for the dynamic crypto map.
Step 1: Enable AAA Login Authentication
Figure: remote client authenticates against VPN user group VPNUSERS on R1.
R1(config)# aaa authentication login VPNUSERS local
Step 2: Set XAUTH Timeout Value
Figure: XAUTH timeout of 20 seconds for the remote client in VPN user group VPNUSERS on R1.
R1(config)# crypto isakmp xauth timeout 20
Step 3: Enable ISAKMP XAUTH for Crypto Map
Figure: remote client connects to R1; crypto map name CLIENTMAP, VPN user group VPNUSERS.
R1(config)# crypto map CLIENTMAP client authentication list VPNUSERS
(Optional) Enable XAUTH Save Password
Figure: remote client in group VPN-REMOTE-ACCESS connects to R1.
R1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS
R1(config-isakmp-group)# save-password
This step could have been completed in Step 1 of Task 4 following the crypto isakmp client configuration group command.
Verify
Router# show crypto map interface ethernet 0
Router# show run
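The verify step above shows the commands to run; what a practitioner actually looks for in that output is that every name one command defines is the name another command references (pool, AAA lists, transform set, dynamic map, crypto map), because IOS accepts each line on its own and only the mismatch between them breaks the tunnel. The script below is an added example, not part of the SNRS course material: it parses running-config text and cross-checks those references, and also confirms that RRI and DPD are present. The function names and the SAMPLE_CONFIG text are constructed for this example; the sample assembles the commands from the preceding slides and deliberately keeps the slides' own interface typo (ClinetMap instead of ClientMap) so the audit has something to find.

```python
"""Cross-check a Cisco Easy VPN Server configuration for name consistency.

Added example, not part of the SNRS course material. Reads IOS config text and
verifies that every referenced name (pool, AAA list, transform set, dynamic
map, crypto map) is defined, and that RRI and DPD are present.
"""
import re
from collections import defaultdict

# Constructed sample assembled from the slides, including their interface typo.
SAMPLE_CONFIG = """\
aaa authentication login vpn-users local
aaa authorization network vpn-group local
ip local pool Remote-Pool 10.0.1.100 10.0.1.150
crypto isakmp client configuration group VPN-REMOTE-ACCESS
 key VPNKEY
 pool Remote-Pool
crypto isakmp keepalive 20 10
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map Dynamic-Map 10
 set transform-set VPNTRANSFORM
 reverse-route
crypto map ClientMap client configuration address respond
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap client authentication list vpn-users
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
interface Ethernet0/1
 crypto map ClinetMap
"""

def parse_ios_config(text):
    """Split config text into top-level commands and their indented sub-commands."""
    top, children, parent = [], defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and '!' separators carry no command
        if raw[0].isspace() and parent is not None:
            children[parent].append(line)  # indented: sub-command of last parent
        else:
            parent = line
            top.append(line)
    return top, children

def audit_easy_vpn(config_text):
    """Return a list of findings; an empty list means all references resolve."""
    top, children = parse_ios_config(config_text)

    def defined(pattern):
        return {m.group(1) for m in map(re.compile(pattern).match, top) if m}

    pools = defined(r"ip local pool (\S+)")
    login_lists = defined(r"aaa authentication login (\S+)")
    authz_lists = defined(r"aaa authorization network (\S+)")
    transform_sets = defined(r"crypto ipsec transform-set (\S+)")
    dynamic_maps = defined(r"crypto dynamic-map (\S+)")
    crypto_maps = defined(r"crypto map (\S+)")
    findings, applied = [], False
    for cmd in top:
        # Group policy (mode configuration push) must name an existing pool.
        if cmd.startswith("crypto isakmp client configuration group"):
            for sub in children[cmd]:
                m = re.match(r"pool (\S+)", sub)
                if m and m.group(1) not in pools:
                    findings.append(f"{cmd}: pool {m.group(1)} is not defined")
        # Dynamic crypto map: its transform set must exist and RRI must be on.
        m = re.match(r"crypto dynamic-map (\S+) \d+", cmd)
        if m:
            for sub in children[cmd]:
                t = re.match(r"set transform-set (\S+)", sub)
                if t and t.group(1) not in transform_sets:
                    findings.append(f"dynamic map {m.group(1)}: transform set {t.group(1)} is not defined")
            if "reverse-route" not in children[cmd]:
                findings.append(f"dynamic map {m.group(1)}: reverse-route (RRI) missing")
        # Crypto map: the AAA lists and dynamic map it references must exist.
        m = re.match(r"crypto map (\S+) (.*)", cmd)
        if m:
            name, rest = m.groups()
            for pattern, known, what in (
                (r"client authentication list (\S+)", login_lists, "AAA login list"),
                (r"isakmp authorization list (\S+)", authz_lists, "AAA authorization list"),
                (r"\d+ ipsec-isakmp dynamic (\S+)", dynamic_maps, "dynamic map"),
            ):
                r = re.match(pattern, rest)
                if r and r.group(1) not in known:
                    findings.append(f"crypto map {name}: {what} {r.group(1)} is not defined")
        # Interface binding: crypto map names are case-sensitive in IOS, so a
        # typo here leaves the outside interface with no crypto map at all.
        if cmd.startswith("interface "):
            for sub in children[cmd]:
                a = re.match(r"crypto map (\S+)", sub)
                if a:
                    applied = True
                    if a.group(1) not in crypto_maps:
                        findings.append(f"{cmd}: crypto map {a.group(1)} is not defined")
    if not applied:
        findings.append("no interface has a crypto map applied")
    if not any(c.startswith("crypto isakmp keepalive") for c in top):
        findings.append("ISAKMP DPD (crypto isakmp keepalive) is not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit_easy_vpn(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the audit reports only the interface line, which is exactly the failure the verify commands are meant to catch: the crypto map is fully defined but never bound to the outside interface under its real name. Feeding it the text of show run from a router gives the same cross-check without reading every line by hand.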
Configuring Cisco Easy VPN Remote for the Cisco VPN Client v4.x: General Tasks
Install Cisco VPN Client v4.x.
Create a new client connection entry.
Choose an authentication method.
Configure transparent tunneling.
Enable and add backup servers.
Configure a connection to the Internet through dialup networking.
Install Cisco VPN Client
Install Cisco VPN Client (Cont.)
Create a New Client Connection Entry
Create a New Client Connection Entry (Cont.)
Configure Client Authentication Properties
Mutual Group Authentication
Configure Transparent Tunneling
Routes Table
Enable and Add Backup Servers
Configure Connection to the Internet Through Dial-Up Networking
Summary
Cisco Easy VPN simplifies the configuration of VPNs using routers as Easy VPN servers and clients.
An access router can be configured as a Cisco Easy VPN remote client.
The Cisco Easy VPN Server feature allows a remote end user to communicate using IPsec with any Cisco IOS VPN gateway.
The Cisco VPN Client is simple to deploy and operate.