How to configure IOS Easy VPN 
Easy VPN Overview
The Cisco Easy VPN client feature eliminates much of the tedious configuration work by implementing the Cisco Unity Client protocol. This protocol allows most VPN parameters, such as internal IP addresses, internal subnet masks, DHCP server addresses, WINS server addresses, and split-tunneling flags, to be defined at a VPN server that is acting as an IPSec server.
An Easy VPN server-enabled device can terminate VPN tunnels initiated by mobile and remote workers who are running Cisco Easy VPN Remote software on PCs. Easy VPN server-enabled devices allow remote routers to act as Easy VPN Remote nodes.
The Cisco Easy VPN client feature can be configured in one of two modes—client mode or network extension mode. Client mode is the default configuration and allows only devices at the client site to access resources at the central site. Resources at the client site are unavailable to the central site. Network extension mode allows users at the central site to access network resources on the client site.
Network Diagram
Please refer to the attached JPEG file (Diagram1.jpeg).
Configurations
The configuration below demonstrates Easy VPN in client mode with X-Authentication. Lines in bold show the configuration lines related to Easy VPN. Lines in red enable X-Authentication; if they are removed, the client connects without X-Auth. Note that X-Authentication is configured only on the Easy VPN server side.
-
VPN_Hub configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_hub
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login vpnuser local
aaa authorization network vpngroup local
!
aaa session-id common
memory-size iomem 5
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
no ip domain lookup
!
username cisco password 0 cisco
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp client configuration address-pool local VPNPOOL
!
crypto isakmp client configuration group EzVPN
 key cisco123
 dns 211.1.1.100
 domain office.com
 pool VPNPOOL
!
crypto ipsec transform-set IPSEC_set esp-3des esp-sha-hmac
!
crypto dynamic-map DYN 1
 set transform-set IPSEC_set
 reverse-route
!
crypto map EzVPN client authentication list vpnuser
crypto map EzVPN isakmp authorization list vpngroup
crypto map EzVPN client configuration address respond
crypto map EzVPN 10 ipsec-isakmp dynamic DYN
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 31.1.1.2 255.255.255.0
 ip ospf network point-to-point
 speed 100
 full-duplex
 crypto map EzVPN
!
interface FastEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 duplex auto
 speed auto
 no keepalive
!
router ospf 1
 router-id 3.3.3.3
 log-adjacency-changes
 network 31.1.1.0 0.0.0.255 area 0
!
ip local pool VPNPOOL 11.1.1.10 11.1.1.20
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end
-
VPN_Client configuration
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPN_client
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
! Note: the name server below appears when the IPSec tunnel is UP
!
ip name-server 211.1.1.100
!
crypto isakmp invalid-spi-recovery
!
crypto ipsec client ezvpn EzVPN
 connect manual
 group EzVPN key cisco123
 mode client
 peer 31.1.1.2
 username cisco password cisco
 xauth userid mode interactive
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
! Note: the Loopback interface below appears when the IPSec tunnel is UP
!
interface Loopback1
 ip address 11.1.1.12 255.255.255.255
!
interface FastEthernet0/0
 ip address 21.1.1.2 255.255.255.0
 ip ospf network point-to-point
 speed 100
 full-duplex
 crypto ipsec client ezvpn EzVPN outside
!
interface FastEthernet0/1
 ip address 211.1.1.2 255.255.255.0
 duplex auto
 speed auto
 no keepalive
 crypto ipsec client ezvpn EzVPN inside
!
router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
 network 21.1.1.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 21.1.1.1
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
end
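As an added cross-check that is not part of the original post, the Python script below parses constructed excerpts of the two configurations above and reports the mismatches that most often keep an Easy VPN client from matching its server group: an unknown group name, a differing pre-shared key, a peer address that is not a crypto-map interface on the server, and stored XAuth credentials (xauth userid mode local) without save-password in the server group. The function and variable names are the example's own.

```python
import re

# Constructed excerpts of the VPN_hub and VPN_client configurations shown on this page.
HUB_CFG = """\
crypto isakmp client configuration group EzVPN
 key cisco123
 pool VPNPOOL
crypto map EzVPN client authentication list vpnuser
interface FastEthernet0/0
 ip address 31.1.1.2 255.255.255.0
 crypto map EzVPN
ip local pool VPNPOOL 11.1.1.10 11.1.1.20
"""
CLIENT_CFG = """\
crypto ipsec client ezvpn EzVPN
 group EzVPN key cisco123
 peer 31.1.1.2
 xauth userid mode interactive
"""

def parse_blocks(cfg):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def check_ezvpn(hub_cfg, client_cfg):
    """Return the mismatches that would keep the client profile from matching the server."""
    hub, client = parse_blocks(hub_cfg), parse_blocks(client_cfg)
    profile = next(v for k, v in client.items() if k.startswith("crypto ipsec client ezvpn "))
    group, key = re.search(r"group (\S+) key (\S+)", " ".join(profile)).groups()
    peer = next(l.split()[1] for l in profile if l.startswith("peer "))
    problems, srv_group = [], hub.get(f"crypto isakmp client configuration group {group}", [])
    if not srv_group:
        problems.append(f"server has no group {group}")
    elif f"key {key}" not in srv_group:
        problems.append(f"pre-shared key for group {group} differs")
    # The peer must be an address on a server interface that carries a crypto map.
    if not any(any(l.startswith(f"ip address {peer} ") for l in v) and any(l.startswith("crypto map ") for l in v)
               for k, v in hub.items() if k.startswith("interface ")):
        problems.append(f"peer {peer} is not a crypto-map interface on the server")
    # Stored XAuth credentials (userid mode local) only work with save-password in the server group.
    xauth = any("client authentication list" in k for k in hub)
    if xauth and "xauth userid mode local" in profile and "save-password" not in srv_group:
        problems.append("client stores XAuth credentials but group lacks save-password")
    return problems
```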
Easy VPN verification
Commands used to verify Easy VPN operation:
-
Easy VPN Client side
First, the IPSec tunnel is set up from the client side; this illustrates the manual connect mode.
Note: Auto connect mode allows the X-Auth username and password not to be entered every time the client establishes an IPSec connection with the VPN server. It is configured by adding the following lines on the Easy VPN client side:
VPN_client(config)#crypto ipsec client ezvpn EzVPN
VPN_client(config-crypto-ezvpn)#user cisco password cisco
VPN_client(config-crypto-ezvpn)#xauth userid mode local
VPN_client(config-crypto-ezvpn)#conn auto
and also the following line on the Easy VPN server side:
VPN_hub(config)#crypto isakmp client configuration group EzVPN
VPN_hub(config-isakmp-group)#save-password
VPN_client#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 21.1.1.2 YES manual up up
FastEthernet0/1 211.1.1.2 YES manual up up
FastEthernet1/0 unassigned YES NVRAM administratively down down
FastEthernet2/0 unassigned YES NVRAM administratively down down
NVI0 unassigned NO unset up up
Loopback0 2.2.2.2 YES manual up up
VPN_client#
VPN_client#sh ip route
< omitted >
Gateway of last resort is 21.1.1.1 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 21.1.1.1, 01:33:15, FastEthernet0/0
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
21.0.0.0/24 is subnetted, 1 subnets
C 21.1.1.0 is directly connected, FastEthernet0/0
31.0.0.0/24 is subnetted, 1 subnets
O 31.1.1.0 [110/2] via 21.1.1.1, 01:33:15, FastEthernet0/0
C 211.1.1.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 21.1.1.1
VPN_client#
VPN_client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : EzVPN
Inside interface list: FastEthernet0/1
Outside interface: FastEthernet0/0
Current State: CONNECT_REQUIRED
Last Event: TRACKED OBJECT UP
Save Password: Disallowed
Current EzVPN Peer: 31.1.1.2
VPN_client#
VPN_client#crypto ipsec client ezvpn connect
VPN_client#
*Mar 1 05:54:21.894: EZVPN(EzVPN): Pending XAuth Request, Please enter the following command:
*Mar 1 05:54:21.898: EZVPN: crypto ipsec client ezvpn xauth
VPN_client#crypto ipsec client ezvpn xauth
Username: cisco
Password: cisco
VPN_client#
*Mar 1 05:54:32.114: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client) User= Group=EzVPN Client_public_addr=21.1.1.2 Server_public_addr=31.1.1.2 Assigned_client_addr=11.1.1.18
VPN_client#
VPN_client#
*Mar 1 05:54:33.550: %LINK-3-UPDOWN: Interface Loopback1, changed state to up
*Mar 1 05:54:34.550: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback1, changed state to up
VPN_client#
VPN_client#show crypto ipsec client ezvpn
Easy VPN Remote Phase: 4
Tunnel name : EzVPN
Inside interface list: FastEthernet0/1
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 11.1.1.18
Mask: 255.255.255.255
DNS Primary: 211.1.1.100
Default Domain: office.com
Save Password: Disallowed
Current EzVPN Peer: 31.1.1.2
VPN_client#sh crypto isakmp sa
dst src state conn-id slot status
31.1.1.2 21.1.1.2 QM_IDLE 1 0 ACTIVE
VPN_client#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: FastEthernet0/0-head-0, local addr 21.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (11.1.1.18/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 31.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 21.1.1.2, remote crypto endpt.: 31.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x20FB1F05(553328389)
inbound esp sas:
spi: 0x48BB0EE1(1220218593)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2003, flow_id: 3, crypto map: FastEthernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4512346/3462)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x20FB1F05(553328389)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2004, flow_id: 4, crypto map: FastEthernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4512346/3462)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
VPN_client#
VPN_client#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 21.1.1.2 YES manual up up
FastEthernet0/1 211.1.1.2 YES manual up up
FastEthernet1/0 unassigned YES NVRAM administratively down down
FastEthernet2/0 unassigned YES NVRAM administratively down down
NVI0 unassigned NO unset up up
Loopback0 2.2.2.2 YES manual up up
Loopback1 11.1.1.18 YES manual up up
VPN_client#
VPN_client#sh ip route
< omitted >
Gateway of last resort is 21.1.1.1 to network 0.0.0.0
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 21.1.1.1, 01:32:01, FastEthernet0/0
2.0.0.0/32 is subnetted, 1 subnets
C 2.2.2.2 is directly connected, Loopback0
21.0.0.0/24 is subnetted, 1 subnets
C 21.1.1.0 is directly connected, FastEthernet0/0
11.0.0.0/32 is subnetted, 1 subnets
C 11.1.1.18 is directly connected, Loopback1
31.0.0.0/24 is subnetted, 1 subnets
O 31.1.1.0 [110/2] via 21.1.1.1, 01:32:01, FastEthernet0/0
C 211.1.1.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 21.1.1.1
VPN_client#
VPN_client#ping 10.1.1.2 source Loopback 1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 11.1.1.19
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/39/64 ms
VPN_client#
-
Easy VPN Server side
VPN_hub#show crypto isakmp sa
dst src state conn-id slot status
31.1.1.2 21.1.1.2 QM_IDLE 1 0 ACTIVE
VPN_hub#show ip route
< omitted >
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 31.1.1.1, 01:39:07, FastEthernet0/0
3.0.0.0/32 is subnetted, 1 subnets
C 3.3.3.3 is directly connected, Loopback0
21.0.0.0/24 is subnetted, 1 subnets
O 21.1.1.0 [110/2] via 31.1.1.1, 01:39:07, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/1
11.0.0.0/32 is subnetted, 1 subnets
S 11.1.1.18 [1/0] via 21.1.1.2
31.0.0.0/24 is subnetted, 1 subnets
C 31.1.1.0 is directly connected, FastEthernet0/0
VPN_hub#
VPN_hub#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: EzVPN, local addr 31.1.1.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (11.1.1.18/255.255.255.255/0/0)
current_peer 21.1.1.2 port 500
PERMIT, flags={}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 31.1.1.2, remote crypto endpt.: 21.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xB726C0C3(3072770243)
inbound esp sas:
spi: 0xF5BC41C2(4122755522)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: 1, crypto map: EzVPN
sa timing: remaining key lifetime (k/sec): (4409131/3398)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB726C0C3(3072770243)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: 2, crypto map: EzVPN
sa timing: remaining key lifetime (k/sec): (4409131/3398)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
VPN_hub#
VPN_hub#show ip local pool VPNPOOL
Pool Begin End Free In use
VPNPOOL 11.1.1.10 11.1.1.20 10 1
Available addresses:
11.1.1.20
11.1.1.10 IKE Addr IDB
11.1.1.11 IKE Addr IDB
11.1.1.12 IKE Addr IDB
11.1.1.13 IKE Addr IDB
11.1.1.14 IKE Addr IDB
11.1.1.15 IKE Addr IDB
11.1.1.16 IKE Addr IDB
11.1.1.17 IKE Addr IDB
11.1.1.19 IKE Addr IDB
Inuse addresses:
11.1.1.18 IKE Addr IDB
VPN_hub#
Attachments:
- Diagram1.jpeg (36 KB)
Type: How-To - Archive ID: 2.60 - 1850 Views - Last Updated: March 19, 2010 20:22:35