Cisco Easy VPN configuration example

Source: Internet
Author: User
Tags hmac

This example shows a complete Cisco Easy VPN configuration. The topology is shown in Figure 15-15: a Cisco 831 router is the Easy VPN remote and a Cisco 1751 router is the Easy VPN server. The WAN interfaces of both routers have static public IP addresses. The Cisco 831 Easy VPN remote operates in client mode, the addresses of the hosts behind it are translated with NAT/PAT, and the Easy VPN server performs Xauth user authentication.

Figure 15-15 Cisco Easy VPN configuration example topology

The first two octets of the two WAN addresses are garbled in the source; they are written below as A.B, so the Cisco 831 WAN address is A.B.20.1 and the Cisco 1751 WAN address is A.B.20.2 (both with a /24 mask).

Because the Cisco 831 works in client mode and this router series uses Ethernet0 as the NAT/PAT inside interface by default, there is no need to specify the NAT/PAT inside interface or to apply the Easy VPN remote configuration to it. The private network behind the Easy VPN remote is translated by NAT/PAT to the global IP address that the Easy VPN server pushes through mode configuration. Because client mode is used, only hosts on the VPN client network can initiate access to the network behind the VPN server; communication initiated from the Easy VPN server side toward the Cisco 831 network is not possible.

1. Easy VPN remote: Cisco 831 router configuration

(1) Basic global configuration.

Router(config)# hostname Cisco831
Cisco831(config)# enable password cisco
Cisco831(config)# username cisco password 0 cisco
Cisco831(config)# ip subnet-zero
Cisco831(config)# no ip domain-lookup
Cisco831(config)# ip domain-name cisco.com
Cisco831(config)# ip ssh time-out 120
Cisco831(config)# ip ssh authentication-retries 3
Cisco831(config)# ip classless
Cisco831(config)# ip route 0.0.0.0 0.0.0.0 Ethernet1
! --- Default route through the WAN interface
Cisco831(config)# ip route 30.30.30.0 255.255.255.0 Ethernet1
! --- Static route to the private network behind the Easy VPN server through the WAN interface
Cisco831(config)# ip http server
Cisco831(config)# ip pim bidir-enable
Cisco831(config)# line con 0
Cisco831(config-line)# exec-timeout 120 0
Cisco831(config-line)# stopbits 1
Cisco831(config-line)# exit
Cisco831(config)# line vty 0 4
Cisco831(config-line)# exec-timeout 0 0
Cisco831(config-line)# no login
Cisco831(config-line)# exit

As listed, the vty lines accept connections with no login, the exec timeout is disabled, the enable password is set with enable password (stored in a reversible form) instead of enable secret, the local user password is in clear text (password 0), and the HTTP management server is enabled. This is acceptable only in a lab. On a production router use enable secret, username ... secret, login local together with transport input ssh on the vty lines, and disable or restrict ip http server.

(2) DHCP server configuration (provides automatic IP address allocation for the Easy VPN client hosts).

Cisco831(config)# ip dhcp excluded-address 10.10.10.1
Cisco831(config)# ip dhcp pool CLIENT
Cisco831(dhcp-config)# import all
Cisco831(dhcp-config)# network 10.10.10.0 255.255.255.0
Cisco831(dhcp-config)# default-router 10.10.10.1
Cisco831(dhcp-config)# dns-server 30.30.30.60
Cisco831(dhcp-config)# exit

(3) Easy VPN remote configuration.

Cisco831(config)# crypto ipsec client ezvpn hw-client
Cisco831(config-crypto-ezvpn)# group hw-client-groupname key hw-client-password
Cisco831(config-crypto-ezvpn)# mode client
Cisco831(config-crypto-ezvpn)# peer A.B.20.2
! --- The peer is the WAN address of the Easy VPN server (Cisco 1751)
Cisco831(config-crypto-ezvpn)# exit
Cisco831(config)# interface Ethernet0
Cisco831(config-if)# description connected to BRANCH LAN
Cisco831(config-if)# ip address 10.10.10.1 255.255.255.0
Cisco831(config-if)# no cdp enable
Cisco831(config-if)# exit
Cisco831(config)# interface Ethernet1
Cisco831(config-if)# description connected to INTERNET
Cisco831(config-if)# ip address A.B.20.1 255.255.255.0
Cisco831(config-if)# no cdp enable
Cisco831(config-if)# crypto ipsec client ezvpn hw-client
! --- Apply the Easy VPN remote configuration hw-client created above to the WAN interface, which is also the NAT/PAT outside interface
Cisco831(config-if)# exit

The group name and key are a shared secret common to every remote in the group and are used as the IKE pre-shared key in aggressive mode, so a pre-shared key that is short or guessable can be attacked offline by anyone able to start an IKE exchange with the server. Keep the group key long and random and treat the Xauth user credentials as the per-user factor, not as a substitute for a strong group key.

Run show crypto ipsec client ezvpn to view the basic state of the Easy VPN remote. The address, DNS, WINS and domain values are those pushed by the server's group configuration:

Cisco831# show crypto ipsec client ezvpn
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 30.30.30.20
Mask: 255.255.255.255
DNS Primary: 30.30.30.10
DNS Secondary: 30.30.30.11
NBMS/WINS Primary: 30.30.30.12
NBMS/WINS Secondary: 30.30.30.13
Default Domain: cisco.com

Run show crypto ipsec sa to view the parameters negotiated for the IPsec SA on the Easy VPN remote. Note that in client mode the local identity is the single pushed address 30.30.30.20/32 (the NAT/PAT global address) and the remote identity is 0.0.0.0/0, because no split-tunnel list is pushed:

Cisco831# show crypto ipsec sa
interface: Ethernet1
    Crypto map tag: Ethernet1-head-0, local addr. A.B.20.1

   local  ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: A.B.20.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest 26
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: A.B.20.1, remote crypto endpt.: A.B.20.2
     path mtu 1500, media mtu 1500
     current outbound spi: 7C1E9826

     inbound esp sas:
      spi: 0x54C859CF(1422416335)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4607999/3404)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7C1E9826(2082379814)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4607996/3395)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

2. Easy VPN server: Cisco 1751V router configuration

(1) Basic global configuration.

Router(config)# hostname Cisco1751
Cisco1751(config)# ip classless
Cisco1751(config)# ip route 0.0.0.0 0.0.0.0 Ethernet0/0
! --- Default route through the WAN interface
Cisco1751(config)# no ip http server
Cisco1751(config)# ip pim bidir-enable
Cisco1751(config)# no ip source-route
! --- Do not process source-routed packets
Cisco1751(config)# line vty 0 4
Cisco1751(config-line)# password cisco
Cisco1751(config-line)# login
Cisco1751(config-line)# exit

(2) AAA configuration.

Cisco1751(config)# aaa new-model
Cisco1751(config)# aaa authentication login userlist local
! --- Define a login authentication method list named userlist that uses the local database; it is used for Xauth
Cisco1751(config)# aaa authorization network hw-client-groupname local
! --- Define a network authorization method list named hw-client-groupname that uses the local database; it is used for group authorization
Cisco1751(config)# aaa session-id common
Cisco1751(config)# enable password cisco
Cisco1751(config)# username winda password 0 cisco
! --- The username and password used for Xauth user authentication
Cisco1751(config)# ip domain-name cisco.com

(3) IKE policy, IPsec transform set and dynamic crypto map.

Cisco1751(config)# crypto isakmp policy 1
Cisco1751(config-isakmp)# encryption 3des
! --- The cipher keyword is garbled in the source; 3des is assumed here to match the esp-3des transform set below
Cisco1751(config-isakmp)# authentication pre-share
Cisco1751(config-isakmp)# group 2
Cisco1751(config-isakmp)# exit
Cisco1751(config)# crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
Cisco1751(cfg-crypto-trans)# exit
Cisco1751(config)# crypto dynamic-map dynmap 1
Cisco1751(config-crypto-map)# set transform-set transform-1
Cisco1751(config-crypto-map)# reverse-route
! --- Reverse route injection installs a host route for each connected client's assigned address
Cisco1751(config-crypto-map)# exit

3DES, SHA-1 HMAC and Diffie-Hellman group 2 are the algorithms of the original example and are legacy today; where both ends support it, prefer AES with a larger DH group.

(4) Group policy for mode configuration.

Cisco1751(config)# crypto isakmp client configuration group hw-client-groupname
Cisco1751(config-isakmp-group)# key hw-client-password
Cisco1751(config-isakmp-group)# dns 30.30.30.10 30.30.30.11
Cisco1751(config-isakmp-group)# wins 30.30.30.12 30.30.30.13
Cisco1751(config-isakmp-group)# domain cisco.com
Cisco1751(config-isakmp-group)# pool dynpool
Cisco1751(config-isakmp-group)# exit
Cisco1751(config)# crypto isakmp client configuration address-pool local dynpool
! --- Specify the local address pool dynpool to be pushed in the group configuration
Cisco1751(config)# ip local pool dynpool 30.30.30.20 30.30.30.30
! --- The internal global IP address pool pushed to Easy VPN clients

(5) Apply mode configuration and Xauth to the crypto map and bind it to the WAN interface.

Cisco1751(config)# crypto map dynmap client authentication list userlist
Cisco1751(config)# crypto map dynmap isakmp authorization list hw-client-groupname
Cisco1751(config)# crypto map dynmap client configuration address respond
Cisco1751(config)# crypto map dynmap 1 ipsec-isakmp dynamic dynmap
Cisco1751(config)# interface Ethernet0/0
Cisco1751(config-if)# description connected to INTERNET
Cisco1751(config-if)# ip address A.B.20.2 255.255.255.0
Cisco1751(config-if)# half-duplex
Cisco1751(config-if)# no cdp enable
Cisco1751(config-if)# crypto map dynmap
! --- Apply the crypto map that references the dynamic crypto map created above
Cisco1751(config-if)# exit
Cisco1751(config)# interface FastEthernet0/0
Cisco1751(config-if)# description connected to HQ LAN
Cisco1751(config-if)# ip address 30.30.30.1 255.255.255.0
Cisco1751(config-if)# speed auto
Cisco1751(config-if)# no cdp enable
Cisco1751(config-if)# exit

The IPsec SA parameters can also be viewed on the Easy VPN server; they mirror what is seen on the remote, with the identities reversed. The counters show traffic initiated from the client side only, as expected in client mode:

Cisco1751# show crypto ipsec sa
interface: Ethernet0/0
    Crypto map tag: dynmap, local addr. A.B.20.2

   protected vrf:
   local  ident (addr/mask/prot/port): (30.30.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
   current_peer: A.B.20.1:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: A.B.20.2, remote crypto endpt.: A.B.20.1
     path mtu 1500, media mtu 1500
     current outbound spi: 239C766E

     inbound esp sas:
      spi: 0xE89E6649(3902694985)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 200, flow_id: 1, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4458452/3335)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x239C766E(597456494)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 201, flow_id: 2, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4458454/3335)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

The show crypto engine connections active command summarizes the crypto engine's active connections. The first column is the connection ID: ID 1 is the IKE SA, and IDs 200 and 201 are the inbound and outbound IPsec SAs whose conn ids appear in the show crypto ipsec sa output above.

Cisco1751# show crypto engine connections active

  ID Interface    IP-Address   State Algorithm           Encrypt Decrypt
   1 Ethernet0/0  A.B.20.2     set   HMAC_SHA+3DES_56_C        0       0
 200 Ethernet0/0  A.B.20.2     set   HMAC_SHA+3DES_56_C        0     538
 201 Ethernet0/0  A.B.20.2     set   HMAC_SHA+3DES_56_C      133       0
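The weak settings in the example (vty lines with no login, enable password, clear-text user passwords, ip http server, 3DES/SHA-1/group 2 and a clear-text Easy VPN group key) are the kind a practitioner checks mechanically before a configuration leaves the lab. The following script is an added example written for this page; it is not part of the original page and not Cisco code. It audits an IOS-style running configuration reconstructed from the commands on both routers (prompts removed, WAN addresses written as A.B.20.x because they are garbled in the source) and reports each weak setting with a severity.

```python
"""Audit a Cisco IOS-style configuration for the weak settings seen in the
Easy VPN example.  Added illustration, not from the page or from Cisco."""
import re
from typing import Iterator, List, Tuple

# Constructed sample: the Cisco 831 / 1751 commands from the example in
# running-config form.  A.B.20.2 stands for the garbled server WAN address.
SAMPLE_CONFIG = """\
hostname Cisco831
enable password cisco
username cisco password 0 cisco
ip http server
line vty 0 4
 exec-timeout 0 0
 no login
!
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto ipsec client ezvpn hw-client
 group hw-client-groupname key hw-client-password
 mode client
 peer A.B.20.2
"""

Finding = Tuple[str, str]  # (severity, message)

LEGACY_IKE_CIPHERS = {"des", "3des"}
LEGACY_IKE_GROUPS = {"1", "2", "5"}
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def _blocks(lines: List[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (top-level command, [indented sub-commands]) pairs."""
    parent, children = None, []
    for line in lines:
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            children.append(line.strip())
        else:
            if parent is not None:
                yield parent, children
            parent, children = line.strip(), []
    if parent is not None:
        yield parent, children


def audit_config(text: str) -> List[Finding]:
    """Return the weak settings found, as (severity, message) pairs."""
    findings: List[Finding] = []
    for cmd, kids in _blocks(text.splitlines()):
        if cmd.startswith("enable password"):
            findings.append(("high", "enable password used; prefer enable secret"))
        m = re.match(r"username (\S+) password", cmd)
        if m:
            findings.append(("high", f"user {m.group(1)}: reversible password; use 'username ... secret'"))
        if cmd == "ip http server":
            findings.append(("medium", "HTTP management server enabled"))
        if cmd.startswith("line vty"):
            if "no login" in kids:
                findings.append(("critical", f"{cmd}: 'no login' allows unauthenticated access"))
            if not any(k.startswith("transport input ssh") for k in kids):
                findings.append(("medium", f"{cmd}: transport not restricted to ssh"))
            if "exec-timeout 0 0" in kids:
                findings.append(("low", f"{cmd}: exec-timeout disabled"))
        if cmd.startswith("crypto isakmp policy"):
            for k in kids:
                parts = k.split()
                if parts[0] == "encryption" and parts[1] in LEGACY_IKE_CIPHERS:
                    findings.append(("medium", f"{cmd}: legacy IKE cipher {parts[1]}"))
                if parts[0] == "group" and parts[1] in LEGACY_IKE_GROUPS:
                    findings.append(("medium", f"{cmd}: weak DH group {parts[1]}"))
        if cmd.startswith("crypto ipsec transform-set"):
            weak = [t for t in cmd.split()[4:] if t in LEGACY_ESP]
            if weak:
                findings.append(("medium", f"transform-set uses legacy transforms: {' '.join(weak)}"))
        if cmd.startswith("crypto ipsec client ezvpn"):
            for k in kids:
                m = re.match(r"group (\S+) key (\S+)", k)
                if m:
                    findings.append(("high", f"Easy VPN group key for {m.group(1)} stored in clear text"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:8}] {message}")
```

Run as a script it lists ten findings for the sample; feed it the output of show running-config from a real device instead of SAMPLE_CONFIG. The checks are deliberately keyword-based so they work on the plain text IOS emits, without a full command parser.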
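Both show crypto ipsec sa outputs in the example are read by eye. The following parser is an added example written for this page, not code from the page or from Cisco; it extracts the peer, the packet counters and the inbound and outbound ESP SAs from the Cisco 831 output and checks what an operator verifies by hand: both SA directions exist, each SA's transform matches the configured transform set, replay detection is on, the outbound SA's SPI matches the "current outbound spi" line, the SA is not about to expire, and the encaps/encrypt and decaps/decrypt counters agree. The sample text is the Cisco 831 output from the example with the garbled WAN addresses written as A.B.20.x.

```python
"""Parse Cisco IOS 'show crypto ipsec sa' output and check SA health.
Added illustration, not from the page or from Cisco."""
import re
from typing import Dict, List

# Constructed sample: the Cisco 831 output from the example (A.B.20.x stands
# for the WAN addresses that are garbled in the source).
SAMPLE_SA_OUTPUT = """\
interface: Ethernet1
    Crypto map tag: Ethernet1-head-0, local addr. A.B.20.1

   local  ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: A.B.20.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest 26
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #send errors 0, #recv errors 0

     local crypto endpt.: A.B.20.1, remote crypto endpt.: A.B.20.2
     path mtu 1500, media mtu 1500
     current outbound spi: 7C1E9826

     inbound esp sas:
      spi: 0x54C859CF(1422416335)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4607999/3404)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7C1E9826(2082379814)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4607996/3395)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
"""


def parse_ipsec_sa(text: str) -> Dict:
    """Return peer, counters, current outbound SPI and the list of ESP SAs."""
    info: Dict = {"counters": {}, "sas": []}
    m = re.search(r"current_peer:\s*(\S+)", text)
    info["peer"] = m.group(1) if m else None
    m = re.search(r"current outbound spi:\s*([0-9A-Fa-f]+)", text)
    info["outbound_spi"] = int(m.group(1), 16) if m else None
    for name in ("encaps", "encrypt", "digest", "decaps", "decrypt", "verify"):
        m = re.search(rf"#pkts {name}:?\s*(\d+)", text)  # 'digest'/'verify' have no colon
        info["counters"][name] = int(m.group(1)) if m else 0
    for em in re.finditer(r"#(send|recv) errors\s*(\d+)", text):
        info["counters"][em.group(1) + "_errors"] = int(em.group(2))
    direction, sa = None, None
    for line in text.splitlines():
        s = line.strip()
        hdr = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", s)
        if hdr:  # only ESP sections carry SAs in this example; AH/PCP are empty
            direction = hdr.group(1) if hdr.group(2) == "esp" else None
            continue
        if direction is None:
            continue
        sm = re.match(r"spi: 0x([0-9A-Fa-f]+)", s)
        if sm:
            sa = {"direction": direction, "spi": int(sm.group(1), 16)}
            info["sas"].append(sa)
            continue
        if sa is None:
            continue
        if s.startswith("transform:"):
            sa["transform"] = s[len("transform:"):].strip(" ,").split()
        elif s.startswith("replay detection support:"):
            sa["replay"] = s.endswith("Y")
        elif s.startswith("sa timing"):
            tm = re.search(r"\((\d+)/(\d+)\)", s)
            sa["kb_left"], sa["sec_left"] = int(tm.group(1)), int(tm.group(2))
        elif "conn id:" in s:
            sa["conn_id"] = int(re.search(r"conn id:\s*(\d+)", s).group(1))
    return info


def check_sa(info: Dict, expected_transform: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the tunnel looks healthy."""
    problems: List[str] = []
    dirs = {sa["direction"] for sa in info["sas"]}
    if dirs != {"inbound", "outbound"}:
        problems.append(f"missing SA direction: have {sorted(dirs)}")
    for sa in info["sas"]:
        if sa.get("transform") != expected_transform:
            problems.append(f"{sa['direction']} SA uses {sa.get('transform')}")
        if not sa.get("replay"):
            problems.append(f"{sa['direction']} SA has replay detection off")
        if sa.get("sec_left", 0) < 60:
            problems.append(f"{sa['direction']} SA about to expire")
        if sa["direction"] == "outbound" and sa["spi"] != info["outbound_spi"]:
            problems.append("outbound SA SPI does not match current outbound spi")
    c = info["counters"]
    if c["encaps"] != c["encrypt"] or c["decaps"] != c["decrypt"]:
        problems.append("encaps/encrypt or decaps/decrypt counters disagree")
    if c.get("send_errors", 0) or c.get("recv_errors", 0):
        problems.append("send/recv errors present")
    return problems


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    print(parsed["peer"], hex(parsed["outbound_spi"]), parsed["counters"])
    print(check_sa(parsed, ["esp-3des", "esp-sha-hmac"]) or "SA healthy")
```

The expected transform is passed in explicitly so the same check can assert that an upgraded transform set (for example esp-aes esp-sha-hmac) has actually taken effect after a change, rather than silently accepting whatever the peers negotiated.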
