© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0 4-1
Secured Connectivity: Configuring Cisco Easy VPN Remote Access

Cisco Easy VPN Components
Cisco Easy VPN is made up of two components:
– Cisco Easy VPN Server: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.
– Cisco Easy VPN Remote: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3002 Hardware Clients or Cisco VPN Software Clients to act as remote VPN Clients.

Remote Access Using Cisco Easy VPN
[Figure: a PC with Cisco Easy VPN Remote Client v4.x and Cisco 800 Series, 1800 Series, and 2600 routers connect to a headquarters Cisco VPN Concentrator, Cisco ASA, or Cisco IOS router running Cisco Easy VPN Server]

Cisco Easy VPN Remote Modes of Operation
Client mode
– Specifies that NAT or PAT be used
– Client automatically configures the NAT or PAT translation and the ACLs needed to implement the VPN tunnel
– ip nat inside command applied to all inside interfaces
– ip nat outside command applied to the interface configured for Cisco Easy VPN Remote
Network extension mode
– Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses
– PAT not used
Network extension plus mode
– Additional capability of being able to request an IP address via mode configuration and automatically assign it to an available loopback interface
– IPsec SAs for this IP address automatically created by Cisco Easy VPN Remote
– IP address typically used for troubleshooting (using ping, Telnet, and SSH)

Cisco Easy VPN Remote Client Mode
[Figure: a Cisco 831 Ethernet Broadband Router uses NAT or PAT for its inside hosts and carries their traffic over a VPN tunnel to the Cisco Easy VPN Server]

Cisco Easy VPN Remote Network Extension Mode
[Figure: a Cisco 831 Ethernet Broadband Router carries the remote network over a VPN tunnel to the Cisco Easy VPN Server; network extension mode provides a seamless extension of the remote network]

Cisco Easy VPN Remote Web-Based Activation
[Figure: a telecommuter behind a corporate router connects over a VPN tunnel to headquarters, where a Cisco Secure Access Control Server (ACS) provides authentication using RADIUS]

Web-Based Activation

Authentication Bypass

User Authentication

Successful Authentication

Deactivation

Cisco Easy VPN Remote Connection Process
[Figure: message flow between the Cisco Easy VPN Clients, the Cisco Easy VPN Server, and Cisco Secure ACS]
– The Cisco VPN Client initiates IKE aggressive mode for preshared keys or main mode for PKI, offering multiple ISAKMP proposals.
– The server authenticates the device, then the user: the ISAKMP SA is established, the user is prompted for a username and password, and the credentials are checked against Cisco Secure ACS, which returns Accept/Reject.
– The client requests the remaining parameters; mode configuration pushes the IP address, DNS, etc.
– The IPsec SA is established.
– An RRI route to the client is injected into the routing table.

IPsec Quick Mode Completes the Connection
After the configuration parameters have been successfully received by the Cisco VPN Client, IPsec quick mode is initiated to negotiate IPsec SA establishment. After IPsec SA establishment, the VPN connection is complete.
[Figure: quick mode IPsec SA establishment over the VPN tunnel between a remote PC with Cisco Easy VPN Remote Client v4.x and a Cisco Easy VPN Server running Cisco IOS Release 12.3(11)T]

Cisco Easy VPN Remote Configuration: General Tasks for Access Routers
1. Configure the DHCP server pool.
2. Configure the Cisco Easy VPN Remote client profile.
– Group and key
– Peer
– Mode
– Manual or automatic tunnel control
3. Assign the Cisco Easy VPN Remote client profile to the interfaces.
4. Verify the Cisco Easy VPN configuration.

Create a DHCP Server Pool
[Figure: R6 (VPN Client) connected to R1 (VPN Server)]
R6(config)# ip dhcp pool Local-Pool
R6(dhcp-config)# network
R6(dhcp-config)# default-router
R6(dhcp-config)# exit
R6(config)# ip dhcp excluded-address

Configure the Cisco Easy VPN Client Profile
R6(config)# crypto ipsec client ezvpn R6-Client
R6(config-crypto-ezvpn)# group R6 key VPNKEY
R6(config-crypto-ezvpn)# peer
R6(config-crypto-ezvpn)# mode client
R6(config-crypto-ezvpn)# connect auto
R6(config-crypto-ezvpn)# end
[Figure: profile R6-Client on R6, Fa0/1 toward R1; Group: R6, Key: MYVPNKEY (the commands above use VPNKEY), Mode: Client]

Assign Cisco Easy VPN Remote to an Interface
R6(config)# interface FastEthernet 0/1
R6(config-if)# crypto ipsec client ezvpn R6-Client
R6(config-if)# exit
R6(config)# interface FastEthernet 0/0
R6(config-if)# crypto ipsec client ezvpn R6-Client inside
R6(config-if)# end
[Figure: profile R6-Client applied on R6, Fa0/1 toward R1]

(Optional) Configure XAUTH Save Password Feature
R6(config)# crypto ipsec client ezvpn R6-Client
R6(config-crypto-ezvpn)# username cisco password 0 cisco
R6(config-crypto-ezvpn)# end
[Figure: profile R6-Client on R6, Fa0/1 toward R1]

(Optional) Initiate the VPN Tunnel (XAUTH)
Cisco IOS message: Waiting for valid Xauth username and password.
01:34:42: EZVPN: Pending XAuth Request, Please enter the following command:
01:34:42: EZVPN: crypto ipsec client ezvpn xauth
R6# crypto ipsec client ezvpn xauth
Enter Username and Password: vpnusers
Password: ********
With XAUTH: When the SA expires, the username and password must be manually entered.
With XAUTH Save Password enabled: When the SA expires, the last valid username and password are reused automatically.

Verify Cisco Easy VPN Operation
R6# show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: FastEthernet0/1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address:
Mask:
Default Domain: cisco.com
Save Password: Allowed
Current EzVPN Peer:

Verify Cisco Easy VPN Operation (Cont.)
R6# show crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: port 500
  IKE SA: local /500 remote /500 Active
  IPSEC FLOW: permit ip host /
        Active SAs: 2, origin: crypto map

Verify Cisco Easy VPN Operation (Cont.)
R6# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: port 500 fvrf: (none) ivrf: (none)
      Phase1_id:
      Desc: (none)
  IKE SA: local /500 remote /500 Active
          Capabilities:C connid:0 lifetime:23:38:45
  IPSEC FLOW: permit ip host /
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) /2365
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) /2365

Cisco Easy VPN Remote Configuration Example
!
username cisco password 0 cisco
ip domain-name cisco.com
ip dhcp excluded-address
!
ip dhcp pool Local-Pool
 import all
 network
 default-router
!
crypto ipsec client ezvpn R6-Client
 connect auto
 group R6 key VPNKEY
 mode client
 peer
 username cisco password cisco
 xauth userid mode local
!

Cisco Easy VPN Remote Configuration Example (Cont.)
!
interface FastEthernet0/0
 description Inside
 ip address
 crypto ipsec client ezvpn R6-Client inside
!
interface FastEthernet0/1
 description Outside
 ip address
 crypto ipsec client ezvpn R6-Client
!
end

Cisco Easy VPN Server General Configuration Tasks
The following general tasks are used to configure Cisco Easy VPN Server on a Cisco router:
1. (Optional) Create an IP address pool for connecting clients.
2. Enable group policy lookup via AAA.
3. Create an ISAKMP policy for remote VPN Client access.
4. Define a group policy for mode configuration push.
5. Apply mode configuration and XAUTH.
6. Enable RRI for the client.
7. Enable IKE DPD.
8. Configure XAUTH.
9. (Optional) Enable the XAUTH Save Password feature.

Create IP Address Pool
R1(config)# ip local pool Remote-Pool
Creating a local address pool is optional if you are using an external DHCP server.
[Figure: remote clients are assigned addresses from Remote-Pool on R1]

Configure Group Policy Lookup
R1(config)# aaa new-model
R1(config)# aaa authentication login vpn-users local
R1(config)# aaa authorization network vpn-group local
R1(config)# username cisco password 0 cisco
[Figure: R1 serving remote clients in the VPN-REMOTE-ACCESS group]

Define Group Policy for Mode Configuration Push
Contains the following steps:
Step 1: Add the group profile to be defined.
Step 2: Configure the ISAKMP pre-shared key.
Step 3: Specify the DNS servers.
Step 4: Specify the Microsoft WINS servers.
Step 5: Specify the DNS domain.
Step 6: Specify the local IP address pool.

Add the Group Profile to Be Defined
R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# dns
R1(config-isakmp-group)# wins
R1(config-isakmp-group)# domain cisco.com
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# save-password
[Figure: R1 pushes primary and secondary DNS/Microsoft WINS server addresses to the remote clients]

Create ISAKMP Policy for Remote VPN Client Access
R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# end
Policy 10 on R1 for the remote clients:
– Authentication: Pre-shared keys
– Encryption: 3-DES
– Diffie-Hellman: Group 2
– Other settings: Default

Create Transform Sets
R1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# end
[Figure: transform set VPNTRANSFORM (esp-3des esp-sha-hmac) on R1 for the remote clients]

Create Dynamic Crypto Map with RRI
Contains the following steps:
Step 1: Create a dynamic crypto map.
Step 2: Assign a transform set.
Step 3: Enable RRI.

Step 1: Create a Dynamic Crypto Map
R1(config)# crypto dynamic-map Dynamic-Map 10
R1(config-crypto-map)# set transform-set VPNTRANSFORM
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# end
[Figure: Dynamic-Map 10 on R1 with transform-set VPNTRANSFORM and reverse-route, serving the remote clients]

Apply Mode Configuration and XAUTH
Contains the following steps:
Step 1: Configure the router to respond to mode configuration requests.
Step 2: Enable IKE querying for a group policy.
Step 3: Enforce XAUTH.
Step 4: Apply the dynamic crypto map to the crypto map.

Applying Mode Configuration
R1(config)# crypto map ClientMap client configuration address respond
R1(config)# crypto map ClientMap isakmp authorization list vpn-group
R1(config)# crypto map ClientMap client authentication list vpn-users
R1(config)# crypto map ClientMap ipsec-isakmp dynamic Dynamic-Map
[Figure: R1 and a remote client]

Apply the Crypto Map to Router Outside Interface
R1(config)# interface ethernet0/1
R1(config-if)# crypto map ClientMap
R1(config-if)# end
[Figure: crypto map ClientMap applied on the R1 outside interface (Fa0/1) facing the remote client]

Enable ISAKMP DPD
router(config)# crypto isakmp keepalive secs retries
R1(config)# crypto isakmp keepalive
[Figure: R1 and a remote client exchange DPD messages: 1) DPD send: Are you there? 2) DPD reply: Yes, I am here.]

Configure XAUTH
Step 1: Enable AAA login authentication.
Step 2: Set the XAUTH timeout value.
Step 3: Enable ISAKMP XAUTH for the dynamic crypto map.

Step 1: Enable AAA Login Authentication
R1(config)# aaa authentication login VPNUSERS local
[Figure: R1 and a remote client; VPNUSERS is the VPN user group]

Step 2: Set XAUTH Timeout Value
R1(config)# crypto isakmp xauth timeout 20
The timeout value is in seconds.
[Figure: R1 and a remote client; VPNUSERS is the VPN user group]

Step 3: Enable ISAKMP XAUTH for Crypto Map
R1(config)# crypto map CLIENTMAP client authentication list VPNUSERS
[Figure: R1 and a remote client; VPNUSERS is the VPN user group and CLIENTMAP is the crypto map name]

(Optional) Enable XAUTH Save Password
This step could have been completed in Step 1 of Task 4 following the crypto isakmp client configuration group command.
R1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS
R1(config-isakmp-group)# save-password
[Figure: R1 and a remote client in the VPN-REMOTE-ACCESS group]

Verify
Router# show crypto map interface ethernet 0
Router# show run
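A configuration check in the spirit of the verification tasks above, covering both the R6 remote profile and the R1 server settings shown in this lesson. This is an added example, not course material; the two config fragments, the weak-cipher set and the DH-group threshold are constructed assumptions.

```python
# Audit Cisco IOS Easy VPN configuration text for weak or risky settings.
# Added example, not from the SNRS course; it models the R1 server and R6
# remote fragments the slides show.  Both fragments below are constructed.
import re
# Server fragment: the XAUTH 'client authentication list' and the DPD
# 'crypto isakmp keepalive' lines are left out so the audit reports them.
SERVER_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp client configuration group R6
 key VPNKEY
 save-password
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
crypto map ClientMap client configuration address respond
crypto map ClientMap ipsec-isakmp dynamic Dynamic-Map
"""

# Remote fragment with the optional XAUTH Save Password credentials stored.
CLIENT_CONFIG = """\
crypto ipsec client ezvpn R6-Client
 group R6 key VPNKEY
 mode client
 username cisco password cisco
"""

# Assumed thresholds (not from the page): DES/3DES and DH groups below 14.
WEAK_CIPHERS = {"des", "3des"}
MIN_DH_GROUP = 14

def audit_easyvpn(config: str) -> list[str]:
    """Return findings for one device config; empty list means all passed."""
    findings = []
    for m in re.finditer(r"^ encryption (\S+)", config, re.M):
        if m.group(1) in WEAK_CIPHERS:
            findings.append(f"ISAKMP policy uses weak cipher {m.group(1)}")
    for m in re.finditer(r"^ group (\d+)$", config, re.M):
        if int(m.group(1)) < MIN_DH_GROUP:
            findings.append(f"ISAKMP policy uses weak DH group {m.group(1)}")
    for m in re.finditer(r"^crypto ipsec transform-set \S+ esp-(\S+)", config, re.M):
        if m.group(1) in WEAK_CIPHERS:
            findings.append(f"transform set uses weak cipher {m.group(1)}")
    if re.search(r"^ save-password$", config, re.M):
        findings.append("group policy lets clients save XAUTH passwords")
    if re.search(r"^ username \S+ password", config, re.M):
        findings.append("ezvpn client profile stores XAUTH credentials")
    # Server-only checks, keyed on the presence of a crypto map.
    if re.search(r"^crypto map ", config, re.M):
        if not re.search(r"^crypto map \S+ client authentication list", config, re.M):
            findings.append("crypto map has no XAUTH client authentication list")
        if not re.search(r"^crypto isakmp keepalive \d+", config, re.M):
            findings.append("ISAKMP DPD keepalive is not configured")
    return findings
```

Run it against the output of show run from each device; an empty list for the server means the ISAKMP policy, transform set, XAUTH and DPD checks all passed.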

Configuring Cisco Easy VPN Remote for the Cisco VPN Client v4.x: General Tasks
1. Install Cisco VPN Client v4.x.
2. Create a new client connection entry.
3. Choose an authentication method.
4. Configure transparent tunneling.
5. Enable and add backup servers.
6. Configure a connection to the Internet through dialup networking.

Install Cisco VPN Client

Install Cisco VPN Client (Cont.)

Create a New Client Connection Entry

Create a New Client Connection Entry (Cont.)

Configure Client Authentication Properties

Mutual Group Authentication

Configure Transparent Tunneling

Routes Table

Enable and Add Backup Servers

Configure Connection to the Internet Through Dial-Up Networking

Summary
– Cisco Easy VPN simplifies the configuration of VPNs using routers as Easy VPN servers and clients.
– An access router can be configured as a Cisco Easy VPN remote client.
– The Cisco Easy VPN Server feature allows a remote end user to communicate using IPsec with any Cisco IOS VPN gateway.
– The Cisco VPN Client is simple to deploy and operate.
