© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.04-1 IPsec VPNs: Configuring Cisco Easy VPN and Easy VPN Server Using SDM


Introducing Cisco Easy VPN

Introducing Cisco Easy VPN
Cisco Easy VPN has two main functions:
– Simplify client configuration
– Centralize client configuration and dynamically push the configuration to clients
How are these two goals achieved?
– IKE Mode Config (mode configuration) is used to download configuration parameters from the server to the clients.
– Clients are preconfigured with a set of IKE policies and IPsec transform sets, so the client side needs only the server address, the group name and the group credential.

Cisco Easy VPN Components
– Easy VPN Server: enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN 3000 Concentrators to act as VPN head-end devices in site-to-site or remote-access VPNs in which the remote devices use the Cisco Easy VPN Remote feature.
– Easy VPN Remote: enables Cisco IOS routers, Cisco PIX Firewalls, and Cisco VPN hardware clients or software clients to act as remote VPN clients.

Remote Access Using Cisco Easy VPN

Describe Easy VPN Server and Easy VPN Remote

Cisco Easy VPN Remote Connection Process
1. The VPN client initiates the IKE Phase 1 process.
2. The VPN client establishes an ISAKMP SA.
3. The Easy VPN Server accepts the SA proposal.
4. The Easy VPN Server initiates a username and password challenge.
5. The mode configuration process is initiated.
6. The RRI process is initiated.
7. IPsec quick mode completes the connection.

Step 1: The VPN Client Initiates the IKE Phase 1 Process
– Using pre-shared keys? The client initiates aggressive mode (the Easy VPN group name is carried as the IKE identity, which main mode with pre-shared keys cannot do).
– Using digital certificates? The client initiates main mode.
Caveat: in aggressive mode the pre-shared-key authentication hash is exchanged before the channel is encrypted, so a captured exchange can be attacked offline with a dictionary against the group key. Use a long, random group key, or prefer certificates.

Step 2: The VPN Client Establishes an ISAKMP SA
The VPN client attempts to establish an SA between peer IP addresses by sending multiple ISAKMP proposals to the Easy VPN Server. To reduce manual configuration on the VPN client, these proposals include several combinations of the following:
– Encryption and hash algorithms
– Authentication methods
– Diffie-Hellman group sizes

Step 3: The Cisco Easy VPN Server Accepts the SA Proposal
The Easy VPN Server searches its ISAKMP policy list for a match:
– Policies are evaluated in priority order (lowest policy number = highest priority); the first server policy that matches one of the client's proposals is accepted.
– Put the most secure proposals at the top of the server's policy list (highest priority) so that they are chosen whenever the client offers them; a weaker policy left lower in the list can still be accepted if nothing above it matches.
The ISAKMP SA is then established. Device (group) authentication ends and user authentication begins.

Step 4: The Cisco Easy VPN Server Initiates a Username and Password Challenge
If the Easy VPN Server is configured for Xauth, the VPN client waits for a username/password challenge:
– The user enters a username/password combination.
– The username/password is checked against an authentication source (local database, RADIUS or TACACS+) through AAA.
All Easy VPN Servers should be configured to enforce user authentication: the group pre-shared key is shared by every client in the group, so without Xauth anyone holding that key can connect.

Step 5: The Mode Configuration Process Is Initiated
If the Easy VPN Server reports successful authentication, the VPN client requests the remaining configuration parameters from the server:
– Mode configuration starts.
– The remaining system parameters (IP address, DNS, split tunneling information, and so on) are downloaded to the VPN client.
Remember that the IP address (pool) is the only required parameter in a group profile; all other parameters are optional.

Step 6: The RRI Process Is Initiated
Reverse route injection (RRI) should be used when:
– More than one VPN server is used
– Per-client static IP addresses are used with some clients (instead of per-VPN-server IP pools)
RRI creates a static route on the server for each client's assigned address. Redistributing these static routes into an IGP lets the routers at the server site find the appropriate Easy VPN Server for return traffic to clients.

Step 7: IPsec Quick Mode Completes the Connection
After the configuration parameters have been received by the VPN client, IPsec quick mode is initiated to negotiate the IPsec SAs. After IPsec SA establishment, the VPN connection is complete.

Cisco Easy VPN Server Configuration Tasks

Cisco Easy VPN Server Configuration Tasks Using SDM
Configuring the Easy VPN Server requires these tasks:
– Configuring a privileged user
– Configuring an enable secret
– Enabling AAA using the local database
– Configuring the Easy VPN Server using a configuration wizard

Cisco Easy VPN Server Configuration Tasks for the Easy VPN Server Wizard
The Easy VPN Server wizard includes these tasks:
– Selecting the interface on which to terminate IPsec
– IKE policies
– Group policy lookup method
– User authentication
– Local group policies
– IPsec transform set

Configuring Easy VPN Server

Configuring Easy VPN Server
Use a browser to connect to the Easy VPN Server router and click the link to SDM.
Prepare a design before implementing the VPN server:
– IKE authentication method
– User authentication method
– IP addressing and routing for clients
Install all prerequisite services (depending on the chosen design), for example:
– RADIUS/TACACS+ server
– CA and enrollment with the CA
– DNS resolution for the VPN server addresses

VPN Wizards

Enabling AAA

Local User Management

Creating Users

Starting the Easy VPN Server Wizard

Select Interface for Terminating IPsec

IKE Proposals

Transform Set

Group Policy Configuration Location

Option 1: Local Router Configuration

Option 2: External Location via RADIUS

Option 2: External Location via RADIUS (Cont.)

User Authentication

Option 1: Local User Database

Local User Database: Adding Users

Option 2: External User Database via RADIUS

Local Group Policies

General Parameters

Domain Name System

Split Tunneling

Advanced Options

Xauth Options

Completing the Configuration

Review the Generated Configuration

Review the Generated Configuration (Cont.)
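The wizard ends by writing Cisco IOS CLI to the router. The configuration below is an added example of what that CLI looks like for the seven-step connection process described earlier (group pre-shared key and aggressive mode, ISAKMP policy matching, Xauth, mode configuration, RRI, quick mode). It is not SDM output from the course lab and not a Cisco reference configuration; the group name remote-users, the list names EZVPN-XAUTH and EZVPN-GROUPS, the map names EZVPN-MAP and EZVPN-DYN, the pool name EZVPN-POOL, the addresses 192.0.2.0/24, 10.0.0.0/24 and 10.10.10.0/24, the interface FastEthernet0/0, the OSPF process and the placeholder secrets are all assumptions.

```cisco
! Added example (not SDM-generated output). Names, addresses and secrets are assumptions.
!
! SDM prerequisites from the task list: privileged user, enable secret, HTTPS access
enable secret <enable-secret>
username admin privilege 15 secret <admin-password>
ip http secure-server
ip http authentication local
!
! AAA on the local database: Xauth users (step 4) and group policy lookup (step 5)
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUPS local
username alice secret <strong-user-password>
!
! ISAKMP policy (steps 2-3). Lowest policy number = highest priority, so the
! strongest policy goes first. Do not leave a weaker fallback policy (e.g.
! DES/MD5/group 1) further down: the client offers many combinations and the
! server will accept the fallback whenever policy 10 cannot be matched.
! Assumption: group 5 is used because classic Easy VPN clients offer it; use a
! larger group if both ends support one.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 86400
!
! Group profile (steps 1 and 5): the group name is the IKE identity the client
! sends in aggressive mode; the attributes are pushed by IKE Mode Config.
! The group key is shared by every client in the group, so make it long and
! random, and do not add "save-password" (it lets clients cache Xauth passwords).
crypto isakmp client configuration group remote-users
 key <long-random-group-key>
 dns 10.0.0.10
 domain example.com
 pool EZVPN-POOL
 acl 101
!
! IPsec transform set (step 7)
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic map for clients with unknown addresses; reverse-route enables RRI (step 6)
crypto dynamic-map EZVPN-DYN 10
 set transform-set ESP-AES256-SHA
 reverse-route
!
! Enforce Xauth and group authorization on every peer terminating on this map
crypto map EZVPN-MAP client authentication list EZVPN-XAUTH
crypto map EZVPN-MAP isakmp authorization list EZVPN-GROUPS
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
! Addresses handed to clients (the one required group attribute)
ip local pool EZVPN-POOL 10.10.10.1 10.10.10.254
!
! Split tunneling: only traffic to the corporate LAN 10.0.0.0/24 is tunneled;
! everything else leaves the client unprotected, so keep this list as narrow
! as the design allows.
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
! Interface on which IPsec is terminated
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map EZVPN-MAP
!
! Step 6: advertise the RRI static routes so site routers reach the right server
router ospf 1
 redistribute static subnets
!
! Verification (exec mode) once a client has connected:
!   show crypto isakmp sa   - the client's IKE SA should be in QM_IDLE
!   show crypto ipsec sa    - encaps/decaps counters should increment
!   show ip route static    - host route to the client's pool address from RRI
```

The same commands are what the "Verify the Easy VPN Server Configuration" screens display; if the wizard's review page shows a policy weaker than policy 10 above, or a split-tunnel list that permits more than the protected networks, edit it before delivering the configuration to the router.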

Verify the Easy VPN Server Configuration

Verify the Easy VPN Server Configuration (Cont.)

Monitoring Easy VPN Server

Advanced Monitoring
Advanced monitoring can be performed using the default Cisco IOS HTTP server interface. It requires knowledge of Cisco IOS CLI commands:
– show crypto isakmp sa: lists active IKE (ISAKMP) sessions
– show crypto ipsec sa: lists active IPsec security associations

Troubleshooting
Advanced troubleshooting can be performed from the Cisco IOS CLI. It requires knowledge of Cisco IOS CLI commands:
– debug crypto isakmp: debugs IKE communication
– debug aaa authentication: debugs user authentication (Xauth) via the local user database or RADIUS
– debug aaa authorization: debugs the AAA authorization step that supplies the group policy attributes for IKE Mode Config
– debug radius: debugs RADIUS communication
Debug output is verbose and costs router CPU; on a busy head-end, limit it to a single peer with debug crypto condition peer ipv4 <address> (where the Cisco IOS release supports conditional crypto debugging) and turn it off with undebug all when finished.

Summary
– Cisco Easy VPN consists of two components: Easy VPN Server and Easy VPN Remote.
– Cisco Easy VPN Server can be configured using SDM.
– If you are using a local IP address pool, you need to configure that pool for use with Easy VPN.
– AAA is enabled for policy lookup.
– ISAKMP policies are configured for VPN clients.

Summary (Cont.)
The steps for defining a group policy include configuring the following:
– Policy profile of the group that will be defined
– Pre-shared key
– DNS servers
– WINS servers
– DNS domain
– Local IP address pool
Verify the Easy VPN operation.