Secured Connectivity

Cisco Easy VPN Server

2007 Cisco Systems, Inc. All rights reserved.

SNRS v2.04-1

Cisco Easy VPN Server General Configuration Tasks


The following general tasks are used to configure Cisco Easy VPN Server on a Cisco router:
(Optional) Create an IP address pool for connecting clients.
Enable group policy lookup via AAA.
Create an ISAKMP policy for remote VPN Client access.
Define a group policy for mode configuration push.
Apply mode configuration and XAUTH.
Enable RRI for the client.
Enable IKE DPD.
Configure XAUTH.
(Optional) Enable the XAUTH Save Password feature.

Create IP Address Pool


Figure: remote clients connecting to R1; address pool Remote-Pool, 10.0.1.100 to 10.0.1.150

R1(config)# ip local pool Remote-Pool 10.0.1.100 10.0.1.150

Creating a local address pool is optional if you are using an external DHCP server.

Configure Group Policy Lookup


Figure: remote clients in group VPN-REMOTE-ACCESS connecting to R1

R1(config)# aaa new-model
R1(config)# aaa authentication login vpn-users local
R1(config)# aaa authorization network vpn-group local
R1(config)# username cisco password 0 cisco

Define Group Policy for Mode Configuration Push


Contains the following steps:
Step 1: Add the group profile to be defined.
Step 2: Configure the ISAKMP pre-shared key.
Step 3: Specify the DNS servers.
Step 4: Specify the Microsoft WINS servers.
Step 5: Specify the DNS domain.
Step 6: Specify the local IP address pool.

Add the Group Profile to Be Defined


Figure: remote clients connecting to R1; primary DNS/Microsoft WINS 10.0.1.13, secondary DNS/Microsoft WINS 10.0.1.14

R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# dns 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# wins 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# domain cisco.com
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# save-password

Create ISAKMP Policy for Remote VPN Client Access


Figure: remote clients connecting to R1; ISAKMP policy 10: authentication pre-shared keys, encryption 3DES, Diffie-Hellman group 2, other settings default

R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# end

Create Transform Sets

Figure: remote clients connecting to R1; transform set VPNTRANSFORM, esp-3des esp-sha-hmac

R1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# end

Create Dynamic Crypto Map with RRI


Contains the following steps:
Step 1: Create a dynamic crypto map.
Step 2: Assign a transform set.
Step 3: Enable RRI.

Step 1: Create a Dynamic Crypto Map

Figure: remote clients connecting to R1; dynamic crypto map Dynamic-Map 10 with transform-set VPNTRANSFORM and reverse-route

R1(config)# crypto dynamic-map Dynamic-Map 10
R1(config-crypto-map)# set transform-set VPNTRANSFORM
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# end

Apply Mode Configuration and XAUTH


Contains the following steps:
Step 1: Configure the router to respond to mode configuration requests.
Step 2: Enable IKE querying for a group policy.
Step 3: Enforce XAUTH.
Step 4: Apply the dynamic crypto map to the crypto map.

Applying Mode Configuration


Figure: remote client connecting to R1

R1(config)# crypto map ClientMap client configuration address respond
R1(config)# crypto map ClientMap isakmp authorization list vpn-group
R1(config)# crypto map ClientMap client authentication list vpn-users
R1(config)# crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map

Apply the Crypto Map to Router Outside Interface


Figure: remote client connecting to R1 through the outside interface (shown as Fa0/1); crypto map name ClientMap

R1(config)# interface ethernet0/1
R1(config-if)# crypto map ClientMap
R1(config-if)# end

Enable ISAKMP DPD


Figure: DPD exchange between R1 and the remote client
1) DPD send: "Are you there?"
2) DPD reply: "Yes, I am here."

router(config)# crypto isakmp keepalive secs retries

R1(config)# crypto isakmp keepalive 20 10

Configure XAUTH
Step 1: Enable AAA login authentication.
Step 2: Set the XAUTH timeout value.
Step 3: Enable ISAKMP XAUTH for the dynamic crypto map.

Step 1: Enable AAA Login Authentication


Figure: remote client connecting to R1; VPN user group VPNUSERS

R1(config)# aaa authentication login VPNUSERS local

Step 2: Set XAUTH Timeout Value

Figure: remote client connecting to R1; VPN user group VPNUSERS; XAUTH timeout 20 seconds

R1(config)# crypto isakmp xauth timeout 20

Step 3: Enable ISAKMP XAUTH for Crypto Map

Figure: remote client connecting to R1; crypto map name CLIENTMAP; VPN user group VPNUSERS

R1(config)# crypto map CLIENTMAP client authentication list VPNUSERS

(Optional) Enable XAUTH Save Password


Figure: remote client connecting to R1; group VPN-REMOTE-ACCESS

R1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS
R1(config-isakmp-group)# save-password

This step could have been completed in Step 1 of Task 4 following the crypto isakmp client configuration group command.
Verify

Router# show crypto map interface ethernet 0
Router# show run
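As an added example that is not part of the course material, the Python audit below reads a constructed show run excerpt and checks that the Easy VPN Server pieces from the preceding tasks line up: the crypto map applied to the interface is actually defined, the dynamic map and the XAUTH and group-lookup AAA lists resolve, DPD is set, and save-password and 3DES are flagged as risks. The configuration sample and the function name are constructed for this example.

```python
import re
# Constructed "show run" excerpt modelled on the slides (not a real device
# capture); it carries the slides' crypto-map name typo so the audit finds it.
SAMPLE_RUN = """\
aaa new-model
aaa authentication login vpn-users local
aaa authorization network vpn-group local
crypto isakmp client configuration group VPN-REMOTE-ACCESS
 save-password
crypto isakmp keepalive 20 10
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
crypto dynamic-map Dynamic-Map 10
crypto map ClientMap isakmp authorization list vpn-group
crypto map ClientMap client authentication list vpn-users
crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map
interface Ethernet0/1
 crypto map ClinetMap
"""

def audit_easy_vpn(run):
    """Check the Easy VPN server pieces of a running-config; return findings."""
    lines = [l.strip() for l in run.splitlines()]
    def names(pat):  # first capture group of every line matching pat
        return {m.group(1) for m in (re.match(pat, l) for l in lines) if m}
    findings = []
    if not names(r"crypto isakmp keepalive (\d+)"):
        findings.append("IKE DPD not configured (crypto isakmp keepalive)")
    defined = names(r"crypto map (\S+) ")   # global crypto map entries
    applied = names(r"crypto map (\S+)$")   # crypto map on an interface
    if not applied:
        findings.append("crypto map not applied to any interface")
    for m in applied - defined:
        findings.append(f"interface references undefined crypto map {m}")
    dyn = names(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)")
    for d in dyn - names(r"crypto dynamic-map (\S+) "):
        findings.append(f"crypto map references undefined dynamic map {d}")
    xauth = names(r"crypto map \S+ client authentication list (\S+)")
    if not xauth:
        findings.append("XAUTH not enforced on any crypto map")
    for l in xauth - names(r"aaa authentication login (\S+) "):
        findings.append(f"XAUTH list {l} has no aaa authentication login list")
    grp = names(r"crypto map \S+ isakmp authorization list (\S+)")
    for l in grp - names(r"aaa authorization network (\S+) "):
        findings.append(f"group list {l} has no aaa authorization network list")
    if "save-password" in lines:
        findings.append("save-password lets clients cache the XAUTH password")
    if any("3des" in l for l in lines):
        findings.append("3DES in use; prefer AES transform sets")
    return findings
```

Running it on the sample reports the misspelled crypto map on the interface, the cached XAUTH password and the 3DES transform; on a corrected configuration only the 3DES note remains.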

Configuring Cisco Easy VPN Remote for the Cisco VPN Client v4.x: General Tasks
Install Cisco VPN Client v4.x.
Create a new client connection entry.
Choose an authentication method.
Configure transparent tunneling.
Enable and add backup servers.
Configure a connection to the Internet through dialup networking.

Install Cisco VPN Client

Install Cisco VPN Client (Cont.)

Create a New Client Connection Entry

Create a New Client Connection Entry (Cont.)

Configure Client Authentication Properties

Mutual Group Authentication

Configure Transparent Tunneling

Routes Table

Enable and Add Backup Servers

Configure Connection to the Internet Through Dial-Up Networking

Summary
Cisco Easy VPN simplifies the configuration of VPNs using routers as Easy VPN servers and clients.
An access router can be configured as a Cisco Easy VPN remote client.
The Cisco Easy VPN Server feature allows a remote end user to communicate using IPsec with any Cisco IOS VPN gateway.
The Cisco VPN Client is simple to deploy and operate.