Cisco IPsec Easy VPN Configuration

This topic is to discuss the following lesson:


How is Easy VPN different from GETVPN?

Hi Edwin,

Normally when you configure IPsec you have to configure security parameters (ESP/AH, DH, encryption algorithm, etc.) on both endpoints. Easy VPN is useful for remote workers so you don’t have to configure all these parameters on the client side. These VPN connections are all point-to-point.

Now imagine you have a large company with a HQ and multiple branch offices. All branch offices should be connected to the HQ and there should be some direct branch-to-branch VPNs. In this case, you really don’t want to configure dozens of these point-to-point VPNs, which is why we have technology like DMVPN, which uses point-to-multipoint tunnels.

I would recommend reading up a bit on DMVPN if you haven’t seen this before:

Introduction to DMVPN

Everything I described above has one thing in common…we use “tunnels” to “bridge” networks together. This allows connectivity between networks with private addresses.

Now let’s say we have that large company with its multiple branch offices and everything is connected the way it should. Branch offices can reach each other directly, they can all reach the HQ etc. For now it doesn’t matter what we used…it could be MPLS VPN or DMVPN and we are not using any IPsec at all.

We want to make sure that all our traffic is protected through IPsec and we want to centralize this…

GETVPN uses a key server (a central router) which takes care of all keys and it can distribute security policies. Other routers are called group members and once authenticated by the key server, they belong to the group and they can securely communicate with other group members.

The original IP header is used, which is why you already need to have connectivity through a private network like MPLS VPN or DMVPN.

So the short version…with GETVPN we have a bunch of routers that are already connected somehow. We use a central key server and all other routers are group members. Group members authenticate to the key server which takes care of keying/policies. Once you belong to the group, traffic is protected with IPsec. It only takes care of “protecting” your traffic which is why you need a private network like MPLS VPN or DMVPN (or anything else).

I hope this helps, if not let me know.

Rene
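To make the contrast concrete, here is an added example (the editor's, not configuration from the lesson or from any post in this thread) of a minimal IOS GETVPN deployment: one key server and one group member. The key server address 10.96.0.15, the member's WAN address, the group identity number and all names are assumed for illustration. Note what is absent on the group member: no tunnel interface, no peer, no transform set and no crypto ACL of its own; all of that is pushed by the key server, and the crypto map sits on the interface facing the private WAN that already provides reachability.

```cisco
! ===== Key server (the central router; address 10.96.0.15 assumed) =====
!
! IKE is only used once, when a group member registers with the key server.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Example only: a wildcard pre-shared key lets any address register.
! Use per-peer keys or, better, certificates to authenticate group members.
crypto isakmp key GETVPN-REG-KEY address 0.0.0.0 0.0.0.0
!
! This IPsec policy is not applied locally; it is pushed to every group member.
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Which traffic the members must encrypt. GETVPN keeps the original IP header,
! so the underlying MPLS VPN / DMVPN routing carries the packets exactly as before.
ip access-list extended GETVPN-TRAFFIC
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! Prerequisite (exec mode): crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048
! The key server signs rekey messages with this pair; members verify them.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-TRAFFIC
! Time-based anti-replay: every member must have a synchronised clock (NTP).
   replay time window-size 5
  address ipv4 10.96.0.15
!
! ===== Group member (any branch router; WAN address assumed) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-REG-KEY address 10.96.0.15
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.96.0.15
!
! A GDOI crypto map has no peer and no local SA definition: keys, transform
! set and the traffic ACL all arrive from the key server after registration.
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
! No tunnel interface: the map goes on the interface facing the private WAN.
interface GigabitEthernet0/0
 description Uplink into the MPLS VPN / DMVPN network that already provides reachability
 ip address 10.96.5.1 255.255.255.0
 crypto map GETVPN-MAP
```

On the member, `show crypto gdoi` shows whether registration succeeded and lists the ACL and SA it downloaded; on the key server, `show crypto gdoi ks members` lists who has registered. If a member never shows up there, the problem is IKE between member and key server (the pre-shared key or reachability of 10.96.0.15), not the data-plane policy.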

Hi,

Can you make an example using PPTP?

Also, let’s say that we have NAT and we are connecting using PPPoE, but on the internal LAN we have some servers that we want to access from outside. Do we need to implement static routing?

Thank you

Hi Rene,

How can I use Easy VPN to tunnel all the traffic from the client PC, not just the traffic to the remote networks?
Especially when the VPN router is doing NAT as well.
Traffic will enter and leave the same interface, like a hairpin.

Regards,
Bandu

Hi Bandu,

By default, all traffic will be tunneled unless you configure split tunneling.

Rene
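Added example (the editor's, not taken from the lesson or from any post in this thread) of the server side that the answer above refers to. The group policy is where full tunnel versus split tunnel is decided, and a full-tunnel client also needs the hairpin NAT that Bandu asks about, because its Internet traffic arrives on the VPN router through the tunnel and has to leave through the same WAN interface. Names, addresses, the client pool and the interfaces are all assumed. One caveat worth stating: the group pre-shared key is shared by every client and is negotiated with IKEv1 aggressive mode, so the per-user Xauth credentials, not the group key, are what actually identify a client.

```cisco
! Easy VPN server (hub) on IOS, using a dynamic virtual tunnel interface.
! Names, addresses, pool and interfaces are assumed for the example.
aaa new-model
aaa authentication login EZVPN-XAUTH local
aaa authorization network EZVPN-GROUP local
username alice secret Xauth-Password-Example
!
! Easy VPN clients negotiate IKEv1; group 2 is the lowest common denominator
! for the legacy Cisco VPN Client. Use the strongest group your clients support.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Group policy pushed to every client that authenticates as VPN_Group.
! With no "acl" line there is NO split tunnel: the client sends all traffic,
! Internet included, through the tunnel (the default described above).
crypto isakmp client configuration group VPN_Group
 key Group-PSK-Example
 dns 10.96.0.66
 pool EZVPN-POOL
! To enable split tunnelling add exactly one line under this group:
!  acl SPLIT-TUNNEL
! and only the networks in that ACL will be routed through the tunnel.
!
crypto isakmp profile EZVPN-PROFILE
 match identity group VPN_Group
 client authentication list EZVPN-XAUTH
 isakmp authorization list EZVPN-GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZVPN-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile EZVPN-IPSEC
 set transform-set EZVPN-TS
 set isakmp-profile EZVPN-PROFILE
!
ip local pool EZVPN-POOL 10.96.200.1 10.96.200.50
!
! The source side of the split ACL is the protected network behind this server.
ip access-list extended SPLIT-TUNNEL
 permit ip 10.0.0.0 0.255.255.255 any
!
! Hairpin for full-tunnel clients: their Internet traffic arrives on the
! Virtual-Access interface cloned from this template and must leave through
! the same WAN interface it came in on, so the tunnel side is "nat inside"
! and the client pool is part of the NAT source list.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC
!
interface GigabitEthernet0/0
 description Internet-facing interface
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description HQ LAN
 ip address 10.96.1.1 255.255.255.0
 ip nat inside
!
! Traffic from the pool to the HQ LAN is inside-to-inside and is not translated;
! only pool traffic heading out of GigabitEthernet0/0 is PATed.
ip access-list standard NAT-SOURCES
 permit 10.96.1.0 0.0.0.255
 permit 10.96.200.0 0.0.0.255
ip nat inside source list NAT-SOURCES interface GigabitEthernet0/0 overload
```

A quick way to confirm which policy a client actually received: on an IOS Easy VPN remote, `show crypto ipsec client ezvpn` lists the split-tunnel networks pushed by the server (none for a full tunnel); on the server, `show crypto session` shows the Virtual-Access interface each client was given. If full-tunnel clients can reach HQ but not the Internet, check that the pool is in the NAT source list and that the virtual template has `ip nat inside`.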

Hi Rene,

Can you provide a scenario of a site-to-site VPN using Easy VPN? Thanks

Hany

Hello Hany.

I have set up a site-to-site VPN using Easy VPN in a production environment.

Easy VPN for a site-to-site VPN is created using the Cisco Configuration Professional (CCP) GUI for Cisco routers. You connect to both the VPN server and the VPN client routers individually and enter commands using the wizards provided. You can find out more about creating a site-to-site VPN with Easy VPN on CCP here.

The configuration I implemented required a group of 7 PCs at a remote site to connect to internal network resources (finance server and internal email) at company headquarters. I created a VPN server using Easy VPN at the head office location. Using an ADSL connection at the remote site, I used Easy VPN to configure the client ADSL router. The result was that the seven PCs were connected to an internal subnet of headquarters such that their communication with the rest of the network was as if they were physically located within the company WAN.

I hope this has been helpful.

Laz

Hi Laz,

Can you post the configuration as it shows up in the CLI of the central and remote sites?

Thanks

Hany

Hello Hany

Here’s an excerpt from the client-side VPN router, that is, the ADSL router at the remote site. Of course it has been sanitised…

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 XXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
aaa session-id common
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
!
crypto pki trustpoint TP-self-signed-3860321116
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3860321116
 revocation-check none
 rsakeypair TP-self-signed-3860321116
!
!
crypto pki certificate chain TP-self-signed-3860321116
 certificate self-signed 01
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.96.1.73 10.96.1.74
!
ip dhcp pool sdm-pool
   import all
   network 10.96.1.72 255.255.255.248
   default-router 10.96.1.73 
   dns-server 10.96.0.66 XXXXXXXXXX
!
!
ip domain name XXXXXXXXX.com
ip name-server XXXXXXXXX
ip name-server 10.96.0.66
!
multilink bundle-name authenticated
!
!
username name privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
username name2 privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
! 
!
!
!
!
!
! Easy VPN Remote (client) profile generated by SDM/CCP.
! "connect auto" brings the tunnel up without user interaction.
! "group ... key" is the group pre-shared key shared by all clients of VPN_Group;
! "username/password" are the Xauth credentials, stored on the router because
! of "xauth userid mode local". Two peers are listed: if the first server is
! unreachable the client tries the second.
! "mode network-extension" presents the LAN subnet behind Vlan1 to the HQ
! as-is, instead of hiding it behind a single assigned client address.
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
 connect auto
 group VPN_Group key XXXXXXX
 mode network-extension
 peer 10.96.0.15
 peer 10.96.0.13
 virtual-interface 2
 username name password XXXXXXXXXXXXXXX
 xauth userid mode local
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.4 point-to-point
 pvc 8/35 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
! Dynamic VTI that the Easy VPN profile binds to ("virtual-interface 2");
! the IPsec parameters are negotiated with the server, not configured here.
interface Virtual-Template2 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.96.1.73 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
! Easy VPN "inside" interface: the LAN behind it is what the tunnel carries
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
!
interface Dialer3
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXX
! type 0: the CHAP password is stored in clear text in the running config
 ppp chap password 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
! Easy VPN "outside" interface: the IPsec tunnel to the peers is built from here
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3 2
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
! PAT for LAN hosts (access-list 1) leaving through the DSL link
ip nat inside source list 1 interface Dialer3 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.96.1.72 0.0.0.7
! access-list 101 is not applied anywhere in this excerpt
access-list 101 permit ip any 10.0.0.0 0.255.255.255
access-list 101 deny   ip any any
dialer-list 1 protocol ip permit
snmp-server community XXXXXXXX RO
no cdp run
!
!
!
!
control-plane
!
banner login C----------------------------------------------------------------
 XXXXXXXXXXXXXXXXXXXX
-----------------------------------------------------------------------




!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end

I was unable to get access to the VPN server today, but when I do I will post that as well.

I hope this has been helpful!

Laz
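Before reusing this excerpt as a template, a few of its management-plane settings deserve a second look. The following before/after is an added example written by the editor, not part of the post: the "as posted" half quotes lines that appear in the excerpt above, and the hardened half assumes an access-list number (24) and an HQ management subnet (10.96.0.0/24) for illustration. The VPN configuration itself is left untouched.

```cisco
! --- As posted (remote-site router excerpt) ---
no service password-encryption
ppp chap password 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ip http server
ip http secure-server
snmp-server community XXXXXXXX RO
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
! --- Hardened equivalent (added example, assumed ACL and subnet) ---
! Type 7 encoding only obscures the CHAP password, so this is the minimum;
! keep copies of the running config off untrusted channels. The "enable secret"
! and "username ... secret" lines in the excerpt are already hashed (type 5).
service password-encryption
!
! SSH only on the VTYs. The excerpt already has "ip domain name" and ssh in
! "transport input", so an RSA key exists; on a fresh router run, in exec mode,
! "crypto key generate rsa modulus 2048" before removing telnet.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Management sources: the HQ subnet reached through the Easy VPN tunnel (assumed)
access-list 24 remark MGMT hosts allowed to manage this router
access-list 24 permit 10.96.0.0 0.0.0.255
!
! Plain HTTP off; HTTPS for CCP/SDM stays and is still limited by access-class 23
no ip http server
ip http secure-server
!
! A read-only community is still a cleartext secret on the wire; bind it to an
! ACL (or move to SNMPv3 authPriv) so it cannot be used from the DSL side.
snmp-server community XXXXXXXX RO 24
!
line vty 0 4
 access-class 24 in
 exec-timeout 10 0
 transport input ssh
```

Apply the VTY changes from the console, or at least verify `ssh -l name <router>` works before removing telnet from `transport input`, since the router is at a remote site. `show ip ssh` confirms the version and that a key pair is in place.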

Thanks Laz, very helpful.


Hi Rene,

Can you please give an example of using IKEv2 instead of IKEv1?

Hello Hussein

Until @ReneMolenaar creates a lesson that shows the differences in implementation of IKEv1 and IKEv2 on Cisco devices, take a look at this Cisco Documentation that compares configs for IKEv1 and IKEv2 on Cisco IOS devices. The connections in each case are made with strongSwan devices, but you can see the differences in the configs on the IOS side of the connections.

I hope this has been helpful!

Laz

Thanks for answer Laz

I will definitely be excited about this lesson, but for now I only want to know how to connect a VPN from my Windows 10 machine to the router using IKEv2, because the Cisco VPN client is end-of-sale and not used these days!

Hi,
Thanks for the lesson. Can you please check why this image is not displaying in the article?
https://networklessons.com/wp-content/uploads/2014/02/cisco-vpn-client-profile-properties.png

B.R


Hello Thierry

Thanks for letting us know. We’ll get it fixed ASAP.

Laz

Thank you Thierry, I just fixed this image.

Rene
