This topic is to discuss the following lesson:
How is Easy VPN different from GETVPN?
Normally when you configure IPsec you have to configure security parameters (ESP/AH, DH, encryption algorithm, etc.) on both endpoints. Easy VPN is useful for remote workers so you don’t have to configure all these parameters on the client side. These VPN connections are all point-to-point.
Now imagine you have a large company with a HQ and multiple branch offices. All branch offices should be connected to the HQ and there should be some direct branch-to-branch VPNs. In this case, you really don’t want to configure dozens of these point-to-point VPNs which is why we have technology like DMVPN which uses point-to-multipoint tunnels.
I would recommend reading up a bit on DMVPN if you haven’t seen it before:
Everything I described above has one thing in common…we use “tunnels” to “bridge” networks together. This allows connectivity between networks with private addresses.
Now let’s say we have that large company with its multiple branch offices and everything is connected the way it should. Branch offices can reach each other directly, they can all reach the HQ etc. For now it doesn’t matter what we used…it could be MPLS VPN or DMVPN and we are not using any IPsec at all.
We want to make sure that all our traffic is protected through IPsec and we want to centralize this…
GETVPN uses a key server (a central router) which takes care of all keys and it can distribute security policies. Other routers are called group members and once authenticated by the key server, they belong to the group and they can securely communicate with other group members.
The original IP header is used, which is why you already need to have connectivity through a private network like MPLS VPN or DMVPN.
So the short version…with GETVPN we have a bunch of routers that are already connected somehow. We use a central key server and all other routers are group members. Group members authenticate to the key server which takes care of keying/policies. Once you belong to the group, traffic is protected with IPsec. It only takes care of “protecting” your traffic which is why you need a private network like MPLS VPN or DMVPN (or anything else).
I hope this helps, if not let me know.
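As an added example (not part of the original post or of the lesson it discusses), here is what the key server / group member split described above looks like in Cisco IOS. IOS 15.x syntax is assumed, and every name (GETVPN, GETVPN_TS, GETVPN_PROFILE, GETVPN_TRAFFIC, GETVPN_REKEY, GETVPN_MAP), the identity number 1234, the pre-shared key, the key server address 10.255.0.1, the branch WAN address 10.1.1.1 and the interface name are assumptions.

```text
! ===== Key server (assumed hostname KS, 10.255.0.1 on the existing MPLS VPN / DMVPN network) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard PSK so that any member can register; certificates would be the stronger choice
crypto isakmp key GETVPN_PSK address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set GETVPN_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN_PROFILE
 set transform-set GETVPN_TS
!
! RSA pair that signs rekey messages, generated first in exec mode:
!   crypto key generate rsa general-keys label GETVPN_REKEY modulus 2048 exportable
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey authentication mypubkey rsa GETVPN_REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN_PROFILE
   match address ipv4 GETVPN_TRAFFIC
   ! time-based anti-replay: per-peer counters do not work when one SA is shared by the whole group
   replay time window-size 5
  address ipv4 10.255.0.1
!
! Policy pushed to every group member. Because the original IP header is kept,
! GDOI (UDP 848) and ISAKMP (UDP 500) must be excluded, otherwise members would
! try to encrypt their own registration to the key server. Exclude routing
! protocols running over the underlay the same way.
ip access-list extended GETVPN_TRAFFIC
 deny   udp any eq 848 any eq 848
 deny   udp any eq 500 any eq 500
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! ===== Group member (assumed hostname BRANCH1, WAN address 10.1.1.1) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN_PSK address 10.255.0.1
!
! No transform set and no crypto ACL here: both are downloaded from the key server at registration
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.255.0.1
!
crypto map GETVPN_MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet0/0
 description WAN toward the MPLS VPN / DMVPN core
 ip address 10.1.1.1 255.255.255.0
 crypto map GETVPN_MAP
!
! Checks: "show crypto gdoi ks members" on the key server lists registered members;
! "show crypto gdoi gm acl" on a member shows the ACL it downloaded and
! "show crypto gdoi" shows the current KEK/TEK lifetimes on either side.
```

The point to take from the two halves: the group member carries no policy of its own, only the identity number and the key server address. Everything else (transform set, crypto ACL, keys, rekey schedule) arrives from the key server, and because the packets keep their original source and destination, the MPLS VPN or DMVPN underneath has to be able to route them already.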
Can you make an example using PPTP?
Also, let's say that we have NAT and we are connecting using PPPoE, but on the internal LAN we have some servers we want to access from outside; do we need to implement static routing?
How can i use the Easy VPN to tunnel all the traffic from the client PC, not just to reach remote networks?
Especially when the VPN router is doing NAT as well.
Traffic will enter and leave the same interface, like a hairpin.
By default, all traffic will be tunneled unless you configure split tunneling.
Can you provide a scenario of a site-to-site VPN using Easy VPN? Thanks.
I have set up a site-to-site VPN using Easy VPN in a production environment.
Easy VPN for a site-to-site VPN is created using the Cisco Configuration Professional (CCP) GUI for Cisco routers. You connect to both the VPN server and the VPN client routers individually and enter commands using the wizards provided. You can find out more about creating a site-to-site VPN with Easy VPN on CCP here.
The configuration I implemented required a group of 7 PCs at a remote site to connect to internal network resources (finance server and internal email) at company headquarters. I created a VPN server using Easy VPN at the head office location. Using an ADSL connection at the remote site, I used Easy VPN to configure the client ADSL router. The result was that the seven PCs were connected to an internal subnet of headquarters such that their communication with the rest of the network was as if they were physically located within the company WAN.
I hope this has been helpful.
Can you post the configuration as it shows up in the CLI of the central and remote sites?
Here’s an excerpt from the client side VPN router, that is, the ADSL router at the remote site. Of course it has been sanitised…
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 XXXXXXXX
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
!
crypto pki trustpoint TP-self-signed-3860321116
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3860321116
 revocation-check none
 rsakeypair TP-self-signed-3860321116
!
crypto pki certificate chain TP-self-signed-3860321116
 certificate self-signed 01
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  quit
dot11 syslog
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.96.1.73 10.96.1.74
!
ip dhcp pool sdm-pool
 import all
 network 10.96.1.72 255.255.255.248
 default-router 10.96.1.73
 dns-server 10.96.0.66 XXXXXXXXXX
!
ip domain name XXXXXXXXX.com
ip name-server XXXXXXXXX
ip name-server 10.96.0.66
!
multilink bundle-name authenticated
!
username name privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
username name2 privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
 connect auto
 group VPN_Group key XXXXXXX
 mode network-extension
 peer 10.96.0.15
 peer 10.96.0.13
 virtual-interface 2
 username name password XXXXXXXXXXXXXXX
 xauth userid mode local
!
archive
 log config
  hidekeys
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.4 point-to-point
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template2 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.96.1.73 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
!
interface Dialer3
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname XXXXXXXXXXXXXXXXXXXXXXXXXX
 ppp chap password 0 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3 2
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface Dialer3 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.96.1.72 0.0.0.7
access-list 101 permit ip any 10.0.0.0 0.255.255.255
access-list 101 deny ip any any
dialer-list 1 protocol ip permit
snmp-server community XXXXXXXX RO
no cdp run
!
control-plane
!
banner login C----------------------------------------------------------------
XXXXXXXXXXXXXXXXXXXX
-----------------------------------------------------------------------
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end
I was unable to get access to the VPN server today, but when I do I will post that as well.
I hope this has been helpful!
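The server side never got posted in this thread, so here is an added example of the matching hub configuration. It is not the poster's actual headquarters config; it is an IOS Easy VPN server built on a dynamic virtual template, written to match the posted client (group VPN_Group, network-extension mode, XAUTH user "name", client virtual-interface). IOS 15.x syntax is assumed, and the EZVPN_* names, the LAN interface GigabitEthernet0/1, the HQ range 10.96.0.0/16 and the placeholder secrets are assumptions; the Internet-facing interface that carries the address the client dials as "peer" is left out. It also answers the earlier question about tunneling all client traffic: with no acl line in the group, everything from the remote LAN goes through the tunnel.

```text
! Easy VPN server (hub). Assumed: IOS 15.x, LAN interface GigabitEthernet0/1,
! all EZVPN_* names and the 10.96.0.0/16 HQ range are assumptions.
aaa new-model
aaa authentication login EZVPN_XAUTH local
aaa authorization network EZVPN_GROUP local
!
! XAUTH account used by the client's "username name password ..." line.
! It exists only for XAUTH, so leave it at the default privilege level.
username name secret XXXXXXXX
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Must match the client's "group VPN_Group key ..." line.
! Without "acl", every packet from the remote LAN is sent through the tunnel;
! enable it only if the remote site should reach the Internet directly (split tunneling).
crypto isakmp client configuration group VPN_Group
 key XXXXXXX
! acl EZVPN_SPLIT
!
crypto isakmp profile EZVPN_ISAKMP
 match identity group VPN_Group
 client authentication list EZVPN_XAUTH
 isakmp authorization list EZVPN_GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set EZVPN_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_TS
 set isakmp-profile EZVPN_ISAKMP
!
! One Virtual-Access interface is cloned from this template for each connected client.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN_PROFILE
!
! Split-tunnel ACL, only used if the "acl" line above is enabled:
! source = HQ networks the remote LAN should reach through the tunnel.
ip access-list extended EZVPN_SPLIT
 permit ip 10.96.0.0 0.0.255.255 any
!
! Checks once the remote router has connected:
!   show crypto session            -> one session per client, state UP-ACTIVE
!   show ip route static           -> the client LAN 10.96.1.72/29 via a Virtual-Access interface
!                                     (injected by the server for network-extension clients)
!   show crypto ipsec client ezvpn -> on the remote router, shows the pushed attributes
```

Two things worth checking against the posted client config: the client has "ip nat inside" on Vlan1 and overload NAT on Dialer3, so the NAT ACL (access-list 1) must not translate traffic that is meant for the tunnel, otherwise the hub sees the client's dialer address instead of 10.96.1.72/29; and the client's "ip tcp adjust-mss 1412" on Vlan1 is what keeps TCP inside the tunnel from fragmenting over the PPPoE link, so keep an equivalent on the hub's virtual template if large transfers stall.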
Thanks Laz, very helpful.
Can you please give an example of using IKEv2 instead of IKEv1?
Until @ReneMolenaar creates a lesson that shows the differences in implementation of IKEv1 and IKEv2 on Cisco devices, take a look at this Cisco Documentation that compares configs for IKEv1 and IKEv2 on Cisco IOS devices. The connections in each case are made with strongSwan devices, but you can see the differences in the configs on the IOS side of the connections.
I hope this has been helpful!
Thanks for the answer, Laz.
I will definitely be excited about this lesson, but for now I only want to know how to connect a VPN from my Windows 10 machine to the router using IKEv2, because the Cisco VPN Client is end of sale and not used these days!
Thanks for the lesson. Can you please check why this image is not displaying in the article?
Thanks for letting us know. We’ll get it fixed ASAP.
Thank you Thierry, I just fixed this image.