SECS04L08 - Configuring Cisco Easy VPN Remote Access
Client mode
– Specifies that NAT or PAT be used
– Client automatically configures the NAT or PAT translation and the ACLs needed to implement the VPN tunnel
– ip nat inside command applied to all inside interfaces
– ip nat outside command applied to the interface configured for Cisco Easy VPN Remote
Network extension mode
– Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses
– PAT not used
Network extension plus mode
– Additional capability of being able to request an IP address via mode configuration and automatically assign it to an available loopback interface
– IPsec SAs for this IP address automatically created by Cisco Easy VPN Remote
– IP address typically used for troubleshooting (using ping, Telnet, and SSH)
[Figure: two Cisco Easy VPN topologies. In each, a Cisco 831 Ethernet Broadband Router at the telecommuter site builds a VPN tunnel to the Cisco Easy VPN Server at headquarters (corporate router with Cisco Secure ACS). Telecommuter hosts are shown as 192.168.1.X in the first topology and 10.0.1.X in the second; headquarters hosts are 10.0.1.X.]
Cisco Easy VPN connection flow (remote PC with Cisco Easy VPN Remote Client v4.x to a Cisco Easy VPN Server running Cisco IOS Release 12.3(11)T):
1. Cisco VPN Client initiates IKE aggressive mode for preshared keys or main mode for PKI
2. Multiple ISAKMP proposals
3. ISAKMP SA is established; server authenticates device, then user
4. Server prompts for username and password; client sends credentials; server replies Accept/Reject
5. Client requests remaining parameters; mode configuration supplies IP address, DNS, etc.
6. RRI: route to client is injected into routing table
7. IPsec SA is established (quick mode IPsec SA establishment)
[Figure: VPN tunnel between R6 (VPN Client) and R1 (VPN Server), each connected via Fa0/1]
Cisco IOS message: Waiting for valid Xauth username and password.
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.30.1.2 port 500
IKE SA: local 172.30.6.2/500 remote 172.30.1.2/500
Active
IPSEC FLOW: permit ip host 10.0.1.100 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.30.1.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.30.1.2
Desc: (none)
IKE SA: local 172.30.6.2/500 remote 172.30.1.2/500 Active
Capabilities:C connid:0 lifetime:23:38:45
IPSEC FLOW: permit ip host 10.0.1.100 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4377612/2365
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4377612/2365
!
interface FastEthernet0/0
description Inside
ip address 10.0.6.2 255.255.255.0
crypto ipsec client ezvpn R6-Client inside
!
interface FastEthernet0/1
description Outside
ip address 172.30.6.2 255.255.255.0
crypto ipsec client ezvpn R6-Client
!
!
end
Easy VPN Server settings on R1 (from the configuration wizard screens):
– Remote clients address pool: Remote-Pool, 10.0.1.100 to 10.0.1.150
– Group: VPN-REMOTE-ACCESS
– Secondary DNS / Microsoft WINS: 10.0.1.14
– IKE policy 10: authentication pre-shared keys, encryption 3DES, Diffie-Hellman group 2, other settings default
– Transform set VPNTRANSFORM: esp-3des esp-sha-hmac, with reverse-route
– Crypto map ClientMP applied to Fa0/1 on R1, facing the remote client
– DPD between R1 and the remote client: 2) DPD reply: Yes, I am here.
  router(config)# crypto isakmp keepalive secs retries
  keepalive interval: 20 seconds
– VPN user group: VPNUSERS
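The server-side settings above (policy 10, VPNTRANSFORM with reverse-route, Remote-Pool, group VPN-REMOTE-ACCESS, crypto map ClientMP on Fa0/1, the 20-second keepalive) assembled into one Cisco IOS Easy VPN Server configuration, with the matching client-mode Easy VPN Remote profile from the R6 configuration shown earlier; this is an added example, not a configuration from the original slides. The AAA list name VPN-XAUTH, the dynamic map name DYNMAP, the primary DNS 10.0.1.10, the keepalive retry interval of 3 seconds, the username and both secrets are assumed placeholders; R1's outside address 172.30.1.2 is the peer shown in the session output.

```cisco
! ---- R1 (Cisco Easy VPN Server), added example; list names, user,
! ---- key and primary DNS (10.0.1.10) are assumed placeholders ----
aaa new-model
aaa authentication login VPN-XAUTH local
aaa authorization network VPNUSERS local
username vpnuser secret CHANGE-ME-XAUTH-PASSWORD
!
! ISAKMP policy 10: pre-shared keys, 3DES, DH group 2 (rest default)
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
! DPD: send a keepalive after 20 s idle; 3 s retry interval is assumed
crypto isakmp keepalive 20 3
!
! Group pushed to clients by mode configuration (step 5 of the flow)
crypto isakmp client configuration group VPN-REMOTE-ACCESS
 key CHANGE-ME-GROUP-PRESHARED-KEY
 dns 10.0.1.10 10.0.1.14
 wins 10.0.1.14
 pool Remote-Pool
ip local pool Remote-Pool 10.0.1.100 10.0.1.150
!
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
! Dynamic map: reverse-route injects a host route to each client (step 6)
crypto dynamic-map DYNMAP 10
 set transform-set VPNTRANSFORM
 reverse-route
!
! Xauth (step 4), group authorization and address assignment on ClientMP
crypto map ClientMP client authentication list VPN-XAUTH
crypto map ClientMP isakmp authorization list VPNUSERS
crypto map ClientMP client configuration address respond
crypto map ClientMP 10 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet0/1
 description Outside
 ip address 172.30.1.2 255.255.255.0
 crypto map ClientMP
!
! ---- R6 (Cisco Easy VPN Remote) counterpart profile, client mode ----
crypto ipsec client ezvpn R6-Client
 connect auto
 group VPN-REMOTE-ACCESS key CHANGE-ME-GROUP-PRESHARED-KEY
 mode client
 peer 172.30.1.2
 username vpnuser password CHANGE-ME-XAUTH-PASSWORD
```

Once both sides are up, "show crypto session detail" on R6 should report the IKE SA to 172.30.1.2 and an IPSEC FLOW for the assigned pool address, as in the output shown earlier.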