
SECS04L08 - Configuring Cisco Easy VPN Remote Access


Secured Connectivity

Configuring Cisco Easy VPN Remote Access

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—4-1


Cisco Easy VPN Components

Cisco Easy VPN is made up of two components:

• Cisco Easy VPN Server: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3000 Series Concentrators to act as VPN headend devices in site-to-site or remote-access VPNs, where the remote office devices are using the Cisco Easy VPN Remote feature.
• Cisco Easy VPN Remote: Enables Cisco IOS routers, Cisco ASA/Cisco PIX Firewall, and Cisco VPN 3002 Hardware Clients or Cisco VPN Software Clients to act as remote VPN clients.


Remote Access Using Cisco Easy VPN

(Diagram: a PC running Cisco Easy VPN Remote Client v4.x and Cisco 800, 1800 and 2600 series routers running Cisco Easy VPN Remote connect to headquarters, where the headend is a Cisco IOS router with Cisco Easy VPN Server, a Cisco ASA, or a Cisco VPN Concentrator.)


Cisco Easy VPN Remote Modes of Operation

• Client mode
  – Specifies that NAT or PAT be used
  – Client automatically configures the NAT or PAT translation and the ACLs needed to implement the VPN tunnel
    • ip nat inside command applied to all inside interfaces
    • ip nat outside command applied to the interface configured for Cisco Easy VPN Remote
• Network extension mode
  – Specifies that the hosts at the client end of the VPN connection use fully routable IP addresses
  – PAT not used
• Network extension plus mode
  – Additional capability of being able to request an IP address via mode configuration and automatically assign it to an available loopback interface
  – IPsec SAs for this IP address automatically created by Cisco Easy VPN Remote
  – IP address typically used for troubleshooting (using ping, Telnet, and SSH)

The choice of mode sets the trust boundary: in client mode the remote LAN is hidden behind the single address pushed by the server, so headquarters cannot initiate connections to remote hosts; in the network extension modes every remote host is routable from the headend side.


Cisco Easy VPN Remote Client Mode

(Diagram: hosts on 192.168.1.X behind a Cisco 831 Ethernet Broadband Router at 192.168.1.2; their traffic is translated by NAT or PAT to a 10.0.1.X address before it enters the VPN tunnel to the Cisco Easy VPN Server.)

• Uses NAT or PAT


Cisco Easy VPN Remote Network Extension Mode

(Diagram: hosts on 10.0.1.X behind a Cisco 831 Ethernet Broadband Router keep their 10.0.1.X addresses across the VPN tunnel to the Cisco Easy VPN Server; no translation takes place.)

• Provides a seamless extension of the remote network


Cisco Easy VPN Remote Web-Based Activation

(Diagram: a telecommuter behind an Easy VPN Remote router tries to reach a web server, www.Cisco.com in the diagram; the router brings up the VPN tunnel to the corporate router at headquarters, and the user is authenticated against a Cisco Secure Access Control Server (ACS) using RADIUS.)


Web-Based Activation (screenshots not reproduced)

The screens shown in the course, in order:
Web-Based Activation
Authentication Bypass
User Authentication
Successful Authentication
Deactivation


Cisco Easy VPN Remote Connection Process

(Diagram: Cisco Easy VPN Clients, Cisco Easy VPN Server and Cisco Secure ACS. The server authenticates the device first, then the user.)

1. The Cisco VPN Client initiates IKE aggressive mode for preshared keys, or main mode for PKI.
2. Multiple ISAKMP proposals are exchanged.
3. The ISAKMP SA is established.
4. The server prompts for username and password (XAUTH); the credentials are checked and the server returns Accept or Reject.
5. The client requests the remaining parameters (mode configuration).
6. The server pushes the IP address, DNS and other attributes; RRI injects a route to the client into the routing table.
7. The IPsec SA is established.

With preshared keys the group key is shared by every user of the group, and aggressive mode carries the identity hash unencrypted, so anyone who captures the exchange can attack the group key offline; PKI with main mode avoids both weaknesses. The user is authenticated (step 4) only after the device has proven possession of the group key (steps 1 to 3).
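The sequence above, modelled in Python as an added example that is not part of the course material or Cisco's implementation: a minimal headend that authenticates the device by group key, then the user by XAUTH, then leases a pool address, pushes the group attributes and injects the RRI host route. The GROUPS and USERS tables, the pool range, and the class and method names are assumptions constructed to match the lab values used later in this module (group R6, key VPNKEY, pool 10.0.1.100 to 10.0.1.150, DNS/WINS 10.0.1.13 and 10.0.1.14).

```python
"""Model of the Easy VPN connection sequence: the server authenticates the
device (group pre-shared key), then the user (XAUTH), pushes mode configuration
from the group policy, and injects a host route to the client (RRI) before the
IPsec SA comes up.  Added illustration, not Cisco's implementation; the group,
user and pool values are constructed to match the lab on this page."""

import ipaddress
from dataclasses import dataclass, field

# Constructed group policy, matching 'crypto isakmp client configuration group R6'
# and 'ip local pool Remote-Pool 10.0.1.100 10.0.1.150' later in this module.
GROUPS = {
    "R6": {
        "key": "VPNKEY",
        "dns": ["10.0.1.13", "10.0.1.14"],
        "wins": ["10.0.1.13", "10.0.1.14"],
        "domain": "cisco.com",
        "pool": ("10.0.1.100", "10.0.1.150"),
        "save_password": True,
    }
}
# Constructed local user database ('username cisco password 0 cisco').
USERS = {"cisco": "cisco"}


@dataclass
class EasyVpnServer:
    groups: dict
    users: dict
    routes: dict = field(default_factory=dict)   # RRI: host route -> next hop
    leased: set = field(default_factory=set)     # pool addresses in use

    def ike_phase1(self, group, key):
        """Steps 1-3: device authentication with the group pre-shared key."""
        policy = self.groups.get(group)
        return policy is not None and policy["key"] == key

    def xauth(self, username, password):
        """Step 4: user authentication against the AAA login list (local here)."""
        return self.users.get(username) == password

    def mode_config(self, group, peer_ip):
        """Steps 5-6: lease a pool address, push group attributes, inject RRI."""
        policy = self.groups[group]
        first, last = (int(ipaddress.ip_address(a)) for a in policy["pool"])
        for n in range(first, last + 1):
            addr = str(ipaddress.ip_address(n))
            if addr not in self.leased:
                break
        else:
            return None                          # pool exhausted
        self.leased.add(addr)
        self.routes[addr + "/32"] = peer_ip      # reverse route injection
        return {
            "address": addr, "mask": "255.255.255.255",
            "dns": policy["dns"], "wins": policy["wins"],
            "domain": policy["domain"], "save_password": policy["save_password"],
        }

    def connect(self, group, key, username, password, peer_ip):
        """Run the whole sequence; returns (state, pushed attributes or None)."""
        if not self.ike_phase1(group, key):
            return "IKE_FAILED", None            # bad group key: never reaches XAUTH
        if not self.xauth(username, password):
            return "XAUTH_REJECTED", None        # device accepted, user rejected
        attrs = self.mode_config(group, peer_ip)
        if attrs is None:
            return "POOL_EXHAUSTED", None
        return "IPSEC_ACTIVE", attrs             # step 7: IPsec SA established


if __name__ == "__main__":
    hq = EasyVpnServer(GROUPS, USERS)
    print(hq.connect("R6", "VPNKEY", "cisco", "cisco", "172.30.6.2"))
    print(hq.routes)
```

The ordering in connect is the point of the diagram: a wrong group key fails in phase 1 and the user is never prompted, a wrong user password fails after the ISAKMP SA exists, and only a fully authenticated client gets an address and a reverse route.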


IPsec Quick Mode Completes the Connection

(Diagram: a remote PC running Cisco Easy VPN Remote Client v4.x and a Cisco IOS Release 12.3(11)T Cisco Easy VPN Server run quick mode to establish the IPsec SA; the VPN tunnel then carries traffic.)

• After the configuration parameters have been successfully received by the Cisco VPN Client, IPsec quick mode is initiated to negotiate IPsec SA establishment.
• After IPsec SA establishment, the VPN connection is complete.


Cisco Easy VPN Remote Configuration
General Tasks for Access Routers

• Configure the DHCP server pool.
• Configure the Cisco Easy VPN Remote client profile.
  – Group and key
  – Peer
  – Mode
  – Manual or automatic tunnel control
• Assign the Cisco Easy VPN Remote client profile to the interfaces.
• Verify the Cisco Easy VPN configuration.


Create a DHCP Server Pool

(Topology: R6 (VPN Client) with 10.0.6.2 on its inside LAN 10.0.6.0, the 172.30.0.0 network between R6 and R1, and R1 (VPN Server) in front of 10.0.1.0.)

R6(config)# ip dhcp pool Local-Pool
R6(dhcp-config)# network 10.0.6.0 255.255.255.0
R6(dhcp-config)# default-router 10.0.6.2
R6(dhcp-config)# exit
R6(config)# ip dhcp excluded-address 10.0.6.2


Configure the Cisco Easy VPN Client
Profile

(Topology: R6 connects from Fa0/1 to the Easy VPN Server R1 at 172.30.1.2. Profile R6-Client: Group R6, Peer 172.30.1.2, Key VPNKEY, Mode client. The diagram label reads MYVPNKEY, but the commands below and the server group definition later in the module both use VPNKEY; the key must match on both ends.)

R6(config)# crypto ipsec client ezvpn R6-Client
R6(config-crypto-ezvpn)# group R6 key VPNKEY
R6(config-crypto-ezvpn)# peer 172.30.1.2
R6(config-crypto-ezvpn)# mode client
R6(config-crypto-ezvpn)# connect auto
R6(config-crypto-ezvpn)# end


Assign Cisco Easy VPN Remote to an
Interface

(Topology: profile R6-Client is applied to the outside interface Fa0/1 of R6, which faces R1 across 172.30.0.0; the inside interface faces 10.0.6.0.)

R6(config)# interface FastEthernet 0/1
R6(config-if)# crypto ipsec client ezvpn R6-Client
R6(config-if)# exit
R6(config)# interface FastEthernet 0/0
R6(config-if)# crypto ipsec client ezvpn R6-Client inside
R6(config-if)# end


(Optional) Configure XAUTH Save
Password Feature

(Topology: the same R6 to R1 lab as above; the XAUTH username and password are stored in the R6-Client profile.)

R6(config)# crypto ipsec client ezvpn R6-Client
R6(config-crypto-ezvpn)# username cisco password 0 cisco
R6(config-crypto-ezvpn)# end

Storing the XAUTH credential in the profile removes the interactive prompt, but the router configuration then holds a valid user credential in cleartext (password type 0), so anyone who can read the running configuration or a backup of it holds that user's credential.


(Optional) Initiate the VPN Tunnel
(XAUTH)
01:34:42: EZVPN: Pending XAuth Request, Please enter
the following command:

01:34:42: EZVPN: crypto ipsec client ezvpn xauth

• Cisco IOS message: Waiting for valid Xauth username and password.

R6# crypto ipsec client ezvpn xauth
Enter Username and Password: vpnusers
Password: ********

• With XAUTH: When the SA expires, the username and password must be entered manually.
• With XAUTH Save Password enabled: When the SA expires, the last valid username and password are reused automatically.


Verify Cisco Easy VPN Operation

R6# show crypto ipsec client ezvpn
Easy VPN Remote Phase: 6

Tunnel name : R6-Client
Inside interface list: FastEthernet0/0
Outside interface: FastEthernet0/1
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 10.0.1.100
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Allowed
Current EzVPN Peer: 172.30.1.2


Verify Cisco Easy VPN Operation (Cont.)

R6# show crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.30.1.2 port 500
IKE SA: local 172.30.6.2/500 remote 172.30.1.2/500 Active
IPSEC FLOW: permit ip host 10.0.1.100 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map


Verify Cisco Easy VPN Operation (Cont.)
R6# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.30.1.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.30.1.2
Desc: (none)
IKE SA: local 172.30.6.2/500 remote 172.30.1.2/500 Active
Capabilities:C connid:0 lifetime:23:38:45
IPSEC FLOW: permit ip host 10.0.1.100 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4377612/2365
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4377612/2365
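A parser and go/no-go check for this output, as an added example and not Cisco tooling. SAMPLE is the show crypto session detail output from this slide, embedded so the script runs offline; the function names and the list of expected capability codes are assumptions. check_session expects the codes the server tasks in this module configure: C (mode configuration), X (XAUTH) and D (DPD). The sample output reports only C, so the check reports X and D as not shown, which is the prompt to confirm those settings on the headend.

```python
"""Parser and go/no-go check for 'show crypto session detail'.
Added example, not Cisco tooling.  SAMPLE is the output shown on this page,
constructed here so the code runs offline."""

import re

SAMPLE = """\
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 172.30.1.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 172.30.1.2
Desc: (none)
IKE SA: local 172.30.6.2/500 remote 172.30.1.2/500 Active
Capabilities:C connid:0 lifetime:23:38:45
IPSEC FLOW: permit ip host 10.0.1.100 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4377612/2365
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4377612/2365
"""

CAP_NAMES = {"C": "IKE configuration mode", "D": "dead peer detection",
             "K": "keepalives", "N": "NAT traversal", "X": "IKE extended authentication"}


def _grab(pattern, text, conv=str):
    """First capture group of pattern (multiline), converted, or None."""
    m = re.search(pattern, text, re.M)
    return conv(m.group(1)) if m else None


def parse_crypto_session(text):
    """Extract the fields that decide whether the tunnel is usable."""
    caps = _grab(r"^Capabilities:(\S*)", text) or ""
    return {
        "interface": _grab(r"^Interface: (\S+)", text),
        "status": _grab(r"^Session status: (\S+)", text),
        "peer": _grab(r"^Peer: (\S+) port \d+", text),
        "ike_local": _grab(r"^IKE SA: local (\S+) remote", text),
        "ike_remote": _grab(r"^IKE SA: local \S+ remote (\S+)", text),
        # IOS prints '(none)' when no capability was negotiated
        "capabilities": set() if caps.startswith("(") else set(caps),
        "ike_lifetime": _grab(r"lifetime:(\d+:\d+:\d+)", text),
        "flow": _grab(r"^IPSEC FLOW: (.+)$", text),
        "active_sas": _grab(r"^Active SAs: (\d+)", text, int) or 0,
        "pkts_in": _grab(r"#pkts dec'ed (\d+)", text, int) or 0,
        "pkts_out": _grab(r"#pkts enc'ed (\d+)", text, int) or 0,
        "drops": (_grab(r"dec'ed \d+ drop (\d+)", text, int) or 0)
                 + (_grab(r"enc'ed \d+ drop (\d+)", text, int) or 0),
    }


def check_session(s, want=("C", "X", "D")):
    """Findings a practitioner would act on; an empty list means the tunnel looks right.
    'want' lists the capability codes the headend was configured for: C (mode
    configuration), X (XAUTH) and D (DPD) in the server tasks of this module."""
    findings = []
    if s["status"] != "UP-ACTIVE":
        findings.append(f"session status is {s['status']}, not UP-ACTIVE")
    if s["active_sas"] == 0:
        findings.append("no active IPsec SAs")
    for cap in want:
        if cap not in s["capabilities"]:
            findings.append(f"{CAP_NAMES[cap]} ({cap}) not shown for this session")
    if s["drops"]:
        findings.append(f"{s['drops']} packets dropped on the IPsec SAs")
    return findings


if __name__ == "__main__":
    session = parse_crypto_session(SAMPLE)
    for finding in check_session(session) or ["tunnel OK"]:
        print(finding)
```

Run it against the saved output of show crypto session detail from each remote; a session that is UP-ACTIVE but lacks X means the headend did not enforce XAUTH for that peer, which is worth checking before trusting the tunnel.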



Cisco Easy VPN Remote Configuration
Example
!
username cisco password 0 cisco
ip domain-name cisco.com
ip dhcp excluded-address 10.0.6.2
!
ip dhcp pool Local-Pool
import all
network 10.0.6.0 255.255.255.0
default-router 10.0.6.2
!
crypto ipsec client ezvpn R6-Client
connect auto
group R6 key VPNKEY
mode client
peer 172.30.1.2
username cisco password cisco
xauth userid mode local
!



Cisco Easy VPN Remote Configuration
Example (Cont.)

!
interface FastEthernet0/0
description Inside
ip address 10.0.6.2 255.255.255.0
crypto ipsec client ezvpn R6-Client inside
!
interface FastEthernet0/1
description Outside
ip address 172.30.6.2 255.255.255.0
crypto ipsec client ezvpn R6-Client
!
!
end



Cisco Easy VPN Server—
General Configuration Tasks
The following general tasks are used to configure Cisco Easy VPN Server on a Cisco router:

• (Optional) Create IP address pool for connecting clients
• Enable group policy lookup via AAA
• Create an ISAKMP policy for remote VPN Client access
• Define a group policy for mode configuration push
• Apply mode configuration and XAUTH
• Enable RRI for the client
• Enable IKE DPD
• Configure XAUTH
• (Optional) Enable the XAUTH Save Password feature


Create IP Address Pool

(Diagram: R1 hands remote clients addresses from the pool Remote-Pool, 10.0.1.100 to 10.0.1.150.)

R1(config)# ip local pool Remote-Pool 10.0.1.100 10.0.1.150

• Creating a local address pool is optional if you are using an external DHCP server.


Configure Group Policy Lookup
(Diagram: remote clients in group VPN-REMOTE-ACCESS are authenticated and authorized by R1.)

R1(config)# aaa new-model
R1(config)# aaa authentication login vpn-users local
R1(config)# aaa authorization network vpn-group local
R1(config)# username cisco password 0 cisco


Define Group Policy for Mode
Configuration Push

Contains the following steps:

Step 1: Add the group profile to be defined.
Step 2: Configure the ISAKMP pre-shared key.
Step 3: Specify the DNS servers.
Step 4: Specify the Microsoft WINS servers.
Step 5: Specify the DNS domain.
Step 6: Specify the local IP address pool.


Add the Group Profile to Be Defined
(Diagram: R1 pushes the primary DNS/Microsoft WINS server 10.0.1.13 and the secondary DNS/Microsoft WINS server 10.0.1.14 to remote clients.)

R1(config)# crypto isakmp client configuration group R6
R1(config-isakmp-group)# key VPNKEY
R1(config-isakmp-group)# dns 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# wins 10.0.1.13 10.0.1.14
R1(config-isakmp-group)# domain cisco.com
R1(config-isakmp-group)# pool Remote-Pool
R1(config-isakmp-group)# save-password


Create ISAKMP Policy for Remote VPN
Client Access

(Diagram: remote clients negotiate ISAKMP policy 10 with R1. Authentication: pre-shared keys; Encryption: 3DES; Diffie-Hellman: group 2; other settings: default.)

R1(config)# crypto isakmp enable
R1(config)# crypto isakmp policy 10
R1(config-isakmp)# authentication pre-share
R1(config-isakmp)# encryption 3des
R1(config-isakmp)# group 2
R1(config-isakmp)# end

3DES and Diffie-Hellman group 2 (1024-bit modulus) are the 2007 lab values; a current deployment should select AES and a larger DH group, provided the remote clients support them.


Create Transform Sets

(Diagram: transform set VPNTRANSFORM on R1: esp-3des esp-sha-hmac.)

R1(config)# crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
R1(cfg-crypto-trans)# end


Create Dynamic Crypto Map with RRI

Contains the following steps:

Step 1: Create a dynamic crypto map.
Step 2: Assign a transform set.
Step 3: Enable RRI.


Step 1: Create a Dynamic Crypto Map

(Diagram: dynamic crypto map Dynamic-Map 10 on R1 with transform-set VPNTRANSFORM and reverse-route.)

R1(config)# crypto dynamic-map Dynamic-Map 10
R1(config-crypto-map)# set transform-set VPNTRANSFORM
R1(config-crypto-map)# reverse-route
R1(config-crypto-map)# end


Apply Mode Configuration and XAUTH

Contains the following steps:

Step 1: Configure the router to respond to mode configuration requests.
Step 2: Enable IKE querying for a group policy.
Step 3: Enforce XAUTH.
Step 4: Apply the dynamic crypto map to the crypto map.


Applying Mode Configuration

R1(config)# crypto map ClientMap client configuration address respond
R1(config)# crypto map ClientMap isakmp authorization list vpn-group
R1(config)# crypto map ClientMap client authentication list vpn-users
R1(config)# crypto map ClientMap 65535 ipsec-isakmp dynamic Dynamic-Map

The list names must match the AAA lists defined earlier: vpn-group is the network authorization list that returns the group policy, and vpn-users is the login authentication list that XAUTH consults.


Apply the Crypto Map to Router Outside
Interface

(Diagram: crypto map ClientMap applied to the outside interface Fa0/1 of R1, facing the remote client.)

R1(config)# interface FastEthernet 0/1
R1(config-if)# crypto map ClientMap
R1(config-if)# end


Enable ISAKMP DPD

(Diagram: 1) DPD send from R1 to the remote client: "Are you there?"  2) DPD reply: "Yes, I am here.")

router(config)#
crypto isakmp keepalive secs retries

R1(config)# crypto isakmp keepalive 20 10

In the example, R1 sends a DPD request after 20 seconds without traffic from the peer (on-demand DPD is the default) and, if no reply arrives, retries every 10 seconds before declaring the peer dead and tearing down its SAs.


Configure XAUTH

Step 1: Enable AAA login authentication.
Step 2: Set the XAUTH timeout value.
Step 3: Enable ISAKMP XAUTH for the dynamic crypto map.


Step 1: Enable AAA Login Authentication

(Diagram: remote clients are authenticated by R1 against the VPN user group VPNUSERS.)

R1(config)# aaa authentication login VPNUSERS local


Step 2: Set XAUTH Timeout Value

(Diagram: R1 gives a remote client in VPN user group VPNUSERS 20 seconds to answer the XAUTH prompt.)

R1(config)# crypto isakmp xauth timeout 20


Step 3: Enable ISAKMP XAUTH for
Crypto Map

(Diagram: crypto map CLIENTMAP on R1 authenticates remote clients against VPN user group VPNUSERS.)

R1(config)# crypto map CLIENTMAP client authentication list VPNUSERS

This slide uses the names CLIENTMAP and VPNUSERS where the earlier example used ClientMap and vpn-users; in a real configuration the crypto map name and the AAA list name must be the ones actually defined.


(Optional) Enable XAUTH Save Password

(Diagram: R1 enables save-password for group VPN-REMOTE-ACCESS.)

R1(config)# crypto isakmp client configuration group VPN-REMOTE-ACCESS
R1(config-isakmp-group)# save-password

• This step could have been completed in Step 1 of Task 4, following the crypto isakmp client configuration group command. The group name must be the one the clients present (R6 in the earlier example).
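An audit of the Easy VPN Remote configuration example (R6) and the Easy VPN Server settings (R1) built up above, as an added example that is not Cisco code. REMOTE_CFG and SERVER_CFG are constructed from the commands on these slides; the rule set, severities and message wording are assumptions. It flags the points a reviewer would raise on this configuration: cleartext and username-equal passwords, the cached XAUTH credential, the shared group key stored in clear, 3DES, DH group 2, and (if it were missing) the DPD keepalive.

```python
"""Audit of the Easy VPN Remote (R6) and Server (R1) settings shown on this page.
Added example, not Cisco code: it reads running-config text and flags settings
a reviewer would question.  The sample configs are constructed from the slides."""

import re

REMOTE_CFG = """\
username cisco password 0 cisco
ip domain-name cisco.com
crypto ipsec client ezvpn R6-Client
 connect auto
 group R6 key VPNKEY
 mode client
 peer 172.30.1.2
 username cisco password cisco
 xauth userid mode local
"""

SERVER_CFG = """\
aaa new-model
aaa authentication login vpn-users local
aaa authorization network vpn-group local
username cisco password 0 cisco
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
crypto isakmp client configuration group R6
 key VPNKEY
 pool Remote-Pool
 save-password
crypto isakmp keepalive 20 10
crypto ipsec transform-set VPNTRANSFORM esp-3des esp-sha-hmac
crypto map ClientMap client authentication list vpn-users
"""

USERNAME_RE = re.compile(r"^username (\S+) password (?:0 )?(\S+)$")   # type 0 = cleartext
TYPE7_RE = re.compile(r"password 7 \S+$")
LEGACY_CIPHER_RE = re.compile(r"\b(3des|des)\b")
SMALL_DH_RE = re.compile(r"^group ([125])$")
PSK_RE = re.compile(r"\bkey (\S+)$")


def audit_ios_config(cfg):
    """Return (severity, line, message) for every setting worth a second look."""
    findings = []
    section = ""          # most recent top-level (unindented) command
    has_dpd = False
    for raw in cfg.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            section = raw.strip()
        line = raw.strip()

        m = USERNAME_RE.match(line)
        if m:
            user, pw = m.groups()
            findings.append(("high", line, "cleartext password in configuration"))
            if pw.lower() == user.lower():
                findings.append(("high", line, "password equals username"))
        elif TYPE7_RE.search(line):
            findings.append(("medium", line, "type 7 password is reversible"))

        if section.startswith("crypto ipsec client ezvpn") and (m or line == "save-password"):
            findings.append(("medium", line, "XAUTH credential cached on the device"))
        if section.startswith("crypto isakmp client configuration group") and line == "save-password":
            findings.append(("medium", line, "save-password lets clients cache XAUTH credentials"))
        if section.startswith("crypto") and PSK_RE.search(line):
            findings.append(("medium", line,
                             "IKE group pre-shared key stored in clear; shared by all users of the group"))
        if line == "authentication pre-share":
            findings.append(("info", line,
                             "pre-shared-key IKE: Easy VPN clients use aggressive mode, so the group "
                             "key hash is exposed to offline guessing; prefer certificates"))
        if LEGACY_CIPHER_RE.search(line):
            findings.append(("medium", line, "legacy cipher (DES/3DES); use AES"))
        dm = SMALL_DH_RE.match(line)
        if dm and section.startswith("crypto isakmp policy"):
            findings.append(("medium", line,
                             f"Diffie-Hellman group {dm.group(1)} has a small modulus; use a larger group"))
        if line.startswith("crypto isakmp keepalive"):
            has_dpd = True
    if not has_dpd:
        findings.append(("low", "(absent)",
                         "no IKE DPD keepalive configured; dead peers hold their SAs until lifetime expiry"))
    return findings


if __name__ == "__main__":
    for sev, line, msg in audit_ios_config(REMOTE_CFG + SERVER_CFG):
        print(f"[{sev:6}] {line:55} {msg}")
```

The parser only tracks one level of indentation, which is enough for the crypto, ezvpn and isakmp-group blocks shown here; feed it the output of show running-config from a real router and extend the rules as needed.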


Configuring Cisco Easy VPN Remote for
the Cisco VPN Client v4.x: General Tasks

• Install Cisco VPN Client v4.x.
• Create a new client connection entry.
• Choose an authentication method.
• Configure transparent tunneling.
• Enable and add backup servers.
• Configure a connection to the Internet through dialup networking.


Cisco VPN Client screens (screenshots not reproduced), in order:
Install Cisco VPN Client (two screens)
Create a New Client Connection Entry (two screens)
Configure Client Authentication Properties
Mutual Group Authentication
Configure Transparent Tunneling
Routes Table


Summary

• Cisco Easy VPN simplifies the configuration of VPNs using routers as Easy VPN servers and clients.
• An access router can be configured as a Cisco Easy VPN remote client.
• The Cisco Easy VPN Server feature allows a remote end user to communicate using IPsec with any Cisco IOS VPN gateway.
• The Cisco VPN Client is simple to deploy and operate.

