No configuration changes are needed on the server to connect a HARDWARE device as a client or a PC with the SOFTWARE client installed as a client
Cisco proprietary VPN
IPsec RA (remote access) method
Any VPN client can be used
Cisco Easy VPN is an IP Security (IPsec) virtual private network (VPN) solution supported by Cisco routers and
security appliances. It greatly simplifies VPN deployment for remote offices and mobile workers. Cisco Easy
VPN is based on the Cisco Unity Client Framework, which centralizes VPN management across all Cisco VPN
devices, thus reducing the management complexity of VPN deployments. There are three components of the
Cisco Easy VPN solution: Easy VPN Client, Easy VPN Remote, and Easy VPN Server.
The Cisco Easy VPN Client enables mobile workers to create a remote-access VPN connection to a Cisco Easy
VPN Server. Cisco Easy VPN Client refers to the Cisco VPN Client, which is also commonly referred to as the
Cisco Software VPN Client.
The Cisco Easy VPN Remote enables Cisco routers and security appliances to establish a site-to-site VPN
connection to a Cisco Easy VPN Server without complex remote-side configuration. Cisco Easy VPN Remote is
also commonly referred to as a hardware client.
The Cisco Easy VPN Server accepts connections from the Cisco Easy VPN Client and Remote, and ensures that those
connections have up-to-date policies in place before the connections are established.
The Cisco Easy VPN solution uses the Mode-Configuration (Mode-Config) mechanism within the Internet Key
Exchange (IKE) to push policy (attributes) from the Easy VPN Server to the Easy VPN Client or Remote. Since
this policy is pushed to the client or the remote every time a new tunnel is created, it makes it easier to
propagate new policy changes. Mode-Config also enables the Client or the Remote to have minimal
configuration in order to establish the tunnel.
The attributes that can be pushed down through Mode-Config include: internal IP address, internal subnet mask,
Domain Name Server (DNS) addresses, Windows Internet Name Service (WINS) addresses, backup server list,
domain name, client firewall policy, Cisco IOS Software configuration and Split Tunneling.
- It can handle hardware and software clients
- Configured for Site to Site or Site to Remote Access
- There is no change in the S2S or S2RA configurations
- IPSec based VPN
- Server can be ROUTER/ASA
- Client can be ROUTER (H/w)/ASA 5505 (H/w)/VPN Clients (S/w)
- There are 3 phases for Easy VPN
  - Phase 1
  - Phase 1.5 (XAuth)
  - Phase 2
- Easy VPN hardware client can be in 3 modes
  - Client (Remote Access)
    - By default any client connecting to a server is in this mode
    - Gets an IP Address from the pool
    - PATing happens
    - Can only be initiated from the client
    - Loopback 10000 and NVI are formed
  - Network Extension (Site to Site)
    - No IP Address is assigned from the pool
    - No PATing happens
    - Bidirectional
    - Requires a large amount of address space
    - Only NVI formed
  - Network Extension Plus (Site to Site)
    - Receives an IP Address from the pool
    - PATing will NOT happen
    - Bidirectional
    - This is used when the client is configured to receive an IP from a DHCP server and thus could use different IP Addresses
    - Loopback 10000 and NVI are formed
NVI
The NAT Virtual Interface feature allows all NAT traffic flows on the virtual interface, eliminating the need to specify inside and outside domains. When a domain is specified, the translation rules are applied either before or after route decisions depending on the traffic flow from inside to outside or outside to inside. The translation rules are applied only after the route decision for an NVI. When a NAT pool is shared for translating packets from multiple networks connected to a NAT router, an NVI is created and a static route is configured that forwards all packets addressed to the NAT pool to the NVI. The standard interfaces connected to various networks will be configured to identify that the traffic originating and receiving on the interfaces needs to be translated.
Limitations
- No AH
- No DH Group 1
- For software client, no DES and SHA
- No Transport Mode
- No Routing Protocols
CLASS TASK
SERVER CONFIGURATION
Step 1: Define AAA based service
- (config)# aaa new-model
- (config)# aaa authentication login AUTH local
- (config)# aaa authorization network AUTH1 local
In this configuration the command 'aaa authorization network AUTH1 local' tells the router that the Easy VPN group configuration (policies) must be downloaded from the local database.
Step 2: Create Username/Password [ACS/Local]
- (config)# username cisco password cisco123
Step 3: Define ISAKMP Policy
- (config)# crypto isakmp policy 10
- (config-isakmp-policy)# group 2
- (config-isakmp-policy)# authentication pre-share
- (config-isakmp-policy)# encryption 3des
- (config-isakmp-policy)# hash md5
Step 4: Define transform set for data protection
- (config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
Step 5: Define ACL for split tunneling
- ! If Split Tunneling is required, define the ACLs here
- ! SPLIT TUNNELING DEFINITION: This is the process by which we tell the device which traffic needs to be encrypted. If split tunneling is not enabled, all traffic (even traffic destined for the public network)
- ! will be routed via the server! So in a practical scenario, if there is a VPN tunnel established between a remote client and a server, even traffic destined for the Internet
- ! will get routed through the server.
Step 6: Define pool of IP Address for client
- (config)# ip local pool POOL 7.7.7.1 7.7.7.3
Step 7: Define a ISAKMP Client Config and Reference the POOL
- (config)# crypto isakmp client configuration group CCIE
- (config-isakmp-group)# key cisco
- (config-isakmp-group)# pool POOL
- ! If Split Tunneling is required, the ACL should be referenced here
Step 8: Define Dynamic crypto map
- (config)# crypto dynamic-map DMAP 10
- (config-crypto-map)# set transform-set TSET
- (config-crypto-map)# reverse-route // This command creates a STATIC route to reach the client in the routing table
Step 9: Refer the dynamic crypto map onto a static crypto map
- (config)# crypto map CMAP 10 ipsec-isakmp dynamic DMAP
- (config)# crypto map CMAP client authentication list AUTH
- (config)# crypto map CMAP isakmp authorization list AUTH1
- (config)# crypto map CMAP client configuration address respond
Step 10: Apply the static crypto map to the interface
- (config)# int f0/0
- (config-if)# crypto map CMAP
CLIENT CONFIGURATION
Step 1: Define ISAKMP Policy
- (config)# crypto isakmp policy 10
- (config-isakmp-policy)# authentication pre-share
- (config-isakmp-policy)# encryption 3des
- (config-isakmp-policy)# hash md5
- (config-isakmp-policy)# group 2
Step 2: Config IPSec Client
- (config)# crypto ipsec client ezvpn <ezvpn_name>
- (config-ezvpn)# group CCIE key cisco
- (config-ezvpn)# peer 10.1.1.1 [Server's IP Address]
- (config-ezvpn)# connect <auto/manual>
! Any one of the mode below
Mode: Client
- (config-ezvpn)# mode client
Mode: Network Extension
- (config-ezvpn)# mode network-extension
Mode: Network Extension Plus
- (config-ezvpn)# mode network-plus
! Any one of the above
Step 3: Apply to the Interfaces
- (config)# int loopback 0
- (config-if)# crypto ipsec client ezvpn <ezvpn_name> inside
- (config)# int f0/0
- (config-if)# crypto ipsec client ezvpn <ezvpn_name> outside
Step 4: Connect
If connection is MANUAL:
- # crypto ipsec client ezvpn connect
- # crypto ipsec client ezvpn xauth
Miscellaneous Command/Configurations
SAVE USERNAME/PASSWORD: If you want to save the username and password so that the VPN comes up without typing them, configure the following:
At the Server STEP 7:
- (config)# crypto isakmp client configuration group CCIE
- (config-isakmp-group)# save-password
At the Client STEP 2:
- (config)# crypto ipsec client ezvpn <name>
- (config-ezvpn)# username cisco password cisco123
- (config-ezvpn)# xauth userid mode local
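The server and client steps above only work when the two ISAKMP policies agree on encryption, hash, DH group and authentication, and when the group block references a pool and ACL that actually exist. The following Python script is an added example, not part of the original notes and not a Cisco tool: it parses configuration text in the shape shown above, finds the first compatible ISAKMP policy pair (using the IOS defaults des/sha/group 1/rsa-sig for attributes that are not set), and flags the limitations listed earlier (DH group 1, AH, transport mode, DES) together with dangling pool/ACL references and the save-password option. The sample configuration strings are constructed from the commands on this page; the check that a pre-shared key equals its group name is an added heuristic.

```python
import re

# IOS defaults for ISAKMP policy attributes that are not set explicitly.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
POLICY_KEYS = ("encryption", "hash", "group", "authentication")
# Commands that start a new top-level block and therefore end a policy or group block.
TOP_LEVEL = ("crypto ", "interface ", "int ", "ip ", "access-list ", "aaa ", "username ")

# Constructed sample based on the Class Task 2 server configuration (not a captured device config).
SERVER_CFG = """
aaa new-model
aaa authentication login AUTHC local
aaa authorization network AUTHZ local
crypto isakmp policy 10
 authentication pre-share
 encr 3des
 hash sha
 group 2
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
access-list 101 permit ip host 1.1.1.1 any
access-list 102 permit ip host 1.1.1.1 any
access-list 102 permit ip host 11.11.11.11 any
ip local pool POOL 20.1.1.2 20.1.1.100
crypto isakmp client configuration group HR
 key HR
 pool POOL
 acl 101
crypto isakmp client configuration group Admin
 key Admin
 pool POOL
 save-password
 acl 102
"""
# Constructed Client1 policy (matches the server) and a mismatched variant (md5 instead of sha).
CLIENT1_CFG = "crypto isakmp policy 10\n authentication pre-share\n encryption 3des\n hash sha\n group 2\n"
CLIENT_MISMATCH_CFG = CLIENT1_CFG.replace("hash sha", "hash md5")


def parse_isakmp_policies(cfg):
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy' block."""
    policies, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = dict(ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
        elif line.startswith(TOP_LEVEL):
            current = None
        elif current is not None and line:
            parts = line.split()
            attr = "encryption" if parts[0] == "encr" else parts[0]
            if attr in POLICY_KEYS:
                current[attr] = parts[1]
    return policies


def matching_policy(server_cfg, client_cfg):
    """Return (server_priority, client_priority) of the first compatible IKE proposal, or None."""
    server, client = parse_isakmp_policies(server_cfg), parse_isakmp_policies(client_cfg)
    for sp in sorted(server):
        for cp in sorted(client):
            if all(server[sp][k] == client[cp][k] for k in POLICY_KEYS):
                return (sp, cp)
    return None


def lint_server(cfg):
    """Return findings: Easy VPN limitations from the notes plus dangling references and risky options."""
    findings = []
    pools = set(re.findall(r"^\s*ip local pool (\S+)", cfg, re.M))
    acls = set(re.findall(r"^\s*access-list (\d+) ", cfg, re.M))
    for prio, pol in parse_isakmp_policies(cfg).items():
        if pol["group"] == "1":
            findings.append(f"isakmp policy {prio}: DH group 1 is not supported by Easy VPN")
        if pol["encryption"] == "des":
            findings.append(f"isakmp policy {prio}: DES (the IOS default) is weak and not accepted by the software client")
    for m in re.finditer(r"^\s*crypto ipsec transform-set (\S+) (.+)$", cfg, re.M):
        if any(t.startswith("ah-") for t in m.group(2).split()):
            findings.append(f"transform-set {m.group(1)}: AH is not supported by Easy VPN")
    if re.search(r"^\s*mode transport", cfg, re.M):
        findings.append("transform-set in transport mode: only tunnel mode is supported by Easy VPN")
    group = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp client configuration group (\S+)", line)
        if m:
            group = m.group(1)
        elif line.startswith(TOP_LEVEL):
            group = None
        elif group is not None and line:
            parts = line.split()
            if parts[0] == "pool" and parts[1] not in pools:
                findings.append(f"group {group}: pool {parts[1]} is not defined")
            elif parts[0] == "acl" and parts[1] not in acls:
                findings.append(f"group {group}: split-tunnel acl {parts[1]} is not defined")
            elif parts[0] == "save-password":
                findings.append(f"group {group}: save-password lets hardware clients store the XAuth credential locally")
            elif parts[0] == "key" and parts[1].lower() == group.lower():  # added heuristic
                findings.append(f"group {group}: pre-shared key equals the group name")
    return findings


if __name__ == "__main__":
    print("compatible policy pair:", matching_policy(SERVER_CFG, CLIENT1_CFG))
    for finding in lint_server(SERVER_CFG):
        print("-", finding)
```

Run the file directly to print the policy match and the findings for the constructed server; feed it the output of `show running-config` to lint a real device.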
Class Task 2
[Figure: Class Task 2 topology diagram; image not included in this page]
- Configure SERVER as an Easy VPN server with 2 groups and a single pool
- The pool of IP Addresses is the range 20.1.1.2 to 20.1.1.100
- The first group's name is HR and its pre-shared key is HR; the second group's name is Admin and its pre-shared key is Admin
- Create 2 usernames, namely CCIE and CCNP, with passwords CCIE and CCNP respectively
- Group HR should access 1.1.1.1 and group Admin should access both 1.1.1.1 and 11.11.11.11
- Configure CLIENT1 as an Easy VPN client operating in CLIENT mode for group HR and connect manually, such that all traffic from the internal networks of CLIENT1 is protected
- Configure CLIENT2 as an Easy VPN client operating in NEM mode for group Admin and connect automatically with the password saved in the local database. All traffic flowing from the internal network of CLIENT2 to the internal network of SERVER should be protected
- Configure CLIENT3 as an Easy VPN client operating in NEM Plus mode for group HR and connect automatically, such that all traffic from the internal networks of CLIENT3 is protected
- Configure the Remote Access Software client so that all traffic from the client machine to the loopback of the server is protected
Solutions:
- Please ensure IP Addresses are configured as shown in the topology
- Please ensure that there is connectivity between all the devices
Configuration on the Server:
Step 1: AAA Configuration
- server(config)# aaa new-model
- server(config)# aaa authentication login AUTHC local
- server(config)# aaa authorization network AUTHZ local
Step 2: Username and Password
- server(config)# username CCIE password CCIE
- server(config)# username CCNP password CCNP
Step 3: ISAKMP Policy
- server(config)# crypto isakmp policy 10
- server(config-isakmp)# authentication pre-share
- server(config-isakmp)# encr 3des
- server(config-isakmp)# hash sha
- server(config-isakmp)# group 2
Step 4: IPSec Transform Set
- server(config)# crypto ipsec transform-set TSET esp-3des esp-sha-hmac
Step 5: Access Lists
- server(config)# access-list 101 permit ip host 1.1.1.1 any // Split-tunnel list for group HR: only traffic to 1.1.1.1 is encrypted
- server(config)# access-list 102 permit ip host 1.1.1.1 any // Split-tunnel list for group Admin
- server(config)# access-list 102 permit ip host 11.11.11.11 any // Split-tunnel list for group Admin
Step 6: IP POOL
- server(config)# ip local pool POOL 20.1.1.2 20.1.1.100
Step 7: ISAKMP Client Configuration
- server(config)# crypto isakmp client configuration group HR
- server(config-isakmp-group)# key HR
- server(config-isakmp-group)# pool POOL
- server(config-isakmp-group)# acl 101 // Used for SPLIT TUNNELING, encrypt some traffic and do not encrypt the others
- server(config)# crypto isakmp client configuration group Admin
- server(config-isakmp-group)# key Admin
- server(config-isakmp-group)# pool POOL
- server(config-isakmp-group)# save-password // For Auto Connect without entering password
- server(config-isakmp-group)# acl 102 // Used for SPLIT TUNNELING, encrypt some traffic and do not encrypt the others
Step 8: Dynamic Crypto Map
- server(config)# crypto dynamic-map DMAP 10
- server(config-crypto-map)# set transform-set TSET
- server(config-crypto-map)# reverse-route
Step 9: Static Crypto MAP
- server(config)# crypto map CMAP 10 ipsec-isakmp dynamic DMAP
- server(config)# crypto map CMAP client authentication list AUTHC
- server(config)# crypto map CMAP isakmp authorization list AUTHZ
- server(config)# crypto map CMAP client configuration address respond
Step 10: Apply the Static Crypto Map on the interface
- server(config)# interface f0/0
- server(config-if)# crypto map CMAP
Client1 Configurations
Step 1: Define ISAKMP Policy
- client1 (config)# crypto isakmp policy 10
- client1 (config-isakmp-policy)# authentication pre-share
- client1 (config-isakmp-policy)# encryption 3des
- client1 (config-isakmp-policy)# hash sha
- client1 (config-isakmp-policy)# group 2
Step 2: Config IPSec Client
- client1 (config)# crypto ipsec client ezvpn EZ_HR
- client1 (config-ezvpn)# group HR key HR
- client1 (config-ezvpn)# peer 10.1.1.1 // Server's IP Address
- client1 (config-ezvpn)# connect manual
- client1 (config-ezvpn)# mode client
Step 3: Apply to the Interfaces
- client1 (config)# int loopback 0
- client1 (config-if)# crypto ipsec client ezvpn EZ_HR inside
- client1 (config)# int loopback 1
- client1 (config-if)# crypto ipsec client ezvpn EZ_HR inside
- client1 (config)# int f0/0
- client1 (config-if)# crypto ipsec client ezvpn EZ_HR outside
Step 4: Connect
- client1# crypto ipsec client ezvpn connect // Because connection is MANUAL
- client1# crypto ipsec client ezvpn xauth
Client2 Configurations
Step 1: Define ISAKMP Policy
- client2 (config)# crypto isakmp policy 10
- client2 (config-isakmp-policy)# authentication pre-share
- client2 (config-isakmp-policy)# encryption 3des
- client2 (config-isakmp-policy)# hash sha
- client2 (config-isakmp-policy)# group 2
Step 2: Config IPSec Client
- client2 (config)# crypto ipsec client ezvpn EZ_Admin
- client2 (config-ezvpn)# group Admin key Admin
- client2 (config-ezvpn)# peer 10.1.1.1 // Server's IP Address
- client2 (config-ezvpn)# connect auto
- client2 (config-ezvpn)# mode network-extension
- client2 (config-ezvpn)# username CCIE password CCIE // For Auto Connect without typing the password
- client2 (config-ezvpn)# xauth userid mode local
Step 3: Apply to the Interfaces
- client2 (config)# int loopback 0
- client2 (config-if)# crypto ipsec client ezvpn EZ_Admin inside
- client2 (config)# int loopback 1
- client2 (config-if)# crypto ipsec client ezvpn EZ_Admin inside
- client2 (config)# int f0/0
- client2 (config-if)# crypto ipsec client ezvpn EZ_Admin outside
Step 4: Connect
- ! In this case, we do not need to use any commands to connect, as the username and password are available locally as configured in step 2.
Client3 Configurations
Step 1: Define ISAKMP Policy
- client3 (config)# crypto isakmp policy 10
- client3 (config-isakmp-policy)# authentication pre-share
- client3 (config-isakmp-policy)# encryption 3des
- client3 (config-isakmp-policy)# hash sha
- client3 (config-isakmp-policy)# group 2
Step 2: Config IPSec Client
- client3 (config)# crypto ipsec client ezvpn EZ_HR
- client3 (config-ezvpn)# group HR key HR
- client3 (config-ezvpn)# peer 10.1.1.1 // Server's IP Address
- client3 (config-ezvpn)# connect auto
- client3 (config-ezvpn)# mode network-plus
Step 3: Apply to the Interfaces
- client3 (config)# int loopback 0
- client3 (config-if)# crypto ipsec client ezvpn EZ_HR inside
- client3 (config)# int loopback 1
- client3 (config-if)# crypto ipsec client ezvpn EZ_HR inside
- client3 (config)# int f0/0
- client3 (config-if)# crypto ipsec client ezvpn EZ_HR outside
Step 4: Connect
- client3# crypto ipsec client ezvpn xauth // Connection is auto, but we need to type this command to provide the login details!
Software Client Configurations
For this task, we will make use of a virtual machine running Windows XP on VMware. The virtual machine's NIC is the interface connected to the cloud in GNS3. You could also make use of loopback adapters on Windows 7 and below and connect the cloud to the loopback interface. Since I am using Windows 8, where the loopback interface does not seem to work well, I am using VMware instead.
- First check connectivity between your computer (the VMware VM, or the PC itself if using a loopback adapter) and GNS3. Start by pinging 50.1.1.10 after assigning the IP address 50.1.1.1 to the computer.
- You might have to add a route on Windows to reach the server at 10.1.1.1. You can do it as follows from the command prompt window:
- >route ADD 10.1.1.1 50.1.1.10 // 50.1.1.10 is the next-hop IP of the router named INTERNET in GNS3
- Launch Cisco VPN client software
[Figure: Cisco VPN Client, creating a new connection entry; image not included in this page]
- As shown above, click on the NEW button (#1). In the pop-up that opens, enter the connection entry name that will be listed in #2. Next enter the server IP Address as the Host at #3, then enter the Group Name and Key at #4.
[Figure: Cisco VPN Client, connecting and viewing statistics; image not included in this page]
- Select the Connection Entry 'Server' at #1. Click on the 'Connect' button at #2. A new pop-up will ask for the Username and Password as shown in #3.
- After entering the username and password, the connection is successful. Open the client and open Statistics as shown at #1. The Statistics window shows all the details regarding the connection. The packet section shows the encryption counters as shown at #2. If we ping 10.1.1.1 as shown at #3, the 'Bypassed' counter increases; if we ping the loopback of the Server, the 'Encrypted' counter increases!
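The 'Bypassed' and 'Encrypted' counters move according to the split-tunnel ACL the server pushes for the client's group. The following Python script is an added example, not from the original notes and not part of the Cisco VPN Client: it reads the split-tunnel ACLs and group blocks from a constructed excerpt of the Class Task 2 server configuration and classifies a destination the way the client does, so the same logic can be used to verify a split-tunnel list before it is deployed. Destinations covered by the group's ACL are encrypted, everything else is bypassed, and a group without an ACL tunnels all traffic (shown with an added, assumed group named Everything). Wildcard-mask entries are handled in addition to the host entries on this page.

```python
import ipaddress
import re

# Constructed excerpt of the Class Task 2 server configuration (not a captured device config),
# plus an assumed group "Everything" with no split-tunnel ACL to show the full-tunnel case.
SERVER_CFG = """
access-list 101 permit ip host 1.1.1.1 any
access-list 102 permit ip host 1.1.1.1 any
access-list 102 permit ip host 11.11.11.11 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
crypto isakmp client configuration group HR
 key HR
 pool POOL
 acl 101
crypto isakmp client configuration group Admin
 key Admin
 pool POOL
 save-password
 acl 102
crypto isakmp client configuration group Branch
 key Branch
 pool POOL
 acl 103
crypto isakmp client configuration group Everything
 key Everything
 pool POOL
"""


def parse_split_acl(cfg, number):
    """Return the server-side networks protected by numbered ACL `number`.

    Only 'permit ip <source> any' entries are relevant: the source is the network behind
    the server, which the client sees as the destination it must encrypt traffic to.
    """
    nets = []
    for m in re.finditer(rf"^\s*access-list {number} permit ip (.+?) any\s*$", cfg, re.M):
        src = m.group(1).split()
        if src[0] == "host":
            nets.append(ipaddress.ip_network(src[1]))
        elif src[0] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:  # "A.B.C.D wildcard": ipaddress accepts the wildcard as a host mask
            nets.append(ipaddress.ip_network(f"{src[0]}/{src[1]}"))
    return nets


def group_acl(cfg, group):
    """Return the ACL number bound to `group`, or None if the group has no split-tunnel ACL."""
    known = set(re.findall(r"^\s*crypto isakmp client configuration group (\S+)", cfg, re.M))
    if group not in known:
        raise ValueError(f"group {group} is not defined on the server")
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp client configuration group (\S+)", line)
        if m:
            current = m.group(1)
        elif current == group and line.startswith("acl "):
            return line.split()[1]
    return None


def tunnel_decision(cfg, group, dst):
    """Classify a packet from a client in `group` to `dst` as the client's statistics window would."""
    acl = group_acl(cfg, group)
    if acl is None:
        return "Encrypted"  # no split-tunnel ACL pushed: every packet goes through the tunnel
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in net for net in parse_split_acl(cfg, acl)):
        return "Encrypted"
    return "Bypassed"


if __name__ == "__main__":
    for group, dst in [("HR", "1.1.1.1"), ("HR", "11.11.11.11"), ("HR", "10.1.1.1"),
                       ("Admin", "11.11.11.11"), ("Branch", "192.168.10.77"), ("Everything", "8.8.8.8")]:
        print(f"group {group:<10} -> {dst:<15} {tunnel_decision(SERVER_CFG, group, dst)}")
```

The ping to 10.1.1.1 from the notes lands in 'Bypassed' for group HR because the server's outside address is not in ACL 101, while the loopback 1.1.1.1 is. Checking the list this way before pushing it shows exactly which internal hosts a group can reach over the tunnel.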