Wednesday, 16 January 2013

Cisco IPSec Easy VPN Server Configuration Guide

Introduction

The Cisco Easy VPN server allows a remote user to connect to the corporate network over an IPSec tunnel. An Easy VPN server can run on a Cisco IOS router or an ASA appliance; on the remote side the user runs the Cisco VPN Client software on their operating system. The Easy VPN feature minimizes the configuration needed at the remote location: all of the policy is kept on the VPN server and is pushed to the client when the VPN tunnel is established.
  • This document will show you how to configure an Easy VPN Server on a Cisco IOS Router.
Network Diagram

(The network diagram image is not reproduced here. In the configuration below GigabitEthernet0/0 is the internal LAN interface, GigabitEthernet0/1 is the Internet facing interface, the LAN uses 10.0.0.0/8 and VPN clients receive addresses from 192.168.1.0/24.)

Configuration Tasks
  1. Enable AAA on the router.
  2. Create a User account.
  3. Configure IKE Policy.
  4. Define Group policy information.
  5. Configure Phase 2 policy (IPSec Transform-set)
  6. Bind IPSec configuration with a Virtual Interface.
Now we can go into detail and configure each of the tasks listed above.

1.) Enabling AAA on the router

AAA is enabled using the 'aaa new-model' command. We can either define the AAA users locally on the router or point to an external TACACS+ or RADIUS server for authentication, authorization and accounting. AAA determines the level of access granted to each user and monitors user activity to produce accounting records. In this example I am configuring AAA locally on the router. Note that 'aaa authentication login default local' also applies to the console and VTY lines, so create the local user account (task 2) in the same session before you log out, otherwise you can lock yourself out of the router. The VPN-USER-AUTH list authenticates the VPN users (Xauth) and the VPN-GROUP list authorizes the group policy; both are referenced from the ISAKMP profile in task 5.

Router(config)#aaa new-model
Router(config)#aaa authentication login default local
Router(config)#aaa authentication login VPN-USER-AUTH local
Router(config)#aaa authorization exec default local
Router(config)#aaa authorization network VPN-GROUP local

2.) Creating User Account

Router(config)#username tony privilege 15 password mypassword

This is the account the VPN user is prompted for (Xauth) after the group authentication succeeds. Two things a production configuration should change: use 'secret' instead of 'password' so the credential is stored as a hash rather than the reversible type 7 encoding, and do not give a VPN-only user privilege 15, which grants full administrative access if the same account is ever used on the console or VTY lines.

3.) Configuring IKE Policy

Here we configure the IKE (ISAKMP) policy, which sets the parameters used during the IKE Phase 1 negotiation. No 'hash' or 'lifetime' line is given, so the IOS defaults apply (SHA-1 and 86400 seconds). 3DES and DH group 2 are considered weak by current standards; where the client supports it, prefer 'encryption aes 256' and the strongest DH group the client can negotiate, and keep weaker policies only if you really need them for old clients, since the router accepts the first of its policies that matches what the client offers.

Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#group 2
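
As an added illustration (not code from the original post or from Cisco), the following Python models how an IOS responder picks an ISAKMP policy: it walks its own policies in priority order and accepts the first whose encryption, hash, authentication method and DH group equal one of the transforms the initiator offered and whose lifetime is not shorter than the proposed one. The policy tables and client transforms are constructed for the example; the "hardened" table is an assumption that shows what happens when the post's 3DES/group 2 policy is kept as a fallback.

```python
"""IKE Phase 1 (ISAKMP) policy selection as an IOS responder performs it.

Added illustration for this post, not code from the original article or
from Cisco. The policy tables and the client transforms below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # 'crypto isakmp policy <n>'; lower is tried first
    encryption: str        # "3des", "aes 128", "aes 256"
    hash: str              # IOS default is "sha" when no 'hash' line is set
    authentication: str    # "pre-share" or "rsa-sig"
    group: int             # Diffie-Hellman group
    lifetime: int = 86400  # seconds; IOS default when no 'lifetime' line is set


# The post's policy 1: 3DES, pre-share, group 2, with the SHA/86400 defaults.
POST_POLICIES = [IsakmpPolicy(1, "3des", "sha", "pre-share", 2)]

# Hardened table (assumption): AES-256/group 14 preferred, the post's policy
# kept only as a low-preference fallback for old clients.
HARDENED_POLICIES = [
    IsakmpPolicy(1, "aes 256", "sha", "pre-share", 14),
    IsakmpPolicy(10, "3des", "sha", "pre-share", 2),
]

# Constructed initiator transforms (an initiator may offer several at once).
LEGACY_TRANSFORM = {"encryption": "3des", "hash": "sha",
                    "authentication": "pre-share", "group": 2, "lifetime": 86400}
STRONG_TRANSFORM = {"encryption": "aes 256", "hash": "sha",
                    "authentication": "pre-share", "group": 14, "lifetime": 86400}
MD5_TRANSFORM = dict(LEGACY_TRANSFORM, hash="md5")
LONG_LIFE_TRANSFORM = dict(LEGACY_TRANSFORM, lifetime=172800)


def _algorithms_match(policy: IsakmpPolicy, transform: dict) -> bool:
    return (policy.encryption == transform["encryption"]
            and policy.hash == transform["hash"]
            and policy.authentication == transform["authentication"]
            and policy.group == transform["group"])


def select_policy(policies: Iterable[IsakmpPolicy],
                  transforms: Iterable[dict]) -> Optional[IsakmpPolicy]:
    """Return the responder's first policy (by priority) that matches any
    offered transform, or None when nothing matches.

    The responder's own priority order decides, not the order in which the
    initiator listed its transforms. Lifetime matches when the initiator's
    value is less than or equal to the policy's; the shorter value is used.
    """
    transforms = list(transforms)
    for policy in sorted(policies, key=lambda p: p.priority):
        for transform in transforms:
            if _algorithms_match(policy, transform) and transform["lifetime"] <= policy.lifetime:
                return policy
    return None


def negotiated_lifetime(policy: IsakmpPolicy, transform: dict) -> int:
    """The Phase 1 SA lifetime that results from a successful match."""
    return min(policy.lifetime, transform["lifetime"])


if __name__ == "__main__":
    for name, policies in (("post", POST_POLICIES), ("hardened", HARDENED_POLICIES)):
        for label, offer in (("legacy client", [LEGACY_TRANSFORM]),
                             ("strong client", [STRONG_TRANSFORM]),
                             ("both offered", [LEGACY_TRANSFORM, STRONG_TRANSFORM]),
                             ("md5 client", [MD5_TRANSFORM])):
            chosen = select_policy(policies, offer)
            print(f"{name:8} {label:13} -> policy {chosen.priority if chosen else 'none'}")
```

Run as a script it prints which policy each constructed client ends up on. The point to take away is that the fallback policy 10 is reachable by any client that only offers 3DES/group 2, so a weak policy left in the table is a downgrade path, not just dead configuration. When the model returns None, a real router has simply failed Phase 1 (IOS releases that ship default IKE policies would then try those unless they are disabled with 'no crypto isakmp default policy').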

4.) Defining Group Policy information

We have to create a group and configure all the parameters that are pushed to the client as soon as it successfully authenticates to the group. The parameters defined in this example are:
Pre-shared key : The key used to authenticate the client to the group. It is shared by every user of the group, and the client sends the group name in the clear during IKE aggressive mode, so choose a long random key and treat the per-user credentials from task 2 (Xauth) as the real user authentication.
DNS & WINS server : Users authenticating to this group will get this DNS and WINS server IP.
Pool : The address pool from which connected clients receive their IP (created below).
Max-Users : Maximum number of users allowed to connect simultaneously.
No split-tunnel 'acl' is configured in this group, so the client sends all of its traffic through the tunnel.

Router(config)# crypto isakmp client configuration group vpngroup
Router(config-isakmp-group)# key mysecurekey
Router(config-isakmp-group)# dns 10.0.0.10
Router(config-isakmp-group)# wins 10.0.0.10
Router(config-isakmp-group)# pool VPN-POOL-1
Router(config-isakmp-group)# max-users 20
Router(config-isakmp-group)# netmask 255.255.255.0
Router(config-isakmp-group)# domain tony.com

Enter the key in clear text on the CLI. 'key 6 <string>' is how IOS displays the key in the running configuration once type 6 (AES) password encryption has been enabled with 'key config-key password-encrypt' and 'password encryption aes'; the 6 keyword tells IOS that the string that follows is already encrypted.

The pool contains the IPs that are handed out to VPN clients as soon as they establish a connection to the VPN server. (Note: the pool should use a different subnet from your internal LAN; the NAT exemption later in this guide depends on it.) Create the pool using the command below:

Router(config)#ip local pool VPN-POOL-1 192.168.1.1 192.168.1.20

5.) Configure Phase 2 policy

a.) IPSec Transform-set
 
The IPSec transform-set specifies the encryption and integrity algorithms for the Phase 2 (IPSec) security association; this is the SA that actually protects the user data. As with Phase 1, 3DES is weak by current standards, so prefer 'esp-aes 256' where the client supports it. Create a transform-set using the command below:

Router(config)#crypto ipsec transform-set VPN-TRANSFORM-SET esp-3des esp-sha-hmac
Router(cfg-crypto-trans)#exit

b.) Creating ISAKMP Profile

Create an ISAKMP profile that matches the client group (vpngroup) and specifies the AAA lists used for user authentication (Xauth) and group authorization. The profile is also where the virtual template from task 6 is referenced, so every client that matches this group gets its own virtual-access interface.

Router(config)#crypto isakmp profile ISAKMP-PROFILE-1
Router(conf-isa-prof)#match identity group vpngroup
Router(conf-isa-prof)#client authentication list VPN-USER-AUTH
Router(conf-isa-prof)#isakmp authorization list VPN-GROUP
Router(conf-isa-prof)#client configuration address respond
Router(conf-isa-prof)#virtual-template 2

Now reference the transform-set and the ISAKMP profile from an IPSec profile named VPN-PROFILE; this profile is what the virtual interface in the next step applies to the tunnel.

Router(config)#crypto ipsec profile VPN-PROFILE
Router(ipsec-profile)#set transform-set VPN-TRANSFORM-SET
Router(ipsec-profile)#set isakmp-profile ISAKMP-PROFILE-1

6.) Binding the configuration with a Virtual Interface

The last step is to bind all of the configuration to a virtual template interface; IOS clones a virtual-access interface from it for each incoming VPN client connection. The virtual template should be unnumbered to a physical interface, usually the internal LAN interface.

Router(config)#interface virtual-template 2 type tunnel
Router(config-if)#ip unnumbered GigabitEthernet0/0
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel protection ipsec profile VPN-PROFILE

Easy VPN and NAT exemption

Now we need to exempt the VPN traffic from NAT. If the router already translates the LAN with an 'ip nat inside source list' statement, traffic from the LAN to the VPN client pool must be excluded from that translation, otherwise the replies to VPN clients are rewritten with the public address of the Internet facing interface and never reach the client. Add the following configuration (Gi0/1 is the Internet facing interface):

ip nat inside source list 120 interface GigabitEthernet0/1 overload

access-list 120 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.255.255.255 any

Here a 'deny' entry in a NAT access list means "do not translate", not "drop": traffic from the LAN (10.0.0.0/8) to the VPN pool (192.168.1.0/24) is sent untranslated through the tunnel, while all other LAN traffic is translated to the address of Gi0/1 as before. The order matters, because the access list is evaluated top down and the first match wins.
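
As an added illustration (not code from the original post or from Cisco), the following Python evaluates access-list 120 the way IOS does for 'ip nat inside source list': top down, first match wins, an unmatched packet falls to the implicit deny, and in a NAT list a deny means the packet is forwarded without translation. The second access list, with the exemption line left out, and the sample packets are constructed for the example.

```python
"""Evaluate an IOS NAT access list: does this packet get translated?

Added illustration for this post, not code from the original article or
from Cisco. ACL_WITHOUT_EXEMPTION and the sample packets are constructed.
"""
import ipaddress

# The access list from the post.
ACL_WITH_EXEMPTION = """
access-list 120 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
"""

# Constructed: the same list with the exemption line forgotten.
ACL_WITHOUT_EXEMPTION = """
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
"""


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_to_int(tokens[1]), 0), tokens[2:]
    return (_to_int(tokens[0]), _to_int(tokens[1])), tokens[2:]


def parse_acl(text: str):
    """Parse 'access-list <n> permit|deny ip <src> <dst>' lines in order."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        action = tokens[2]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def _matches(addr: int, spec) -> bool:
    base, wildcard = spec
    # A wildcard bit of 1 means "don't care"; every other bit must equal base.
    return (addr ^ base) & (~wildcard & 0xFFFFFFFF) == 0


def nat_decision(entries, src: str, dst: str):
    """Return ('translate' | 'no-nat', matching line number or None).

    'permit' selects the packet for translation; 'deny' and the implicit
    deny at the end leave it untranslated. Nothing here drops a packet.
    """
    s, d = _to_int(src), _to_int(dst)
    for number, (action, src_spec, dst_spec) in enumerate(entries, start=1):
        if _matches(s, src_spec) and _matches(d, dst_spec):
            return ("translate" if action == "permit" else "no-nat", number)
    return ("no-nat", None)


if __name__ == "__main__":
    # Constructed sample flows: LAN host to VPN client, LAN host to Internet,
    # and a host outside 10.0.0.0/8 that the list never mentions.
    samples = [("10.0.0.25", "192.168.1.3"),
               ("10.0.0.25", "198.51.100.7"),
               ("172.16.5.5", "203.0.113.9")]
    for label, text in (("with exemption", ACL_WITH_EXEMPTION),
                        ("without exemption", ACL_WITHOUT_EXEMPTION)):
        entries = parse_acl(text)
        for src, dst in samples:
            print(f"{label:18} {src:>12} -> {dst:<14} {nat_decision(entries, src, dst)}")
```

Run as a script it prints the decision for each sample flow. The flow from 10.0.0.25 to the VPN client 192.168.1.3 hits line 1 and is left untranslated; without that line it matches the permit and the router would rewrite the LAN's return traffic to the Gi0/1 address, which is the usual reason a connected client can authenticate but not ping anything inside.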

That completes the Easy VPN server configuration. Now you can download and install the Cisco VPN Client software on your operating system and configure it as shown in the screenshot below.
Cisco VPN client download link : https://docs.google.com/folder/d/0BzwBbyVriGKkSGVXTmJJd0xCOVU/edit

Host : Public IP address of the Easy VPN Server
Group Authentication:
                            Name: 'group name'
                            Password: 'group password'
Save the configuration and click Connect to establish the VPN connection. You will be prompted for a username and password as shown below.

Enter the correct user credentials to establish the VPN connection from your computer to the Easy VPN server.

Easy VPN and Zone Based Firewall 

For more information about how to allow the Easy VPN server through a Zone-Based Firewall, refer to "Using IPSec VPN with Zone-Based Policy Firewall".

Verification and Troubleshooting of Easy VPN

Verification Command List :
  • show crypto session detail
  • show crypto ipsec sa
  • show crypto ipsec spi-lookup
  • show crypto isakmp profile
  • show crypto isakmp policy
  • show crypto isakmp sa
  • show crypto isakmp peers
  • show crypto engine connections active
Troubleshooting Command List :
  • debug crypto isakmp —Displays errors during Phase 1 (IKE).
  • debug crypto ipsec —Displays errors during Phase 2 (IPSec).
  • debug crypto engine —Displays information from the crypto engine.
  • clear crypto connection connection-id [slot | rsm | vip] —Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. (Use the show crypto cisco connections command to see the connection-id value; this is a legacy command, and on current IOS 'clear crypto session' does the same job.)
  • clear crypto isakmp —Clears the Phase 1 security associations.
  • clear crypto sa —Clears the Phase 2 security associations.
For more IPSec troubleshooting command list visit http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

You can also find the configuration example of Cisco IPSec Site-to-site VPN in http://yadhutony.blogspot.in/2012/12/cisco-ipsec-site-to-site-vpn.html

21 comments:

  1. You really make it seem so easy with your presentation, however I find this matter to be really something that I believe I'd never understand. It seems too complicated and extremely large for me. I am looking forward to your next post, I'll attempt to get the grasp of it!
    vpn for usa

  2. Too bad it is still only half done, but that's fine, at least it has been shared.

    I hope someone shares the VPN server configuration for a Cisco 1800 series router.

    Enjoy.

    1. Hi Mesi,

      In English please :)

    2. OI YADHU boss. CAN HELP ME .. GREETING KNOW boss

  3. Awesome tutorial here. If you don’t want anyone to know what you are downloading including your Internet Service Provider then you should be using a VPN Service. Find the best ones here. http://thebestproxyserver.com

  4. I am having difficulties in getting the VPN client connected, just to verify on the client under Group Authentication, what is the password entered?
    Name: vpngroup
    password:?????

    1. Hi Ken,

      You need to enter the password of the VPN group which you have defined on task 4:

      4.) Defining Group Policy information

      Router(config)# crypto isakmp client configuration group vpngroup
      Router(config-isakmp-group)# key 6 mysecurekey

      In this example 'mysecurekey' is the password.

      Please let me know if you have any further queries.

      Best Regards,
      Yadhu

  5. Hello, firstly, I'd like to thank you for this tutorial. It's the best one I've seen so far and it makes this whole subject a lot easier to understand.
    I have a question though: would anything here change if I had a server (Cisco 1720) and several clients (Cisco 831)?
    In this case the VPN is needed just so we can monitor several small offices and fix problems remotely if needed; the different 831s will never access each other, just from the server to the clients.
    Thanks, and sorry if I'm not clear enough with my question.

    1. Hi, this guide can be used only when you have Cisco VPN client software on one side. In your case I would suggest the DMVPN (refer http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html).

      An even more flexible approach, although less well-documented due to its relative age, is FlexVPN. See the FlexVPN data sheet for an overview of its advantages:

      http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html

      Here are a couple of FlexVPN configuration examples:

      http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115782-flexvpn-site-to-site-00.html

      http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-flex-spoke.html

      Both DMVPN and FlexVPN allow you to route dynamically and establish tunnels in a mesh fashion as needed to reach all the sites, whether spoke-hub or spoke-spoke. Unfortunately I haven't put my hands on flex VPN so far.

  6. I have successfully connected my software client to the Easy VPN server, but the ping from my PC to the IP behind the VPN server is not successful......... please help

    1. Hi,

      Two things to consider:

      1. Are the VPN users getting a different subnet of IP's than your internal LAN ?
      2. Have you worked through the instructions under the topic "Easy VPN and NAT exemption" ?

      Still unsuccessful? Contact me @ my email ID.

      Cheers,
      Yadhu

  7. Great article. Keep up the good job

  8. Good article, but if we don't configure NAT, is that also OK?

    1. Hi,

      Thank you for your comment. Yes, if you have NAT configured on the router, then you need to put a 'no NAT' statement for the VPN traffic, that means if there is VPN traffic then do not NAT.

      Cheers,

    2. OK, thanks, but when I connect with the VPN client the IP address always changes, for example (ip local pool VPN-POOL-1 192.168.1.1 192.168.1.20) this time 192.168.1.1, next time 192.168.1.2, so if I connect 20 times and get IP address 192.168.1.20, which IP address should I get the next time, or do I need to clear something?

    3. The IP will be re-used (the cache is cleared). In your case 20 clients can be connected at a time.

      Cheers.

  9. What is the tool you used to create these cisco network diagrams? Is it packet tracer or creately online diagramming tool ?

  10. Hi, this tutorial is great, it works really well. I have a 2801 router as VPN server and an 831 as client, but the client asks for a user and pass. What can I do to authenticate automatically?

    1. Hi, this guide can be used only when you have Cisco VPN client software on one side. In your case I would suggest the DMVPN (refer http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html).
