Friday, 18 October 2013

Configuring Easy VPN Server on Cisco IOS Routers with CCP

The Cisco Easy VPN server allows a remote user to connect to the corporate network over an IPSec tunnel. Easy VPN servers can be deployed on a Cisco IOS router or an ASA appliance. To connect to the VPN server, we can use the Cisco VPN Client software installed on the user's operating system. The Easy VPN feature minimizes the configuration required at the remote location: all the configuration is kept on the VPN server, which pushes the access policies to the client when the VPN tunnel is established.
Another option for connecting to the VPN server is Easy VPN Remote, which enables Cisco routers and security appliances to establish a site-to-site VPN connection to a Cisco Easy VPN Server.

GNS3 example

You don’t need a real router to practise most of the CCNAS labs. GNS3 works fine and you can simulate ASA, IPS, ISR routers, etc.

Here, CCP_connection is a cloud simulating a loopback interface with the IP address 192.168.0.3/24.
CCP and the Cisco VPN Client are installed on my PC.

Allow CCP connection
First of all, you must configure the router to allow CCP access. The commands are:
hostname R2
!
username juantron privilege 15 password 0 juantron
!
interface FastEthernet0/0
 ip address 192.168.0.1 255.255.255.0
 no shutdown
!
ip http server
ip http secure-server
ip http authentication local
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 login local
!
line vty 0 4
 privilege level 15
 transport input telnet ssh
 login local

Prerequisites: AAA must be enabled before configuring the Easy VPN Server (the wizard asks you to configure it).

The tasks to configure are:
- Select the interface on which client connections will terminate and select the method to authenticate VPN clients (PSK, digital certificates (RSA signatures) or both).
- Configure IKE policies (IKE Phase 1): select encryption algorithms for confidentiality (DES, 3DES, AES, SEAL, RSA); select hashing algorithms for data integrity (MD5, SHA); select secure key exchange algorithms (DH group).
- Configure an IPSec transform set (IKE Phase 2).
- Select the Group Authorization method: Local, RADIUS, RADIUS and Local, or AAA. Here you can create users.
- Create a Group Policy: establish the key for PSK; create a POOL to allocate an internal IP address to each client.

Go to Configure > Security > VPN > Easy VPN Server.

Click Launch Easy VPN Server Wizard.
Note: you may see the following message:


You have to configure AAA before starting the Easy VPN Server configuration. So, click Yes:


Click Deliver to continue:


Configure the Interface for this server (Fa0/0 in my GNS3 example):


Click Next and Configure IKE proposals to delete the Cisco CP Default:


Note: group 5 was chosen for the D-H Group in this case, but the VPN Server may not support group 5.
Click OK and Next and Configure Transform Set. Click Add (when you add a transform set, Cisco CP Default transform set is deleted):


NOTE Click Show Advanced>> to see that Mode “tunnel” is selected. Remember that ESP tunnel mode is used in remote-access and Site-to-Site VPNs to fully encrypt the packets.
Click OK and Next and Configure VPN Authentication Method List:


Click Next after the method has been selected:


If you don’t have a RADIUS Server, select “Select an Existing AAA Method List” instead of “Local Only”.
Make sure the check box next to Enable User Authentication is checked. Here, you can Add User Credentials by clicking this button and then Add to create the users.


Click Next to Configure VPN Authentication Group Policy. Click Add:


Select OK and Next. The Configuration Summary window is shown:


You can check the check box “Test VPN connectivity after configuring”.
Click Finish to deliver the configuration to the router.
If you checked the box “Test VPN connectivity after configuring”, a new window is shown. Click Start:


NOTE This is the first place you should check when a VPN configuration isn't working correctly.
Finally, you can Edit Easy VPN Server:

CLI Commands to deliver to the router

aaa authorization network ciscocp_vpn_group_ml_1 local
ip local pool SDM_POOL_1 10.5.1.1 10.5.1.10
crypto ipsec transform-set ESP_AES-256_SHA esp-sha-hmac esp-aes 256
 mode tunnel
 exit
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP_AES-256_SHA
 reverse-route
 exit
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
interface FastEthernet0/0
 no crypto map
 crypto map SDM_CMAP_1
 exit
crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 client configuration address respond
crypto isakmp client configuration group Marketing
 key 0 ******
 pool SDM_POOL_1
 netmask 255.255.255.0
 exit
crypto isakmp policy 2
 authentication pre-share
 encr aes 256
 hash sha
 group 2
 lifetime 86400
 exit
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 lifetime 86400
 exit
crypto isakmp xauth timeout 15
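The two ISAKMP policies delivered above are evaluated in priority order (policy 1 before policy 2), so the 3DES policy is the one the router tries first. The following is an added example, not part of the original post or of CCP: a small Python script that parses `crypto isakmp policy` blocks from a saved IOS configuration and flags settings below an assumed baseline (DES/3DES, MD5, DH groups 1 and 2); the baseline and the sample configuration are assumptions constructed for this example.

```python
import re

# Constructed sample: the two ISAKMP policies CCP delivered in the CLI block above.
SAMPLE_CONFIG = """\
crypto isakmp policy 2
 authentication pre-share
 encr aes 256
 hash sha
 group 2
 exit
crypto isakmp policy 1
 authentication pre-share
 encr 3des
 hash sha
 group 2
 exit
crypto isakmp xauth timeout 15
"""

# Assumed audit baseline for this example (not a Cisco or IOS recommendation).
WEAK_ENCR, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5"}, {"1", "2"}

# IOS defaults applied to an isakmp policy when a parameter is not set explicitly.
DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

def parse_isakmp_policies(config):
    """Return {priority: params} for every 'crypto isakmp policy N' block.
    IOS sub-commands are indented by one space; an unindented line ends the block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^crypto isakmp policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] in DEFAULTS:          # e.g. "encr aes 256" -> encr = "aes 256"
                current[parts[0]] = " ".join(parts[1:])
        else:
            current = None                    # top-level command: policy block is over
    return policies

def audit_policies(policies):
    """List (priority, finding) for each policy below the baseline, lowest priority
    number first, because IOS tries the lowest-numbered matching policy first."""
    findings = []
    for prio, p in sorted(policies.items()):
        if p["encr"].split()[0] in WEAK_ENCR:
            findings.append((prio, f"weak encryption {p['encr']}"))
        if p["hash"] in WEAK_HASH:
            findings.append((prio, f"weak hash {p['hash']}"))
        if p["group"] in WEAK_DH:
            findings.append((prio, f"small DH group {p['group']}"))
    return findings
```

Run it against `show running-config` output saved to a file to see which policy a client negotiating with this router would land on first.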


Connecting using the client

After this, you can use Cisco VPN Client to connect to the Server.
Features of Cisco VPN Client:
- Establishes end-to-end, encrypted VPN tunnels for secure connectivity.
- Compatible with all Cisco VPN products.
- Supports the innovative Cisco Easy VPN capabilities.
In my GNS3 example (EASY_VPN_SERVER_ON_R2), I’ve created an authentication group named Marketing and a PSK key “juanma”. The IP address of the Server’s interface is 192.168.0.1.
Launch the VPN client and configure the connection to this Server. Finally, click the Connect button. The following window is shown:
In my case, the username “juantron” and password “juantron” were configured. Click OK:


That’s all. Now you can work at home with your laptop, download mail, access the server’s files, etc.

Verifying VPN connection

You have two options after the client has established a connection to the server:
- Check “Test VPN connectivity after configuring”.
- Use the monitoring feature in CCP. Click: Monitor > Security > VPN Status > Easy VPN Server


You can also disconnect the peer from here by clicking the Disconnect button.
Or you can see the IPSec tunnel:


NOTE All you have seen here has been tested on my PC and many of the screen captures have been taken from my PC. All my gratitude to GNS3 team, Cisco books and links, and other blogs that helped me understand VPN connections.
