Monday, May 17, 2010

Easy VPN- IOS to IOS client mode

In this minilab we will set up Easy VPN in client mode using IOS routers as both server and client. This will serve as a base for other Easy VPN labs. In this scenario we will use client mode with split tunneling, and we will let the client router authenticate on its own in the xauth phase ("save-password") to make things easy to test.
Here's our topology:
R0's f0/0 connects to R1's f0/0, both connect to their internal networks via their f1/0 interface

And here's the breakdown of the necessary tasks:
  1. Server side configuration:
    1. AAA and users
    2. ISAKMP policy and IPsec transform-set
    3. IP address pool
    4. ACL for split tunneling
    5. Client group configuration
    6. Dynamic crypto map
    7. Ezvpn crypto map
    8. Apply crypto map to interface
  2. Client side configuration:
    1. IPsec client configuration
    2. Assign interfaces as inside and outside
Server config
1-AAA and users
R0#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R0(config)#aaa new-model
R0(config)#aaa authentication login aaa_auth local
R0(config)#aaa authorization network aaa_author local
R0(config)#username cisco password cisco


2-ISAKMP policy and IPsec transform-set 
R0(config)#crypto isakmp policy 10
R0(config-isakmp)#authentication pre-share
R0(config-isakmp)#encryption aes
R0(config-isakmp)#group 2
R0(config-isakmp)#hash md5

R0(config-isakmp)#exit
R0(config)#crypto ipsec transform-set tset esp-aes esp-sha-hmac
R0(cfg-crypto-trans)#exit


Note: The ISAKMP policy must use Diffie-Hellman group 2!

3- IP address pool
R0(config)#ip local pool ezpool 4.4.4.1 4.4.4.10

4-ACL for split tunneling
R0(config)#access-list 199 permit ip 2.2.2.0 0.0.0.255 any

5-Client group configuration
R0(config)#crypto isakmp client configuration group MYGROUP 
R0(config-isakmp-group)#pool ezpool
R0(config-isakmp-group)#acl 199
R0(config-isakmp-group)#key cisco
R0(config-isakmp-group)#save-password


6-Dynamic crypto map
R0(config)#crypto dynamic-map DYNMAP 1
R0(config-crypto-map)#set transform-set tset


7-Ezvpn crypto map
R0(config)#crypto map ez_map client configuration address respond
R0(config)#crypto map ez_map isakmp authorization list aaa_author
R0(config)#crypto map ez_map client authentication list aaa_auth
R0(config)#crypto map ez_map 1 ipsec-isakmp dynamic DYNMAP


8-Apply crypto map to interface
R0(config)#int f0/0
R0(config-if)#crypto map ez_map
R0(config-if)#
*Mar  1 00:44:58.403: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


As soon as you apply the crypto map you should see ISAKMP turning on (assuming you didn't have it on before). Now that the hard part is done let's move on to the client configuration.
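As an added example (not from the original post), here is a small Python checker that reads the server-side commands above as running-config text and verifies what this lab depends on: every ISAKMP policy offers DH group 2, and the AAA lists, address pool and split-tunnel ACL referenced by the crypto map and client group are actually defined. The config text is a constructed rendering of the commands above, and the regex patterns and finding messages are my own.

```python
import re
# Constructed sample, not captured from the lab router: the server-side commands on this
# page rendered as running-config text (prompts stripped, sub-commands indented one space).
SERVER_CONFIG = """\
aaa authentication login aaa_auth local
aaa authorization network aaa_author local
crypto isakmp policy 10
 group 2
ip local pool ezpool 4.4.4.1 4.4.4.10
access-list 199 permit ip 2.2.2.0 0.0.0.255 any
crypto isakmp client configuration group MYGROUP
 pool ezpool
 acl 199
crypto map ez_map isakmp authorization list aaa_author
crypto map ez_map client authentication list aaa_auth
"""

# Each reference the Easy VPN server config makes, and the prefix of the line that defines it
REFS = [
    (r"crypto map \S+ isakmp authorization list (\S+)", "aaa authorization network {} "),
    (r"crypto map \S+ client authentication list (\S+)", "aaa authentication login {} "),
    (r"pool (\S+)", "ip local pool {} "),   # inside the client configuration group
    (r"acl (\S+)", "access-list {} "),      # split-tunnel ACL inside the group
]

def parse_blocks(config):
    blocks, parent = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and parent is not None:
            blocks[parent].append(line.strip())   # indented line belongs to the last parent
        elif line.strip():
            parent = line.strip()
            blocks[parent] = []
    return blocks

def check_ezvpn_server(config):
    """Return findings; an empty list means DH group 2 is set and every reference resolves."""
    blocks = parse_blocks(config)
    findings = []
    for cmd, subs in blocks.items():
        # The lab note: the ISAKMP policy must use DH group 2 or Easy VPN clients will not match it
        if cmd.startswith("crypto isakmp policy") and "group 2" not in subs:
            findings.append(f"{cmd}: no 'group 2'")
        # Method lists, address pool and split-tunnel ACL must point at defined objects
        for line in [cmd] + subs:
            for pattern, target in REFS:
                m = re.fullmatch(pattern, line)
                if m and not any(c.startswith(target.format(m.group(1))) for c in blocks):
                    findings.append(f"{line}: '{m.group(1)}' is not defined")
    return findings
```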

Client config
1-IPsec client configuration
R1(config)#crypto ipsec client ezvpn remote_ez
R1(config-crypto-ezvpn)#group MYGROUP key cisco
R1(config-crypto-ezvpn)#peer 192.168.1.200
R1(config-crypto-ezvpn)#mode client
R1(config-crypto-ezvpn)#exit


2-Assign interfaces as inside and outside
R1(config)#int f0/0
R1(config-if)#crypto ipsec client ezvpn remote_ez outside
R1(config-if)#exit
R1(config)#int f1/0
R1(config-if)#crypto ipsec client ezvpn remote_ez inside
*Mar  1 00:46:55.919: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON


And soon enough you should get a message like this: 


*Mar  1 00:49:59.723: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 192.168.1.200:500       Id: 192.168.1.200

To check if everything is ok:
R1#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 2

Tunnel name : remote_ez
Inside interface list: FastEthernet1/0,
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 4.4.4.1
Mask: 255.255.255.255
Split Tunnel List: 1
       Address    : 2.2.2.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0



Looking good so far. Now, to check that split tunneling is working, ping from R3 to R2 and then to R0's outside interface; if all is well the first ping should be encrypted and the second should pass in cleartext:

R3#ping 2.2.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/44/120 ms
R3#ping 192.168.1.200

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/40/68 ms
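Added example (not from the original post): a Python parser for the show output above that extracts the tunnel state and the split-tunnel networks, then predicts for a destination whether traffic goes through the tunnel or in cleartext, which is what the two pings test. It generalizes to any number of split-tunnel entries and to the case where no split list is pushed (everything tunneled); the show text is a constructed copy of the output above, and parse_ezvpn_status and classify are my own names.

```python
import ipaddress
import re

# Constructed copy of the "show crypto ipsec client ezvpn" output on this page, not a live
# capture; only Current State, Address and the Split Tunnel List entries are parsed.
SHOW_EZVPN = """\
Easy VPN Remote Phase: 2

Tunnel name : remote_ez
Inside interface list: FastEthernet1/0,
Outside interface: FastEthernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 4.4.4.1
Mask: 255.255.255.255
Split Tunnel List: 1
       Address    : 2.2.2.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
"""

def parse_ezvpn_status(text):
    """Return (state, assigned address, [split-tunnel networks] or None) from the show output."""
    state = re.search(r"Current State:\s*(\S+)", text).group(1)
    assigned = re.search(r"^Address:\s*(\S+)", text, re.M).group(1)
    # Only the Address/Mask pairs after "Split Tunnel List:" are protected networks; the pair
    # above it is the client's own pushed address, so everything before the list is cut away
    head, _, tail = text.partition("Split Tunnel List:")
    if not tail:            # no split-tunnel list pushed: all traffic goes through the tunnel
        return state, assigned, None
    pairs = re.findall(r"Address\s*:\s*(\S+)\s+Mask\s*:\s*(\S+)", tail)
    nets = [ipaddress.ip_network(f"{a}/{m}") for a, m in pairs]
    if len(nets) != int(tail.split(None, 1)[0]):
        raise ValueError("split-tunnel entry count does not match the parsed entries")
    return state, assigned, nets

def classify(dest, show_text=SHOW_EZVPN):
    """Predict how the client router forwards traffic to dest: 'tunnel', 'cleartext' or 'down'."""
    state, _, nets = parse_ezvpn_status(show_text)
    if state != "IPSEC_ACTIVE":
        return "down"
    ip = ipaddress.ip_address(dest)
    return "tunnel" if nets is None or any(ip in n for n in nets) else "cleartext"
```

In this lab classify("2.2.2.2") reports the tunnel and classify("192.168.1.200") reports cleartext, matching the two pings.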


Looking at a capture taken between R0 and R1:

Everything is working as expected :-)
