Cisco: Cisco EzVPN(Remote Access VPN)

EzVPN, IPsec, VPN, Cisco, Networking, Secuirty, Encryption

Topology:

Preparation

Project name: ccna-vpn-0001-ezvpn

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#cry
R1(config)#crypto isakm
R1(config)#crypto isakmp pro
R1(config)#crypto isakmp profile V-profile
% A profile is deemed incomplete until it has match identity statements
R1(conf-isa-prof)#cli
R1(conf-isa-prof)#client confi
R1(conf-isa-prof)#client configuration add
R1(conf-isa-prof)#client configuration address ?
  initiate  Push the network address to the client
  respond   Respond to network address requests from the client

R1(conf-isa-prof)#client configuration address res
R1(conf-isa-prof)#clie                                 
R1(conf-isa-prof)#client confi
R1(conf-isa-prof)#client configuration add
R1(conf-isa-prof)#client configuration address re
R1(conf-isa-prof)#client configuration address respond 
R1(conf-isa-prof)#clie
R1(conf-isa-prof)#client confi
R1(conf-isa-prof)#client configuration ad
R1(conf-isa-prof)#client configuration address initi
R1(conf-isa-prof)#client configuration address initiate 
R1(conf-isa-prof)#do sh run | sec crypto isakmp profile
crypto isakmp profile V-profile
R1(conf-isa-prof)#do sh run all | sec crypto isakmp profile
crypto isakmp profile V-profile
R1(conf-isa-prof)#do sh run all | begin crypto isakmp profile
crypto isakmp profile V-profile
! This profile is incomplete (no match identity statement)
   description 
   vrf 
   client authentication list 
   client pki authorization list 
   isakmp authorization list 
   client authentication username 
   client authentication password 
   client configuration address-pool local 
   client pki authorization list 
   client configuration address initiate
   client configuration address respond
   client configuration group 
   accounting 
   initiate mode aggressive
   virtual-template 0
crypto isakmp diagnose error 50
crypto ipsec optional retry 300
!
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association lifetime seconds 3600
no crypto ipsec security-association replay disable
          
R1(conf-isa-prof)#do sh run | begin crypto isakmp profile    
crypto isakmp profile V-profile
! This profile is incomplete (no match identity statement)
   client configuration address initiate
   client configuration address respond
!
!
crypto ipsec transform-set TS-IPSEC1 esp-3des esp-md5-hmac 
 mode transport
!
crypto ipsec profile PRO-DMVPN1
 set transform-set TS-IPSEC1 
!
!
!
!
!
!
!
interface Loopback0
 ip address 100.0.0.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
          
R1(conf-isa-prof)#

XAUTH

IKE Phase1 → XAUTH (4-way) → mode-config (2way) → IKE Phase2

Topology: EZVPN Server

IKE Agressive mode

configure terminal
!
hostname R1
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit

configure terminal
!
hostname R2
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit

R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#aaa new
R2(config)#aaa new-model 
R2(config)#aaa
R2(config)#aaa auth
R2(config)#aaa authe
R2(config)#aaa authentication lo
R2(config)#aaa authentication login VPNAUTHE ?
  cache          Use Cached-group
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V
                 Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

R2(config)#aaa authentication login VPNAUTHE loca
R2(config)#aaa authentication login VPNAUTHE local
R2(config)#aaa author
R2(config)#aaa authorization netw
R2(config)#aaa authorization ?       
  auth-proxy           For Authentication Proxy Services
  cache                For AAA cache configuration
  commands             For exec (shell) commands.
  config-commands      For configuration mode commands.
  configuration        For downloading configurations from AAA server
  console              For enabling console authorization
  credential-download  For downloading EAP credential from Local/RADIUS/LDAP
  exec                 For starting an exec (shell).
  ipmobile             For Mobile IP services.
  multicast            For downloading Multicast configurations from an AAA
                       server
  network              For network services. (PPP, SLIP, ARAP)
  onep                 For ONEP authorization service
  policy-if            For diameter policy interface application.
  prepaid              For diameter prepaid services.
  radius-proxy         For proxying radius packets
  reverse-access       For reverse access connections
  subscriber-service   For iEdge subscriber services (VPDN etc)
  template             Enable template authorization

R2(config)#aaa authorization netwo
R2(config)#aaa authorization network VPNAUTHO local
R2(config)#userna
R2(config)#username ciscovpn password 0 cisco
R2(config)#cryp
R2(config)#crypto isak
R2(config)#crypto isakmp po
R2(config)#crypto isakmp policy 1
R2(config-isakmp)#ecn
R2(config-isakmp)#en 
R2(config-isakmp)#encryption 
R2(config-isakmp)#encryption 3de
R2(config-isakmp)#encryption 3des 
R2(config-isakmp)#ha
R2(config-isakmp)#hash md
R2(config-isakmp)#hash md5 
R2(config-isakmp)#auth
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#group 2
R2(config-isakmp)#exit
R2(config)#cryp
R2(config)#crypto isak
R2(config)#crypto isakmp cli
R2(config)#crypto isakmp client co
R2(config)#crypto isakmp client configuration gr
R2(config)#crypto isakmp client configuration group VPNCLIENT
R2(config-isakmp-group)#key
R2(config-isakmp-group)#key cisco
R2(config-isakmp-group)#dns 10.1.1.1
R2(config-isakmp-group)#win
R2(config-isakmp-group)#wins 10.1.1.2
R2(config-isakmp-group)#domai
R2(config-isakmp-group)#domain pg1x.net
R2(config-isakmp-group)#poo
R2(config-isakmp-group)#pool ezremote
R2(config-isakmp-group)#save-
R2(config-isakmp-group)#save-password ?
  <cr>

R2(config-isakmp-group)#save-password 
R2(config-isakmp-group)#exit
R2(config)#ip loca
R2(config)#ip local p
R2(config)#ip local poo
R2(config)#ip local pool ezre
R2(config)#ip local pool ezremo
R2(config)#ip local pool ezremote 192.168.1.100 192.168.1.150
R2(config)#cryp
R2(config)#crypto isak
R2(config)#crypto isakmp pr
R2(config)#crypto isakmp profile VPN-PROFILE
% A profile is deemed incomplete until it has match identity statements
R2(conf-isa-prof)#mat
R2(conf-isa-prof)#match iden
R2(conf-isa-prof)#match identity gr
R2(conf-isa-prof)#match identity group VPNCLIENT
R2(conf-isa-prof)#clie
R2(conf-isa-prof)#client auth
R2(conf-isa-prof)#client authentication lis
R2(conf-isa-prof)#client authentication list VPNAUTHE
R2(conf-isa-prof)#isakm
R2(conf-isa-prof)#isakmp author
R2(conf-isa-prof)#isakmp authorization li
R2(conf-isa-prof)#isakmp authorization list VPNAUTHO
R2(conf-isa-prof)#clie
R2(conf-isa-prof)#client config
R2(conf-isa-prof)#client configuration add
R2(conf-isa-prof)#client configuration address re
R2(conf-isa-prof)#client configuration address respond 
R2(conf-isa-prof)#exit
R2(config)#cryp
R2(config)#crypto ipse
R2(config)#crypto ipsec tran
R2(config)#crypto ipsec transform-set REMO-IPSEC esp-3d
R2(config)#crypto ipsec transform-set REMO-IPSEC esp-3des esp-md
R2(config)#crypto ipsec transform-set REMO-IPSEC esp-3des esp-md5-hmac 
R2(cfg-crypto-trans)#mo
R2(cfg-crypto-trans)#mode tu
R2(cfg-crypto-trans)#mode tunnel 
R2(cfg-crypto-trans)#exit
R2(config)#cry
R2(config)#crypto dyn
R2(config)#crypto dynamic-map REMO ?
  <1-65535>  Sequence to insert into dynamic-map entry

R2(config)#crypto dynamic-map REMO 1
R2(config-crypto-map)#set tra
R2(config-crypto-map)#set transform-set REMO-IPSEC
R2(config-crypto-map)#set isakm
R2(config-crypto-map)#set isakmp-profile VPN-PROFILE
R2(config-crypto-map)#crypto
R2(config-crypto-map)#exit  
R2(config)#cry
R2(config)#crypto ma
R2(config)#crypto map EZVPN 1 ipse
R2(config)#crypto map EZVPN 1 ipsec-?
ipsec-isakmp  ipsec-manual  

R2(config)#crypto map EZVPN 1 ipsec-isak
R2(config)#crypto map EZVPN 1 ipsec-isakmp dy
R2(config)#crypto map EZVPN 1 ipsec-isakmp dynamic REMO
R2(config)#inter
R2(config)#interface Giga
R2(config)#interface GigabitEthernet 0/1
R2(config-if)#cry
R2(config-if)#crypto ma
R2(config-if)#crypto map EZVPN
R2(config-if)#
*May  1 03:13:18.094: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#

R2(config)#username ciscovpn password cisco
R2(config)#cry
R2(config)#crypto ipse
R2(config)#cry          
R2(config)#crypto isak
R2(config)#crypto isakmp kee
R2(config)#crypto isakmp keepalive 30
R2(config)#crypto isakmp keepalive 30 peri
R2(config)#crypto isakmp keepalive 30 periodic 
R2(config)#ip acce
R2(config)#ip access-list exten
R2(config)#ip access-list extended A-security
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit esp an
R2(config-ext-nacl)#permit esp any hos
R2(config-ext-nacl)#permit esp any host 100.1.1.1
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit udp an
R2(config-ext-nacl)#permit udp any hos
R2(config-ext-nacl)#permit udp any host 100.1.1.1 eq isak
R2(config-ext-nacl)#permit udp any host 100.1.1.1 eq isakmp 
R2(config-ext-nacl)#exit
R2(config)#int gig0/1
R2(config-if)#ip acc
R2(config-if)#ip acce
R2(config-if)#ip access-group A-security in
R2(config-if)#exit
R2(config)#username ciscovpn1 password cisco1
R2(config)#username ciscovpn2 password cisco2
R2(config)#username ciscovpn3 password cisco3
R2(config)#username ciscovpn4 password cisco4
R2(config)#username ciscovpn5 password cisco5
R2(config)#do sh run | i usernaem
R2(config)#do sh run | i username
username ciscovpn password 0 cisco
username ciscovpn1 password 0 cisco1
username ciscovpn2 password 0 cisco2
username ciscovpn3 password 0 cisco3
username ciscovpn4 password 0 cisco4
username ciscovpn5 password 0 cisco5

Internet

Internet access from Remote w/ ACL

R2(config)#crypto isakmp client configuration group VPNCLIENT
R2(config-isakmp-group)#ac
R2(config-isakmp-group)#acl
R2(config-isakmp-group)#acl ?
  <100-199>  access-list number for split-tunneling
  WORD       Access-list name

R2(config-isakmp-group)#acl 102
R2(config-isakmp-group)#exit
R2(config)#acc
R2(config)#access-list 102 per
R2(config)#$ 102 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255       
R2(config)#

Internet access via VPN Server

CBAC Context-Based Access Control

R2(config)#ip inspe
R2(config)#ip inspect na
R2(config)#ip inspect name CBAC tcp
R2(config)#ip insp
R2(config)#ip inspect nam
R2(config)#ip inspect name CBAC udp
R2(config)#ip ins
R2(config)#ip inspect nam
R2(config)#ip inspect name CBAC ftp
R2(config)#int gig0/1
R2(config-if)#int gig0/0
R2(config-if)#ip nat inside

-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CCC6EAz 3CCC62Cz 3CCC5CBz 3A36694z 233EB23z 233E910z 2341812z 2358E3Cz - Process "Exec", CPU hog, PC 0x00153D7D

-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CE3952z 3CCC643z 3CCC5CBz 38CF640z 38C1EBCz 38C21F0z 38C9416z 38CE1D0z - Process "Exec", CPU hog, PC 0x00153D6B

-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CE3952z 3CCC643z 3CCC5CBz 38CF640z 38C1EBCz 38C21F0z 38C9416z 38CE1D0z - Process "Exec", CPU hog, PC 0x00153D6B
R2(config-if)#
*May  1 03:38:53.709: %SYS-3-CPUHOG: Task is running for (1998)msecs, more than (2000)msecs (0/0),process = Exec.
*May  1 03:38:55.468: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*May  1 03:38:57.477: %SYS-3-CPUHOG: Task is running for (2000)msecs, more than (2000)msecs (0/0),process = Exec.
*May  1 03:38:59.477: %SYS-3-CPUHOG: Task is running for (4000)msecs, more than (2000)msecs (0/0),process = Exec.
R2(config-if)#ip 
-Traceback= 1140338z 130825z 15E41Ez 15E140z 15DF4Dz 158075z 158CABz 158C3Fz 3CE389Ez 3CD0C7Ez 3CD19E8z 50D46FFz 380B77Ez 388A04Fz 388A1E2z 388A349z - Process "STILE PERIODIC TASK", CPU hog, PC 0x00153D85

*May  1 03:39:05.865: %SYS-3-CPUHOG: Task is running for (1997)msecs, more than (2000)msecs (0/0),process = STILE PERIODIC TASK.
R2(config-if)#int gig0/1
R2(config-if)#ip nat outside 
R2(config-if)#ip ins
R2(config-if)#ip inspect CBAC out
R2(config-if)#ip nat insi
R2(config-if)#ip nat inside sou
R2(config-if)#ip nat inside souli
R2(config-if)#ip nat inside sour 
R2(config-if)#exit              
R2(config)#ip nat ins
R2(config)#ip nat inside sour
R2(config)#ip nat inside source li
R2(config)#ip nat inside source list 101 inter
R2(config)#ip nat inside source list 101 interface gig0/1
R2(config)#ip nat inside source list 101 interface gig0/1 over
R2(config)#ip nat inside source list 101 interface gig0/1 overload 
R2(config)#no ip nat inside source list 101 interface gig0/1       
R2(config)#ip nat inside source list 101 interface gig0/1 overload
R2(config)#acce
R2(config)#access-list 101 de
R2(config)#$ 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255         
R2(config)#$ 101 permit 192.168.0.0 0.0.0.255 an                    
R2(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 
% Incomplete command.

R2(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 a
R2(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 any 
R2(config)#access-list 101 permit ip 192.168.1.0 0.0.0.255 any 
R2(config)#

References

PG1X WIKI

Table of Contents

Cisco: Cisco EzVPN(Remote Access VPN)

Topology:

Preparation

Topology: EZVPN Server

References

PG1X WIKI

User Tools

Site Tools

Table of Contents

Cisco: Cisco EzVPN(Remote Access VPN)

Topology:

Preparation

Topology: EZVPN Server

References

Page Tools