It’s been a long and hopefully awesome series on the Cisco Configuration Professional tool. We are finally at the end with this last lab on Easy VPN Server. We were meant to complete this CCP series with full tunnel SSL VPN but due to some issues I had getting it set up on GNS3 (probably a version/OS issue), we will be looking at the next best thing (or the main best thing?) which is using the Cisco VPN client for remote VPN access.
Our network diagram is shown below:
The configuration tasks for Lab #11 are as follows:
- * Configure RTR2 as an Easy VPN server. Create a dynamic VTI using the Lo1 interface. Use the local database for group policy and user authentication. Use the default CCP IKE policy and Transform set.
- * The Easy VPN group name should be “IntenseSchoolEzVPN” with a pre-shared key of “ezvpn.” Create a local IP pool with start IP 192.168.140.1 and end IP 192.168.140.20.
- * Create a username of easyvpn with a password of easyvpn to access the configured SSL VPN service.
- * Test the Easy VPN server using a Cisco VPN client on your test PC (“Remote-access user”). You should be able to open a web page to http://184.108.40.206/.
Before the use of SSL VPN became prevalent, we used Cisco Easy VPN for remote access VPN connections. This required that users have the Cisco VPN client installed on their system and the group policies already configured for a connection to be made which is the edge that SSL VPN has over Easy VPN because users do not need to have a VPN client already installed. However, we still find organisations using the Easy VPN solution and that is the solution we will be configuring in this lab.
As usual, CCP offers us wizards to configure or edit Easy VPN. To begin with our first task, I will select RTR2 as the community member to configure and then navigate to Configure > Security > VPN > Easy VPN Server.
Note: AAA is a prerequisite to configuring the Easy VPN server so if AAA is not enabled on your router, you must first enable it. If it is not enabled, CCP will prompt you to first enable it.
I will click the Launch Easy VPN Server Wizard which brings up the Easy VPN Server Wizard start screen as shown below:
On the next screen, we can create a Virtual Template Interface (VTI). Using VTIs allows us to configure more options such as QoS for our VPN tunnels. You can read more about IPsec VTIs here.
The first option – “Unnumbered to New Loopback Interface” – will create a static VTI which is useful for site-to-site connectivity. In our case; however, we want to create a dynamic VTI for remote-access connectivity so I will select the second option and choose Loopback1 as required by our task. We will also leave the default selection – Pre-shared Keys – for authentication.
On the next two screens, we need to specify IKE proposals and transform sets. Luckily for us the task in this lab asks us to use the default CCP policies so we can just click Next and move on.
Easy VPN allows us to create VPN groups so that the same policy can be applied to clients in that group. These VPN groups can be stored locally on the router or on an external AAA server. In our case, the VPN groups will be created and stored locally on the router so I will leave the default Local option selected.
On the next screen, we need to specify whether to enable XAuth (User Authentication). Imagine a case where a staff’s laptop is stolen; without XAuth, the thief only has to start the VPN client and connect to the Easy VPN server without providing any user authentication. Therefore, XAuth is an added security measure. We are to use the local database for user authentication as specified by the task.
We are required to add a user “easyvpn” to the local database so I will click the Add User Credentials button. Note that we could also have added this user outside the Easy VPN Server wizard.
Because we specified that the local database on the router should be used for storing VPN groups, we are now provided with a screen to add a group policy as shown below:
At the minimum, we need to specify a group name, pre-shared key for the group and the IP pool from which users connecting to the VPN client will be assigned IP addresses.
Notice on the screen below that the group we configured has been added to the list. We can create more than one group by clicking on the Add button.
In some firewall configurations, ESP or IKE may be blocked and it may be necessary for VPN clients to initiate connections through other ports. This is where the Cisco Tunnelling Control Protocol comes in handy and we can specify what ports the Easy VPN server should listen on. We will leave that option unchecked in this lab as it is not required.
This brings us to the summary screen and if we have any changes, we can click the Back button to make them.
The configuration to be sent to the router is as follows:
aaa authentication login ciscocp_vpn_xauth_ml_2 local aaa authorization network ciscocp_vpn_group_ml_1 local ip local pool SDM_POOL_1 192.168.140.1 192.168.140.20 crypto ipsec transform-set ESP-3DES-SHA esp-sha-hmac esp-3des mode tunnel exit crypto isakmp profile ciscocp-ike-profile-1 isakmp authorization list ciscocp_vpn_group_ml_1 client authentication list ciscocp_vpn_xauth_ml_2 match identity group IntenseSchoolEzVPN client configuration address respond exit crypto ipsec profile CiscoCP_Profile1 set transform-set ESP-3DES-SHA set isakmp-profile ciscocp-ike-profile-1 exit interface Virtual-Template1 type tunnel exit default interface Virtual-Template1 interface Virtual-Template1 type tunnel no shutdown ip unnumbered Loopback1 tunnel protection ipsec profile CiscoCP_Profile1 tunnel mode ipsec ipv4 exit crypto isakmp client configuration group IntenseSchoolEzVPN key 0 ***** pool SDM_POOL_1 netmask 255.255.255.0 exit crypto isakmp policy 1 authentication pre-share encr 3des hash sha group 2 lifetime 86400 exit crypto isakmp profile ciscocp-ike-profile-1 virtual-template 1 exit ! IP address / user account command username easyvpn privilege 1 secret 0 *******
To test, I will configure the IntenseSchoolEzVPN group on my Cisco VPN client as shown below. You can specify any of RTR2’s interface IP address in the Host field (as long as there is no access rule filtering traffic to that IP address).
I will save my settings and attempt to establish the VPN tunnel which brings up the user authentication dialog box as shown below. I will enter the easyvpn user I created.
After successful authentication, I am now connected to the VPN tunnel and I can view the Statistics to see information about the tunnel including encrypted and decrypted packets.
Notice from the route details that all traffic is currently going through the tunnel. Split tunnelling can be used to specify that only certain traffic should be encrypted.
I will open a web browser to http://220.127.116.11/ which is the web server running on RTR1. From our previous SSL VPN labs, this connection should be permitted but as you can see below, I can’t access that webpage.
The reason is because RTR1 sees a web request from 192.168.140.2 (the assigned IP address of the test PC from our VPN pool) but it does not have a route to that IP address; the only device that has a route to that IP address is RTR2.
Notice that RTR2 has installed a static route for that VPN client through the VTI we created. Every client that connects will be given an IP address from our VPN pool and that IP address will be installed as a static route through the VTI. So, we can advertise that VPN network through our dynamic routing protocol by redistributing static routes on RTR2.
Now, RTR1 will know about the IP address and then our HTTP connection will go through:
This brings us to the end of Lab #11 and indeed the entire series on CCP. In this article, we have configured Easy VPN server on RTR2 and tested our configuration by establishing a VPN tunnel from a Cisco VPN client. We were able to open an HTTP connection to RTR1’s loopback after redistributing the static routes (assigned IP address of VPN client from the pool) into EIGRP.
It’s been a wonderful journey through Cisco Configuration Professional and even though many Cisco engineers may not necessarily like GUI, CCP can help us learn the commands required to accomplish specific tasks. I hope you have found this article and the entire series helpful.
IPSec Virtual Tunnel Interface: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1027265