Friday, January 21, 2011

Cisco IOS Easy VPN

Cisco IOS Easy VPN De-mystified

At first, there seems to be nothing “easy” about configuring “Easy VPN” for IOS! But, don’t be alarmed, tenacious technician!

The critical thing to grasp is that this method requires IKE “group2” Diffie-Hellman exchange for a 1024bit modulus. Your VPN server has to have a IKE policy with this enabled.

Also, on the EZ client side, you’ll notice that the ISAKMP policies starting with priority 65515 are used from the client’s perspective. The first one specifies AES, SHA, and Group2. I recommend that you specify a matching policy on the server side first.

The server side configuration is classic remote access VPN type.

You will begin with a “crypto isakmp client configuration group ” and work your way to “crypto isakmp profile” and “crypto ipsec profile” where all the elements are tied together, so that they can be applied to the dynamic map or virtual-template.


crypto isakmp client configuration group iosvpn
key cisco50
pool iosvpnpool
acl 144
banner ^CWelcome to R6 IOS remote access VPN ^C

crypto isakmp profile iosvpn
match identity group iosvpn
client authentication list LOCO
isakmp authorization list LOCO
client configuration address respond
virtual-template 20

crypto ipsec transform-set ccie esp-3des esp-sha-hmac

crypto ipsec profile iosvpn
set transform-set ccie
set reverse-route tag 23501
set isakmp-profile iosvpn

aaa new-model
aaa authentication login LOCO local
aaa authorization network LOCO local

ip local pool iosvpnpool

No comments:

Post a Comment