Cisco IOS Easy VPN

Cisco IOS Easy VPN De-mystified

At first, there seems to be nothing “easy” about configuring “Easy VPN” for IOS! But, don’t be alarmed, tenacious technician!

The critical thing to grasp is that this method requires IKE “group2” Diffie-Hellman exchange for a 1024bit modulus. Your VPN server has to have a IKE policy with this enabled.

Also, on the EZ client side, you’ll notice that the ISAKMP policies starting with priority 65515 are used from the client’s perspective. The first one specifies AES, SHA, and Group2. I recommend that you specify a matching policy on the server side first.

The server side configuration is classic remote access VPN type.

You will begin with a “crypto isakmp client configuration group ” and work your way to “crypto isakmp profile” and “crypto ipsec profile” where all the elements are tied together, so that they can be applied to the dynamic map or virtual-template.

Consider:

crypto isakmp client configuration group iosvpn
key cisco50
pool iosvpnpool
acl 144
banner ^CWelcome to R6 IOS remote access VPN ^C

crypto isakmp profile iosvpn
match identity group iosvpn
client authentication list LOCO
isakmp authorization list LOCO
client configuration address respond
virtual-template 20

crypto ipsec transform-set ccie esp-3des esp-sha-hmac

crypto ipsec profile iosvpn
set transform-set ccie
set reverse-route tag 23501
set isakmp-profile iosvpn

aaa new-model
aaa authentication login LOCO local
aaa authorization network LOCO local

ip local pool iosvpnpool 192.168.99.1 192.168.99.10

DMVPN through firewalls in virtual multi-context mode

When you have an ASA running in multi-context mode, you have to pay extra attention to the flow classifier.

Consider:

ccie-asa1/india# packet-tracer input out icmp 192.168.70.1 8 0 10.7.1.2
Result:input-interface: outinput-status: upinput-line-status: upAction: dropDrop-reason: (ifc-classify) Virtual firewall classification failed

Let's work backwards. Here, we are dealing with an external network 192.168.70.0 /24 trying t reach a internal network 10.7.1.0/24 in a "no nat-control" setup. The multi-context ASA here has multiple contexts sharing an outside interface (common in SP and hosting environments).

Here is the challenge:
When a packet arrives at the outside interface destined for a destination inside one of the contexts, how does the firewall know which one to forward to? Without unique mac-addresses, the layer 2 address does not give any clues. The firewall relies on NAT configuration to determine the context.

For example:
In the "ccie-asa1/india" context
static (inside,out) 10.7.1.1 10.7.1.1 netmask 255.255.255.255

Now, the classifier has information to act on the packet is sent to the "india" context.

This behavior is critical to grasp when it comes to configuring DMVPN through the firewall. Here, we have a need to allow IP/47 (GRE) traffic to the 10.7.1.1 address, or IP/50 (ESP) or IP/51 (AH). You can be very specific and allow just the protocol you are using. Don't forget udp/500 and if necessary, udp/4500 for IKE.

ASA - Active/Standby with IPSec

With a pair of ASA appliances, you can configure an active/standby pair with full IPSec support, including remote access VPN failover.

Proceed with configuring the active unit first. Specify the failover addresses for each interface and don't forget to include the "management-only" interface! This is crucial to allow remote access VPN connections to fail over (it took me a while to finally solve this issue, and it is not documented anywhere!)

interface GigabitEthernet 0/1
nameif inside
ip address 10.35.0.1 255.255.255.0 standby 10.35.0.2



failover lan unit primary
failover lan interface failcheck GigabitEthernet1/0
failover key *****
failover replication http
failover link failcheck GigabitEthernet1/0
failover interface ip failcheck 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover

If you wish, you can dedicate an interface to failover "link" for stateful failover purposes. It will need its own IP addressing of course.

On the backup appliance, you need only configure the failover interface(s) and addressing and enable failover.

Cisco IPS - VLAN Groups

With VLAN groups, you can assign specific policies to different sets of VLANs. Here is a practical example. Note that the "group" mode work best when used in-line between two switches.

Switch A (dot1q) <----> Gi0/0 IPS Gi0/1 <----> (dot1q) Switch B

Let's say your trunk carries vlans 600 to 609. You can configure an "interface pair" on the IPS and call it "outside_pair" for example.

Then, proceed to configure VLAN groups -> create a group, specify subinterface "1" and select VLANs 600 to 604. Next, specify subinterface "2" and specify VLANs 605 to 609.

You can apply separate policies to outside_pair.1 (to handle the first 5 VLANs) and outside_pair.2 for the last 5 VLANs.