Wednesday, August 12, 2009

Easy VPN Configuration – Paradox

I have always wondered what was easy about EzVPN. I got my hands dirty with it and found out that Easy VPN doesn't live up to its name (from the network engineer's perspective). It's pretty easy from the end user's perspective.

The Cisco Easy VPN solution involves two parties: the Easy VPN Server and the Easy VPN Remote.
The Easy VPN Server holds all the configuration and pushes the VPN settings to the client.
The Easy VPN Remote can be a Cisco device (router, PIX/ASA firewall) or a PC with the Cisco VPN Client installed.
There are many parts to the EzVPN configuration. I do not intend to make this post unnecessarily long and boring, so I will try to keep things simple.

Base configuration:
!VPN Server
interface Serial0/0
ip address
ip ospf 1 area 0
interface Loopback0
ip address
interface Loopback2
ip address
!VPN Remote
interface FastEthernet0/0
ip address
interface Serial0/0
ip address
ip ospf 1 area 0

Easy VPN Server Configuration
-Create a local pool
ip local pool EZVPNPOOL
-Configure AAA
aaa new-model
aaa authorization network VPNGRP local
-Create the access list for split tunneling (without split tunneling, all traffic is sent to the server and the clients lose access to the Internet; in the case of VPN clients, access to the LAN is lost)
ip access-list extended SPL
permit ip any
-Create the client configuration on the server. The group name and key must match on the client side; the pool and the split-tunnel ACL are referenced here so that they are pushed to the client
crypto isakmp client configuration group EZVPNGRP
key s3cr3t
pool EZVPNPOOL
acl SPL
-Create the ISAKMP policy
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
Note: Only Diffie-Hellman group 2 is supported in the EzVPN configuration.
-Create the transform set and the dynamic crypto map
!the transform set is referenced by the dynamic map; esp-3des/esp-md5-hmac is assumed here to match the ISAKMP policy
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map EZVPNDYN 10
set transform-set TRANSFORM
reverse-route
!reverse route is set so that the server can learn of client networks automatically
-Create the 'real' crypto map and attach the dynamic crypto map
crypto map EZVPNMAP isakmp authorization list VPNGRP
crypto map EZVPNMAP client configuration address respond
crypto map EZVPNMAP 65535 ipsec-isakmp dynamic EZVPNDYN
-Configure Xauth to authenticate the clients and bind the authentication list to the crypto map
aaa authentication login EZVPN local
username amplebrain password 0 cisco
crypto map EZVPNMAP client authentication list EZVPN
crypto isakmp client configuration group EZVPNGRP
save-password
!the save-password attribute allows the client to store its Xauth credentials so it is not prompted for them each time the tunnel is established
-Apply the configuration to the interface
interface Serial0/0
crypto map EZVPNMAP
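The server side is a chain of cross-references (pool referenced by the group, transform set referenced by the dynamic map, AAA lists referenced by the crypto map, crypto map bound to an interface), and a single missing link fails silently until a client connects. The checker below is an added example, not code from the post or from Cisco: it parses an IOS-style configuration text and reports dangling references, then flags the settings the post uses (3DES, MD5, DH group 2, a type 0 password) as weak by current standards. The sample configuration and its addresses are constructed to mirror the post's listing and deliberately leave two references out.

```python
# Added example, not code from the original post: a cross-reference checker
# for an Easy VPN server configuration.  The sample config is constructed.
import re

# Constructed sample modelled on the post's server listing.  Two references
# are deliberately left dangling: 'pool' in the group and the transform-set
# definition; 'client authentication list' on the crypto map is also absent.
SAMPLE_CONFIG = """\
aaa authorization network VPNGRP local
aaa authentication login EZVPN local
username amplebrain password 0 cisco
ip local pool EZVPNPOOL 10.1.1.1 10.1.1.254
ip access-list extended SPL
 permit ip 192.168.10.0 0.0.0.255 any
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group EZVPNGRP
 key s3cr3t
 acl SPL
crypto dynamic-map EZVPNDYN 10
 set transform-set TRANSFORM
 reverse-route
crypto map EZVPNMAP isakmp authorization list VPNGRP
crypto map EZVPNMAP client configuration address respond
crypto map EZVPNMAP 65535 ipsec-isakmp dynamic EZVPNDYN
interface Serial0/0
 crypto map EZVPNMAP
"""


def parse_sections(config):
    """Return (top-level lines, {header: [indented sub-lines]}); '!' comments are skipped."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
            top.append(current)
    return top, sections


def check_ezvpn_server(config):
    """Return findings: dangling cross-references, then settings weak by current standards."""
    top, sections = parse_sections(config)
    out = []
    has_top = lambda prefix: any(l.startswith(prefix) for l in top)

    for header, body in sections.items():
        # Group attributes pushed to the client: the pool must be referenced and exist.
        if m := re.match(r"crypto isakmp client configuration group (\S+)$", header):
            attrs = dict(l.split(None, 1) for l in body if " " in l)
            if "pool" not in attrs:
                out.append(f"group {m[1]}: no 'pool' attribute, client-mode remotes get no address")
            elif not has_top(f"ip local pool {attrs['pool']} "):
                out.append(f"group {m[1]}: pool {attrs['pool']} is not defined")
        # Dynamic map: the transform set must exist; reverse-route is what feeds RRI.
        elif m := re.match(r"crypto dynamic-map (\S+) \d+$", header):
            for name in [n for l in body if l.startswith("set transform-set ") for n in l.split()[2:]]:
                if not has_top(f"crypto ipsec transform-set {name} "):
                    out.append(f"dynamic-map {m[1]}: transform-set {name} is not defined")
            if "reverse-route" not in body:
                out.append(f"dynamic-map {m[1]}: no reverse-route, server will not learn remote networks")
        # ISAKMP policy settings the post uses that are weak by current standards.
        elif header.startswith("crypto isakmp policy "):
            for l in body:
                if l in ("encr des", "encr 3des", "hash md5") or re.fullmatch(r"group [12]", l):
                    out.append(f"{header}: '{l}' is a weak setting")

    # Crypto map: authorization list (group push), Xauth list, interface binding.
    maps = {}
    for l in top:
        if m := re.match(r"crypto map (\S+) (.+)$", l):
            maps.setdefault(m[1], []).append(m[2])
    for cmap, rest in maps.items():
        joined = "\n".join(rest)
        for label, pattern, prefix, effect in (
            ("authorization", r"isakmp authorization list (\S+)", "aaa authorization network ", "group attributes are never pushed"),
            ("authentication", r"client authentication list (\S+)", "aaa authentication login ", "Xauth is never performed"),
        ):
            m = re.search(pattern, joined)
            if not m:
                out.append(f"crypto map {cmap}: no {label} list, {effect}")
            elif not has_top(prefix + m[1] + " "):
                out.append(f"crypto map {cmap}: {label} list {m[1]} is not defined")
        if not any(h.startswith("interface ") and f"crypto map {cmap}" in b for h, b in sections.items()):
            out.append(f"crypto map {cmap}: not applied to any interface")

    for l in top:
        if re.match(r"username \S+ password 0 ", l):
            out.append(f"{' '.join(l.split()[:2])}: cleartext (type 0) password")
    return out
```

Run `check_ezvpn_server(SAMPLE_CONFIG)` and the three dangling references come back alongside the weak-setting notes; add the `pool`, the transform set and the `client authentication list` line and only the weak-setting notes remain.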
THE EASY VPN REMOTE: The Easy VPN Remote can operate in three modes:
1. Client: an address is assigned to the router (from the local pool configured on the server) on an available loopback interface, and the inside network is automatically translated to that address using PAT.
2. Network-Extension: the inside network is considered an extension of the VPN Server's network. No address is allocated from the pool.
3. Network-Extension-Plus: the inside network is still considered an extension of the VPN Server's network, and an address is also allocated from the pool to a loopback interface of the router for testing connectivity. Only the inside network and that loopback interface can reach the VPN network.

The configuration:

crypto ipsec client ezvpn EZVPN
connect auto
group EZVPNGRP key s3cr3t
mode network-plus
username amplebrain password cisco
xauth userid mode local
interface FastEthernet0/0
crypto ipsec client ezvpn EZVPN inside
interface Serial0/0
crypto ipsec client ezvpn EZVPN

The xauth userid mode local command tells the router to use the locally configured username and password for extended authentication.


VPNCLIENT#sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 YES manual up up
Serial0/0 YES NVRAM up up
NVI0 unassigned NO unset up up
Loopback0 YES manual up up
Notice that Loopback0 has been added, with an IP address from the local pool.

On the Server,
VPNSERVER(config)#do sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set is subnetted, 2 subnets
C is directly connected, Serial0/0
O [110/128] via, 01:39:56, Serial0/0 is subnetted, 1 subnets
S [1/0] via is variably subnetted, 2 subnets, 2 masks
C is directly connected, Loopback0
S [1/0] via
C is directly connected, Loopback2
The static (S) routes are a result of RRI (reverse route injection). You have to redistribute static if you are running a routing protocol on the inside of the VPN server.
Back on the Remote Router,
VPNCLIENT#ping
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)
The packets are lost in the cloud: sourced from the Serial0/0 address, they do not match the tunnel's interesting traffic, since only the inside network and the loopback can reach the VPN network.
VPNCLIENT#ping so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of
Success rate is 100 percent (5/5), round-trip min/avg/max = 264/342/480 ms
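The two pings above, the three remote modes and the RRI routes on the server are all consequences of one decision: which source/destination pairs the remote treats as tunnel traffic once the server has pushed the split-tunnel ACL. The model below is an added example, not code from the post or from Cisco. It parses a split ACL in the post's `permit ip <network> <wildcard> any` form, applies the mode rules the post describes (client mode PATs the LAN to the pool address, network-extension tunnels the LAN itself, network-plus does both), and derives the routes reverse route injection gives the server. The ACL, networks and addresses are constructed.

```python
# Added example, not code from the original post: models the remote router's
# decision of which packets enter the Easy VPN tunnel once the server has
# pushed the split-tunnel ACL, for the three modes the post describes.  All
# addresses and the ACL are constructed.
import ipaddress

# Constructed split-tunnel ACL in the post's form: source = server-side
# network to protect, destination = any.  The remote mirrors it, so these
# sources become the destinations it must tunnel to.
SPLIT_ACL = """\
ip access-list extended SPL
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip host 10.0.0.1 any
"""


def parse_split_acl(acl_text):
    """Return the server-side networks a 'permit ip <src> <wildcard> any' ACL protects."""
    nets = []
    for line in acl_text.splitlines():
        p = line.split()
        if len(p) < 4 or p[:2] != ["permit", "ip"]:
            continue
        if p[2] == "host":
            nets.append(ipaddress.ip_network(p[3]))
        elif p[2] != "any":
            # an IOS wildcard mask is the bitwise inverse of the subnet mask
            mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(p[3])))
            nets.append(ipaddress.ip_network(f"{p[2]}/{mask}", strict=False))
    return nets


class EzvpnRemote:
    """Forwarding decision of an Easy VPN Remote in client, network-extension
    or network-plus mode (names follow the post's 'mode' keyword)."""

    def __init__(self, mode, inside_net, outside_ip, pool_ip=None):
        self.mode = mode
        self.inside = ipaddress.ip_network(inside_net)    # LAN behind the 'inside' interface
        self.outside = ipaddress.ip_address(outside_ip)   # Serial0/0 address
        self.pool_ip = ipaddress.ip_address(pool_ip) if pool_ip else None  # loopback from the pool
        self.protected = []                               # filled in when the server pushes the ACL

    def receive_attributes(self, split_acl_text):
        """Group attributes pushed by the server; here only the split-tunnel ACL."""
        self.protected = parse_split_acl(split_acl_text)

    def decide(self, src, dst):
        """Return ('tunnel' | 'clear', source address as the packet leaves the router)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(dst in net for net in self.protected):
            return "clear", str(src)          # split tunnelling: Internet traffic stays local
        if src in self.inside:
            # client mode PATs the LAN to the pool address; the other modes keep the LAN source
            return "tunnel", str(self.pool_ip if self.mode == "client" else src)
        if self.pool_ip is not None and src == self.pool_ip:
            return "tunnel", str(src)         # 'ping source lo0' in the post
        # anything else, such as a packet sourced from Serial0/0, never matches the
        # tunnel's interesting traffic and is sent unencrypted into the cloud
        return "clear", str(src)

    def rri_routes(self):
        """Routes the server installs via reverse route injection for this remote."""
        routes = []
        if self.mode != "client":              # LAN is reachable only in the extension modes
            routes.append(self.inside)
        if self.pool_ip is not None:           # client and network-plus get a host route
            routes.append(ipaddress.ip_network(f"{self.pool_ip}/32"))
        return routes
```

With a network-plus remote, `decide` sourced from the outside address returns `clear` (the post's first, failed ping) while the same destination sourced from the loopback returns `tunnel`, and `rri_routes` yields the two static routes the server's routing table shows.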

On the Inside Host,

To test Split Tunnelling,
Now, it's all up and running.
I will post more VPN stuff later.


  1. Always read about EasyVPN and I know it's not one of my strong points... this is really insightful, especially the part on split tunneling.

  2. Nice job, but I would like to see the configuration with the Cisco VPN Client Windows software too.

  3. Good to know about this pd proxy VPN service. I am searching for good tech reviews on expressvpn as I am planning to get registered with them. I heard that they are providing great services and want to confirm before signing up with them.