Wednesday, August 12, 2009

Easy VPN Configuration – Paradox

I have always wondered what was easy about EzVPN. I got my hands dirty with it and found that Easy VPN doesn't live up to its name, at least from the network engineer's perspective; it's pretty easy from the end user's perspective.

The Cisco Easy VPN solution involves two parties: the Easy VPN Server and the Easy VPN Remote.
The Easy VPN Server holds all the configuration and pushes the VPN settings to the client.
The Easy VPN Remote can be a Cisco device (router, PIX/ASA firewall) or a PC with the Cisco VPN Client installed.
There are many parts to the EzVPN configuration. I do not intend to make this post unnecessarily long and boring, so I will try to keep things simple.

Base configuration:

Server
hostname VPNSERVER
!
interface Serial0/0
 ip address 172.16.1.2 255.255.255.0
 ip ospf 1 area 0
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.3.1 255.255.255.0
!

Client
hostname VPNCLIENT
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
!
interface Serial0/0
 ip address 172.16.2.2 255.255.255.0
 ip ospf 1 area 0

Easy VPN Server Configuration
-Create a local pool
ip local pool EZVPNPOOL 192.168.1.15 192.168.1.50
-Configure AAA
aaa new-model
!
aaa authorization network VPNGRP local
-Create an access list for split tunneling (without split tunneling, all traffic is sent through the tunnel to the server and the remote loses access to the Internet; for PCs running the VPN Client, access to the local LAN is lost as well)
ip access-list extended SPL
 permit ip 192.168.0.0 0.0.255.255 any
-Create the client configuration group on the server. The group name and key must match on the client side
!
crypto isakmp client configuration group EZVPNGRP
 key s3cr3t
 dns 192.168.1.5
 wins 192.168.1.6
 pool EZVPNPOOL
 acl SPL
!
-Create the ISAKMP policy
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
Note: Only Diffie-Hellman group 2 is supported in the EzVPN configuration.
-Create the transform set and the dynamic crypto map
!the transform set referenced by the dynamic map was not shown in the original post;
!esp-3des esp-md5-hmac is assumed here to match the ISAKMP policy above
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
!
crypto dynamic-map EZVPNDYN 10
 set transform-set TRANSFORM
 reverse-route
!reverse-route injection (RRI) lets the server learn the client networks automatically
-Create the 'real' crypto map and attach the dynamic crypto map
!
crypto map EZVPNMAP isakmp authorization list VPNGRP
crypto map EZVPNMAP client configuration address respond
crypto map EZVPNMAP 65535 ipsec-isakmp dynamic EZVPNDYN
!
-Configure Xauth to authenticate the clients
!
aaa authentication login EZVPN local
username amplebrain password 0 cisco
!the login list has to be attached to the crypto map for Xauth to take place (this line was missing from the original post)
crypto map EZVPNMAP client authentication list EZVPN
!
crypto isakmp client configuration group EZVPNGRP
 save-password
!save-password lets the remote store its Xauth credentials (the username and password in its ezvpn profile)
!instead of being prompted for them each time the tunnel is established
-Apply the crypto map to the outside interface
interface Serial0/0
 crypto map EZVPNMAP
THE EASY VPN REMOTE: The Easy VPN Remote can operate in three modes:
1. Client: an address from the local pool configured on the server is assigned to the router on an available loopback interface, and the inside network is translated to that address using PAT.
2. Network-Extension: the inside network is considered an extension of the VPN server's network. No address is allocated from the pool.
3. Network-Extension-Plus: the inside network is still considered an extension of the VPN server's network, but an address is also allocated from the pool to a loopback interface of the router for testing connectivity. Only the inside network and that loopback interface can reach the VPN network.

The configuration:

crypto ipsec client ezvpn EZVPN
 connect auto
 group EZVPNGRP key s3cr3t
 mode network-plus
 peer 172.16.1.2
 username amplebrain password cisco
 xauth userid mode local
!
interface FastEthernet0/0
 crypto ipsec client ezvpn EZVPN inside
!
interface Serial0/0
 crypto ipsec client ezvpn EZVPN

The xauth userid mode local command tells the router to use the locally configured username and password for extended authentication.

TEST

VPNCLIENT#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.10.10.1      YES manual up                    up
Serial0/0                  172.16.2.2      YES NVRAM  up                    up
NVI0                       unassigned      NO  unset  up                    up
Loopback0                  192.168.1.20    YES manual up                    up

Notice that Loopback0 has been created with IP address 192.168.1.20 from the local pool.

On the Server,
VPNSERVER(config)#do sh ip rou
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Serial0/0
O       172.16.2.0 [110/128] via 172.16.1.1, 01:39:56, Serial0/0
     10.0.0.0/24 is subnetted, 1 subnets
S       10.10.10.0 [1/0] via 172.16.2.2
     192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.1.0/24 is directly connected, Loopback0
S       192.168.1.20/32 [1/0] via 172.16.2.2
C    192.168.3.0/24 is directly connected, Loopback2

The two static routes (to the remote's inside network and to its pool-assigned loopback) are the result of RRI. If you run a routing protocol on the inside of the VPN server, you have to redistribute static routes into it so the rest of the network learns them.
Back on the Remote Router,
VPNCLIENT#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

The packets are lost in the cloud: this ping is sourced from the Serial0/0 address (172.16.2.2), which is neither the inside network nor the loopback, so the remote does not send it through the tunnel.

VPNCLIENT#ping 192.168.1.1 so lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 264/342/480 ms
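As an added example (not part of the original post), the Python below models the rule the remote applies in network-extension-plus mode: it parses the split-tunnel ACL the server pushes (IOS address/wildcard form, including the two wildcard values that Python's ipaddress cannot tell apart from a netmask) and accepts a packet for the tunnel only when its source is the inside LAN or the pool-assigned loopback and its destination matches the list. The ACL, pool and inside network are the post's own values; the packets checked in the comments are constructed.

```python
import ipaddress

# Values from the post's configuration (split-tunnel ACL SPL, pool EZVPNPOOL,
# inside LAN on FastEthernet0/0); the packets checked below are constructed.
SPLIT_ACL = ["permit ip 192.168.0.0 0.0.255.255 any"]
INSIDE_NET = ipaddress.ip_network("10.10.10.0/24")
POOL_FIRST, POOL_LAST = "192.168.1.15", "192.168.1.50"

def wildcard_to_network(addr, wildcard):
    """IOS 'address wildcard' -> ip_network. ipaddress accepts a wildcard as a
    hostmask, except the two values it cannot tell apart from a netmask."""
    if wildcard == "0.0.0.0":             # would be read as netmask /0
        return ipaddress.ip_network(addr + "/32")
    if wildcard == "255.255.255.255":     # would be read as netmask /32
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network((addr, wildcard), strict=False)

def parse_split_acl(lines):
    """Destination networks the remote will send through the tunnel, from
    'permit ip <addr> <wildcard> any' lines (the form used in the post)."""
    nets = []
    for line in lines:
        p = line.split()
        if len(p) < 3 or p[:2] != ["permit", "ip"]:
            continue                      # deny lines / other protocols ignored
        if p[2] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif p[2] == "host":
            nets.append(ipaddress.ip_network(p[3] + "/32"))
        else:
            nets.append(wildcard_to_network(p[2], p[3]))
    return nets

def in_pool(addr):
    """True if addr lies inside the server's EZVPNPOOL range."""
    lo, hi = (int(ipaddress.ip_address(a)) for a in (POOL_FIRST, POOL_LAST))
    return lo <= int(ipaddress.ip_address(addr)) <= hi

def tunneled(src, dst, acl_lines=SPLIT_ACL):
    """Network-extension-plus rule: a packet is protected only when it comes
    from the inside LAN or the pool-assigned loopback AND its destination
    matches the pushed split-tunnel list; anything else goes out in the clear."""
    src_ok = ipaddress.ip_address(src) in INSIDE_NET or in_pool(src)
    dst_ok = any(ipaddress.ip_address(dst) in n for n in parse_split_acl(acl_lines))
    return src_ok and dst_ok

# tunneled("172.16.2.2", "192.168.1.1") is False: the unsourced ping above
# tunneled("192.168.1.20", "192.168.1.1") is True: the ping sourced from lo0
```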


On the Inside Host,

To test Split Tunnelling,
Now, it's all up and running.
I will post more VPN stuff later.
Amplebrain


3 comments:

  1. Always read about Easy VPN and I know it's not one of my strong points... this is really insightful, especially the part on split tunneling.

  2. Nice job, but I would like to see the configuration with the Cisco VPN Client Windows software too.

  3. Good to know about this pd proxy vpn service. I am searching for good tech reviews on expressvpn as I am planning to get registered with them. Heard that they are providing great services and want to confirm before signing up with them.