Configuring the Easy VPN Server


In addition to the normal IKE and IPSec configuration required to build any VPN tunnel, Easy VPN requires further configuration. Because the Easy VPN Server pushes policy to the Easy VPN Remote, you define the policy to be pushed on a group-by-group basis. Also, for the Easy VPN Server to perform group lookup and user authentication, you must configure AAA (authentication, authorization, and accounting) authentication and authorization.

Configuring IKE Phase 1 Policy

The configuration of an IKE Phase 1 policy for use with Easy VPN is the same as for any IKE configuration. However, even though Easy VPN policies are defined per group, the IKE Phase 1 policies you configure are global and apply to all groups. To refresh your memory of IKE Phase 1 policies, here is an example:

 
 Router(config)# crypto isakmp policy 10
 Router(config-isakmp)# authentication pre-share
 Router(config-isakmp)# encryption des
 Router(config-isakmp)# hash md5
 Router(config-isakmp)# group 2

Configuring IKE DPD

IKE dead peer detection (DPD) lets the Easy VPN Server notice that a remote peer has silently gone away, tear down the stale security associations, and accept a fresh connection from that remote. This alleviates some technical support calls caused by inadvertent tunnel termination. The command syntax to configure IKE DPD follows:

 
 Router(config)# crypto isakmp keepalive  secs retries  

You specify the number of seconds between DPD messages by using the secs parameter. If a DPD message goes unanswered, the retries parameter specifies the number of seconds between the retries that follow. An example of the command to configure IKE DPD to send messages every 10 seconds and retry every 5 seconds follows:

 
 Router(config)# crypto isakmp keepalive 10 5 

Defining an IP Address Pool

If you want the Easy VPN Server to give out IP addresses to Easy VPN Remote devices, you need to configure a pool of addresses. IP addresses can be given out on a group-by-group basis or on a global basis. If you configure a different name for different pools and apply the pool names to different groups, each group can get its own IP address space.

The command syntax to configure an IP address pool follows:

 
 Router(config)# ip local pool {default | pool-name [starting-ip-address ending-ip-address]} 

An example of the command to configure a pool named SECURADMIN with a pool range of 192.168.65.100 to 192.168.65.253 follows:

 
 Router(config)# ip local pool SECURADMIN 192.168.65.100 192.168.65.253 

The SECURADMIN string is simply a name that we made up. However, we believe in using the same name for all policies that apply to a specific group. The reasons are to quickly identify all the parameters for a particular group and to facilitate troubleshooting.


Defining a Group That Will Receive a Push Policy

You must define a group that you want to push a specific policy to. The command syntax to define a specific group is

 
 Router(config)# crypto isakmp client configuration group {default | group-name} 

You have not defined the SECURADMIN group yet. Here is an example doing just that:

 
 Router(config)# crypto isakmp client configuration group SECURADMIN 

Easy VPN Group Policies

After you define the group name, the router changes from global configuration mode to ISAKMP group configuration mode. It is in this mode that you specify the parameters for each group you define. Which parameters you define is up to you; none of them is mandatory. However, if the Easy VPN Remote devices authenticate with a preshared key, you must define the group key on the Easy VPN Server or the remotes will not be able to connect.

Configuring Group Preshared Keys

If you configure a preshared key on your Easy VPN Remote devices, you need to configure the same key on the Easy VPN Server for the specific group the remote device is assigned to. The command syntax for this parameter is key name . To assign a key called CISCO_123! to the group you are configuring, issue the following command:

 
 Router(config-isakmp-group)# key CISCO_123! 

Again, make sure the Easy VPN Remote device has this exact same key defined. If not, IKE Phase 1 fails, and therefore so does your IPSec tunnel. Note that the group key is shared by every member of the group, so the compromise of a single remote device exposes the key for the whole group; treat it as a group-level credential and rely on per-user authentication (XAUTH against AAA) for individual accountability.


Use the key command to configure a preshared key for a specific group in ISAKMP group configuration mode.


Assigning IP Address Pools to Groups

Earlier, you created an IP address pool named SECURADMIN with a pool range of 192.168.65.100 to 192.168.65.253. If you want a group to be given an IP address from a pool, you need to issue the command pool name. To assign the pool called SECURADMIN to the group you are configuring, issue the following command:

 
 Router(config-isakmp-group)# pool SECURADMIN 

Configuring Group DNS Domains

Another parameter that you can push to an Easy VPN Remote device is the DNS domain name. The command syntax for this parameter is domain name . To assign a DNS domain name called examcram.com to the group you are configuring, issue the following command:

 
 Router(config-isakmp-group)# domain examcram.com 

Configuring Group DNS

To define the DNS servers that an Easy VPN Remote device will use, issue the command dns primary-server secondary-server. You can specify either an IP address or a hostname for the servers. However, using IP addresses is more robust, because it removes the dependency on resolving the DNS server's own name before the remote has a working resolver. The following is an example for configuring DNS servers:

 
 Router(config-isakmp-group)# dns 192.168.65.2 192.168.65.3 

You can define a maximum of two DNS servers.


Configuring Group WINS

If you are in one of those unfortunate environments using NetBIOS, you probably want to define a Windows Internet Naming Service (WINS) server. Issue the command wins primary-server secondary-server to define two servers. The following is an example for configuring WINS servers:

 
 Router(config-isakmp-group)# wins 192.168.65.2 192.168.65.3 

You can define a maximum of two WINS servers.


Configuring Split Tunneling

When split tunneling is enabled, an Easy VPN Remote device sends traffic destined for the Internet directly to the Internet, and only traffic destined for the protected networks across the tunnel to the Easy VPN Server. However, split tunneling is a security risk: the remote device is simultaneously reachable from the Internet and connected to the protected network, so an attacker who compromises the remote device can use it as a bridge into the network behind the Easy VPN Server. Without split tunneling, all of the remote's traffic is forced through the tunnel, where the headend's security policy applies to it.

To configure split tunneling, use the following syntax:

 
 Router(config-isakmp-group)# acl  number  

If you were using access list 159, the command you enter would look like the following:

 
 Router(config-isakmp-group)# acl 159 

The ACL is pushed to the remote and written from the Easy VPN Server's point of view: the source addresses are the protected networks behind the server. The permit statements define the traffic that is protected and sent across the IPSec tunnel. The deny entries (including the implicit deny at the end of the list) define traffic that the remote sends in cleartext, bypassing the tunnel.

Configuring Group Authorization

Group attributes can be defined on an AAA server (such as a RADIUS server), in the local router database, or in both. In either case, you must tell the router where to look for the group policy attributes. The command syntax to enable the router to look up the group policy is

 
 Router(config)# aaa authorization network list-name method1 [method2 ...] 

To configure the router to look up the group policy parameters for Easy VPN Remote devices using the local router database first and then a RADIUS server, use the following command:

 
 Router(config)# aaa authorization network EASYVPNREMOTE local group radius 

The name EASYVPNREMOTE is a name that we defined, and its only significance is that it tells us that this authorization method list is to be used with Easy VPN Remote devices.

Configuring IKE Phase 2 Policy

In a normal IPSec configuration, you need to define the security policies that apply to your data traffic using the IPSec tunnel. This process is no different with Easy VPN.

Defining Group Transform Sets

Remember that Easy VPN does not support the use of AH. However, it supports all ESP transforms, including NULL. The syntax to define a transform set is

 
 Router(config)# crypto ipsec transform-set  name transform transform  

The following example configures a transform set named SECURADMIN using DES encryption and MD5 HMAC, the values the exam material uses. In a production deployment, prefer esp-3des or esp-aes with esp-sha-hmac; single DES and MD5 are no longer considered adequate, and esp-null provides integrity only with no confidentiality:

 
 Router(config)# crypto ipsec transform-set SECURADMIN esp-des esp-md5-hmac 

Configuring Dynamic Crypto Maps

A dynamic crypto map is like a template, with many parameters not configured. You use the template because you do not know the remote device's configuration parameters. However, when the remote device makes a connection, the missing parameters are dynamically configured on the Easy VPN Server.

The command syntax of a dynamic crypto map is

 
 Router(config)# crypto dynamic-map  dynamic-map-name dynamic-seq-num  

Here is an example that configures a dynamic crypto map using the name SECURADMIN with a sequence number of 254:

 
 Router(config)# crypto dynamic-map SECURADMIN 254 

Adding Group Transform Sets to Dynamic Crypto Maps

Earlier in this chapter, we defined a transform set that specified the security policies to be used. To ensure that a particular Easy VPN Remote group uses these IPSec security policies, you need to apply the transform set to the dynamic crypto map. The syntax to do so is

 
 Router(config-crypto-map)# set transform-set transform-set-name [transform-set-name2 ... transform-set-name6] 

The following example applies the SECURADMIN transform set we defined earlier to the SECURADMIN dynamic crypto map we just defined:

 
 Router(config-crypto-map)# set transform-set SECURADMIN 

You can define up to six transform sets with the set transform-set command.


Configuring RRI in Dynamic Crypto Maps

If you choose to use RRI, you configure this option in the dynamic crypto map. By configuring it under the dynamic crypto map, you can control which groups will have routes injected into the headend device. The command to enable this feature does not use any keywords or parameters. This example enables RRI:

 
 Router(config-crypto-map)# reverse-route 

Configuring Dynamic Crypto Maps for Mode Configuration

The Easy VPN Remote device needs to ask for group parameters from the Easy VPN Server. If the Remote device does not ask, the Server does not provide the group parameters. The next two sections enable the Easy VPN Remote device to ask for its group configuration parameters.

Configuring Easy VPN Server to Assign IP Addresses

An Easy VPN Server can push an IP address to the Easy VPN Remote device without the remote asking for one (initiate keyword), or it can wait for the Easy VPN Remote device to request an address (respond keyword). If you are using the Cisco VPN Software Client version 3.x or later, only the latter option (respond) is available, because that client always requests its configuration. The command syntax to configure IP address assignment is

 
 Router(config)# crypto map map-name client configuration address {initiate | respond} 

Because you can only apply one crypto map to an interface, you want to use a fairly generic name for the actual crypto map. The following example configures a crypto map named EASYVPN on the Easy VPN Server and enables it to respond to a Remote's request for an IP address:

 
 Router(config)# crypto map EASYVPN client configuration address respond 

Assigning a Group Authorization Method

Earlier in this chapter, we configured the router to look up group policies using the local router database and then a RADIUS server. To make the crypto map use that AAA method list when a Remote device requests its group policy attributes, you need to use the following command:

 
 Router(config)# crypto map  map-name  isakmp authorization list  list-name  

The crypto map we used earlier is named EASYVPN and the AAA authorization list configured earlier is named EASYVPNREMOTE. The following example applies the AAA authorization method to the crypto map to allow group querying:

 
 Router(config)# crypto map EASYVPN isakmp authorization list EASYVPNREMOTE 

Configuring Crypto Maps to Use Dynamic Crypto Maps

The last step when configuring dynamic crypto maps is to apply the dynamic map to a regular crypto map. This step tells the crypto map to use the dynamic map template that you specified. The command syntax is

 
 Router(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name 

This example applies the SECURADMIN dynamic crypto map to a regular crypto map. Once again, we use the EASYVPN crypto map because you can apply only one crypto map to an interface. However, you can apply the same crypto map to more than one interface if you choose:

 
 Router(config)# crypto map EASYVPN 15 ipsec-isakmp dynamic SECURADMIN 

We used a sequence number of 15 with the regular crypto map entry. It is with the use of sequence numbers that you can define multiple IPSec policies and apply all the policies to a single router interface. Crypto maps with a different sequence number but with the same name are considered one crypto map.

Applying a Crypto Map to an Interface

IPSec policies are not activated until you apply a crypto map to an interface. The syntax to apply a crypto map to an interface is crypto map map-name. The following is an example that applies the crypto map EASYVPN to a serial interface:

 
 Router(config)# interface serial 1/2
 Router(config-if)# crypto map EASYVPN
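
The chapter walks through the Easy VPN Server configuration one command at a time. The following is a complete configuration that assembles all of those steps in the order IOS stores them. It is an added example, not a configuration from the book: the interface, its address, the contents of access list 159, the local username, and the XAUTH login list EASYVPNUSERS (crypto map ... client authentication list) are assumptions that the chapter's own steps do not cover, while every other value matches the examples above.

```cisco
! Easy VPN Server: complete configuration assembled from the chapter's steps.
! Added example, not from the book. Interface, address, ACL contents,
! username and the EASYVPNUSERS XAUTH list are assumptions.
!
! AAA: enable the new model, a login list for XAUTH user authentication
! (assumed) and the chapter's network authorization list for group lookup.
aaa new-model
aaa authentication login EASYVPNUSERS local
aaa authorization network EASYVPNREMOTE local group radius
username vpnuser password 0 vpnuserpass
!
! IKE Phase 1 policy (global; applies to every Easy VPN group).
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
!
! Dead peer detection: probe every 10 seconds, retry every 5 seconds.
crypto isakmp keepalive 10 5
!
! Push policy for group SECURADMIN: group key, address pool, DNS domain,
! DNS and WINS servers, and the split-tunnel list.
crypto isakmp client configuration group SECURADMIN
 key CISCO_123!
 pool SECURADMIN
 domain examcram.com
 dns 192.168.65.2 192.168.65.3
 wins 192.168.65.2 192.168.65.3
 acl 159
!
! Address pool handed out to SECURADMIN remotes.
ip local pool SECURADMIN 192.168.65.100 192.168.65.253
!
! Split-tunnel list (contents assumed). Source = protected network behind
! the server: only traffic to 192.168.65.0/24 is encrypted; anything the
! list denies (including the implicit deny) leaves the remote in cleartext.
access-list 159 permit ip 192.168.65.0 0.0.0.255 any
!
! IKE Phase 2: ESP-only transform set (Easy VPN does not support AH).
crypto ipsec transform-set SECURADMIN esp-des esp-md5-hmac
!
! Dynamic map template: peer address and proxy identities are filled in
! when the remote connects. RRI injects a route to each remote's address.
crypto dynamic-map SECURADMIN 254
 set transform-set SECURADMIN
 reverse-route
!
! Static crypto map EASYVPN: answer mode-config requests, look up group
! attributes through EASYVPNREMOTE, authenticate users through EASYVPNUSERS
! (assumed), and bind the dynamic template at sequence 15.
crypto map EASYVPN client configuration address respond
crypto map EASYVPN isakmp authorization list EASYVPNREMOTE
crypto map EASYVPN client authentication list EASYVPNUSERS
crypto map EASYVPN 15 ipsec-isakmp dynamic SECURADMIN
!
! Activate the policy on the Internet-facing interface (assumed).
interface Serial1/2
 ip address 203.0.113.1 255.255.255.252
 crypto map EASYVPN
```

Two cautions before pasting this into a router. Entering aaa new-model changes how console and vty logins are authenticated, so define your login method lists (or keep a second session open) before saving the configuration. The DES, MD5, DH group 2 and esp-des values are kept only to match the chapter; for anything other than exam practice, substitute 3DES or AES, SHA HMAC and a stronger Diffie-Hellman group in both the ISAKMP policy and the transform set. After a remote connects, show crypto isakmp sa and show crypto ipsec sa show the Phase 1 and Phase 2 security associations, and show ip route shows the static route that reverse-route injected for the remote's pool address.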


CCSP SECUR Exam Cram 2 (642-501)
Author: Raman Sud
Year: 2003
ISBN: B000MU86IQ
Pages: 291
