This document demonstrates dual tunnel configuration with Cisco® Easy VPN. The user configures the first Easy VPN tunnel with the Cisco Router and Security Device Manager (SDM). When the first Easy VPN tunnel is established, the Auto Configuration Update feature causes the router to download instructions for the second tunnel into the running memory. The second tunnel has an Enhanced Easy VPN configuration with Virtual Tunnel Interface (VTI). Figure 1 shows a sample configuration.
Figure 1. Network Diagram
DUAL TUNNEL SUPPORT
Cisco Easy VPN now supports the ability to configure two Easy VPN tunnels that share the same inside and outside interfaces. The feature, called Easy VPN Dual Tunnel, was introduced in Cisco IOS® Software Release 12.4(4)T. Configuring multiple tunnels on a single remote device can be accomplished in several ways. This configuration guide discusses the configuration of a second Easy VPN tunnel using Auto Configuration Update. The second tunnel uses an Enhanced Easy VPN tunnel with VTI. Please refer to the Cisco Easy VPN Remote feature documentation for further discussion of this feature.
There are two possible combinations in which the dual tunnels can be used.
• Dual Easy VPN tunnels that have one tunnel using a non-split tunnel policy and the other tunnel using a split tunnel policy that has been pushed from the respective headend.
• Dual Easy VPN tunnels in which both tunnels are using an independent split tunnel policy that has been pushed from the respective headend.
The Easy VPN dual tunnel makes use of route injection to direct the appropriate traffic through the correct Easy VPN VTI. When the Easy VPN tunnel on the remote device "comes up," it "learns" the split or non-split policy from the headend. The Easy VPN Remote device injects routes into its routing table that correspond to the non-split networks that have been learned. If the headend pushes a non-split tunnel policy to the Easy VPN Remote device, the device installs a default route in its routing table that directs all traffic out of the Easy VPN virtual interface that corresponds to this Easy VPN tunnel. If the headend pushes split-tunnel networks to the remote device, the remote device installs specific routes to the split networks in its routing table, directing the traffic to these networks out of the VTI.
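The following model, an added example and not Cisco code or router output, shows how the two route-injection policies described above combine on one remote router: a non-split tunnel injects a default route towards its virtual-access interface, a split tunnel injects one route per pushed network, and a longest-prefix-match lookup then decides which tunnel (or the plain Internet path) a packet takes. It also enforces the constraint stated later in this guide that only one of the two tunnels can have split tunneling disabled. Interface names, prefixes, tunnel names and destination addresses are constructed for illustration; the tie-break that lets an injected tunnel default route win over the WAN default route is a simplification of the router's behaviour.

```python
"""Model of Easy VPN dual-tunnel route injection (constructed example)."""
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed local state before any tunnel is up: the WAN default route that
# sends untunnelled traffic straight to the ISP (interface name is assumed).
WAN_DEFAULT = (ip_network("0.0.0.0/0"), "FastEthernet0/0 (Internet)")


class DualTunnelRoutingTable:
    """Routing table of an Easy VPN Remote with up to two Easy VPN VTIs."""

    def __init__(self) -> None:
        # Entries are (prefix, egress interface, owning tunnel or None for local routes).
        self.routes: List[Tuple[IPv4Network, str, Optional[str]]] = [
            (WAN_DEFAULT[0], WAN_DEFAULT[1], None)
        ]

    def tunnel_up(self, name: str, vti: str, split_networks: Optional[List[str]]) -> None:
        """Inject routes for a tunnel that just came up.

        split_networks=None models a non-split policy (the headend pushed no ACL):
        a default route is injected towards this tunnel's VTI.
        A list of prefixes models a pushed split-tunnel ACL: one route per network.
        """
        if split_networks is None:
            # Only one tunnel may carry the non-split (default-route) policy.
            for prefix, _, owner in self.routes:
                if owner is not None and prefix.prefixlen == 0:
                    raise ValueError(
                        f"{owner} already injected a default route; only one "
                        "Easy VPN tunnel can have split tunneling disabled")
            self.routes.append((ip_network("0.0.0.0/0"), vti, name))
            return
        for net in split_networks:
            self.routes.append((ip_network(net), vti, name))

    def lookup(self, dst: str) -> str:
        """Longest-prefix match; an injected tunnel default beats the WAN default."""
        addr = ip_address(dst)
        candidates = [(p, iface, owner) for p, iface, owner in self.routes if addr in p]
        # Longer prefixes first; between the two /0 routes prefer the tunnel one.
        candidates.sort(key=lambda r: (r[0].prefixlen, r[2] is not None), reverse=True)
        return candidates[0][1]


def combination_one() -> Dict[str, str]:
    """First combination: tunnel 1 non-split, tunnel 2 split (constructed prefixes)."""
    rt = DualTunnelRoutingTable()
    rt.tunnel_up("easyvpn1", "Virtual-Access1", None)
    rt.tunnel_up("ez2", "Virtual-Access2", ["10.20.0.0/16", "172.16.5.0/24"])
    return {dst: rt.lookup(dst) for dst in ("10.20.3.7", "172.16.5.9", "198.51.100.25")}


def combination_two() -> Dict[str, str]:
    """Second combination: both tunnels split; unmatched traffic stays on the WAN route."""
    rt = DualTunnelRoutingTable()
    rt.tunnel_up("easyvpn1", "Virtual-Access1", ["10.10.0.0/16"])
    rt.tunnel_up("ez2", "Virtual-Access2", ["10.20.0.0/16"])
    return {dst: rt.lookup(dst) for dst in ("10.10.1.1", "10.20.1.1", "198.51.100.25")}


def two_non_split_rejected() -> bool:
    """Two headends both pushing a non-split policy would need two default routes."""
    rt = DualTunnelRoutingTable()
    rt.tunnel_up("easyvpn1", "Virtual-Access1", None)
    try:
        rt.tunnel_up("ez2", "Virtual-Access2", None)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, result in (("non-split + split", combination_one()),
                         ("split + split", combination_two())):
        print(name)
        for dst, iface in result.items():
            print(f"  {dst:>16} -> {iface}")
    print("two non-split tunnels rejected:", two_non_split_rejected())
```

In the first combination every destination not covered by a split route, including Internet traffic, is carried by the non-split tunnel; in the second, only the pushed networks are tunnelled and the rest leaves the WAN interface directly, which is the split-tunneling behaviour this guide enables.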
AUTO CONFIGURATION UPDATE
Auto Configuration Update is a new feature, introduced in Cisco IOS Software Release 12.4(4)T, that allows any configuration change to be pushed to any number of Cisco IOS Software-based Easy VPN hardware clients (Cisco routers running as Easy VPN Remote, for example). Auto Configuration Update also provides zero-touch provisioning of any feature (voice, routing, etc.). It can be used to enable any feature on the fly, such as access control lists (ACLs), firewalls, IPSs, and quality of service (QoS). Auto Configuration Update has two components: one deals with configuration and the other deals with monitoring and reporting.
Configuration Manageability Component
The configuration component addresses the changes or additional configuration that need to be pushed to Cisco IOS Easy VPN Remote devices. Two new attributes, "configuration url" and "configuration version", were introduced in the IPSec policy push, also called MODCFG.
During IPSec phase 2, the "configuration url" attribute is pushed to the Easy VPN client, which applies it right away. Use the following command on the Easy VPN Server to specify the URL from which the remote device must retrieve the configuration file:
configuration url https://IPaddress/router.cfg
The configuration URL can use any of the following protocols: SCP, TFTP, FTP, HTTP, or HTTPS.
The "configuration version" attribute carries the version of the configuration file. The remote router must download and apply the new configuration file if its current configuration has a lower configuration version number.
Configuration changes are required on the remote router. Both the server and the remote router must meet the minimum software version requirements.
Monitoring and Reporting Component
As soon as the configuration changes are applied at the Cisco Easy VPN Remote, an update notification is generated. This update notification contains detailed information about the Easy VPN Remote, including:
• Memory size/available memory
• Flash size/available flash
• Public IP addresses
• Assigned IP address
• Cisco IOS image
• Serial number
• Configuration version
This information is available through the CLI at the Easy VPN Server. It can also be written to Cisco Secure Access Control Server (ACS) or to any standard RADIUS server: the Easy VPN Server writes records to the RADIUS server using Cisco AV-Pairs via RADIUS accounting, which requires activating RADIUS accounting at the Easy VPN Server.
Using Easy VPN with VTI, traffic is forwarded to or from the IPSec tunnel interface by virtue of the IP routing table lookup. Routes are dynamically learned during the IKE Mode Configuration exchange and inserted into the routing table pointing to the virtual access interface.
This configuration allows for split tunneling. With split tunneling, remote users can send traffic destined for the Internet directly, without sending it over the IPSec tunnel.
The remote router uses a static IP address for the WAN interface. Dynamic IP addresses can be used for typical DSL and cable connectivity configurations. Also, the remote router is in User Mode. In this mode, the remote subnet can be a private IP network that is invisible to the hub network. All traffic sent from the remote subnet is translated by Network Address Translation (NAT) to an IP address downloaded from the Easy VPN Server. An alternative would be to use Network Extension Mode in this configuration to support devices such as VoIP phones located at the remote site.
This configuration shows two types of Easy VPN tunnels: a traditional Easy VPN tunnel using the primary path, and an Enhanced Easy VPN tunnel with DVTI using the backup path. The two different types of tunnels were used for demonstration purposes only; both tunnels can be of the same type. With a traditional Easy VPN tunnel, one or more IPSec security associations are created for each IPSec tunnel (depending on the server configuration), with each IPSec security association allowing a specific source and destination IP address on the IPSec tunnel. With Enhanced Easy VPN, only one IPSec security association is created for each IPSec tunnel, allowing any source to any destination IP address.
For more information about the IPSec DVTI feature, see the document IPSec Virtual Tunnel Interface; a hyperlink is provided in the Related Information section of this document.
The sample configuration is based on the following assumptions:
• The remote router is configured with IP addresses and the router can reach the Internet.
• IP NAT is configured on the remote router on the interfaces only. Easy VPN dynamically creates the global NAT configuration to provide connectivity to end users when Easy VPN is connected.
• A static IP address on the remote router is not required and DHCP can be used instead.
• Split tunneling for end-user traffic is enabled, allowing Internet traffic to go directly to the Internet.
This guide provides a sample of Cisco Easy VPN configuration. It does not cover the following configurations:
• Full security audit on the router. It is recommended that users run a Cisco Router and Security Device Manager (SDM) security audit in Wizard Mode to secure the router.
• This configuration guide enables split tunneling. Split tunneling is enabled on the hub by the ACL command under the crypto isakmp client configuration mode. To disable the split tunneling on the remote, remove the ACL command from the Easy VPN Server. Only one Easy VPN Server can have split tunneling disabled with Easy VPN dual tunnel support.
• The Easy VPN Remote router is configured with Port Address Translation (PAT) to provide Internet connectivity. The Easy VPN Remote router configuration requires Cisco IOS Software Release 12.4(4)T to work.
• This configuration uses Network Extension Mode. For details on configuring User Mode, please review documentation for Cisco Easy VPN Remote or Server.
• This configuration guide shows how an end user can use Cisco SDM to bring up a basic IPSec configuration that allows the Auto Configuration Update from the Easy VPN Server to download the branch.cfg file into the running configuration. The Cisco SDM version used in this configuration guide does not manage dual tunnel configurations on the Easy VPN Remote router.
The sample configuration uses the following software and hardware releases:
• Cisco IOS Software Release 12.4(4)T
• Cisco 3725, 3845, and 7206 routers
• Cisco SDM Version 2.2
Figure 1 illustrates the sample network configuration.
The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to understand the potential impact of any command before implementing it.
IMPLEMENTING DUAL EASY VPN TUNNEL WITH AUTO CONFIGURATION UPDATE
Step 1: From the main Cisco SDM window, select, as shown in Figure 2: Configure (1), VPN (2), Easy VPN Remote (3), Create Easy VPN Remote (4), and Launch Easy VPN Remote Wizard (5).
Figure 2. Launch Cisco Easy VPN Remote Wizard
Step 2: Select "Next" on the "Configure a Primary Easy VPN Remote Connection" window.
Step 3: Enter connection name and Easy VPN Server 1 IP address as shown in Figure 3. Then, select "Next".
Figure 3. Server Information Window
Step 4: Enter the device authentication information as shown in Figure 4. Then, click "Next".
Figure 4. Device Authentication
Step 5: Select the local networks connected to the Easy VPN tunnel and to the WAN interface as shown in Figure 5. Then, select "Next".
Figure 5. Interface and Connection Settings Window
Step 6: Review the summary of the configuration window. Next, select "Finish".
Step 7: Following is the list of commands delivered to the router:
crypto ipsec client ezvpn easyvpn1
group branch key 0 *****
crypto ipsec client ezvpn easyvpn1 inside
crypto ipsec client ezvpn easyvpn1 outside
Step 8: Once the configuration generated by the wizard has been delivered to the router, review the Edit Easy VPN Remote tab for the router status. (Note: Cisco SDM may show only one tunnel at first. Selecting "Refresh" may be required to view both tunnels.)
Figure 6. Easy VPN Remote Status with the Configured easyvpn1 Tunnel and the ez2 Tunnel Configuration Downloaded from the Easy VPN Server; Both Tunnels Show Status "Up".
branch.cfg Configuration File
Following is the configuration file downloaded from the Easy VPN Server. The configuration file can contain any Cisco IOS commands to reconfigure the remote router, such as QoS, routing, or even multicast configuration. Note: This configuration is downloaded to the running memory. To store the configuration in the startup configuration, users have to use the "do" keyword to apply certain commands, for example "do write mem".