This document describes how to configure a Cisco IOS®
Router as an Easy VPN (EzVPN) Server using Cisco
Configuration Professional (Cisco CP) and the CLI. The Easy VPN Server
feature allows a remote end user to communicate using IP Security (IPsec) with
any Cisco IOS Virtual Private Network (VPN) gateway. Centrally managed IPsec
policies are "pushed" to the client device by the server, minimizing
configuration by the end user.
For more information on Easy VPN Server, refer to the
VPN Server section of
Connectivity Configuration Guide Library, Cisco IOS Release
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Perform these steps in order to install Cisco CP:
Download Cisco CP V2.1 (registered customers only) and install it on your local PC.
The latest version of Cisco CP can be found at the
Launch Cisco CP from your local PC through Start
> Programs > Cisco Configuration Professional
(CCP) and choose the Community which has the router
you want to configure.
In order to discover the device you want to configure, highlight the
router and click Discover.
Note: For information on the Cisco router models and IOS releases that are
compatible with Cisco CP v2.1, refer to the
Cisco IOS releases section.
Note: For information on the PC requirements to run Cisco CP v2.1, refer
Perform these configuration steps in order to run Cisco CP on a Cisco
Connect to your router using Telnet, SSH, or through the
Enter global configuration mode using this command:
If HTTP and HTTPS are enabled and configured to use nonstandard port
numbers, you can skip this step and simply use the port number already
Enable the router HTTP or HTTPS server using these Cisco IOS Software
Router(config)# ip http server
Router(config)# ip http secure-server
Router(config)# ip http authentication local
Create a user with privilege level 15:
Router(config)# username <username> privilege 15 password 0 <password>
Replace <username> and <password> with the username and password that you want to configure.
Configure SSH and Telnet for local login and privilege level
Router(config)# line vty 0 4
Router(config-line)# privilege level 15
Router(config-line)# login local
Router(config-line)# transport input telnet
Router(config-line)# transport input telnet ssh
Note: The second transport input command replaces the first. To allow only SSH (and no cleartext Telnet) on the vty lines, use transport input ssh instead.
(Optional) Enable local logging to support the log monitoring
Router(config)# logging buffered 51200 warning
This document assumes that the Cisco router is fully operational and
configured to allow Cisco CP to make configuration changes.
For complete information on how to start using Cisco CP, refer to
Started with Cisco Configuration Professional.
Refer to the
Technical Tips Conventions for more information on document
In this section, you are presented with the information to configure
the basic settings for a router in a network.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
This document uses this network setup:
Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are addresses that have been used in a lab environment.
Perform these steps in order to configure the Cisco IOS router as an
Easy VPN Server:
Choose Configure > Security
> VPN > Easy VPN Server >
Create Easy VPN Server and click Launch Easy VPN
Server Wizard in order to configure the Cisco IOS router as an Easy
Click Next in order to proceed with the
Easy VPN Server configuration.
In the resulting window, a Virtual Interface will
be configured as a part of the Easy VPN Server configuration. Provide the
IP Address of the Virtual Tunnel Interface and also choose the
Authentication method used for authenticating the VPN clients.
Here, Pre-shared Keys is the authentication method used. Click
Specify the Encryption algorithm, authentication algorithm
and key exchange method to be used by this router when negotiating
with the remote device. A default IKE policy is present on the router which can
be used if required. If you want to add a new IKE policy, click
Provide Encryption Algorithm,
Authentication Algorithm, and the Key Exchange
method as shown here, then click OK:
The Default IKE policy is used in this example. As
a result, choose the default IKE policy and click Next.
In the new window, the Transform Set details
should be provided. The Transform Set specifies the Encryption
and Authentication algorithms used to protect data in the
VPN tunnel. Click Add to provide these details. You
can add any number of Transform Sets as needed when you click
Add and provide the details.
The CP Default Transform Set is present by default
on the router when configured using Cisco CP.
Provide the Transform Set details
(Encryption and Authentication Algorithm) and click
The Default Transform Set named CP
Default Transform Set is used in this example. As a result, choose the
default Transform Set and click Next.
In the new window, choose the server on which the group policies
will be configured: Local, RADIUS, or both Local and RADIUS. In this
example, we use the Local server to configure group policies.
Choose Local and click
In this new window, choose the server to be used for User Authentication:
Local Only, RADIUS, or both Local Only and RADIUS. In this
example, we use the Local server to configure user credentials for
authentication. Make sure the check box next to Enable User
Authentication is checked. Choose Local Only and
Click Add to create a new group policy and to add
the remote users in this group.
In the Add Group Policy window, provide the group
name in the space provided for Name of This Group
(cisco in this example) along with the Pre-shared
key and the IP Pool (the Starting IP
address and Ending IP address) information as shown,
and click OK.
Note: You can create a new IP pool or use an existing IP pool if
Now choose the new Group Policy created with the
name cisco and then click the check box next to
Configure Idle Timer as required in order to configure the
Idle Timer. Click Next.
Enable Cisco Tunneling Control Protocol (cTCP) if
required. Otherwise, click Next.
Review the Summary of the Configuration. Click
In the Deliver Configuration to Router window,
click Deliver to deliver the configuration to the router. You
can click Save to file to save the configuration as a file
on the PC.
The Command Delivery Status window shows the
delivery status of the commands to the router. It appears as
Configuration delivered to router. Click
You can see the newly created Easy VPN Server. You can edit the
existing server by choosing Edit Easy VPN Server. This
completes the Easy VPN Server configuration on the Cisco IOS
Current configuration : 2069 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no logging buffered
enable password cisco
!--- AAA enabled using the aaa new-model command. AAA
!--- authentication and authorization are also enabled.
aaa new-model
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
ip domain name cisco.com
multilink bundle-name authenticated
!--- Configuration for IKE policies.
!--- Enables the IKE policy configuration (config-isakmp)
!--- command mode, where you can specify the parameters that
!--- are used during an IKE negotiation. Encryption and policy
!--- details are hidden as the default values are chosen.
crypto isakmp policy 1
crypto isakmp keepalive 10
crypto isakmp client configuration group cisco
crypto isakmp profile ciscocp-ike-profile-1
match identity group cisco
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
!--- Configuration for IPsec policies.
!--- Enables the crypto transform configuration mode,
!--- where you can specify the transform sets that are used
!--- during an IPsec negotiation.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!--- RSA certificate generated after you enable the
!--- ip http secure-server command.
crypto pki trustpoint TP-self-signed-1742995674
!--- Create a user account named cisco123 with all privileges.
username cisco123 privilege 15 password 0 cisco123
!--- Interface configurations are done as shown below.
ip address 10.10.10.10 255.255.255.0
ip address 10.77.241.111 255.255.255.192
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!--- The VPN pool named SDM_POOL_1 is defined in the command below.
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.254
!--- This is where the commands to enable HTTP and HTTPS are configured.
ip http server
ip http authentication local
ip http secure-server
line con 0
line aux 0
!--- Telnet enabled with the password cisco.
line vty 0 4
transport input all
scheduler allocate 20000 1000
Use this section to confirm that your configuration works
The Output Interpreter Tool (OIT) (registered customers only) supports certain
show commands. Use the OIT to view an analysis of
show command output.
Note: Refer to Information on Debug Commands before you issue debug commands.
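A defender-side check of the settings the wizard and the CLI steps above produce, written here as an added example (it is not code from this page or from Cisco): it parses an IOS running configuration into command blocks, flags the cleartext credentials, Telnet on the vty lines and the 3DES transform set that appear in the configuration above, and verifies that the ISAKMP profile's XAUTH and group-authorization lists name AAA method lists that actually exist. The embedded configuration is a constructed excerpt of the one shown on this page; the finding codes are this example's own.

```python
import re
# Constructed excerpt modelled on the page's running configuration (sub-command indentation added).
SAMPLE_CONFIG = """\
no service password-encryption
enable password cisco
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_1 local
crypto isakmp profile ciscocp-ike-profile-1
 match identity group cisco
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
username cisco123 privilege 15 password 0 cisco123
line vty 0 4
 transport input all
"""
# Top-level commands that indicate weak settings: (finding code, regex matched at line start).
WEAK_COMMANDS = [
    ("cleartext-passwords-in-config", r"no service password-encryption$"),
    ("enable-password-not-secret", r"enable password "),
    ("priv15-user-type0-password", r"username \S+ privilege 15 password 0 "),
    ("legacy-3des-transform", r"crypto ipsec transform-set \S+ .*esp-3des"),
]
def parse_blocks(config):
    """Group IOS config into (command, [sub-commands]); indented lines follow their command."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and !--- comments
        if raw[0] == " " and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks
def audit_easyvpn_config(config):
    """Return sorted finding codes for weak or inconsistent Easy VPN Server settings."""
    blocks = parse_blocks(config)
    findings = {code for cmd, _ in blocks for code, rx in WEAK_COMMANDS if re.match(rx, cmd)}
    # (kind, name) of every AAA method list, e.g. ("authentication", "ciscocp_vpn_xauth_ml_1").
    defined = {(c.split()[1], c.split()[3]) for c, _ in blocks if c.startswith("aaa auth")}
    for cmd, subs in blocks:
        if cmd.startswith("line vty"):
            if any({"all", "telnet"} & set(s.split()) for s in subs if s.startswith("transport input")):
                findings.add("vty-allows-telnet")
        elif cmd.startswith("crypto isakmp profile "):
            for s in subs:  # XAUTH and group-authorization lists must name defined AAA lists
                m = re.match(r"(client authentication|isakmp authorization) list (\S+)", s)
                if m and (m.group(1).split()[1], m.group(2)) not in defined:
                    findings.add("undefined-" + m.group(1).split()[1] + "-list")
    return sorted(findings)
```

Run it against the output of show running-config saved to a file; an empty list means none of these checks fired.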