Easy VPN Server

Although users can belong to only one group per connection, they may belong to specific groups with different policy requirements. Thus, users may decide to connect to the client using a different group ID by changing their client profile on the VPN device. To define the policy attributes that are pushed to the client via Mode Configuration, perform the following steps.

If you want to restrict the maximum number of connections to the device per VPN group and the maximum number of simultaneous logins per user, perform this task.

Mode Configuration and Xauth must be applied to a crypto map to be enforced. To apply Mode Configuration and Xauth to a crypto map, perform the following steps.

To enable RRI on the crypto map (static or dynamic) for VPN client support, perform the following steps.

To enable a Cisco IOS VPN gateway (instead of the client) to send IKE DPD messages, perform the following steps.

To configure access to the RADIUS server and allow the Cisco IOS VPN device to send requests to the server, perform the following steps.

To verify your configurations for this feature, perform the following steps.

To configure an Easy VPN server to push a banner to an Easy VPN remote device, perform the following steps.

To configure an Easy VPN server to provide an automated mechanism to make software and firmware upgrades automatically available to an Easy VPN remote device, perform the following steps.

To configure an EasyVPN server so that the Easy VPN remote device can access resources on the corporate network when using Cisco IOS VPN Client software, perform the following steps. With this configuration, the user does not have to manually modify the proxy settings of the web browser when connecting and does not have to manually revert the proxy settings when disconnecting.

To configure an Easy VPN server to push a configuration URL through a Mode-Configuration exchange, perform the following steps.

To configure a AAA server to push user attributes to a remote device, perform the following steps.

To define a CPP firewall policy push on a server to allow or deny a tunnel on the basis of whether a remote device has a required firewall for a local AAA server, perform the following steps.

After the CPP firewall policy push is defined, it must be applied to the configuration group.

To add the Vendor-Specific Attributes (VSA) CPP policy under the group definition that is defined in RADIUS, perform the following step.

To configure the Password Aging feature so that the Easy VPN client is notified if the password has expired, perform the following steps.

Note	The following restrictions apply to the Password Aging feature: It works only with VPN software clients. It does not work with VPN client hardware. It works only with RADIUS servers.

To verify a split DNS configuration, perform the following steps (the show commands can be used one at a time or together).

The Easy VPN server selects the method for address assignment in the following order of precedence:

1. Selects the Framed IP address
2. Uses the IP address from the authentication server (group/user)
3. Uses the global IKE address pools
4. Uses DHCP

Note	To enable the Easy VPN server to obtain an IP address from a DHCP server, remove other address assignments.

To verify your DHCP client proxy configuration, perform the following steps (use the show commands one at a time or together).

To monitor and maintain your DHCP client proxy configuration, perform the following steps (use the debug commands one at a time or together).

To verify your Cisco Tunneling Control Protocol configuration, perform the following steps.

To monitor and maintain your Cisco Tunneling Control Protocol configuration, perform the following steps.

To troubleshoot a Cisco Tunneling Control Protocol configuration, perform the following steps.

The following example shows how to define group policy information locally for mode configuration. In this example, a group name is named "cisco" and another group name is named "default." The policy is enforced for all users who do not offer a group name that matches "cisco."

! Enable policy look-up via AAA. For authentication and authorization, send requests to
! RADIUS first, then try local policy.
aaa new-model
aaa authentication login userlist group radius local
aaa authorization network grouplist group radius local
enable password XXXX
!
username cisco password 0 cisco
clock timezone PST -8
ip subnet-zero
! Configure IKE policies, which are assessed in order so that the first policy that
matches the proposal of the client will be used.
crypto isakmp policy 1
 group 2
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
!
! Define "cisco" group policy information for mode config push.
crypto isakmp client configuration group cisco
 key cisco
 dns 10.2.2.2 10.2.2.3
 wins 10.6.6.6
 domain cisco.com
 pool pool1
 acl 199
! Define default group policy for mode config push.
crypto isakmp client configuration group default
 key cisco
 dns 10.2.2.2 10.3.2.3
 pool pool1
 acl 199
!
!
crypto ipsec transform-set dessha esp-des esp-sha-hmac 
!
crypto dynamic-map mode 1
 set transform-set dessha 
!
! Apply mode config and xauth to crypto map "mode." The list names that are defined here
! must match the list names that are defined in the AAA section of the config.
crypto map mode client authentication list userlist
crypto map mode isakmp authorization list grouplist
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic mode 
!
!
controller ISA 1/1
!
!         
interface FastEthernet0/0
 ip address 10.6.1.8 255.255.0.0
 ip route-cache
 ip mroute-cache
 duplex auto
 speed auto
 crypto map mode
!
interface FastEthernet0/1
 ip address 192.168.1.28 255.255.255.0
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
! Specify IP address pools for internal IP address allocation to clients.
ip local pool pool1 192.168.2.1 192.168.2.10
ip classless
ip route 0.0.0.0 0.0.0.0 10.6.0.1
!
! Define access lists for each subnet that should be protected.
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.3.0 0.0.0.255 any
!
! Specify a RADIUS server host and configure access to the server.
radius-server host 192.168.1.1 auth-port 1645 acct-port 1646 key XXXXX
radius-server retransmit 3
!
!
line con 0
 exec-timeout 0 0
 length 25
 transport input none
line aux 0
line vty 5 15
!

The following is an example of a standard RADIUS group profile that includes RADIUS IPsec AV pairs. To get the group authorization attributes, "cisco" must be used as the password.

client_r Password = "cisco"
 Service-Type = Outbound
       
 cisco-avpair = "ipsec:tunnel-type*ESP"
 cisco-avpair = "ipsec:key-exchange=ike"
 cisco-avpair = "ipsec:tunnel-password=lab"
 cisco-avpair = "ipsec:addr-pool=pool1"
 cisco-avpair = "ipsec:default-domain=cisco"
 cisco-avpair = "ipsec:inacl=101"
 cisco-avpair = "ipsec:access-restrict=fastethernet 0/0"
 cisco-avpair = "ipsec:group-lock=1"
 cisco-avpair = "ipsec:dns-servers=10.1.1.1 10.2.2.2"
 cisco-avpair = "ipsec:firewall=1"
 cisco-avpair = "ipsec:include-local-lan=1"
 cisco-avpair = "ipsec:save-password=1"
 cisco-avpair = "ipsec:wins-servers=10.3.3.3 10.4.4.4"
 cisco-avpair = "ipsec:split-dns=example.com"
 cisco-avpair = "ipsec:ipsec-backup-gateway=10.1.1.1"
 cisco-avpair = "ipsec:ipsec-backup-gateway=10.1.1.2"
 cisco-avpair = "ipsec:pfs=1"
 cisco-avpair = "ipsec:cpp-policy="Enterprise Firewall"
 cisco-avpair = "ipsec:auto-update="Win http://www.example.com 4.0.1"
 cisco-avpair = "ipsec:browser-proxy=bproxy_profile_A"
 cisco-avpair = "ipsec:banner=Xauth banner text here"

The following is an example of a RADIUS user profile that is set up for a group that has group-lock configured. The username is entered in the same format as the user@domain format.

abc@example.com Password = "abcll1111"
cisco-avpair = "ipsec:user-include-local-lan=1"
cisco-avpair = "ipsec:user-save-password=1"
Framed-IP-Address = 10.10.10.10

The following is an example of a standard RADIUS user profile that includes RADIUS IPsec AV pairs. These user attributes will be obtained during Xauth.

ualluall Password = "uall1234"
        cisco-avpair = "ipsec:user-vpn-group=unity"
        cisco-avpair = "ipsec:user-include-local-lan=1"
        cisco-avpair = "ipsec:user-save-password=1"
        Framed-IP-Address = 10.10.10.10

The following example shows that five backup gateways have been configured, that the maximum number of users has been set to 250, and that the maximum number of logins has been set to 2:

crypto isakmp client configuration group sdm
 key 6 RMZPPMRQMSdiZNJg`EBbCWTKSTi\d[
 pool POOL1
 acl 150
 backup-gateway 172.16.12.12
 backup-gateway 172.16.12.13
 backup-gateway 172.16.12.14
 backup-gateway 172.16.12.130
 backup-gateway 172.16.12.131
 max-users 250
 max-logins 2

The following output shows that Easy VPN has been configured with an IPsec virtual tunnel interface.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network default local 
!
aaa session-id common
!
resource policy
!         
clock timezone IST 0
ip subnet-zero
ip cef
no ip domain lookup
no ip dhcp use vrf connected
!
username lab password 0 lab
!
crypto isakmp policy 3
 authentication pre-share
 group 2
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group easy
 key cisco
 domain foo.com
 pool dpool
 acl 101
crypto isakmp profile vi
   match identity group easy
   isakmp authorization list default
   client configuration address respond
   client configuration group easy
   virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac 
!
crypto ipsec profile vi
 set transform-set set 
 set isakmp-profile vi
!
!
interface Loopback0
 ip address 10.4.0.1 255.255.255.0
!
interface Ethernet0/0
 ip address 10.3.0.2 255.255.255.0
 no keepalive
 no cdp enable
interface Ethernet1/0
 no ip address
 no keepalive
 no cdp enable
!
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip local pool dpool 10.5.0.1 10.5.0.10
!
ip classless
ip route 10.2.0.0 255.255.255.0 10.3.0.1
no ip http server
no ip http secure-server
!         
!
access-list 101 permit ip 10.4.0.0 0.0.0.255 any
no cdp run
!
!
line con 0
line aux 0
line vty 0 4
!
end

The following show crypto ipsec client ezvpn command output displays the mode configuration URL location and version:

Router# show crypto ipsec client ezvpn

Easy VPN Remote Phase: 5
Tunnel name : branch
Inside interface list: Vlan1
Outside interface: FastEthernet0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.1.209
Mask: 255.255.255.255
Default Domain: cisco.com
Save Password: Allowed
Configuration URL [version]: tftp://172.16.30.2/branch.cfg [11]
Config status: applied, Last successfully applied version: 11
Current EzVPN Peer: 192.168.10.1

The following show crypto isakmp peers config command output displays all manageability information that is sent by the remote device:

Router# show crypto isakmp peers config

Client-Public-Addr=192.168.10.2:500; Client-Assigned-Addr=172.16.1.209; Client-Group=branch; Client-User=branch; Client-Hostname=branch.; Client-Platform=Cisco 1711; Client-Serial=FOC080210E2 (412454448); Client-Config-Version=11; Client-Flash=33292284; Client-Available-Flash=10202680; Client-Memory=95969280; Client-Free-Memory=14992140; Client-Image=flash:c1700-advipservicesk9-mz.ef90241;
Client-Public-Addr=192.168.10.3:500; Client-Assigned-Addr=172.16.1.121; Client-Group=store; Client-User=store; Client-Hostname=831-storerouter.; Client-Platform=Cisco C831; Client-Serial=FOC08472UXR (1908379618); Client-Config-Version=2; Client-Flash=24903676; Client-Available-Flash=5875028; Client-Memory=45298688; Client-Free-Memory=6295596; Client-Image=flash:c831-k9o3y6-mz.ef90241

The following output from the show running-config shows that the Per-User AAA Policy Download with PKI feature has been configured on the Easy VPN server:

Router# show running-config

Building configuration...
Current configuration : 7040 bytes
!
! Last configuration change at 21:06:51 UTC Tue Jun 28 2005
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname GEN
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa group server radius usrgrppki
 server 10.76.248.201 auth-port 1645 acct-port 1646
!
aaa authentication login xauth group usrgrppki
aaa authentication login usrgrp group usrgrppki
aaa authorization network usrgrp group usrgrppki 
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
ip address-pool local
!
!
crypto pki trustpoint ca-server
 enrollment url http://10.7.7.2:80
 revocation-check none
 rsakeypair rsa-pair
 ! Specify the field within the certificate that will be used as a username to do a per-user AAA lookup into the RADIUS database. In this example, the contents of the  commonname will be used to do a AAA lookup. In the absence of this statement, by default  the contents of the "unstructured name" field in the certificate is used for AAA lookup.
 authorization username subjectname commonname
!
!
crypto pki certificate map CERT-MAP 1
 subject-name co yourname
 name co yourname
!
crypto pki certificate chain ca-server
 certificate 02
  308201EE 30820157 A0030201 02020102 300D0609 2A864886 F70D0101 04050030 
  14311230 10060355 04031309 63612D73 65727665 72301E17 0D303530 36323832 
  30303731 345A170D 30363036 32383230 30373134 5A301531 13301106 092A8648 
  86F70D01 09021604 47454E2E 30819F30 0D06092A 864886F7 0D010101 05000381 
  8D003081 89028181 00ABF8F0 FDFFDF8D F22098D6 A48EE0C3 F505DD96 C0022EA4 
  EAB95EE8 1F97F450 990BB0E6 F2B7151F C5C79391 93822FE4 DEE5B00C A03412BB 
  9B715AAD D6C31F93 D8802658 AF9A8866 63811942 913D0C02 C3E328CC 1C046E94 
  F73B7C1A 4497F86E 74A627BC B809A3ED 293C15F2 8DCFA217 5160F9A4 09D52044 
  350F85AF 08B357F5 D7020301 0001A34F 304D300B 0603551D 0F040403 0205A030 
  1F060355 1D230418 30168014 F9BC4498 3DA4D51D 451EFEFD 5B1F5F73 8D7B1C9B 
  301D0603 551D0E04 1604146B F6B2DFD1 1FE237FF 23294129 E55D9C48 CCB04630 
  0D06092A 864886F7 0D010104 05000381 81004AFF 2BE300C1 15D0B191 C20D06E0 
  260305A6 9DF610BB 24211516 5AE73B62 78E01FE4 0785776D 3ADFA3E2 CE064432 
  1C93E82D 93B5F2AB 9661EDD3 499C49A8 F87CA553 9132F239 1D50187D 21CC3148 
  681F5043 2F2685BC F544F4FF 8DF535CB E55B5F36 31FFF025 8969D9F8 418C8AB7 
  C569B022 46C3C63A 22DD6516 C503D6C8 3D81
  quit
 certificate ca 01
  30820201 3082016A A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  14311230 10060355 04031309 63612D73 65727665 72301E17 0D303530 36323832 
  30303535 375A170D 30383036 32373230 30353537 5A301431 12301006 03550403 
  13096361 2D736572 76657230 819F300D 06092A86 4886F70D 01010105 0003818D 
  00308189 02818100 BA1A4413 96339C6B D36BD720 D25C9A44 E0627A29 97E06F2A 
  69B268ED 08C7144E 7058948D BEA512D4 40588B87 322C5D79 689427CA 5C54B3BA 
  82FAEC53 F6AC0B5C 615D032C 910CA203 AC6AB681 290D9EED D31EB185 8D98E1E7 
  FF73613C 32290FD6 A0CBDC40 6E4D6B39 DE1D86BA DE77A55E F15299FF 97D7C185 
  919F81C1 30027E0F 02030100 01A36330 61300F06 03551D13 0101FF04 05300301 
  01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830 168014F9 
  BC44983D A4D51D45 1EFEFD5B 1F5F738D 7B1C9B30 1D060355 1D0E0416 0414F9BC 
  44983DA4 D51D451E FEFD5B1F 5F738D7B 1C9B300D 06092A86 4886F70D 01010405 
  00038181 003EF397 F4D98BDE A4322FAF 4737800F 1671F77E BD6C45AE FB91B28C 
  F04C98F0 135A40C6 635FDC29 63C73373 5D5BBC9A F1BBD235 F66CE1AD 6B4BFC7A 
  AB18C8CC 1AB93AF3 7AC67436 930E9C81 F43F7570 A8FE09AE 3DEA01D1 DA6BD0CB 
  83F9A77F 1DFAFE5E 2F1F206B F1FDD8BE 6BB57A3C 8D03115D B1F64A3F 7A7557C1 
  09B0A34A DB
  quit
!
!
crypto isakmp policy 10
 group 2
crypto isakmp keepalive 10
crypto isakmp profile ISA-PROF
   match certificate CERT-MAP
   isakmp authorization list usrgrp
   client pki authorization list usrgrp
   client configuration address respond
   client configuration group pkiuser
   virtual-template 2
!
!
crypto ipsec transform-set trans2 esp-3des esp-sha-hmac 
!
crypto ipsec profile IPSEC_PROF
 set transform-set trans2 
!
crypto ipsec profile ISC_IPSEC_PROFILE_1
 set transform-set trans2 
!         
!
crypto call admission limit ike sa 40
!
!
interface Loopback0
 ip address 10.3.0.1 255.255.255.255
 no ip route-cache cef
 no ip route-cache
!
interface Loopback1
 ip address 10.76.0.1 255.255.255.255
 no ip route-cache cef
 no ip route-cache
!
interface Ethernet3/0
 ip address 10.76.248.209 255.255.255.255
 no ip route-cache cef
 no ip route-cache
 duplex half
!
!
interface Ethernet3/2
 ip address 10.2.0.1 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex half
!
!
interface Serial4/0
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface Serial4/1
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface Serial4/2
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!         
interface Serial4/3
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 serial restart-delay 0
!
interface FastEthernet5/0
 ip address 10.9.4.77 255.255.255.255
 no ip route-cache cef
 no ip route-cache
 duplex half
!
interface FastEthernet6/0
 ip address 10.7.7.1 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex full
!
interface Virtual-Template1 
 no ip address
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel source Ethernet3/2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC_PROF
!
router eigrp 20
 network 172.16.0.0
 auto-summary
!
ip local pool ourpool 10.6.6.6
ip default-gateway 10.9.4.1
ip classless
ip route 10.1.0.1 255.255.255.255 10.0.0.2
ip route 10.2.3.0 255.255.0.0 10.2.4.4
ip route 10.9.1.0 255.255.0.0 10.4.0.1
ip route 10.76.0.0 255.255.0.0 10.76.248.129
ip route 10.11.1.1 255.255.255.0 10.7.7.2
!
no ip http server
no ip http secure-server
!
!
logging alarm informational
arp 10.9.4.1 0011.bcb4.d40a ARPA
!
!
radius-server host 10.76.248.201 auth-port 1645 acct-port 1646 key cisco
!
control-plane
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!         
!
end

The following example shows that per-user attributes have been configured on an Easy VPN server:

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login noAAA none
aaa authorization network default local 
!
aaa attribute list per-group
 attribute type inacl "per-group-acl" service ike protocol ip mandatory
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
!
!
username example password 0 example
!
!
crypto isakmp policy 3
 authentication pre-share
 group 2
crypto isakmp xauth timeout 90
!
crypto isakmp client configuration group PerUserAAA
 key cisco
 pool dpool
 crypto aaa attribute list per-group
!
crypto isakmp profile vi
 match identity group PerUserAAA
 isakmp authorization list default
 client configuration address respond
 client configuration group PerUserAAA
 virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac 
!
crypto ipsec profile vi
 set transform-set set 
 set isakmp-profile vi
!
!
interface GigabitEthernet0/0
 description 'EzVPN Peer'
 ip address 192.168.1.1 255.255.255.128
 duplex full
 speed 100
 media-type rj45
 no negotiation auto
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
 no negotiation auto
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip local pool dpool 10.5.0.1 10.5.0.10
ip classless
!
no ip http server
no ip http secure-server
!
!
ip access-list extended per-group-acl
 permit tcp any any
 deny   icmp any any
logging alarm informational
logging trap debugging
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
line aux 0
 stopbits 1
line vty 0 4
!
!
end

The following is output for an Easy VPN server that has been enabled with Network Admission Control:

Note	Network Admission Control is supported on an Easy VPN server only when the server uses IPsec virtual interfaces. Network Admission Control is enabled on the virtual template interface and applies to all clients that use this virtual template interface.

Router# show running-config

Building configuration...
Current configuration : 5091 bytes
!
version 12.4
!
hostname Router
!
aaa new-model
!
!
aaa authentication login userlist local
!
aaa authentication eou default group radius
aaa authorization network hw-client-groupname local
aaa accounting update newinfo
aaa accounting network acclist start-stop broadcast group radius
aaa session-id common
!
!
! Note 1: EAPoUDP packets will use the IP address of the loopback interface when sending the EAPoUDP hello to the Easy VPN client. Using the IP address ensures that the returning EAPoUDP packets come back encrypted and are associated with the correct virtual access interface. The ip admission (ip admission source-interface Loopback10) command is optional. Instead of using this command, you can specify the IP address of the virtual template to be an address in the inside network space as shown in the configuration of the virtual template below in Note 2.
ip admission source-interface Loopback10
ip admission name test eapoudp inactivity-time 60
!
!
eou clientless username cisco
eou clientless password cisco
eou allow ip-station-id
eou logging
!
username lab password 0 lab
username lab@easy password 0 lab
!
!
crypto isakmp policy 3
  encr 3des
  authentication pre-share
  group 2
!
!
crypto isakmp key 0 cisco address 10.53.0.1
crypto isakmp client configuration group easy
  key cisco
  domain cisco.com
  pool dynpool
  acl split-acl
  group-lock
  configuration url tftp://10.13.0.9/Config-URL_TFTP.cfg
  configuration version 111
!
crypto isakmp profile vi
    match identity group easy
    client authentication list userlist
    isakmp authorization list hw-client-groupname
    client configuration address respond
    client configuration group easy
    accounting acclist
    virtual-template 2
!
crypto ipsec security-association lifetime seconds 120
crypto ipsec transform-set set esp-3des esp-sha-hmac
crypto ipsec transform-set aes-trans esp-aes esp-sha-hmac
crypto ipsec transform-set transform-1 esp-des esp-sha-hmac
crypto ipsec profile vi
  set security-association lifetime seconds 3600
  set transform-set set aes-trans transform-1
  set isakmp-profile vi
!
!
crypto dynamic-map dynmap 1
  set transform-set aes-trans transform-1
  reverse-route
!
interface Loopback10
  ip address 10.61.0.1 255.255.255.255
!
interface FastEthernet0/0
  ip address 10.13.11.173 255.255.255.255
  duplex auto
  speed auto
!
interface FastEthernet0/1
  ip address 10.55.0.1 255.255.255.255
  duplex auto
  speed auto
!
!
interface Virtual-Template2 type tunnel
! Note2: Use the IP address of the loopback10. This ensures that the EAPoUDP packets that are attached to virtual-access interfaces that are cloned from this virtual template carry the source address of the loopback address and that response packets from the VPN client come back encrypted.
!
  ip unnumbered Loopback10
! Enable Network Admission Control for remote VPN clients.
  ip admission test
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile vi
!
!
ip local pool dynpool 172.16.2.65 172.16.2.70
ip classless
ip access-list extended ClientException
  permit ip any host 10.61.0.1
ip access-list extended split-acl
  permit ip host 10.13.11.185 any
  permit ip 10.61.0.0 255.255.255.255 any
  permit ip 10.71.0.0 255.255.255.255 any
  permit ip 10.71.0.0 255.255.255.255 10.52.0.0 0.255.255.255
  permit ip 10.55.0.0 255.255.255.255 any
!
ip radius source-interface FastEthernet0/0
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 permit udp any any eq 21862
access-list 102 permit ospf any any
access-list 102 deny ip any any
access-list 195 deny ospf any any
access-list 195 permit ip 10.61.0.0 255.255.255.255 10.51.0.0 255.255.255.255
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server host 10.13.11.185 auth-port 1645 acct-port 1646 key cisco
radius-server vsa send accounting
radius-server vsa send authentication
!
end

The following example shows that password aging has been configured so that if the password expires the Easy VPN client is notified:

Current configuration : 4455 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xinl-gateway
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-7.9.T
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login USERAUTH passwd-expiry group radius aaa authorization network branch local !
aaa session-id common
!
ip cef
username cisco privilege 15 secret 5 $1$A3HU$bCWjlkrEztDJx6JJzSnMV1 !
!
crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp client configuration address-pool local dynpool !
crypto isakmp client configuration group branch
  key cisco
  domain cisco.com
  pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac !
crypto isakmp profile profile2
   client authentication list USERAUTH
   match identity group branch
   isakmp authorization list branch
   client configuration address respond
   virtual-template 1
crypto ipsec profile vi
  set transform-set transform-1
interface GigabitEthernet0/0
  description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
  ip address 192.168.1.100 255.255.255.0
  duplex auto
  speed auto
  crypto map dynmap
!
interface GigabitEthernet0/1
  description $ES_LAN$
  ip address 172.19.217.96 255.255.255.0
  duplex auto
  speed auto
!
!interface Virtual-Template1 type tunnel
  ip unnumbered Ethernet0/0
  no clns route-cache
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile vi
!
ip local pool dpool 10.0.0.1 10.0.0.3
!
radius-server host 172.19.220.149 auth-port 1645 acct-port 1646 key cisco radius-server vsa send authentication !
control-plane
!
!
end

In the following example, the split tunnel list named "101" contains the 10.168.0.0/16 network. This network information must be included so that the DNS requests to the internal DNS server of 10.168.1.1 are encrypted.

crypto isakmp client configuration group home
 key abcd
 acl 101
 dns 10.168.1.1. 10.168.1.2

show Output

The following show command output example shows that www.example1.com and www.example2.com have been added to the policy group:

Router# show running-config
 | security group

 crypto isakmp client configuration group 831server
 key abcd
 dns 10.104.128.248
 split-dns www.example1.com
 split-dns www.example2.com
 group home2 key abcd

The following show command output example displays currently configured DNS views:

Router# show ip dns view

DNS View default parameters:
Logging is off
DNS Resolver settings:
  Domain lookup is enabled
  Default domain name: cisco.com
  Domain search list:
  Lookup timeout: 3 seconds
  Lookup retries: 2
  Domain name-servers:
    172.16.168.183
DNS Server settings:
  Forwarding of queries is enabled
  Forwarder addresses:
DNS View ezvpn-internal-view parameters:
Logging is off
DNS Resolver settings:
  Domain lookup is enabled
  Default domain name: 
  Domain search list:
  Lookup timeout: 3 seconds
  Lookup retries: 2
  Domain name-servers:
    10.104.128.248
DNS Server settings:
  Forwarding of queries is enabled
  Forwarder addresses:

The following show command output example displays currently configured DNS view lists:

Router# show ip dns view-list

View-list ezvpn-internal-viewlist:
  View ezvpn-internal-view:
    Evaluation order: 10
    Restrict to ip dns name-list: 1
  View default:
    Evaluation order: 20

The following show command output displays DNS name lists:

Router# show ip dns name-list

ip dns name-list 1
    permit www.example1.com
    permit www.example2.com

The following examples display DHCP client proxy output information using show and debug commands.

show Output

Note	Before you can use the show ip dhcp command, the DHCP server must be a Cisco IOS server.

The following show ip dhcp pool command output provides information about the DHCP parameters:

Router# show ip dhcp pool

Pool dynpool :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 254
 Leased addresses               : 1
 Pending event                  : none
 1 subnet is currently in the pool:
 Current index    IP address range          Leased addresses
                  10.3.3.1 - 10.3.3.254     1
 No relay targets associated with class aclass

The following show ip dhcp binding command output provides information about the DHCP bindings:

Router# show ip dhcp binding

Bindings from all pools not associated with VRF:
IP address          Client-ID/                       Lease expiration      Type
                    Hardware address/User name
                    10.3.3.5  0065.7a76.706e.2d63.   Apr 04 2006 06:01 AM  Automatic                     6c69.656e.74

debug Output

The following example shows how the debug crypto isakmp and debug ip dhcp server events commands can be used to troubleshoot your DHCP client proxy support configuration:

*Apr  3 06:01:32.047: ISAKMP: Config payload REQUEST *Apr  3 06:01:32.047: ISAKMP:(1002):checking request:
*Apr  3 06:01:32.047: ISAKMP:    IP4_ADDRESS
*Apr  3 06:01:32.047: ISAKMP:    IP4_NETMASK
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_CONFIG_URL
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_CONFIG_VERSION
*Apr  3 06:01:32.047: ISAKMP:    IP4_DNS
*Apr  3 06:01:32.047: ISAKMP:    IP4_DNS
*Apr  3 06:01:32.047: ISAKMP:    IP4_NBNS
*Apr  3 06:01:32.047: ISAKMP:    IP4_NBNS
*Apr  3 06:01:32.047: ISAKMP:    SPLIT_INCLUDE
*Apr  3 06:01:32.047: ISAKMP:    SPLIT_DNS
*Apr  3 06:01:32.047: ISAKMP:    DEFAULT_DOMAIN
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_SAVEPWD
*Apr  3 06:01:32.047: ISAKMP:    INCLUDE_LOCAL_LAN
*Apr  3 06:01:32.047: ISAKMP:    PFS
*Apr  3 06:01:32.047: ISAKMP:    BACKUP_SERVER
*Apr  3 06:01:32.047: ISAKMP:    APPLICATION_VERSION
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_BANNER
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_IPSEC_INT_CONF
*Apr  3 06:01:32.047: ISAKMP:    MODECFG_HOSTNAME
*Apr  3 06:01:32.047: ISAKMP/author: Author request for group homesuccessfully sent to AAA *Apr  3 06:01:32.047: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
*Apr  3 06:01:32.047: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
*Apr  3 06:01:32.047: ISAKMP:(1002):attributes sent in message:
*Apr  3 06:01:32.047:         Address: 10.2.0.0
*Apr  3 06:01:32.047: Requesting DHCP Server0 address 10.3.3.3 *Apr  3 06:01:32.047: DHCPD: Sending notification of DISCOVER:
*Apr  3 06:01:32.047:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr  3 06:01:32.047:   DHCPD: circuit id 00000000
*Apr  3 06:01:32.047: DHCPD: Seeing if there is an internally specified pool class:
*Apr  3 06:01:32.047:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr  3 06:01:32.047:   DHCPD: circuit id 00000000
*Apr  3 06:01:34.063: DHCPD: Adding binding to radix tree (10.3.3.5) *Apr  3 06:01:34.063: DHCPD: Adding binding to hash tree *Apr  3 06:01:34.063: DHCPD: assigned IP address 10.3.3.5 to client 0065.7a76.706e.2d63.6c69.656e.74.
*Apr  3 06:01:34.071: DHCPD: Sending notification of ASSIGNMENT:
*Apr  3 06:01:34.071:  DHCPD: address 10.3.3.5 mask 255.255.255.0
*Apr  3 06:01:34.071:   DHCPD: htype 1 chaddr aabb.cc00.6600
*Apr  3 06:01:34.071:   DHCPD: lease time remaining (secs) = 86400
*Apr  3 06:01:34.183: Obtained DHCP address 10.3.3.5 *Apr  3 06:01:34.183: ISAKMP:(1002):allocating address 10.3.3.5 *Apr  3 06:01:34.183: ISAKMP: Sending private address: 10.3.3.5 *Apr  3 06:01:34.183: ISAKMP: Sending subnet mask: 255.255.255.0

The following debug crypto ctcp command output displays information about a cTCP session, including comments about the output:

Router# debug crypto ctcp

! In the following two lines, a cTCP SYN packet is received from the client, and the cTCP connection is created.
*Sep 26 11:14:37.135: cTCP: Connection[648B50C0] 10.76.235.21:3519 10.76.248.239:10000: created
*Sep 26 11:14:37.135: cTCP: SYN from 10.76.235.21:3519
! In the following line, the SYN acknowledgement is sent to the client.
*Sep 26 11:14:37.135: cTCP: Sending SYN(680723B2)ACK(100C637) to 10.76.235.21:3519
! In the following two lines, an acknowledgement is received, and connection setup is complete. IKE packets should now be received on this newly created cTCP session.
*Sep 26 11:14:37.135: cTCP: Connection[648B50C0] 10.76.235.21:3519 10.76.248.239:10000:  found
*Sep 26 11:14:37.135: cTCP: ACK from 10.76.235.21:3519
*Sep 26 11:14:37.727: cTCP: Connection[648B50C0] 10.76.235.21:3519 10.76.248.239:10000:  found
*Sep 26 11:14:37.731: cTCP: updating PEER Seq number to 16828803l
*Sep 26 11:14:37.731: cTCP: Pak with contiguous buffer
*Sep 26 11:14:37.731: cTCP: mangling IKE packet from peer: 10.76.235.21:500->3519   10.76.248.239:500->500
*Sep 26 11:14:37.731: cTCP: Connection[648B50C0] 10.76.235.21:3519 10.76.248.239:10000:  found
*Sep 26 11:14:37.799: cTCP: demangling outbound IKE packet: 10.76.248.239:500->500   10.76.235.21:3519->500
*Sep 26 11:14:37.799: cTCP: encapsulating IKE packet
*Sep 26 11:14:37.799: cTCP: updating LOCAL Seq number to 1745298727l
! The above lines show that after the required number of IKE packets are exchanged, IKE and IPsec SAs are created.
*Sep 26 11:14:40.335: cTCP: updating PEER Seq number to 16830431l
*Sep 26 11:14:40.335: cTCP: Pak with particles
*Sep 26 11:14:40.335: cTCP: encapsulating pak
*Sep 26 11:14:40.339: cTCP: datagramstart 0xF2036D8, network_start 0xF2036D8, size 112
*Sep 26 11:14:40.339: cTCP: Pak with contiguous buffer
*Sep 26 11:14:40.339:  cTCP: allocated new buffer
*Sep 26 11:14:40.339: cTCP: updating LOCAL Seq number to 1745299535l
*Sep 26 11:14:40.339: IP: s=10.76.248.239 (local), d=10.76.235.21 (FastEthernet1/1), len 148, cTCP
! The above lines show that Encapsulating Security Payload (ESP) packets are now being sent and received.

The following output example shows that neither a VRF nor an IP address has been defined:

aaa new-model
aaa authentication login VPN group radius
aaa authorization network VPN group radius 
!
ip vrf example1
 rd 1:1
!
crypto isakmp profile example1
 match identity group example1group
 client authentication list VPN
 isakmp authorization list VPN
 client configuration address respond
 virtual-template 10
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
!
crypto ipsec profile example1
 set transform-set TS 
 set isakmp-profile example1
!
interface Virtual-Template10 type tunnel
! The next line shows that neither VRF nor an IP address has been defined.
 no ip address
tunnel mode ipsec ipv4
tunnel protection ipsec profile example1