Downloads |
Table Of Contents
Platform-Specific Documentation
Supported Standards, MIBs, and RFCs
Configuring the DHCP Server Pool (Required for Client Mode)
Verifying the DHCP Server Pool
Configuring and Assigning the Cisco Easy VPN Remote Configuration
Verifying the Cisco Easy VPN Configuration
Configuring the VPN 3000 Series Concentrator
Cisco Easy VPN Client in Client Mode (Cisco uBR905/uBR925)
Cisco Easy VPN Client in Client Mode (Cisco 806)
Cisco Easy VPN Client in Client Mode (Cisco 827)
Cisco Easy VPN Client in Client Mode (Cisco 1700 Series)
Network Extension Mode Configurations
Cisco Easy VPN Client in Network-Extension Mode (Cisco uBR905/uBR925)
Cisco Easy VPN Client in Network-Extension Mode (Cisco 806)
Cisco Easy VPN Client in Network-Extension Mode (Cisco 827)
Cisco Easy VPN Client in Network-Extension Mode (Cisco 1700 Series)
VPN Remote Access Server Configurations
VPN Remote Access Server Without Split Tunneling
VPN Remote Access Server Configuration With Split Tunneling
VPN Remote Access Server Configuration With XAUTH
clear crypto ipsec client ezvpn
crypto ipsec client ezvpn xauth
crypto ipsec client ezvpn (global configuration)
crypto ipsec client ezvpn (interface configuration)
show crypto ipsec client ezvpn
debug crypto ipsec client ezvpn
Cisco Easy VPN Remote Feature
OL-1748-02 Rev B0
November 20, 2002Feature History
This document describes the Cisco Easy VPN Remote feature for the Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers, the Cisco 1700 series routers, and the Cisco uBR905 and Cisco uBR925 cable access routers. This document provides information on configuring and monitoring the Cisco Easy VPN Remote feature to create IPSec Virtual Private Network (VPN) tunnels between a supported router and another Cisco router that supports this form of IPSec encryption/decryption.
Note
At the time of this document's publication, the Cisco Easy VPN Remote Phase II feature has been released in Cisco IOS Release 12.2(8)YJ and Cisco IOS Release 12.2(15)T. Cisco recommends using the Phase II feature on Cisco IOS Release 12.2(15)T, as documented in the Cisco Easy VPN Remote Phase II Feature document. If you want to use the Cisco Easy VPN Remote (Phase I) feature on Cisco 800 series routers, you must be using Cisco IOS Release 12.2(4)YA, which is not recommended.
This document includes the following major sections:
•
Feature Overview
Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated, and typically requires tedious coordination between network administrators to configure the two routers' VPN parameters.
The Cisco Easy VPN Remote feature eliminates much of this tedious work by implementing Cisco's Unity Client protocol, which allows most VPN parameters to be defined at a VPN remote access server. This server can be a dedicated VPN device such as a VPN 3000 concentrator or a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol.
After the VPN remote access server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a Cisco uBR905 or Cisco uBR925 cable access router, as well as on the Cisco 806/826/827/828 and Cisco 1700 series routers. When the IPSec client then initiates the VPN tunnel connection, the VPN remote access server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.
The Cisco Easy VPN Remote feature provides for automatic management of the following details:
•
•
•
•
•
•
The Cisco Easy VPN Remote feature supports two modes of operation:
•
In client mode, the Cisco Easy VPN Remote feature automatically configures the NAT/PAT translation and access lists that are needed to implement the VPN tunnel. These configurations are automatically created when the IPSec VPN connection is initiated. When the tunnel is torn down, the NAT/PAT and access list configurations are automatically deleted.
The NAT/PAT configuration is created with the following assumptions:
–
–
Tip
Note
•
Both modes of operation also optionally support split tunneling, which allows secure access to corporate resources through the VPN tunnel while also allowing Internet access through a connection to an ISP or other service (thereby eliminating the corporate network from the path for Web access).
Authentication can also be done using Extended Authentication (XAUTH). In this situation, when the VPN remote access server requests XAUTH authentication, the following messages are displayed on the router's console:
EZVPN: Pending XAuth Request, Please enter the following command:EZVPN: crypto ipsec client ezvpn xauthThe user can then provide the necessary user ID, password, and other information by entering the crypto ipsec client ezvpn xauth command and responding to the following prompts.
Note
Figure 1 illustrates the client mode of operation. In this example, the Cisco uBR905 cable access router provides access to two PCs, which have IP addresses in the 10.0.0.0 private network space. These PCs connect to the Ethernet interface on the Cisco uBR905 router, which also has an IP address in the 10.0.0.0 private network space. The Cisco uBR905 router performs NAT/PAT translation over the VPN tunnel, so that the PCs can access the destination network.
Figure 1 Cisco Easy VPN Client Connection
Note
Figure 2 also illustrates the client mode of operation, where a VPN concentrator provides destination endpoints to multiple xDSL clients. In this example, Cisco 800 series routers provide access to multiple small business clients, each of which uses IP addresses in the 10.0.0.0 private network space. The Cisco 800 series routers perform NAT/PAT translation over the VPN tunnel, so that the PCs can access the destination network.
Figure 2 Cisco Easy VPN Client Connection (using VPN concentrator)
Figure 3 illustrates the network extension mode of operation. In this example, the Cisco uBR905 cable access router and Cisco 1700 series router both act as Cisco Easy VPN Remotes, connecting to a VPN 3000 concentrator.
The client hosts are given IP addresses that are fully routable by the destination network over the tunnel. These IP addresses could be either in the same subnet space as the destination network, or they could also be in separate subnets, as long as the destination routers are configured to properly route those IP addresses over the tunnel.
In this example, the PCs and hosts attached to the two routers have IP addresses that are in the same address space as the destination enterprise network. The PCs connect to the Cisco uBR905 router's Ethernet interface, which also has an IP address in the enterprise address space. This provides a seamless extension of the remote network.
Figure 3 Cisco Easy VPN Network Extension Connection
Note
Benefits
•
•
•
•
•
•
•
•
Restrictions
No Manual NAT/PAT Configuration Allowed
The Cisco Easy VPN Remote feature automatically creates the appropriate NAT/PAT configuration for the VPN tunnel. You therefore must not create a manual NAT/PAT configuration on any interface when using the Cisco Easy VPN Remote feature. If NAT/PAT has already been configured on the router, you must remove that configuration before beginning the Cisco Easy VPN Remote configuration.
Only One Destination Peer Supported
The Cisco Easy VPN Remote feature supports the configuration of only one destination peer and tunnel connection. If your application requires the creation of multiple VPN tunnels, you must manually configure the IPSec VPN and NAT/PAT parameters on both the client and server.
Change of IP Address on Inside Interface
Changing the IP address on the inside interface automatically resets the Cisco Easy VPN Remote connection so that the new IP address can be implemented on the tunnel connection.
Required Destination Servers
The Cisco Easy VPN Remote feature requires that the destination peer be a VPN remote access server or VPN concentrator that supports either the VPN Remote Access Server Enhancements feature or the Cisco Unity protocol. At the time of publication, this includes the following platforms when running the indicated software releases:
•
•
•
•
•
•
•
•
•
•
•
•
Note
Digital Certificates Not Supported
In Cisco IOS Release 12.2(13)T, the Cisco Easy VPN Remote feature does not support authentication using digital certificates. Authentication is supported using preshared keys and Extended Authentication (XAUTH).
Only ISAKMP Policy Group 2 Supported on IPSec Servers
The Unity Protocol supports only ISAKMP policies that use group 2 (1024-bit Diffie-Hellman) IKE negotiation, so the IPSec server being used with the Cisco Easy VPN Remote must be configured for a group 2 isakmp policy. The IPSec server cannot be configured for ISAKMP group 1 or group 5 when being used with a Cisco Easy VPN Remote.
Perfect Forward Secrecy Not Supported
The Cisco Easy VPN Remote feature does not support the Perfect Forward Secrecy (PFS) feature that is available on the Cisco VPN 3000 concentrator.
Transform Sets Supported
To ensure a secure tunnel connection, the Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication (ESP-DES and ESP-3DES) or transform sets that provide authentication without encryption (ESP-NULL ESP-SHA-HMAC and ESP-NULL ESP-MD5-HMAC).
Changing the IP Address on the LAN Interface on Cisco 800 Series Routers
The Ethernet 0 LAN interface on the Cisco 800 series routers default to a primary IP address in the private network of 10.10.10.0. If you need to change this IP address to match the local network's configuration, you can use either the ip address CLI command or by using the Cisco Router Web Setup (CRWS) web interface.
However, these two techniques differ slightly in how the new IP address is assigned. When using the CLI command, the new IP address is assigned as the primary address for the interface. When using the CRWS interface, the new IP address is assigned as the secondary address, and the existing IP address is preserved as the primary address for the interface. This allows the CRWS interface to maintain the existing connection between the PC web browser and the Cisco 800 series router.
Because of this behavior, the Cisco Easy VPN Remote feature assumes that if a secondary IP address exists on the Ethernet 0 interface, the secondary address should be used as the IP address for the inside interface for the NAT/PAT configuration. If no secondary address exists, the primary IP address will be used for the inside interface address, as is normally done on other platforms. If this behavior is not desired, use the ip address CLI command to change the interface's address, instead of using the CRWS web interface.
USB Interface Not Supported on the Cisco uBR925 Router
The Cisco Easy VPN Remote feature supports only the Ethernet interface on the Cisco uBR925 cable access router. The feature does not support the router's USB interface.
VPN 3000 Configuration
The configuration of the VPN 3000 concentrator has several restrictions when used with the Cisco Easy VPN Remote feature. See the "Configuring the VPN 3000 Series Concentrator" section for more details.
Related Documents
This section lists other documentation related to the configuration and maintenance of the supported routers and the Cisco Easy VPN Remote feature.
Platform-Specific Documentation
Cisco 800 Series Routers
•
•
•
•
•
•
•
Note
Cisco uBR905 and Cisco uBR925 Cable Access Routers
•
•
•
•
•
•
Cisco 1700 Series Routers
•
•
•
•
•
•
•
•
•
Also see the Cisco IOS release notes for Cisco IOS Release 12.2(4)YA:
•
•
•
IPsec and VPN Documentation
For information on the VPN Remote Access Enhancements feature, which provides Cisco Unity client support for the Cisco Easy VPN Remote feature, see the VPN Remote Access Enhancements feature module for Cisco IOS Release 12.2(8)T.
For general information on IPSec and VPN subjects, see the following information in the product literature and IP technical tips sections on Cisco.com:
•
•
•
The following technical documents, available on Cisco.com and the Documentation CD-ROM, also provide more in-depth configuration information:
•
•
•
Note
Supported Platforms
The Cisco Easy VPN Remote client feature described in this document supports the following platforms:
•
•
•
Note
Determining Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Feature Navigator home page at the following URL:
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
The following new or modified MIBs are supported by this feature:
•
•
•
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
The following requirements are necessary to use the Cisco Easy VPN Remote feature:
•
•
Configuration Tasks
See the following sections for configuration tasks for the Cisco Easy VPN Remote feature. Each task in the list is identified as either required or optional.
•
•
•
•
•
Configuring the DHCP Server Pool (Required for Client Mode)
The local router uses the DHCP protocol to assign IP addresses to the PCs that are connected to the router's LAN interface. This requires creating a pool of IP addresses for the router's onboard DHCP server. The DHCP server then assigns an IP address from this pool to each PC when it connects to the router.
In a typical VPN connection, the PCs connected to the router's LAN interface are assigned an IP address in a private address space. The router then uses NAT/PAT to translate those IP addresses into a single IP address that is transmitted across the VPN tunnel connection.
Tip
Use the following procedure to configure the DHCP server pool on the Cisco uBR905/uBR925 cable access routers and the Cisco 1700 series routers:
Note
Verifying the DHCP Server Pool
To verify that the DHCP server pool has been correctly configured, use the following procedure.
Step 1
Router# show ip dhcp poolPool localpool :Current index : 192.168.100.1Address range : 192.168.100.1 - 192.168.100.254Router#Step 2
Router# show ip dhcp importAddress Pool Name: localpoolDomain Name Server(s): 192.168.20.5NetBIOS Name Server(s): 192.168.20.6Domain Name Option: cisco.comRouter#Step 3
Router# show ip dhcp bindingIP address Hardware address Lease expiration Type192.168.100.3 00c0.abcd.32de Nov 01 2001 12:00 AM Automatic192.168.100.5 00c0.abcd.331a Nov 01 2001 12:00 AM AutomaticRouter#
Troubleshooting Tips
If PCs connected to the router's LAN interface cannot obtain an IP address using DHCP, check the following:
•
Router# show running-config | include dhcpno service dhcpip dhcp pool localpoolRouter#If the output from the show running-config command does not include the no service dhcp command, the DHCP server is enabled.
•
•
C:\> ipconfig /allWindows 2000 IP ConfigurationHost Name . . . . . . . . . . . . : MYPC-W2K1Primary DNS Suffix . . . . . . . : cisco.comNode Type . . . . . . . . . . . . : HybridIP Routing Enabled. . . . . . . . : NoWINS Proxy Enabled. . . . . . . . : NoDNS Suffix Search List. . . . . . : cisco.comEthernet adapter Local Area Connection:Connection-specific DNS Suffix . : cisco.comDescription . . . . . . . . . . . : 3Com 3C920 Integrated Fast EthernetController (3C905C-TX Compatible)Physical Address. . . . . . . . . : 01-23-45-67-89-ABDHCP Enabled. . . . . . . . . . . : YesAutoconfiguration Enabled . . . . : YesIP Address. . . . . . . . . . . . : 192.168.100.94Subnet Mask . . . . . . . . . . . : 255.255.254.0Default Gateway . . . . . . . . . : 192.168.100.1DHCP Server . . . . . . . . . . . : 172.16.156.54DNS Servers . . . . . . . . . . . : 172.16.168.183172.16.226.120Primary WINS Server . . . . . . . : 172.16.235.228Secondary WINS Server . . . . . . : 172.16.2.87Lease Obtained. . . . . . . . . . : Monday, October 22, 2001 11:15:32 ALease Expires . . . . . . . . . . : Thursday, October 25, 2001 11:15:32 AMConfiguring and Assigning the Cisco Easy VPN Remote Configuration
The router acting as the IPSec client must create an Cisco Easy VPN Remote configuration and assign it to the outgoing interface. To do so, use the following procedure.
Note
Verifying the Cisco Easy VPN Configuration
To verify that the Cisco Easy VPN Remote configuration has been correctly configured, that the configuration has been assigned to an interface, and that the IPSec VPN tunnel has been established, use the following steps.
Step 1
Router# show crypto ipsec client ezvpnCurrent State: IPSEC ACTIVELast Event: SOCKET UPAddress: 198.1.1.90Mask: 255.255.255.0DNS Primary: 198.1.1.250DNS Secondary: 198.1.1.251NBMS/WINS Primary: 198.1.1.252NBMS/WINS Secondary: 198.1.1.253Router#The following is typical output for a router using network-extension mode:
Router# show crypto ipsec client ezvpnCurrent State: IPSEC_ACTIVELast Event: SOCKET_UPAddress: 30.0.0.53Mask: 255.255.255.255Split Tunnel List: 1Address : 30.100.0.0Mask : 255.255.255.128Protocol : 0x0Source Port: 0Dest Port : 0Router#Step 2
Router# show ip nat statisticsTotal active translations: 0 (0 static, 0 dynamic; 0 extended)Outside interfaces:cable-modem0Inside interfaces:Ethernet0Hits: 1489 Misses: 1Expired translations: 1Dynamic mappings:-- Inside Sourceaccess-list 198 pool enterprise refcount 0pool enterprise: netmask 255.255.255.0start 198.1.1.90 end 198.1.1.90type generic, total addresses 1, allocated 0 (0%), misses 0\Router#Step 3
Router# show access-listExtended IP access list 198permit ip 192.1.1.0 0.0.0.255 anyRouter#
Note
The following is a typical display for a Cisco uBR905/uBR925 cable access router configured for client mode with split tunneling:
Router# show access-listExtended IP access list 197deny ip 192.168.100.0 0.0.0.255 172.168.0.128 0.0.0.127deny ip 192.168.100.0 0.0.0.255 172.168.1.128 0.0.0.127permit ip 192.168.100.0 0.0.0.255 anyExtended IP access list 198permit ip 192.168.100.0 0.0.0.255 172.168.0.128 0.0.0.127permit ip 192.168.100.0 0.0.0.255 172.168.1.128 0.0.0.127Router#
Tip
The following is a typical display for a Cisco 827 router configured for client mode with split tunneling:
c827# show access-listExtended IP access list 197deny ip 70.0.0.0 0.255.255.255 30.100.0.0 0.0.0.127 (5 matches)permit ip 70.0.0.0 0.255.255.255 anyExtended IP access list 198permit ip 70.0.0.0 0.255.255.255 30.100.0.0 0.0.0.127 (5 matches)c827#Step 4
Router# show crypto isakmp keyHostname/Address Preshared Key193.1.1.1 hw-client-passwordRouter#
Configuring the VPN 3000 Series Concentrator
This section describes the guidelines required to configure the Cisco VPN 3000 series concentrator for use with Cisco Easy VPN Remotes. As a general rule, you can use the default configuration except for IP addresses, server addresses, and routing configurations, and for the following parameters and options:
Note
•
•
•
•
•
•
•
This proposal is active by default, but verify that it is still an active proposal using the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen.
Note
•
–
–
–
–
–
The Cisco VPN 3000 Series Concentrator is preconfigured with several default security associations but they do not meet the IKE Proposal requirements. To use an IKE Proposal of CiscoVPNClient-3DES-MD5, copy the ESP/IKE-3DES-MD5 security association and modify it to use CiscoVPNClient-3DES-MD5 as its IKE proposal. This is configured on the VPN 3000 series concentrator using the Configuration | Policy Management | Traffic Management | Security Associations screen.
Troubleshooting Tips
To troubleshoot a VPN connection created using the Cisco Easy VPN Remote, use the following suggested techniques.
•
•
•
•
Configuration Examples
This section provides the following configuration examples:
•
•
Client Mode Configurations
This section shows the following examples that demonstrate configurations for the Cisco Easy VPN Remote in the client mode of operation. Also shown are the VPN remote access server configurations that correspond to these client configurations.
•
•
•
•
Note
Cisco Easy VPN Client in Client Mode (Cisco uBR905/uBR925)
The following example configures a Cisco uBR905 cable access router as an IPSec client, using the Cisco Easy VPN Remote feature in the client mode of operation. This example shows the following components of the Cisco Easy VPN Remote configuration:
•
•
•
Note
•
version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice internal!hostname uBR905Client!!!!clock timezone - 0 6ip subnet-zeroip tftp source-interface cable-modem0ip dhcp excluded-address 192.168.100.1!ip dhcp pool localpoolimport allnetwork 192.168.100.0 255.255.255.0default-router 192.168.100.1lease 1 0 0!ip ssh time-out 120ip ssh authentication-retries 3!!!!crypto ipsec client ezvpn hw-clientpeer 188.185.0.5group hw-client-groupname key hw-client-passwordmode client!!!!!interface Ethernet0ip address 192.168.100.1 255.255.255.0!interface cable-modem0no cable-modem compliant bridgecrypto ipsec client ezvpn hw-client!ip classlessno ip http serverno ip http cable-monitor!snmp-server packetsize 4096snmp-server chassis-idsnmp-server manager!line con 0exec-timeout 0 0line vty 0 4login!scheduler max-task-time 5000endCisco Easy VPN Client in Client Mode (Cisco 806)
The following example configures a Cisco 806 router as an IPSec client using the Cisco Easy VPN Remote feature in the client mode of operation. This example shows the following components of the Cisco Easy VPN Remote configuration:
•
•
Note
•
Note
! Cisco Router Web Setup Template!no service padno service tcp-small-serversno service udp-small-serversservice timestamps debug uptimeservice timestamps log uptimeservice password-encryption!hostname 806Router!!ip subnet-zeroip domain-lookupip dhcp excluded-address 10.10.10.1!ip dhcp pool CLIENTimport allnetwork 10.10.10.0 255.255.255.0default-router 10.10.10.1lease 1 0 0!!!crypto ipsec client ezvpn hw-clientpeer 188.185.0.5group hw-client-groupname key hw-client-passwordmode client!!interface Ethernet0ip address 10.10.10.1 255.255.255.0no cdp enablehold-queue 32 in!interface Ethernet1ip address dhcpno cdp enablecrypto ipsec client ezvpn hw-client!ip classlessip http server!!ip route 0.0.0.0 0.0.0.0 Ethernet1!line con 0exec-timeout 120 0stopbits 1line vty 0 4exec-timeout 0 0login local!endCisco Easy VPN Client in Client Mode (Cisco 827)
The following example configures a Cisco 827 router as an IPSec client using the Cisco Easy VPN Remote feature in the client mode of operation. This example shows the following components of the Cisco Easy VPN Remote configuration:
•
•
Note
•
Note
version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname c827!!mmi polling-interval 60no mmi auto-configureno mmi pvcmmi snmp-timeout 180ip subnet-zero!ip ssh time-out 120ip ssh authentication-retries 3vpdn enable!vpdn-group pppoerequest-dialinprotocol pppoeip mtu adjust!!!!!!crypto ipsec client ezvpn hw-clientgroup hw-client-groupname key hw-client-passwordmode clientpeer 20.0.0.5!!!!!interface Ethernet0ip address 70.0.0.117 255.0.0.0hold-queue 100 out!interface ATM0no ip addressno atm ilmi-keepalivepvc 1/40pppoe-client dial-pool-number 1!dsl operating-mode auto!interface Dialer1ip address 12.0.0.3 255.0.0.0ip mtu 1492encapsulation pppdialer pool 1crypto ipsec client ezvpn hw-client!ip classlessip route 0.0.0.0 0.0.0.0 ATM0ip route 0.0.0.0 0.0.0.0 Dialer1 permanentip route 20.0.0.0 255.0.0.0 12.0.0.13ip http serverip pim bidir-enable!line con 0stopbits 1line vty 0 4login!scheduler max-task-time 5000endCisco Easy VPN Client in Client Mode (Cisco 1700 Series)
The following example configures a Cisco 1700 series router as an IPSec client using the Cisco Easy VPN Remote feature in the client mode of operation. This example shows the following components of the Cisco Easy VPN Remote configuration:
•
Note
•
!version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname 1710!!mmi polling-interval 60no mmi auto-configureno mmi pvcmmi snmp-timeout 180ip subnet-zeroip dhcp excluded-address 70.0.0.10!ip dhcp pool CLIENTimport allnetwork 70.0.0.0 255.255.255.0default-router 70.0.0.10lease 1 0 0!!!ip ssh time-out 120ip ssh authentication-retries 3!!!!!crypto ipsec client ezvpn hw-clientgroup hw-client-groupname key hw-client-passwordmode clientpeer 30.0.0.2!!!!!interface Ethernet0ip address 50.0.0.10 255.0.0.0half-duplexcrypto ipsec client ezvpn hw-client!interface FastEthernet0ip address 70.0.0.10 255.0.0.0speed auto!ip classlessip route 20.0.0.0 255.0.0.0 Ethernet0ip route 30.0.0.0 255.0.0.0 Ethernet0no ip http serverip pim bidir-enable!!!!line con 0exec-timeout 0 0line aux 0line vty 0 4login!endNetwork Extension Mode Configurations
This section shows the following examples that demonstrate how to configure the Cisco Easy VPN Remote in the network extension mode of operation. Also shown are the VPN remote access server configurations that correspond to these client configurations.
•
•
•
•
Cisco Easy VPN Client in Network-Extension Mode (Cisco uBR905/uBR925)
The following example configures a Cisco uBR905 cable access router as an IPSec client, using the Cisco Easy VPN Remote feature in the network extension mode of operation. This example shows the following components of the Cisco Easy VPN Remote configuration:
•
•
•
Note
•
version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice internal!hostname uBR905Client!!!!clock timezone - 0 6ip subnet-zeroip tftp source-interface cable-modem0ip dhcp excluded-address 172.168.1.1!ip dhcp pool localpoolimport allnetwork 172.168.1.0 255.255.255.248default-router 172.168.1.1lease 1 0 0!!ip ssh time-out 120ip ssh authentication-retries 3!!!!crypto ipsec client ezvpn hw-clientpeer 188.185.0.5group hw-client-groupname key hw-client-passwordmode network-extension!!!!!interface Ethernet0ip address 172.168.1.1 255.255.255.248!interface cable-modem0no cable-modem compliant bridgecrypto ipsec client ezvpn hw-client!ip classlessip route 0.0.0.0 0.0.0.0 cable-modem0no ip http serverno ip http cable-monitor!snmp-server packetsize 4096snmp-server chassis-idsnmp-server manager!line con 0exec-timeout 0 0line vty 0 4login!scheduler max-task-time 5000endCisco Easy VPN Client in Network-Extension Mode (Cisco 806)
The following example configures a Cisco 806 router as an IPSec client using the Cisco Easy VPN Remote feature. This example shows the following components of the Cisco Easy VPN Remote configuration:
•
•
Note
•
Note
! Cisco Router Web Setup Template!no service padno service tcp-small-serversno service udp-small-serversservice timestamps debug uptimeservice timestamps log uptimeservice password-encryption!hostname Router!!ip subnet-zeroip domain-lookup!!ip dhcp excluded-address 172.168.1.1!ip dhcp pool localpoolimport allnetwork 172.168.1.0 255.255.255.248default-router 172.168.1.1lease 1 0 0!!crypto ipsec client ezvpn hw-clientpeer 188.185.0.5group hw-client-groupname key hw-client-passwordmode network-extension!!interface Ethernet0ip address 172.168.1.1 255.255.255.192no cdp enablehold-queue 32 in!interface Ethernet1ip address dhcpno cdp enablecrypto ipsec client ezvpn hw-client!ip classlessip route 172.168.0.0 255.255.255.128 Ethernet1ip http server!!!line con 0exec-timeout 120 0stopbits 1line vty 0 4exec-timeout 0 0login local!endCisco Easy VPN Client in Network-Extension Mode (Cisco 827)
The following example configures a Cisco 827 router as an IPSec client using the Cisco Easy VPN Remote feature in the client mode of operation. This example shows the following components of the Cisco Easy VPN Remote configuration:
•
•
•
Note
•
Note
version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname c827!!mmi polling-interval 60no mmi auto-configureno mmi pvcmmi snmp-timeout 180ip subnet-zero!ip ssh time-out 120ip ssh authentication-retries 3vpdn enable!vpdn-group pppoerequest-dialinprotocol pppoeip mtu adjust!!!!!!crypto ipsec client ezvpn hw-clientgroup hw-client-groupname key hw-client-passwordmode network-extensionpeer 20.0.0.5!!!!!interface Ethernet0ip address 172.168.0.30 255.255.255.192hold-queue 100 out!interface ATM0no ip addressno atm ilmi-keepalivepvc 1/40pppoe-client dial-pool-number 1!dsl operating-mode auto!interface Dialer1ip address 12.0.0.3 255.0.0.0ip mtu 1492encapsulation pppdialer pool 1crypto ipsec client ezvpn hw-client!ip classlessip route 172.168.0.0 255.255.255.128 Dialer1ip route 0.0.0.0 0.0.0.0 ATM0ip route 0.0.0.0 0.0.0.0 Dialer1 permanentip route 20.0.0.0 255.0.0.0 12.0.0.13ip http serverip pim bidir-enable!line con 0stopbits 1line vty 0 4login!scheduler max-task-time 5000endCisco Easy VPN Client in Network-Extension Mode (Cisco 1700 Series)
The following example configures a Cisco 1700 series router as an IPSec client using the Cisco Easy VPN Remote feature in the network-extension mode of operation. This example shows the following components of the Cisco Easy VPN Remote configuration:
•
Note
•
!version 12.2service timestamps debug uptimeservice timestamps log uptimeno service password-encryption!hostname 1710!!mmi polling-interval 60no mmi auto-configureno mmi pvcmmi snmp-timeout 180ip subnet-zero!!!ip ssh time-out 120ip ssh authentication-retries 3!!ip dhcp excluded-address 70.0.0.10!ip dhcp pool localpoolimport allnetwork 70.0.0.0 255.255.255.248default-router 70.0.0.10lease 1 0 0!!!crypto ipsec client ezvpn hw-clientgroup hw-client-groupname key hw-client-passwordmode network-extensionpeer 30.0.0.2!!!!!interface Ethernet0ip address 50.0.0.10 255.0.0.0half-duplexcrypto ipsec client ezvpn hw-client!interface FastEthernet0ip address 70.0.0.10 255.0.0.0speed auto!ip classlessip route 20.0.0.0 255.0.0.0 Ethernet0ip route 30.0.0.0 255.0.0.0 Ethernet0no ip http serverip pim bidir-enable!!!!line con 0exec-timeout 0 0line aux 0line vty 0 4login!endVPN Remote Access Server Configurations
This configuration describes basic VPN Remote Access server configurations that support the Cisco Easy VPN Remote configurations given in the previous sections. For complete information on configuring these servers, see the VPN Remote Access Enhancements feature module for Cisco IOS Release 12.2(8)T, available on Cisco.com and the Customer Documentation CD-ROM.
•
•
•
VPN Remote Access Server Without Split Tunneling
The following example shows the VPN remote access server that is the destination peer router for the Cisco Easy VPN Remote network-extension mode configurations shown earlier in this section. In addition to the other IPSec configuration commands, the crypto isakmp client configuration group hw-client-groupname defines the attributes for the VPN group that was assigned to the IPSec client router. This includes a matching key value (hw-client-password), and the appropriate routing parameters, such as DNS server, for the IPSec clients.
To support the network extension mode of operation, the ip route command instructs that incoming packets for the 172.168.0.0 network be directed out the cable-modem interface to the Cisco Easy VPN Remote. Other ip route commands might be needed, depending on your network's topology.
Note
version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice internal!hostname uBR925Server!aaa new-model!!aaa authorization network hw-client-groupname localaaa session-id common!!!clock timezone - 0 6ip subnet-zero!ip ssh time-out 120ip ssh authentication-retries 3!crypto isakmp policy 1authentication pre-sharegroup 2crypto isakmp client configuration address-pool local dynpool!crypto isakmp client configuration group hw-client-groupnamekey hw-client-passworddns 172.168.0.250 172.168.0.251wins 172.168.0.252 172.168.0.253domain cisco.compool dynpool!!crypto ipsec transform-set transform-1 esp-des esp-sha-hmac!crypto dynamic-map dynmap 1set transform-set transform-1!!crypto map dynmap isakmp authorization list hw-client-groupnamecrypto map dynmap client configuration address respondcrypto map dynmap 1 ipsec-isakmp dynamic dynmap!!!!interface Ethernet0ip address 172.168.0.129 255.255.255.128!interface cable-modem0no cable-modem compliant bridgecrypto map dynmap!interface usb0no ip addressarp timeout 0!ip local pool dynpool 172.168.0.65 172.168.0.127ip classless! Add the appropriate ip route commands for network-extension modeip route 172.168.1.0 255.255.255.248 cable-modem0no ip http serverno ip http cable-monitor!snmp-server manager!line con 0exec-timeout 0 0line vty 0 4!scheduler max-task-time 5000end
Note
VPN Remote Access Server Configuration With Split Tunneling
The following example shows an VPN remote access server configured for a split tunneling configuration with a Cisco Easy VPN Remote. This example is identical to that shown in the "VPN Remote Access Server Without Split Tunneling" section, except for access list 150, which is assigned as part of the crypto isakmp client configuration group hw-client-groupname command. This access list allows the Cisco Easy VPN Remote to use the server to access one additional subnet that is not part of the VPN tunnel, without compromising the security of the IPsec connection.
To support the network extension mode of operation, the ip route command instructs that incoming packets for the 172.168.0.0 network be directed out the cable-modem interface to the Cisco Easy VPN Remote. Other ip route commands might be needed, depending on your network's topology.
Note
version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice internal!hostname uBR925Server!aaa new-model!!aaa authorization network hw-client-groupname localaaa session-id common!!!clock timezone - 0 6ip subnet-zero!ip ssh time-out 120ip ssh authentication-retries 3!crypto isakmp policy 1authentication pre-sharegroup 2crypto isakmp client configuration address-pool local dynpool!crypto isakmp client configuration group hw-client-groupnamekey hw-client-passworddns 172.168.0.250 172.168.0.251wins 172.168.0.252 172.168.0.253domain cisco.compool dynpoolacl 150!!crypto ipsec transform-set transform-1 esp-des esp-sha-hmac!crypto dynamic-map dynmap 1set transform-set transform-1!!crypto map dynmap isakmp authorization list hw-client-groupnamecrypto map dynmap client configuration address respondcrypto map dynmap 1 ipsec-isakmp dynamic dynmap!!!!interface Ethernet0ip address 172.168.0.129 255.255.255.128!interface cable-modem0no cable-modem compliant bridgecrypto map dynmap!interface usb0no ip addressarp timeout 0!ip local pool dynpool 172.168.0.65 172.168.0.127ip classless! Add the appropriate ip route commands for network-extension modeip route 172.168.1.0 255.255.255.248 cable-modem0no ip http serverno ip http cable-monitor!access-list 150 permit ip 172.168.0.128 0.0.0.127 anysnmp-server manager!line con 0exec-timeout 0 0line vty 0 4!scheduler max-task-time 5000end
Note
VPN Remote Access Server Configuration With XAUTH
The following example shows an VPN remote access server configured to support XAUTH authentication with a Cisco Easy VPN Remote. This example is identical to that shown in the "VPN Remote Access Server Configuration With Split Tunneling" section, except for the following commands that enable and configure XAUTH authentication:
•
•
•
•
The following commands, which are also present in the non-XAUTH configurations, are also required for XAUTH use:
•
•
•
•
•
•
Tip
Note
version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeno service password-encryptionservice internal!hostname uBR925Server!aaa new-model!!aaa authentication login userlist localaaa authorization network hw-client-groupname localaaa session-id common!username cisco password 7 cisco!!clock timezone - 0 6ip subnet-zero!ip ssh time-out 120ip ssh authentication-retries 3!crypto isakmp policy 1authentication pre-sharegroup 2crypto isakmp client configuration address-pool local dynpoolcrypto isakmp xauth timeout 60!crypto isakmp client configuration group hw-client-groupnamekey hw-client-passworddns 172.168.0.250 172.168.0.251wins 172.168.0.252 172.168.0.253domain cisco.compool dynpoolacl 150!!crypto ipsec transform-set transform-1 esp-des esp-sha-hmac!crypto dynamic-map dynmap 1set transform-set transform-1!!crypto map dynmap client authentication list userlistcrypto map dynmap isakmp authorization list hw-client-groupnamecrypto map dynmap client configuration address respondcrypto map dynmap 1 ipsec-isakmp dynamic dynmap!!!!interface Ethernet0ip address 172.168.0.129 255.255.255.128!interface cable-modem0no cable-modem compliant bridgecrypto map dynmap!interface usb0no ip addressarp timeout 0!ip local pool dynpool 172.168.0.65 172.168.0.127ip classlessip route 172.168.1.0 255.255.255.248 cable-modem0no ip http serverno ip http cable-monitor!access-list 150 permit ip 172.168.0.128 0.0.0.127 anysnmp-server manager!line con 0exec-timeout 0 0line vty 0 4!scheduler max-task-time 5000end
Note
Command Reference
This section documents new or modified commands to support the Cisco Easy VPN Remote feature. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.
This section documents the following commands:
•
•
•
•
•
•
clear crypto ipsec client ezvpn
To reset the Cisco Easy VPN Remote state machine and bring down the Cisco Easy VPN Remote connections on all interfaces, use the clear crypto ipsec client ezvpn command in Privileged EXEC mode. If the Cisco Easy VPN Remote connection for a particular interface is configured for auto connect, this command also initiates a new Cisco Easy VPN Remote connection.
clear crypto ipsec client ezvpn
Syntax Description
This command has no keywords or arguments.
Defaults
No default values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear crypto ipsec client ezvpn command resets the Cisco Easy VPN Remote state machine, bringing down the current Cisco Easy VPN Remote connection and bringing it back up on the interface.
Examples
The following example shows the Cisco Easy VPN Remote state machine being reset.
router# clear crypto ipsec client ezvpnrouter#Related Commands
crypto ipsec client ezvpn xauth
To respond to a pending VPN authorization request, use the crypto ipsec client ezvpn xauth command in Privileged EXEC mode.
crypto ipsec client ezvpn xauth
Syntax Description
This command has no keywords or arguments.
Defaults
No default values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
When making a VPN connection, individual users might also be required to provide authorization information, such as a username or password. When the remote end requires this information, the router displays a message on the router's console instructing the user to enter the crypto ipsec client ezvpn xauth command. The user then uses the CLI to give this command and reply to the following prompts to provide the required information.
Note
Examples
The following example shows an example of the user being prompted to enter the crypto ipsec client ezvpn xauth command. The user then enters the requested information and continues.
router#20:27:39: EZVPN: Pending XAuth Request, Please enter the following command:20:27:39: EZVPN: crypto ipsec client ezvpn xauthrouter# crypto ipsec client ezvpn xauthEnter Username and Password: useridPassword: ************router#Related Commands
crypto ipsec client ezvpn
(interface configuration mode) Assigns a Cisco Easy VPN Remote configuration to an interface.
crypto ipsec client ezvpn (global configuration)
To create a Cisco Easy VPN Remote configuration and enter the Cisco Easy VPN Remote configuration mode, use the crypto ipsec client ezvpn command in global configuration mode. To delete the Cisco Easy VPN Remote configuration, use the no form of this command.
crypto ipsec client ezvpn config-name
no crypto ipsec client ezvpn config-name
Note
Syntax Description
Defaults
Newly created Cisco Easy VPN Remote configurations default to the client mode of operation.
Command Modes
Global configuration
Command History
Usage Guidelines
The crypto ipsec client ezvpn command creates a Cisco Easy VPN Remote configuration and then enters the Cisco Easy VPN Remote configuration mode, at which point you can enter the following subcommands:
•
•
–
–
•
Note
•
•
After configuring the Cisco Easy VPN Remote configuration, use the exit command to exit the Easy VPN configuration mode and return to global configuration mode.
Note
Examples
The following example shows a Cisco Easy VPN Remote configuration named telecommuter-client being created on a Cisco uBR905/uBR925 cable access router and being assigned to cable interface 0:
router# config trouter(config)# crypto ipsec client ezvpn telecommuter-clientrouter(config-crypto-ezvpn)# group telecommute-group key secret-telecommute-keyrouter(config-crypto-ezvpn)# peer telecommuter-serverrouter(config-crypto-ezvpn)# mode clientrouter(config-crypto-ezvpn)# exitrouter(config)# interface c0router(config-if)# crypto ezvpn telecommuter-clientrouter(config-if)# exitrouter(config)#
Note
The following example shows the Cisco Easy VPN Remote configuration named telecommuter-client being removed from the interface and then deleted:
router# config trouter(config)# int e1router(config-if)# no crypto ipsec client ezvpn telecommuter-clientrouter(config-if)# exitrouter(config)# no crypto ipsec client ezvpn telecommuter-clientrouter(config)#Related Commands
crypto ipsec client ezvpn
(interface configuration mode) Assigns a Cisco Easy VPN Remote configuration to an interface.
crypto ipsec client ezvpn (interface configuration)
To assign a Cisco Easy VPN Remote configuration to an interface, use the crypto ipsec client ezvpn command in interface configuration mode. To remove the Cisco Easy VPN Remote configuration from the interface, use the no form of this command.
crypto ipsec client ezvpn config-name
no crypto ipsec client ezvpn config-name
Note
Syntax Description
Defaults
No default values
Command Modes
Interface configuration
Command History
Usage Guidelines
The crypto ipsec client ezvpn command assigns a Cisco Easy VPN Remote configuration to an interface, enabling the creation of a VPN connection over that interface to the specified VPN peer. If the Cisco Easy VPN Remote configuration is configured for the client mode of operation, this also automatically configures the router for NAT/PAT translation and an associated access list.
The following restrictions apply to the crypto ipsec client ezvpn command:
•
•
For example, on the Cisco uBR905 and Cisco uBR925 cable access routers, the "outside" interface is always the cable interface. On the Cisco 1700 series routers, the FastEthernet interface defaults to being the "inside" interface, so attempting to use the crypto ipsec client ezvpn command on the FastEthernet interface displays an error message.
Note
Examples
The following example shows a Cisco Easy VPN Remote configuration named telecommuter-client being assigned to the cable interface on a Cisco uBR905/uBR925 cable access router:
router# config trouter(config)# interface c0router(config-if)# crypto ipsec client ezvpn telecommuter-clientrouter(config-if)# exitrouter(config)#The following example first shows an attempt to delete the Cisco Easy VPN Remote configuration named telecommuter-client, but the configuration cannot be deleted because it is still assigned to an interface. The configuration is then removed from the interface and then deleted:
router# config trouter(config)# no crypto ipsec client ezvpn telecommuter-clientError: crypto map in use by interface; cannot deleterouter(config)# int e1router(config-if)# no crypto ipsec client ezvpn telecommuter-clientrouter(config-if)# exitrouter(config)# no crypto ipsec client ezvpn telecommuter-clientrouter(config)#The following example shows an attempt to assign a Cisco Easy VPN Remote configuration to more than one interface. This fails because the Cisco Easy VPN Remote feature supports only one tunnel:
router# config trouter(config)# int Ethernet0router(config-if)# crypto ipsec client ezvpn telecommuter-clientrouter(config-if)# int Serial0router(config-if)# crypto ipsec client ezvpn telecommuter-clientError:Crypto EZVPN currently supports only one tunnelrouter(config-if)# exitrouter(config)#The following example shows an attempt on a Cisco 1700 series router to assign a Cisco Easy VPN Remote configuration named telecommuter-client to the FastEthernet interface. This fails because the FastEthernet interface defaults to being the "inside" interface for the NAT/PAT translation:
router-1700# config trouter-1700(config)# int FastEthernet0router-1700(config-if)# crypto ipsec client ezvpn telecommuter-clientError:Crypto EZVPN not supported on interface FastEthernet0router-1700(config-if)# exitrouter-1700(config)#Related Commands
crypto ipsec client ezvpn
(global configuration mode) Creates and modifies a Cisco Easy VPN Remote configuration.
show crypto ipsec client ezvpn
To display the Cisco Easy VPN Remote configuration, use the show crypto ipsec client ezvpn command in Privileged EXEC mode.
show crypto ipsec client ezvpn
Syntax Description
This command has no keywords or arguments.
Defaults
No default values
Command Modes
Privileged EXEC
Command History
Examples
The following example shows a typical display from the show crypto ipsec client ezvpn command for an active VPN connection when the router is in client mode:
router# show crypto ipsec client ezvpnCurrent State: IPSEC ACTIVELast Event: SOCKET UPAddress: 198.1.1.89Mask: 255.255.255.0DNS Primary: 198.1.1.250DNS Secondary: 198.1.1.251NBMS/WINS Primary: 198.1.1.252NBMS/WINS Secondary: 198.1.1.253Default Domain: cisco.comrouter#The following example shows a typical display from the show crypto ipsec client ezvpn command for an active VPN connection when the router is in network-extension mode:
router# show crypto ipsec client ezvpnCurrent State: IPSEC_ACTIVELast Event: SOCKET_UPAddress: 30.0.0.53Mask: 255.255.255.255Split Tunnel List: 1Address : 30.100.0.0Mask : 255.255.255.128Protocol : 0x0Source Port: 0Dest Port : 0router#The following example shows a typical display from the show crypto ipsec client ezvpn command for an inactive VPN connection:
router# show crypto ipsec client ezvpnCurrent State: IDLELast Event: REMOVE INTERFACE CFGrouter#Table 1 describes the fields shown by the show crypto ipsec client ezvpn command:
Related Commands
show crypto ipsec transform
Displays the specific configuration for one or all transformation sets.
show tech-support
To display general information about the router when reporting a problem to Cisco technical support, use the show tech-support command in Privileged EXEC mode.
show tech-support [page] [password] [ipmulticast | rsvp]
Syntax Description
Defaults
Does not display passwords and does not page the output.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The show tech-support command displays a large amount of configuration, run-time status, and other information about the router for troubleshooting problems. The output of this command can be provided to technical support representatives when reporting a problem.
The show tech-support command automatically displays the output of a number of different show commands. The exact output depends on the platform, configuration, and type of protocols being used. Typically, the output includes the output from the following commands, depending on platform:
Configuration Information
•
•
Run-time State Information
•
•
•
•
•
•
•
Voice Port Information
•
•
•
•
•
Memory Information
•
•
Cisco Easy VPN Configuration Information
•
•
•
•
•
•
•
•
•
•
Tip
Examples
The following shows how to give the show tech-support command:
Router# show tech-supportRelated Commands
debug crypto ipsec client ezvpn
To display information showing the configuration and implementation of the Cisco Easy VPN Remote feature, use the debug crypto ipsec client ezvpn command in privileged EXEC mode. To turn off debugging of the Cisco Easy VPN Remote feature, use the no form of this command.
debug crypto ipsec client ezvpn
no debug crypto ipsec client ezvpn
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
To force the Cisco Easy VPN Remote feature to reestablish the VPN connections, use the clear crypto sa and clear crypto isakmp commands to delete the IPsec security associations and IKE connections, respectively.
Examples
The following example shows debugging of the Cisco Easy VPN Remote feature being turned on, as well as typical debugging messages that appear when the VPN tunnel is created:
router# debug crypto ipsec client ezvpnEzVPN debugging is onrouter#3d17h: EZVPN: New State: READY3d17h: EZVPN: Current State: READY3d17h: EZVPN: Event: MODE_CONFIG_REPLY3d17h: ezvpn_mode_config3d17h: ezvpn_parse_mode_config_msg3d17h: EZVPN: Attributes sent in message:3d17h: DNS Primary: 172.168.0.2503d17h: DNS Secondary: 172.168.0.2513d17h: NBMS/WINS Primary: 172.168.0.2523d17h: NBMS/WINS Secondary: 172.168.0.2533d17h: Default Domain: cisco.com3d17h: EZVPN: New State: SS_OPEN3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: SOCKET_READY3d17h: EZVPN: No state change3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: SOCKET_READY3d17h: EZVPN: No state change3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: MTU_CHANGED3d17h: EZVPN: No state change3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: SOCKET_UP3d17h: EZVPN: New State: IPSEC_ACTIVE3d17h: EZVPN: Current State: IPSEC_ACTIVE3d17h: EZVPN: Event: MTU_CHANGED3d17h: EZVPN: No state change3d17h: EZVPN: Current State: IPSEC_ACTIVE3d17h: EZVPN: Event: SOCKET_UPThe following example shows the typical display for a VPN tunnel that is reset with the clear crypto ipsec client ezvpn command:
3d17h: EZVPN: Current State: READY3d17h: EZVPN: Event: RESET3d17h: ezvpn_reconnect_request3d17h: ezvpn_close3d17h: ezvpn_connect_request3d17h: EZVPN: New State: READY3d17h: EZVPN: Current State: READY3d17h: EZVPN: Event: MODE_CONFIG_REPLY3d17h: ezvpn_mode_config3d17h: ezvpn_parse_mode_config_msg3d17h: EZVPN: Attributes sent in message:3d17h: DNS Primary: 172.168.0.2503d17h: DNS Secondary: 172.168.0.2513d17h: NBMS/WINS Primary: 172.168.0.2523d17h: NBMS/WINS Secondary: 172.168.0.2533d17h: Split Tunnel List: 13d17h: Address : 172.168.0.1283d17h: Mask : 255.255.255.1283d17h: Protocol : 0x03d17h: Source Port: 03d17h: Dest Port : 03d17h: Split Tunnel List: 23d17h: Address : 172.168.1.1283d17h: Mask : 255.255.255.1283d17h: Protocol : 0x03d17h: Source Port: 03d17h: Dest Port : 03d17h: Default Domain: cisco.com3d17h: ezvpn_nat_config3d17h: EZVPN: New State: SS_OPEN3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: SOCKET_READY3d17h: EZVPN: No state change3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: SOCKET_READY3d17h: EZVPN: No state change3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: MTU_CHANGED3d17h: EZVPN: No state change3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: SOCKET_UP3d17h: EZVPN: New State: IPSEC_ACTIVE3d17h: EZVPN: Current State: IPSEC_ACTIVE3d17h: EZVPN: Event: MTU_CHANGED3d17h: EZVPN: No state change3d17h: EZVPN: Current State: IPSEC_ACTIVE3d17h: EZVPN: Event: SOCKET_UPThe following example shows the typical display for a VPN tunnel that is removed from the interface with the no crypto ipsec client ezvpn command:
4d16h: EZVPN: Current State: IPSEC ACTIVE4d16h: EZVPN: Event: REMOVE INTERFACE CFG4d16h: ezvpn_close_and_remove4d16h: ezvpn_close4d16h: ezvpn_remove4d16h: EZVPN: New State: IDLERelated Commands
debug crypto ipsec
Displays debugging messages for generic IPsec events.
debug crypto isakmp
Displays debugging messages for Internet Key Exchange (IKE) events.
Glossary
AAA—authentication, authorization, and accounting. A framework of security services that provide the method for identifying users (authentication), for remote access control (authorization), and for collecting and sending security server information used for billing, auditing, and reporting (accounting).
aggressive mode—This mode eliminates several steps during IKE authentication negotiation (phase 1) between two or more IPSec peers. Aggressive mode is faster than main mode, but not as secure.authentication, authorization, and accounting—See AAA.
authorization—The method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet. AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally on the access server or router or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. All authorization methods must be defined through AAA.
IKE—A key management protocol standard which is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol which implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.
CA—certificate authority. A certificate authority (CA) is an entity in a network that issues and manages security credentials and public keys (in the form of X509v3 certificates) for message encryption. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate. Certificates generally include the owner's public key, the expiration date of the certificate, the owner's name, and other information about the public key owner.
certification authority—See CA.
Internet Key Exchange—See IKE.
IP Security Protocol—See IPSec.
IPSec—IP Security Protocol. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
main mode—This mode ensures the highest level of security when two or more IPSec peers are negotiating IKE authentication (phase 1). It requires more processing time than aggressive mode.Management Information Base—See MIB.MIB—Management Information Base. Database of network management information that is used and maintained by a network management protocol such as Simple Network Management Protocol (SNMP) or Common Management Information Protocol (MIP). The value of a MIB object can be changed or retrieved using SNMP or CMIP commands, usually through a graphical user interface (GUI) network management system (NMS). MIB objects are organized in a tree structure that includes public (standard) and private (proprietary) branches.peer—A router or device that participates as an endpoint in IPSec and IKE.pre-shared key—A pre-shared key is a shared, secret key that uses IKE for authentication.
QoS—Quality of Service. QoS refers to the capability of a network to provide better service to selected network traffic over various technologies, including Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks that may use any or all of these underlying technologies.
RADIUS—Remote Authentication Dial-In User Service. A distributed client/server system that secures networks against unauthorized access. RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
Remote Authentication Dial-In User Service—See RADIUS.
SA—security association. An instance of security policy and keying material applied to a data flow. Both IKE and IPSec use SAs, although SAs are independent of one another. IPSec SAs are unidirectional and they are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPSec SA, it is bi-directional. IKE negotiates and establishes SAs on behalf of IPSec. A user can also establish IPSec SAs manually.
A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
security association—See SA.
Simple Network Management Protocol—See SNMP.
SNMP—Simple Network Management Protocol. An application-layer protocol that provides a message format for communication between SNMP managers and agents.
trap—Message sent by an SNMP agent to a network management system, console, or terminal to indicate the occurrence of a significant event, such as a specifically defined condition or a threshold that was reached.
Virtual Private Network—See VPN.
VPN—virtual private network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunnels to encrypt all information at the IP level.
