Table Of Contents
Cisco Easy VPN Remote Feature
Feature Overview
Benefits
Restrictions
Related Documents
Platform-Specific Documentation
IPsec and VPN Documentation
Supported Platforms
Supported Standards, MIBs, and RFCs
Prerequisites
Configuration Tasks
Configuring the DHCP Server Pool (Required for Client Mode)
Verifying the DHCP Server Pool
Troubleshooting Tips
Configuring and Assigning the Cisco Easy VPN Remote Configuration
Verifying the Cisco Easy VPN Configuration
Configuring the VPN 3000 Series Concentrator
Troubleshooting Tips
Configuration Examples
Client Mode Configurations
Cisco Easy VPN Client in Client Mode (Cisco uBR905/uBR925)
Cisco Easy VPN Client in Client Mode (Cisco 806)
Cisco Easy VPN Client in Client Mode (Cisco 827)
Cisco Easy VPN Client in Client Mode (Cisco 1700 Series)
Network Extension Mode Configurations
Cisco Easy VPN Client in Network-Extension Mode (Cisco uBR905/uBR925)
Cisco Easy VPN Client in Network-Extension Mode (Cisco 806)
Cisco Easy VPN Client in Network-Extension Mode (Cisco 827)
Cisco Easy VPN Client in Network-Extension Mode (Cisco 1700 Series)
VPN Remote Access Server Configurations
VPN Remote Access Server Without Split Tunneling
VPN Remote Access Server Configuration With Split Tunneling
VPN Remote Access Server Configuration With XAUTH
Command Reference
clear crypto ipsec client ezvpn
crypto ipsec client ezvpn xauth
crypto ipsec client ezvpn (global configuration)
crypto ipsec client ezvpn (interface configuration)
show crypto ipsec client ezvpn
show tech-support
debug crypto ipsec client ezvpn
Glossary
Cisco Easy VPN Remote Feature
OL-1748-02 Rev B0
November 20, 2002
Feature History
Release
|
Modification
|
12.2(4)YA
|
This feature was introduced for the Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers, the Cisco 1700 series routers, and the Cisco uBR905 and Cisco uBR925 cable access routers.
|
12.2(13)T
|
Support for this feature was added to the Cisco IOS Release 12.2 T train for the Cisco 1700 series routers, and the Cisco uBR905 and Cisco uBR925 cable access routers. (Cisco IOS Release 12.2(13)T does not support this feature on any Cisco 800 series routers.)
|
This document describes the Cisco Easy VPN Remote feature for the Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers, the Cisco 1700 series routers, and the Cisco uBR905 and Cisco uBR925 cable access routers. This document provides information on configuring and monitoring the Cisco Easy VPN Remote feature to create IPSec Virtual Private Network (VPN) tunnels between a supported router and another Cisco router that supports this form of IPSec encryption/decryption.
Note 
At the time of this document's publication, the Cisco Easy VPN Remote Phase II feature has been released in Cisco IOS Release 12.2(8)YJ and Cisco IOS Release 12.2(15)T. Cisco recommends using the Phase II feature on Cisco IOS Release 12.2(15)T, as documented in the Cisco Easy VPN Remote Phase II Feature document. If you want to use the Cisco Easy VPN Remote (Phase I) feature on Cisco 800 series routers, you must be using Cisco IOS Release 12.2(4)YA, which is not recommended.
This document includes the following major sections:
•Feature Overview
•Supported Platforms
•Supported Standards, MIBs, and RFCs
•Prerequisites
•Configuration Tasks
•Configuration Examples
•Command Reference
•Glossary
Feature Overview
Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated, and typically requires tedious coordination between network administrators to configure the two routers' VPN parameters.
The Cisco Easy VPN Remote feature eliminates much of this tedious work by implementing Cisco's Unity Client protocol, which allows most VPN parameters to be defined at a VPN remote access server. This server can be a dedicated VPN device such as a VPN 3000 concentrator or a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol.
After the VPN remote access server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a Cisco uBR905 or Cisco uBR925 cable access router, as well as on the Cisco 806/826/827/828 and Cisco 1700 series routers. When the IPSec client then initiates the VPN tunnel connection, the VPN remote access server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.
The Cisco Easy VPN Remote feature provides for automatic management of the following details:
•Negotiating tunnel parameters—Addresses, algorithms, lifetime, and so on.
•Establishing tunnels according to the parameters.
•Automatically creating the NAT/PAT translation and associated access lists that are needed, if any.
•Authenticating users—Making sure users are who they say they are, by way of usernames, group names and passwords.
•Managing security keys for encryption and decryption.
•Authenticating, encrypting, and decrypting data through the tunnel.
The Cisco Easy VPN Remote feature supports two modes of operation:
•Client—Specifies that Network Address Translation/Port Address Translation (NAT/PAT) be done, so that the PCs and other hosts at the client end of the VPN tunnel form a private network that does not use any IP addresses in the destination server's IP address space.
In client mode, the Cisco Easy VPN Remote feature automatically configures the NAT/PAT translation and access lists that are needed to implement the VPN tunnel. These configurations are automatically created when the IPSec VPN connection is initiated. When the tunnel is torn down, the NAT/PAT and access list configurations are automatically deleted.
The NAT/PAT configuration is created with the following assumptions:
–The ip nat inside command is applied to the FastEthernet0 (Cisco 1700 series) or Ethernet0 (Cisco 806, Cisco 826, Cisco 827, Cisco 828 routers, Cisco uBR905, Cisco uBR925) interface.
–The ip nat outside command is applied to the interface that is configured with the Cisco Easy VPN Remote configuration. (On the Cisco uBR905 and Cisco uBR925 routers, this is always the Cable-modem0 interface. On the Cisco 800 series and Cisco 1700 series routers, this will be the WAN interface configured with the Cisco Easy VPN Remote configuration.)
Tip The NAT/PAT translation and access-list configurations that are created by the Cisco Easy VPN Remote feature are not written to either the startup or running configuration files. These configurations, however, can be displayed using the show ip nat statistics and show access-list commands.
Note Because the Cisco Easy VPN Remote feature automatically creates a NAT/PAT configuration for the VPN tunnel, you must not create a manual NAT/PAT configuration on any interface when using the Cisco Easy VPN Remote feature. If NAT/PAT has already been configured on the router, you must remove that configuration before beginning the Cisco Easy VPN Remote configuration.
•Network Extension—Specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network, so that they form one logical network. PAT is not used, which allows the client PCs and hosts to have direct access to the PCs and hosts at the destination network.
Both modes of operation also optionally support split tunneling, which allows secure access to corporate resources through the VPN tunnel while also allowing Internet access through a connection to an ISP or other service (thereby eliminating the corporate network from the path for Web access).
Authentication can also be done using Extended Authentication (XAUTH). In this situation, when the VPN remote access server requests XAUTH authentication, the following messages are displayed on the router's console:
EZVPN: Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth
The user can then provide the necessary user ID, password, and other information by entering the crypto ipsec client ezvpn xauth command and responding to the following prompts.
Note The timeout for entering the username and password is determined by the configuration of the VPN remote access server. For servers running Cisco IOS software, this timeout value is specified by the crypto isakmp xauth timeout command.
Figure 1 illustrates the client mode of operation. In this example, the Cisco uBR905 cable access router provides access to two PCs, which have IP addresses in the 10.0.0.0 private network space. These PCs connect to the Ethernet interface on the Cisco uBR905 router, which also has an IP address in the 10.0.0.0 private network space. The Cisco uBR905 router performs NAT/PAT translation over the VPN tunnel, so that the PCs can access the destination network.
Figure 1 Cisco Easy VPN Client Connection
Note The diagram in Figure 1 could also represent a split tunneling connection, in which the client PCs can access public resources in the global Internet without including the corporate network in the path for the public resources.
Figure 2 also illustrates the client mode of operation, where a VPN concentrator provides destination endpoints to multiple xDSL clients. In this example, Cisco 800 series routers provide access to multiple small business clients, each of which uses IP addresses in the 10.0.0.0 private network space. The Cisco 800 series routers perform NAT/PAT translation over the VPN tunnel, so that the PCs can access the destination network.
Figure 2 Cisco Easy VPN Client Connection (using VPN concentrator)
Figure 3 illustrates the network extension mode of operation. In this example, the Cisco uBR905 cable access router and Cisco 1700 series router both act as Cisco Easy VPN Remotes, connecting to a VPN 3000 concentrator.
The client hosts are given IP addresses that are fully routable by the destination network over the tunnel. These IP addresses could be either in the same subnet space as the destination network, or they could also be in separate subnets, as long as the destination routers are configured to properly route those IP addresses over the tunnel.
In this example, the PCs and hosts attached to the two routers have IP addresses that are in the same address space as the destination enterprise network. The PCs connect to the Cisco uBR905 router's Ethernet interface, which also has an IP address in the enterprise address space. This provides a seamless extension of the remote network.
Figure 3 Cisco Easy VPN Network Extension Connection
Note For information on configuration the VPN 3000 concentrator for use with the Cisco Easy VPN Remote feature, please see the "Configuring the VPN 3000 Series Concentrator" section.
Benefits
•The centrally stored configurations allow dynamic configuration of end-user policy, required less manual configuration by end-users and field technicians, reducing errors and further service calls.
•The local VPN configuration is independent of the remote peer's IP address, allowing the provider to change equipment and network configurations as needed, with little or no reconfiguration of the end-user equipment.
•Provides for centralized security policy management.
•Enables large-scale deployments with rapid user provisioning.
•Removes the need for end-users to purchase and configure external VPN devices.
•Removes the need for end-users to install and configure VPN client software on their PCs.
•Offloads the creation and maintenance of the VPN connections from the PC to the router.
•Reduces interoperability problems between the different PC-based software VPN clients, external hardware-based VPN solutions, and other VPN applications.
Restrictions
No Manual NAT/PAT Configuration Allowed
The Cisco Easy VPN Remote feature automatically creates the appropriate NAT/PAT configuration for the VPN tunnel. You therefore must not create a manual NAT/PAT configuration on any interface when using the Cisco Easy VPN Remote feature. If NAT/PAT has already been configured on the router, you must remove that configuration before beginning the Cisco Easy VPN Remote configuration.
Only One Destination Peer Supported
The Cisco Easy VPN Remote feature supports the configuration of only one destination peer and tunnel connection. If your application requires the creation of multiple VPN tunnels, you must manually configure the IPSec VPN and NAT/PAT parameters on both the client and server.
Change of IP Address on Inside Interface
Changing the IP address on the inside interface automatically resets the Cisco Easy VPN Remote connection so that the new IP address can be implemented on the tunnel connection.
Required Destination Servers
The Cisco Easy VPN Remote feature requires that the destination peer be a VPN remote access server or VPN concentrator that supports either the VPN Remote Access Server Enhancements feature or the Cisco Unity protocol. At the time of publication, this includes the following platforms when running the indicated software releases:
•Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers—Cisco IOS Release 12.2(4)YA or later
•Cisco 1700 series—Cisco IOS Release 12.2(4)YA or later
•Cisco 2600 series—Cisco IOS Release 12.2(8)T or later
•Cisco 3620—Cisco IOS Release 12.2(8)T or later
•Cisco 3640—Cisco IOS Release 12.2(8)T or later
•Cisco 3660—Cisco IOS Release 12.2(8)T or later
•Cisco 7100 series VPN routers—Cisco IOS Release 12.2(8)T or later
•Cisco 7200 series routers—Cisco IOS Release 12.2(8)T or later
•Cisco 7500 series routers—Cisco IOS Release 12.2(8)T or later
•Cisco uBR905 and Cisco uBR925 cable access routers—Cisco IOS Release 12.2(4)YA or later
•Cisco VPN 3000 series—Software Release 3.11 or later
•Cisco PIX 500 series—Software Release 6.0 or later
Note Unless otherwise indicated, the above platforms must be running either Cisco IOS Release 12.2(13)T, Cisco IOS Release 12.2(8)T, or later, to provide Cisco Unity server support.
Digital Certificates Not Supported
In Cisco IOS Release 12.2(13)T, the Cisco Easy VPN Remote feature does not support authentication using digital certificates. Authentication is supported using preshared keys and Extended Authentication (XAUTH).
Only ISAKMP Policy Group 2 Supported on IPSec Servers
The Unity Protocol supports only ISAKMP policies that use group 2 (1024-bit Diffie-Hellman) IKE negotiation, so the IPSec server being used with the Cisco Easy VPN Remote must be configured for a group 2 isakmp policy. The IPSec server cannot be configured for ISAKMP group 1 or group 5 when being used with a Cisco Easy VPN Remote.
Perfect Forward Secrecy Not Supported
The Cisco Easy VPN Remote feature does not support the Perfect Forward Secrecy (PFS) feature that is available on the Cisco VPN 3000 concentrator.
Transform Sets Supported
To ensure a secure tunnel connection, the Cisco Easy VPN Remote feature does not support transform sets that provide encryption without authentication (ESP-DES and ESP-3DES) or transform sets that provide authentication without encryption (ESP-NULL ESP-SHA-HMAC and ESP-NULL ESP-MD5-HMAC).
Changing the IP Address on the LAN Interface on Cisco 800 Series Routers
The Ethernet 0 LAN interface on the Cisco 800 series routers default to a primary IP address in the private network of 10.10.10.0. If you need to change this IP address to match the local network's configuration, you can use either the ip address CLI command or by using the Cisco Router Web Setup (CRWS) web interface.
However, these two techniques differ slightly in how the new IP address is assigned. When using the CLI command, the new IP address is assigned as the primary address for the interface. When using the CRWS interface, the new IP address is assigned as the secondary address, and the existing IP address is preserved as the primary address for the interface. This allows the CRWS interface to maintain the existing connection between the PC web browser and the Cisco 800 series router.
Because of this behavior, the Cisco Easy VPN Remote feature assumes that if a secondary IP address exists on the Ethernet 0 interface, the secondary address should be used as the IP address for the inside interface for the NAT/PAT configuration. If no secondary address exists, the primary IP address will be used for the inside interface address, as is normally done on other platforms. If this behavior is not desired, use the ip address CLI command to change the interface's address, instead of using the CRWS web interface.
USB Interface Not Supported on the Cisco uBR925 Router
The Cisco Easy VPN Remote feature supports only the Ethernet interface on the Cisco uBR925 cable access router. The feature does not support the router's USB interface.
VPN 3000 Configuration
The configuration of the VPN 3000 concentrator has several restrictions when used with the Cisco Easy VPN Remote feature. See the "Configuring the VPN 3000 Series Concentrator" section for more details.
Related Documents
This section lists other documentation related to the configuration and maintenance of the supported routers and the Cisco Easy VPN Remote feature.
Platform-Specific Documentation
Cisco 800 Series Routers
•Cisco 806 Router Hardware Installation Guide
•Cisco 826 Router Hardware Installation Guide
•Cisco 827 Router Hardware Installation Guide
•Cisco 828 and SOHO 78 Routers Hardware Installation Guide
•Cisco 806 Software Configuration Guide
•Cisco 827 Router Software Configuration Guide
•Cisco 828 Router and SOHO 78 Router Software Configuration Guide
Note To use the Cisco Easy VPN Remote (Phase I) feature on Cisco 800 series routers, you must be using Cisco IOS Release 12.2(4)YA, which is not recommended. Cisco recommends using the Phase II version of this feature on Cisco IOS Release 12.2(15)T and later releases.
Cisco uBR905 and Cisco uBR925 Cable Access Routers
•Cisco uBR925 Cable Access Router Hardware Installation Guide
•Cisco uBR905 Hardware Installation Guide
•Cisco uBR905/uBR925 Cable Access Router Software Configuration Guide
•Cisco uBR925 Cable Access Router Subscriber Setup Quick Start Card
•Cisco uBR905 Cable Access Router Subscriber Setup Quick Start Card
•Cisco uBR925 Cable Access Router Quick Start User Guide
Cisco 1700 Series Routers
•Cisco 1700 Series Router Software Configuration Guide
•Cisco 1710 Security Router Hardware Installation Guide
•Cisco 1710 Security Router Software Configuration Guide
•Cisco 1720 Series Router Hardware Installation Guide
•Cisco 1721 Access Router Hardware Installation Guide
•Cisco 1750 Series Router Hardware Installation Guide
•Cisco 1751 Router Hardware Installation Guide
•Cisco 1751 Router Software Configuration Guide
•Cisco 1760 Modular Access Router Hardware Installation Guide
Also see the Cisco IOS release notes for Cisco IOS Release 12.2(4)YA:
•SOHO 70 and Cisco 800 Series—Release Notes for Release 12.2(4)YA
•Release Notes for Cisco uBR905 and Cisco uBR925 Cable Access Routers for Cisco IOS Release 12.2 YA
•Cisco 1700 Series—Release Notes for Release 12.2(4)YA
IPsec and VPN Documentation
For information on the VPN Remote Access Enhancements feature, which provides Cisco Unity client support for the Cisco Easy VPN Remote feature, see the VPN Remote Access Enhancements feature module for Cisco IOS Release 12.2(8)T.
For general information on IPSec and VPN subjects, see the following information in the product literature and IP technical tips sections on Cisco.com:
•Deploying IPsec—Provides an overview of IPsec encryption and its key concepts, along with sample configurations. Also provides a link to many other documents on related topics.
•Certificate Authority Support for IPsec Overview—Describes the concept of digital certificates and how they are used to authenticate IPsec users.
•An Introduction to IP Security (IPsec) Encryption—Provides a step-by-step description of how to configure IPsec encryption.
The following technical documents, available on Cisco.com and the Documentation CD-ROM, also provide more in-depth configuration information:
•Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2—Provides an overview of Cisco IOS security features.
•Cisco IOS Security Command Reference, Cisco IOS Release 12.2—Provides a reference for each of the Cisco IOS commands used to configure IPsec encryption and related security features.
•Cisco IOS Software Command Summary, Cisco IOS Release 12.2—Summarizes the Cisco IOS commands used to configure all Release 12.1 security features.
Note Additional documentation on IPsec becomes available on Cisco.com and the Documentation CD-ROM as new features and platforms are added. Cisco Press also publishes several books on this subject—go to http://www.ciscopress.com for more information.
Supported Platforms
The Cisco Easy VPN Remote client feature described in this document supports the following platforms:
•Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers
•Cisco uBR905 and Cisco uBR925 cable access routers
•Cisco 1700 series routers
Note To use the Cisco Easy VPN Remote (Phase I) feature on Cisco 800 series routers, you must be using Cisco IOS Release 12.2(4)YA, which is not recommended. Cisco recommends using the Phase II version of this feature on Cisco IOS Release 12.2(15)T and later releases.
Determining Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Feature Navigator home page at the following URL:
http://www.cisco.com/go/fn
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
The following new or modified MIBs are supported by this feature:
•CISCO-IPSEC-FLOW-MONITOR-MIB—Contains attributes describing IPSec-based VPNs (IETF IPSec Working Group Draft).
•CISCO-IPSEC-MIB—Describes Cisco implementation-specific attributes for Cisco routers implementing IPSec VPNs.
•CISCO-IPSEC-POLICY-MAP-MIB—Extends the CISCO-IPSEC-FLOW-MONITOR-MIB to map dynamically instantiated structures to the policies, transforms, cryptomaps, and other structures that created or are using them.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
The following requirements are necessary to use the Cisco Easy VPN Remote feature:
•A Cisco 806, Cisco 826, Cisco 827, and Cisco 828 router, Cisco 1700 series router, or Cisco uBR905 or Cisco uBR925 cable access router running Cisco IOS Release 12.2(13)T or later, configured as an Cisco Easy VPN Remote.
•Another Cisco router or VPN concentrator that supports the VPN Remote Access Server feature or the Unity Client protocol and configured as a VPN remote access server. See the "Required Destination Servers" section for a detailed list.
Configuration Tasks
See the following sections for configuration tasks for the Cisco Easy VPN Remote feature. Each task in the list is identified as either required or optional.
•Configuring the DHCP Server Pool (Required for Client Mode)
•Verifying the DHCP Server Pool
•Configuring and Assigning the Cisco Easy VPN Remote Configuration
•Verifying the Cisco Easy VPN Configuration
•Configuring the VPN 3000 Series Concentrator
Configuring the DHCP Server Pool (Required for Client Mode)
The local router uses the DHCP protocol to assign IP addresses to the PCs that are connected to the router's LAN interface. This requires creating a pool of IP addresses for the router's onboard DHCP server. The DHCP server then assigns an IP address from this pool to each PC when it connects to the router.
In a typical VPN connection, the PCs connected to the router's LAN interface are assigned an IP address in a private address space. The router then uses NAT/PAT to translate those IP addresses into a single IP address that is transmitted across the VPN tunnel connection.
Tip Configuring the DHCP server pool is not normally needed on the Cisco 800 series routers because this is automatically done when using the Cisco Router Web Setup (CRWS) web interface that is available on those routers. Also, the DHCP server pool is not normally needed if using a router, such as the Cisco 827, with an ATM interface configured for PPPoE connections.
Use the following procedure to configure the DHCP server pool on the Cisco uBR905/uBR925 cable access routers and the Cisco 1700 series routers:
| |
Command
|
Purpose
|
Step 1
|
Router(config)# ip dhcp pool pool-name
|
Creates a DHCP Server address pool named pool-name and enters DHCP pool configuration mode.
|
Step 2
|
Router(dhcp-config)# network ip-address
[mask | /prefix-length]
|
Specifies the IP network number and subnet mask of the DHCP address pool that is to be used for the PCs connected to the router's local Ethernet interface. This network number and subnet mask must specify the same subnet as the IP address assigned to the Ethernet interface.
The subnet mask can also be specified as a prefix length that specifies the number of bits in the address portion of the subnet address. The prefix length must be preceded by a forward slash (/).
|
Step 3
|
Router(dhcp-config)# default-router
address [address2 ... address8]
|
Specifies the IP address of the default router for a DHCP client. You must specify at least one address. You can optionally specify additional addresses, up to a total of eight addresses per command.
Tip The first IP address for the default-router option should be the IP address that is assigned to the router's Ethernet address.
|
Step 4
|
Router(dhcp-config)# import all
|
Imports the following DHCP option parameters from a central DHCP server into the router's local DHCP database:
•Domain Name
•DNS Server
•NetBIOS WINS Server
Note This option requires that a central DHCP server be configured to provide the DHCP options. The central DHCP server should be on the same subnet as was configured using the network option. (On Cisco IOS routers, this is done using the ip dhcp database command.) If you are using the PPP/IPCP protocol on the WAN interface, or the client on the WAN interface supports the Easy IP feature, the central DHCP server can be on a different subnet or network.
|
| |
Note You can also specify the DHCP option parameters manually by using the domain-name, dns-server, and netbios-name-server options but this is not recommended. Almost all installations should use the import all option to ensure that the router is configured with the proper DHCP parameters.
|
Step 5
|
Router(dhcp-config)# lease {days
[hours][minutes] | infinite}
|
(Optional) Specifies the duration of the DHCP lease. The default is a one-day lease.
|
Step 6
|
Router(dhcp-config)# exit
|
Leaves DHCP pool configuration mode.
|
Step 7
|
Router(config)# ip dhcp excluded-address
lan-ip-address
|
Excludes the specified IP address from the DHCP server pool. The lan-ip-address should be the IP address assigned to the router's LAN interface (for example, the Ethernet0 on the Cisco uBR905/uBR925 routers and FastEthernet0 on the Cisco 1700 series routers).
|
Note The ip dhcp pool command supports a number of options for configuring the DHCP server pool. These other options are typically not needed for a Cisco Easy VPN Remote configuration.
Verifying the DHCP Server Pool
To verify that the DHCP server pool has been correctly configured, use the following procedure.
Step 1 Use the show ip dhcp pool command in Privileged EXEC mode to display the server pools that have been created:
Router# show ip dhcp pool
Current index : 192.168.100.1
Address range : 192.168.100.1 - 192.168.100.254
Step 2 If you used the import all option when you created the DHCP server pool, use the show ip dhcp import command to display the options that have been imported from the central DHCP server:
Router# show ip dhcp import
Address Pool Name: localpool
Domain Name Server(s): 192.168.20.5
NetBIOS Name Server(s): 192.168.20.6
Domain Name Option: cisco.com
Step 3 To display the IP addresses that the DHCP server has assigned, use the show ip dhcp binding command:
Router# show ip dhcp binding
IP address Hardware address Lease expiration Type
192.168.100.3 00c0.abcd.32de Nov 01 2001 12:00 AM Automatic
192.168.100.5 00c0.abcd.331a Nov 01 2001 12:00 AM Automatic
Troubleshooting Tips
If PCs connected to the router's LAN interface cannot obtain an IP address using DHCP, check the following:
•Verify that the DHCP server has not been disabled on the router. The DHCP server is enabled by default, but it might have been disabled using the no service dhcp command. To check this, use the show running-config command:
Router# show running-config | include dhcp
If the output from the show running-config command does not include the no service dhcp command, the DHCP server is enabled.
•Use the show ip dhcp binding command to display the IP addresses that have already been assigned. Verify that the address pool has not been exhausted. If necessary, recreate the pool to create a larger pool of addresses.
•On a Windows PC that is connected to the router's LAN interface, use the ipconfig /all command to display its IP address configuration, including the DHCP server address.
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : MYPC-W2K1
Primary DNS Suffix . . . . . . . : cisco.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : cisco.com
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : cisco.com
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 01-23-45-67-89-AB
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.100.94
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 192.168.100.1
DHCP Server . . . . . . . . . . . : 172.16.156.54
DNS Servers . . . . . . . . . . . : 172.16.168.183
Primary WINS Server . . . . . . . : 172.16.235.228
Secondary WINS Server . . . . . . : 172.16.2.87
Lease Obtained. . . . . . . . . . : Monday, October 22, 2001 11:15:32 A
Lease Expires . . . . . . . . . . : Thursday, October 25, 2001 11:15:32 AM
Configuring and Assigning the Cisco Easy VPN Remote Configuration
The router acting as the IPSec client must create an Cisco Easy VPN Remote configuration and assign it to the outgoing interface. To do so, use the following procedure.
Note If you have previously configured NAT/PAT translation on the router, you must first remove that configuration before beginning the Cisco Easy VPN Remote configuration. Use the show running-config | include nat command to display any NAT/PAT configuration commands that might exist—if any commands appear, use the no form of the commands to remove that configuration before proceeding.
| |
Command
|
Purpose
|
Step 1
|
router(config)# crypto ipsec client ezvpn
name
|
Creates an Cisco Easy VPN Remote configuration named name and enters Cisco Easy VPN Remote configuration mode.
|
Step 2
|
router(config-crypto-ezvpn)# group
group-name key group-key
|
Specifies the IPSec group and IPSec key value to be associated with this configuration.
Note The group-name must match the group defined on the IPSec server. On Cisco IOS routers, use the crypto isakmp client configuration group and crypto map dynmap isakmp authorization list commands.
Note The group-key must match the key defined on the IPSec server. On Cisco IOS routers, use the crypto isakmp client configuration group command.
|
Step 3
|
router(config-crypto-ezvpn)# peer
[ip-address | hostname]
|
Specifies the IP address or hostname for the destination peer. This is typically the IP address on the destination router's WAN interface.
Note You must have a DNS server configured and available to use the hostname option.
|
Step 4
|
router(config-crypto-ezvpn)# mode {client
| network-extension}
|
Specifies the type of VPN connection that should be made:
•client—Specifies that the router is configured for VPN client operation, using NAT/PAT address translation.
•network-extension—Specifies that the router is to become a remote extension of the enterprise network at the destination of the VPN connection.
|
Step 5
|
router(config-crypto-ezvpn)# exit
|
Leaves Cisco Easy VPN Remote configuration mode.
|
Step 6
|
router(config)# interface interface
|
Enters interface configuration mode for the interface. This interface will become the "outside" interface for the NAT/PAT translation.
|
Step 7
|
router(config-if)# crypto ipsec client
ezvpn name
|
Assigns the Cisco Easy VPN Remote configuration to the interface. This automatically creates the necessary NAT/PAT translation parameters and initiates the VPN connection.
Note You can assign the Cisco Easy VPN Remote configuration to only one interface. You cannot assign the configuration to the interface that defaults to being the "inside" interface for the NAT/PAT translation. On the Cisco 1700 series routers this is the FastEthernet0 interface. On the Cisco 800 series routers this could be either the Ethernet0 or Dialer1 interface, depending on which is applicable. On the Cisco uBR905/uBR925 cable access routers, this is the Ethernet0 interface.
|
Step 8
|
router(config-if)# exit
|
Leaves interface configuration mode.
|
Step 9
|
router(config)# exit
|
Leaves global configuration mode.
|
Verifying the Cisco Easy VPN Configuration
To verify that the Cisco Easy VPN Remote configuration has been correctly configured, that the configuration has been assigned to an interface, and that the IPSec VPN tunnel has been established, use the following steps.
Step 1 Display the current state of the Cisco Easy VPN Remote connection using the show crypto ipsec client ezvpn command. The following is typical output for a router using client mode:
Router# show crypto ipsec client ezvpn
Current State: IPSEC ACTIVE
DNS Secondary: 198.1.1.251
NBMS/WINS Primary: 198.1.1.252
NBMS/WINS Secondary: 198.1.1.253
The following is typical output for a router using network-extension mode:
Router# show crypto ipsec client ezvpn
Current State: IPSEC_ACTIVE
Step 2 Display the NAT/PAT configuration that was automatically created for the VPN connection, using the show ip nat statistics command. The "Dynamic mappings" section of this display gives the details for the NAT/PAT translation that is occurring on the VPN tunnel.
Router# show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
access-list 198 pool enterprise refcount 0
pool enterprise: netmask 255.255.255.0
start 198.1.1.90 end 198.1.1.90
type generic, total addresses 1, allocated 0 (0%), misses 0\
Step 3 In client mode, the NAT/PAT translation one or more access lists that are also dynamically configured at the time the VPN tunnel is initiated. Display this access list using the show access-list command. The following is a typical display for a client configuration without split tunneling:
Extended IP access list 198
permit ip 192.1.1.0 0.0.0.255 any
Note In this example, the Cisco Easy VPN Remote configuration creates access list 198 for the VPN tunnel NAT/PAT translation. The exact numbering of the access list can vary, depending on the other access lists that have been configured on the router. Do not assume that the VPN tunnel will use the same access list every time the connection is initiated.
The following is a typical display for a Cisco uBR905/uBR925 cable access router configured for client mode with split tunneling:
Extended IP access list 197
deny ip 192.168.100.0 0.0.0.255 172.168.0.128 0.0.0.127
deny ip 192.168.100.0 0.0.0.255 172.168.1.128 0.0.0.127
permit ip 192.168.100.0 0.0.0.255 any
Extended IP access list 198
permit ip 192.168.100.0 0.0.0.255 172.168.0.128 0.0.0.127
permit ip 192.168.100.0 0.0.0.255 172.168.1.128 0.0.0.127
Tip Network extension mode without split tunneling does not need any access lists and thus does not create them. Network extension mode with split tunneling typically creates a single access list.
The following is a typical display for a Cisco 827 router configured for client mode with split tunneling:
Extended IP access list 197
deny ip 70.0.0.0 0.255.255.255 30.100.0.0 0.0.0.127 (5 matches)
permit ip 70.0.0.0 0.255.255.255 any
Extended IP access list 198
permit ip 70.0.0.0 0.255.255.255 30.100.0.0 0.0.0.127 (5 matches)
Step 4 Display the destination IPSec peer and the key value being used with the show crypto isakmp key command:
Router# show crypto isakmp key
Hostname/Address Preshared Key
193.1.1.1 hw-client-password
Configuring the VPN 3000 Series Concentrator
This section describes the guidelines required to configure the Cisco VPN 3000 series concentrator for use with Cisco Easy VPN Remotes. As a general rule, you can use the default configuration except for IP addresses, server addresses, and routing configurations, and for the following parameters and options:
Note You must be using software release 3.11 or later for the Cisco VPN 3000 series concentrator to support Cisco Easy VPN Remotes.
•IPSec Tunnel Protocol—Enable the IPSec tunnel protocol so it is available for users. This is configured on the VPN 3000 series concentrator by clicking the General tab on the Configuration | User Management | Base Group screen.
•IPSec group—Configure the VPN 3000 series concentrator with a group name and password that matches the values configured for the Cisco Easy VPN Remote configuration on the router. These values are configured on the router with the group group-name key group-key command, and are configured on the VPN 3000 series concentrator using the Configuration | User Management | Groups screen.
•Perfect Forward Secrecy—The Cisco Easy VPN Remote does not support the Perfect Forward Secrecy (PFS) option. This option must be set to Disabled in the Configuration | Policy Management | Traffic Management | Security Associations screens.
•Group Lock—If you are defining multiple users in multiple groups on the VPN 3000 series concentrator, you must check the Group Lock box in the IPSec tab to prevent users in one group from logging in with another group's parameters. For example, if you have configured one group for split tunneling access and another group without split tunneling access, the Group Lock will prevent users in the second group from gaining access to the split tunneling features. The Group Lock checkbox appears in the IPSec tab in the Configuration | User Management | Base Group screen and in the IPSec tab in the Configuration | User Management | Groups | Add/Modify screens.
•XAUTH—To use extended authentication (XAUTH), set the Authentication parameter to None. The Authentication parameter appears in the IPSec tab in the Configuration | User Management | Base Group screen and in the IPSec tab in the Configuration | User Management | Groups | Add/Modify screens.
•Split Tunneling—The Configuration | User Management | Base Group, Mode Configuration Parameters Tab screen includes a Split Tunnel option with a checkbox that says "Allow the networks in the list to bypass the tunnel." When using the Cisco Easy VPN Remote feature, you must not click this checkbox because it is intended only for software VPN clients and will not work with hardware clients such as the Cisco Easy VPN Remote feature.
•IKE Proposals—The Cisco VPN 3000 Series Concentrator is preconfigured with a default IKE proposal, CiscoVPNClient-3DES-MD5, that can be used with Cisco Easy VPN Remotes. This IKE proposal supports preshared keys with extended authentication (XAUTH) using the MD5/HMAC-128 algorithm, and Diffie-Hellman Group 2.
This proposal is active by default, but verify that it is still an active proposal using the Configuration | System | Tunneling Protocols | IPSec | IKE Proposals screen.
Note You can also use the default IKE proposals IKE-DES-MD5 and IKE-3DES-MD5, but they do not enable XAUTH support by default.
•Create a new IPSec Security Association—Cisco Easy VPN Remotes use a security association with the following parameters:
–Authentication Algorithm=ESP/MD5/HMAC-128
–Encryption Algorithm=DES-56 or 3DES-168 (recommended)
–Encapsulation Mode=Tunnel
–Digital Certificate=None (Use Preshared Keys)
–IKE Proposal=CiscoVPNClient-3DES-MD5 (preferred)
The Cisco VPN 3000 Series Concentrator is preconfigured with several default security associations but they do not meet the IKE Proposal requirements. To use an IKE Proposal of CiscoVPNClient-3DES-MD5, copy the ESP/IKE-3DES-MD5 security association and modify it to use CiscoVPNClient-3DES-MD5 as its IKE proposal. This is configured on the VPN 3000 series concentrator using the Configuration | Policy Management | Traffic Management | Security Associations screen.
Troubleshooting Tips
To troubleshoot a VPN connection created using the Cisco Easy VPN Remote, use the following suggested techniques.
•Enable debugging of the Cisco Easy VPN Remote feature using the debug crypto ipsec client ezvpn command.
•Enable debugging of IPSec and Internet Key Exchange (IKE) events using the debug crypto ipsec and debug crypto isakmp commands.
•Display the active IPSec VPN connections using the show crypto engine connections active command.
•To reset the VPN connection, use the clear crypto ipsec client ezvpn command. If you have debugging enabled, you might prefer to use the clear crypto sa and clear crypto isakmp commands.
Configuration Examples
This section provides the following configuration examples:
•Client Mode Configurations
•Network Extension Mode Configurations
•VPN Remote Access Server Configurations
Client Mode Configurations
This section shows the following examples that demonstrate configurations for the Cisco Easy VPN Remote in the client mode of operation. Also shown are the VPN remote access server configurations that correspond to these client configurations.
•Cisco Easy VPN Client in Client Mode (Cisco uBR905/uBR925)
•Cisco Easy VPN Client in Client Mode (Cisco 806)
•Cisco Easy VPN Client in Client Mode (Cisco 827)
•Cisco Easy VPN Client in Client Mode (Cisco 1700 Series)
Note Typically, users will configure the Cisco 800 series routers with the CRWS web interface, not by entering CLI commands. However, the configurations shown here for the Cisco 800 series routers display typical configurations that can be used if manual configuration is desired.
Cisco Easy VPN Client in Client Mode (Cisco uBR905/uBR925)
The following example configures a Cisco uBR905 cable access router as an IPSec client, using the Cisco Easy VPN Remote feature in the client mode of operation. This example shows the following components of the Cisco Easy VPN Remote configuration:
•Routing mode—The no cable-modem compliant bridge command places the router in routing mode. IP routing, such as RIPv2, is not activated because the VPN configuration will direct all traffic to the destination point of the VPN tunnel.
•DHCP server pool—The ip dhcp pool command creates a pool of IP addresses to be assigned to the PCs connected to the router's Ethernet interface. (On the Cisco uBR925 cable access router, this pool also applies to the PC connected to the router's USB interface.) The pool assigns addresses in the class C private address space (192.168.100.0) and configures each PC so that its default route is 192.168.100.1, which is the IP address assigned to the router's Ethernet interface. The DHCP lease period is 1 day.
•Cisco Easy VPN Remote configuration—The first crypto ipsec client ezvpn hw-client command (global configuration mode) creates an Cisco Easy VPN Remote configuration named hw-client. This configuration specifies a group name of hw-client-groupname and a shared key value of hw-client-password, and it sets the peer destination to the IP address 188.185.0.5 (which is the address assigned to the interface connected to the Internet on the destination peer router). The Cisco Easy VPN Remote configuration is configured for the default operations mode of client.
Note If DNS is also configured on the router, the peer option also supports a hostname instead of an IP address.
•The second crypto ipsec client ezvpn hw-client command (interface configuration mode) assigns the Cisco Easy VPN Remote configuration to the cable interface, so that all traffic received and transmitted on the cable interface is sent through the VPN tunnel.
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
ip tftp source-interface cable-modem0
ip dhcp excluded-address 192.168.100.1
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
ip ssh authentication-retries 3
crypto ipsec client ezvpn hw-client
group hw-client-groupname key hw-client-password
ip address 192.168.100.1 255.255.255.0
no cable-modem compliant bridge
crypto ipsec client ezvpn hw-client
snmp-server packetsize 4096
scheduler max-task-time 5000
Cisco Easy VPN Client in Client Mode (Cisco 806)
The following example configures a Cisco 806 router as an IPSec client using the Cisco Easy VPN Remote feature in the client mode of operation. This example shows the following components of the Cisco Easy VPN Remote configuration:
•DHCP server pool—The ip dhcp pool command creates a pool of IP addresses to be assigned to the PCs connected to the router's Ethernet0 interface. The pool assigns addresses in the class C private address space (192.168.100.0) and configures each PC so that its default route is 192.168.100.1, which is the IP address assigned to the router's Ethernet interface. The DHCP lease period is 1 day.
•Cisco Easy VPN Remote configuration—The first crypto ipsec client ezvpn hw-client command (global configuration mode) creates an Cisco Easy VPN Remote configuration named hw-client. This configuration specifies a group name of hw-client-groupname and a shared key value of hw-client-password, and it sets the peer destination to the IP address 188.185.0.5 (which is the address assigned to the interface connected to the Internet on the destination peer router). The Cisco Easy VPN Remote configuration is configured for the default operations mode of client.
Note If DNS is also configured on the router, the peer option also supports a hostname instead of an IP address.
•The second crypto ipsec client ezvpn hw-client command (interface configuration mode) assigns the Cisco Easy VPN Remote configuration to the Ethernet1 interface, so that all traffic received and transmitted on that interface is sent through the VPN tunnel.
Note To use the Cisco Easy VPN Remote (Phase I) feature on Cisco 800 series routers, you must be using Cisco IOS Release 12.2(4)YA, which is not recommended. Cisco recommends using the Phase II version of this feature on Cisco IOS Release 12.2(15)T and later releases.
! Cisco Router Web Setup Template
no service tcp-small-servers
no service udp-small-servers
service timestamps debug uptime
service timestamps log uptime
service password-encryption
ip dhcp excluded-address 10.10.10.1
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
crypto ipsec client ezvpn hw-client
group hw-client-groupname key hw-client-password
ip address 10.10.10.1 255.255.255.0
crypto ipsec client ezvpn hw-client
