Cisco IOS IPsec

Configuring Enhanced Easy VPN with Dial Backup

Overview

This document provides a sample configuration for Cisco® Enhanced Easy VPN Remote connecting to a primary Easy VPN server with crypto map configuration, and connecting to an enhanced Easy VPN server with dial backup when the primary VPN server fails. This enhanced Easy VPN configuration uses Dynamic Virtual Tunnel Interface (DVTI).

Figure 1. Network Diagram

CISCO ENHANCED EASY VPN WITH DVTI

Cisco Enhanced Easy VPN is a new method for configuring Easy VPN using DVTIs. It can be used on both the Easy VPN Server and Easy VPN Remote routers. It relies on Virtual Tunnel Interface (VTI) to create a virtual access interface for every new Easy VPN tunnel. The configuration of the virtual access interface is cloned from a virtual template configuration. The cloned configuration includes the IP Security (IPSec) configuration and any Cisco IOS® Software feature configured on the virtual template interface, such as quality of service (QoS), NetFlow, or access control lists (ACLs).
With Cisco Enhanced Easy VPN, users can provide highly secure connectivity for remote-access VPNs. Enhanced Easy VPN can be combined with Cisco AVVID (Architecture for Voice, Video and Integrated Data) to deliver converged voice, video, and data over IP networks.

BENEFITS

Simplifies Management: Customers can use the Cisco IOS virtual template to clone, on demand, new virtual access interfaces for IPSec. This simplifies VPN configuration complexity, which translates into reduced costs. In addition, existing management applications now can monitor separate interfaces for different sites.

Provides a Routable Interface: Cisco IOS IPSec DVTIs support all types of IP routing protocols. Customers can use these capabilities to connect larger office environments, such as branch offices.

Improves Scaling: IPSec DVTIs use single security associations per site to cover different types of traffic, thus enabling improved scaling.

Offers Flexibility in Defining Features: An IPSec DVTI is an encapsulation within its own interface. This offers flexibility of defining features for clear-text traffic on IPSec VTIs, and features for encrypted traffic on physical interfaces.

CONFIGURATION SUMMARY

This spoke router uses reliable static routing to detect when the primary Cisco Easy VPN Server fails. Reliable static routing uses the IP SLA monitor feature to track reachability of a remote destination; here it polls the Easy VPN server every 10 seconds. When connectivity to the primary server fails, the tracked static route is removed from the routing table and Easy VPN replaces the active crypto map with the backup crypto map. This allows a floating static route to become active and initiate a crypto session over the backup path; the floating static route causes the traffic to be encrypted by the backup path and forwarded out the dialup interface.
During the primary network path failure, the IP SLA monitor continues to monitor the primary server availability. When the IP SLA monitor detects that the primary Easy VPN Server is reachable, it will reinstall the reliable static route in the routing table, replacing the floating static route, and will reactivate the primary crypto map. While traffic is being forwarded to the primary server, the backup path becomes idle, causing the dialup to time out and bring down the backup interface.
The traffic is forwarded to or from the IPSec tunnel interface by virtue of the IP routing table lookup. Routes are dynamically learned during Internet Key Exchange (IKE) Mode configuration exchange and inserted into the routing table pointing to the virtual access interface.
This configuration allows for split tunneling. With split tunneling, remote users can send traffic destined to the Internet directly without going onto the IPSec tunnel.
The remote router is using dynamic IP addresses, a typical configuration for DSL and cable connectivity. The remote router is also using Network Extension Mode. In this mode, the remote subnet is visible to the hub network. This enables the support of devices such as voice over IP (VoIP) phones located at the remote site. This configuration can be used for User Mode as well.
This configuration shows two types of Easy VPN tunnels: a traditional Easy VPN tunnel using the primary path and an Enhanced Easy VPN tunnel with DVTI using the backup path. The two different types of tunnels were used for the purpose of demonstration only; both tunnels can be of the same type. With a traditional Easy VPN tunnel, one or more IPSec security associations are created for each IPSec tunnel (depending on the server configuration); each IPSec security association allows a specific source and destination IP address on the IPSec tunnel. With Enhanced Easy VPN, only one IPSec security association is created for each IPSec tunnel with any source to any destination IP addresses.
For more information about the IPSec DVTI feature, see "IPSec Virtual Tunnel Interface" (a link is provided in the Related Information section of this document).

LIMITATIONS

This guide provides a sample of Easy VPN configuration with DVTI configuration only.

• This guide does not cover a full security audit on the router. It is recommended that users run a Cisco Router and Security Device Manager (SDM) security audit in Wizard Mode to secure the router.

• An initial router configuration step is not shown in the steps. The full configuration is shown in the following section.

• This configuration guide enables split tunneling. Split tunneling is enabled on the hub by the ACL command under the crypto isakmp client configuration mode. To disable the split tunneling on the remote, remove the ACL command from the Easy VPN Server.

• The spoke is configured with Port Address Translation (PAT) to provide connectivity over the Internet. The spoke configuration requires Cisco IOS Software Release 12.4(4)T to work.

• This configuration uses Network Extension Mode. For details on configuring User Mode, please review documentation for Cisco Easy VPN Remote or Server.

• This configuration does not include multicast.

COMPONENTS USED

The sample configuration uses the following releases of the software and hardware:

• Cisco IOS Software Release 12.4(4)T

• Cisco 1841, 3725, and 7206 routers

Figure 1 illustrates a sample network configuration.
The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to understand the potential impact of any command before implementing it.

REMOTE ROUTER CONFIGURATION

version 12.4
!
hostname C1841-41
!
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name yourdomain.com
ip name-server 30.30.30.10
ip name-server 30.30.30.11
ip ssh version 1
ip sla 1
 icmp-echo 10.0.149.203 source-interface FastEthernet0/1
 timeout 10000
 threshold 1000
 frequency 11
ip sla schedule 1 life forever start-time now
!
chat-script Dialout ABORT ERROR ABORT BUSY "" "AT" OK "ATDT \T" TIMEOUT 45 CONN
modemcap entry modem:MSC=&FS0=8
!
username cisco password 0 cisco
!
track 123 rtr 1 reachability
!
crypto isakmp keepalive 10
!
crypto ipsec client ezvpn bup
 connect auto
 group cisco key cisco
 local-address Async0/0/0
 mode network-extension
 peer 10.0.149.221
 virtual-interface 1
 xauth userid mode interactive
crypto ipsec client ezvpn ez
 connect auto
 group cisco key cisco
 local-address FastEthernet0/1
 backup bup track 123
 mode network-extension
 peer 10.0.149.203
 virtual-interface 1
 xauth userid mode interactive
!
!
interface FastEthernet0/0
 ip address 192.168.41.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 crypto ipsec client ezvpn bup inside
 crypto ipsec client ezvpn ez inside
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 speed 100
 full-duplex
 crypto ipsec client ezvpn ez
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
!
interface Vlan1
 no ip address
!
interface Async0/0/0
 bandwidth 56
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer in-band
 dialer fast-idle 10800
 dialer enable-timeout 20
 dialer wait-for-carrier-time 75
 dialer string 60341
 dialer hold-queue 100 timeout 75
 dialer-group 1
 async dynamic address
 async dynamic routing
 async mode dedicated
 no fair-queue
 ppp authentication pap callin
 ppp pap sent-username lab password 0 lab
 crypto ipsec client ezvpn bup
 routing dynamic
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.149.203 track 123
ip route 0.0.0.0 0.0.0.0 Async0/0/0 240 permanent
ip route 10.0.149.221 255.255.255.255 Async0/0/0
ip route 10.0.149.203 255.255.255.255 dhcp
!
!
ip http server
no ip http secure-server
!
dialer-list 1 protocol ip permit
!
!
control-plane
!
line con 0
 exec-timeout 0 0
line aux 0
 exec-timeout 0 0
 modem InOut
 modem autoconfigure type modem
 transport input all
 transport output all
 stopbits 1
 speed 1200
 flowcontrol hardware
line 0/0/0
 exec-timeout 0 0
 modem InOut
 modem autoconfigure discovery
 transport input all
 transport output all
 stopbits 1
 speed 115200
 flowcontrol hardware
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 password lab
 login local
 transport input telnet ssh
!
end
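The failover in this configuration only works if four separate pieces agree with each other: the IP SLA probe target, the track object that watches it, the tracked and floating default routes, and the "backup ... track" line in the Easy VPN profile. A mismatch in any one of them (a probe aimed at the wrong address, a floating route whose administrative distance is not higher than the primary's, or a missing host route for the backup peer out the dialer interface) silently breaks the backup path until the day it is needed. The following Python script is an added example, not part of the Cisco document, that reads a configuration excerpt and checks that chain. The excerpt embedded in it is a constructed copy of the relevant commands from the listing above; the function names (parse_sections, collect, audit_failover) and the parsing rules are the author's own and assume IOS-style output with or without submode indentation.

```python
import re

# Constructed excerpt of the remote router's configuration (the same commands the
# document's listing uses; unrelated lines are omitted). Indentation is optional:
# the parser also accepts a flat paste in which submode lines are not indented.
SAMPLE_CONFIG = """\
ip sla 1
 icmp-echo 10.0.149.203 source-interface FastEthernet0/1
 frequency 11
ip sla schedule 1 life forever start-time now
!
track 123 rtr 1 reachability
!
crypto ipsec client ezvpn bup
 local-address Async0/0/0
 mode network-extension
 peer 10.0.149.221
crypto ipsec client ezvpn ez
 local-address FastEthernet0/1
 backup bup track 123
 mode network-extension
 peer 10.0.149.203
!
ip route 0.0.0.0 0.0.0.0 10.0.149.203 track 123
ip route 0.0.0.0 0.0.0.0 Async0/0/0 240 permanent
ip route 10.0.149.221 255.255.255.255 Async0/0/0
ip route 10.0.149.203 255.255.255.255 dhcp
"""

# Commands that open a new top-level block; anything else attaches to the open block.
TOP_RE = re.compile(r"^(ip sla \d+$|ip sla schedule |track \d+ |crypto ipsec client ezvpn \S+$|interface |ip route )")
# ip route <prefix> <mask> <next hop or interface> [AD] [track N] [permanent]
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?(?: track (\d+))?(?: permanent)?$")


def parse_sections(config):
    """Group lines into (header, [submode lines]) pairs, with or without indentation."""
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if TOP_RE.match(line) and not raw.startswith(" "):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections


def collect(config):
    """Extract routes, track objects, IP SLA probe targets and Easy VPN profiles."""
    routes, tracks, slas, profiles = [], {}, {}, {}
    for header, body in parse_sections(config):
        if m := ROUTE_RE.match(header):
            prefix, mask, nexthop, ad, track = m.groups()
            routes.append({"prefix": prefix, "mask": mask, "nexthop": nexthop,
                           "ad": int(ad) if ad else 1, "track": track})   # static default AD is 1
        elif m := re.match(r"^track (\d+) rtr (\d+) reachability$", header):
            tracks[m[1]] = m[2]                      # track object -> IP SLA operation
        elif m := re.match(r"^ip sla (\d+)$", header):
            for line in body:
                if t := re.match(r"^icmp-echo (\S+)", line):
                    slas[m[1]] = t[1]                # IP SLA operation -> probed address
        elif m := re.match(r"^crypto ipsec client ezvpn (\S+)$", header):
            prof = {"peer": None, "local": None, "backup": None, "track": None}
            for line in body:
                words = line.split()
                if words[0] == "peer":
                    prof["peer"] = words[1]
                elif words[0] == "local-address":
                    prof["local"] = words[1]
                elif b := re.match(r"^backup (\S+) track (\d+)$", line):
                    prof["backup"], prof["track"] = b[1], b[2]
            profiles[m[1]] = prof
    return routes, tracks, slas, profiles


def audit_failover(config):
    """Return the problems found in the primary/backup chain; [] means it is consistent."""
    routes, tracks, slas, profiles = collect(config)
    defaults = [r for r in routes if r["prefix"] == r["mask"] == "0.0.0.0"]
    tracked = [r for r in defaults if r["track"]]
    floating = [r for r in defaults if not r["track"]]
    if not tracked or not floating:
        return ["expected one tracked default route plus one untracked floating default route"]
    primary, floater = tracked[0], floating[0]
    problems = []
    if floater["ad"] <= primary["ad"]:
        problems.append(f"floating default AD {floater['ad']} must exceed the primary AD {primary['ad']}")
    sla = tracks.get(primary["track"])
    if sla is None:
        problems.append(f"track {primary['track']} is not bound to an IP SLA operation")
    elif slas.get(sla) != primary["nexthop"]:
        problems.append(f"IP SLA {sla} probes {slas.get(sla)}, not the primary next hop {primary['nexthop']}")
    prim = next((p for p in profiles.values() if p["peer"] == primary["nexthop"]), None)
    if prim is None:
        return problems + [f"no Easy VPN profile peers with the primary next hop {primary['nexthop']}"]
    if prim["track"] != primary["track"]:
        problems.append("the Easy VPN 'backup ... track' object differs from the route's track object")
    bak = profiles.get(prim["backup"])
    if bak is None:
        return problems + [f"backup profile {prim['backup']!r} is not defined"]
    if floater["nexthop"] != bak["local"]:
        problems.append(f"floating default route exits {floater['nexthop']}, not the backup interface {bak['local']}")
    # The backup peer needs its own host route out the backup interface; otherwise its
    # IKE traffic would follow the default route and be pulled toward the failed path.
    if not any(r["prefix"] == bak["peer"] and r["mask"] == "255.255.255.255"
               and r["nexthop"] == bak["local"] for r in routes):
        problems.append(f"no host route for backup peer {bak['peer']} via {bak['local']}")
    return problems


if __name__ == "__main__":
    for line in audit_failover(SAMPLE_CONFIG) or ["failover chain is consistent"]:
        print(line)
```

Run it against a saved "show running-config" instead of SAMPLE_CONFIG to check a production spoke; an empty result means the probe, the track object, both default routes and the Easy VPN backup binding all refer to each other as the document's design requires.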

STATUS DURING NORMAL OPERATION

C1841-41#show crypto session detail
Crypto session current status
Code: C-IKE Configuration mode, D-Dead Peer Detection
K-Keepalives, N-NAT-traversal, X-IKE Extended Authentication
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.0.149.203 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.0.149.203
      Desc: (none)
  IKE SA: local 10.0.35.4/500 remote 10.0.149.203/500 Active
          Capabilities:CD connid:1010 lifetime:23:58:32
  IPSEC FLOW: permit ip 192.168.41.0/255.255.255.0 192.168.20.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 85 drop 0 life (KB/Sec) 4457034/3504
        Outbound: #pkts enc'ed 85 drop 0 life (KB/Sec) 4457034/3504
  IPSEC FLOW: permit ip 192.168.41.0/255.255.255.0 192.168.71.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4528189/3504
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4528189/3504
C1841-41#show ip route
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
       D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
       N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
       E1-OSPF external type 1, E2-OSPF external type 2
       i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
       ia-IS-IS inter area, *-candidate default, U-per-user static route
       o-ODR, P-periodic downloaded static route
Gateway of last resort is 10.0.149.203 to network 0.0.0.0
C    192.168.41.0/24 is directly connected, FastEthernet0/0
S    192.168.20.0/24 [1/0] via 0.0.0.0, Virtual-Access3
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.35.0/24 is directly connected, FastEthernet0/1
S       10.0.149.221/32 is directly connected, Async0/0/0
S       10.0.149.203/32 [1/0] via 10.0.35.216
S    192.168.71.0/24 [1/0] via 0.0.0.0, Virtual-Access3
S*   0.0.0.0/0 [1/0] via 10.0.149.203
C1841-41#show dialer
As0/0/0-dialer type = IN-BAND ASYNC NO-PARITY
Idle timer (120 secs), Fast idle timer (10800 secs)
Wait for carrier (75 secs), Re-enable (20 secs)
Dialer state is idle
Dial String      Successes   Failures    Last DNIS   Last status
60341                    3          0    19:30:26       successful   Default
C1841-41#show interfaces virtual-access 3
Virtual-Access3 is up, line protocol is up
  Hardware is Virtual Access interface
  Interface is unnumbered. Using address of FastEthernet0/1 (10.0.35.4)
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL
  Tunnel vaccess, cloned from Virtual-Template1
  Vaccess status 0x44, loopback not set
  Keepalive not set
  Tunnel source 10.0.35.4 (FastEthernet0/1), destination 10.0.149.203
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 1 packets/sec
  5 minute output rate 0 bits/sec, 1 packets/sec
     70708 packets input, 4525312 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     70759 packets output, 4528576 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
C1841-41#sh int asyn 0/0/0
Async0/0/0 is up (spoofing), line protocol is up (spoofing)
  Hardware is GT96K SmartSCM Integrated Modem
  Internet address will be negotiated using IPCP
  MTU 1500 bytes, BW 56 Kbit, DLY 100000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Closed, loopback not set
  Keepalive not set
  DTR is pulsed for 5 seconds on reset
  Last input 19:28:46, output 19:28:46, output hang never
  Last clearing of "show interface" counters 20:06:53
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 65
  Queueing strategy: fifo
  Output queue: 0/10 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     2885 packets input, 260171 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3101 packets output, 294363 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
     DCD=down  DSR=up  DTR=up  RTS=up  CTS=up

LOGS DURING THE NETWORK FAILURE

C1841-41#
*Oct 28 17:47:29.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=cisco  Server_public_addr=10.0.149.203
*Oct 28 17:47:48.399: %LINK-3-UPDOWN: Interface Async0/0/0, changed state to up
*Oct 28 17:47:49.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async0/0/0, changed state to up
*Oct 28 17:47:52.031: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=cisco  Server_public_addr=10.0.149.221
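These four syslog messages are the whole visible record of a failover: the primary tunnel drops, the dialer interface comes up, and a new tunnel is established to the backup server about 22 seconds later. A monitoring pipeline should turn them into a measured failover time and, just as importantly, raise an alert if a tunnel ever comes up to a server that is neither the configured primary nor the configured backup. The script below is an added example, not part of the Cisco document; the log excerpt inside it is a constructed copy of the messages above with the wrapped lines rejoined, and the function names and the primary/backup addresses passed to failover_report are the author's own choices taken from this document's lab.

```python
import re
from datetime import datetime

# Constructed copy of the document's failover messages (wrapped lines rejoined).
SAMPLE_LOG = """\
*Oct 28 17:47:29.907: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=cisco  Server_public_addr=10.0.149.203
*Oct 28 17:47:48.399: %LINK-3-UPDOWN: Interface Async0/0/0, changed state to up
*Oct 28 17:47:49.399: %LINEPROTO-5-UPDOWN: Line protocol on Interface Async0/0/0, changed state to up
*Oct 28 17:47:52.031: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=  Group=cisco  Server_public_addr=10.0.149.221
"""

# "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: text" (the leading * marks an unsynchronized clock)
LOG_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<msg>[A-Z0-9]+-\d-[A-Z0-9_]+): (?P<rest>.*)$"
)


def parse_events(log):
    """Turn syslog lines into (timestamp, kind, subject) tuples; unrelated lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(re.sub(r"\s+", " ", m["ts"]), "%b %d %H:%M:%S.%f")
        if m["msg"].startswith("CRYPTO-6-EZVPN_CONNECTION_"):
            peer = re.search(r"Server_public_addr=(\S+)", m["rest"])
            kind = "tunnel_up" if m["msg"].endswith("_UP") else "tunnel_down"
            events.append((ts, kind, peer[1] if peer else "?"))
        elif m["msg"] == "LINK-3-UPDOWN":
            lm = re.match(r"Interface (\S+), changed state to (\w+)", m["rest"])
            if lm:
                events.append((ts, "link_" + lm[2], lm[1]))
    return events


def failover_report(log, primary, backup):
    """Pair each loss of the primary tunnel with the next tunnel-up, measure the gap,
    and flag any server address that is neither the configured primary nor backup."""
    report = {"failovers": [], "unexpected_peers": [], "link_events": []}
    outage_start = None
    for ts, kind, subject in parse_events(log):
        if kind.startswith("link_"):
            report["link_events"].append((subject, kind[5:], ts.strftime("%H:%M:%S.%f")[:-3]))
        elif kind == "tunnel_down" and subject == primary:
            outage_start = ts
        elif kind == "tunnel_up":
            if subject not in (primary, backup):
                report["unexpected_peers"].append(subject)   # worth an alert, not just a log line
            if outage_start is not None:
                target = "backup" if subject == backup else "primary" if subject == primary else "unknown"
                report["failovers"].append({"to": target, "peer": subject,
                                            "seconds": (ts - outage_start).total_seconds()})
                outage_start = None
    return report


if __name__ == "__main__":
    print(failover_report(SAMPLE_LOG, primary="10.0.149.203", backup="10.0.149.221"))
```

The measured gap (about 22 seconds here) is dominated by the modem dial and PPP negotiation, which is why the document's dialer timers matter as much as the IPsec settings; tracking that number over time shows whether the backup path is degrading before it is needed.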

STATUS DURING THE BACKUP PATH

C1841-41#show crypto session detail
Crypto session current status
Code: C-IKE Configuration mode, D-Dead Peer Detection
K-Keepalives, N-NAT-traversal, X-IKE Extended Authentication
Interface: Async0/0/0
Session status: UP-ACTIVE
Peer: 10.0.149.221 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.0.149.221
      Desc: (none)
  IKE SA: local 172.21.0.22/500 remote 10.0.149.221/500 Active
          Capabilities:CD connid:1011 lifetime:23:57:08
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 128 drop 0 life (KB/Sec) 4539054/3436
        Outbound: #pkts enc'ed 128 drop 0 life (KB/Sec) 4539054/3436
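Comparing the two "show crypto session detail" outputs makes the difference described in the configuration summary concrete: the traditional tunnel to the primary server carries one IPSEC FLOW per protected subnet pair (two here, one of which has never passed a packet), while the enhanced tunnel over the backup path carries a single any-to-any flow. The Python script below is an added example, not part of the Cisco document, that parses this output into a structured record and reports which path is in use, how many flows exist, whether the selector is any/any, and which flows are idle. The two samples embedded in it are constructed copies of the document's normal and backup outputs; the function names and the expected primary/backup addresses are the author's assumptions.

```python
import re

# Constructed copies of the document's two "show crypto session detail" outputs
NORMAL = """\
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.0.149.203 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.0.149.203
  IKE SA: local 10.0.35.4/500 remote 10.0.149.203/500 Active
          Capabilities:CD connid:1010 lifetime:23:58:32
  IPSEC FLOW: permit ip 192.168.41.0/255.255.255.0 192.168.20.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 85 drop 0 life (KB/Sec) 4457034/3504
        Outbound: #pkts enc'ed 85 drop 0 life (KB/Sec) 4457034/3504
  IPSEC FLOW: permit ip 192.168.41.0/255.255.255.0 192.168.71.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4528189/3504
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4528189/3504
"""
BACKUP = """\
Crypto session current status
Interface: Async0/0/0
Session status: UP-ACTIVE
Peer: 10.0.149.221 port 500 fvrf: (none) ivrf: (none)
  IKE SA: local 172.21.0.22/500 remote 10.0.149.221/500 Active
          Capabilities:CD connid:1011 lifetime:23:57:08
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 128 drop 0 life (KB/Sec) 4539054/3436
        Outbound: #pkts enc'ed 128 drop 0 life (KB/Sec) 4539054/3436
"""


def parse_crypto_sessions(text):
    """Return one dict per 'Interface:' block: status, peer, IKE SA and its IPSEC flows."""
    sessions, cur, flow = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^Interface: (\S+)$", line):
            cur = {"interface": m[1], "status": None, "peer": None, "ike": None, "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue                                   # header lines before the first session
        elif m := re.match(r"^Session status: (\S+)$", line):
            cur["status"] = m[1]
        elif m := re.match(r"^Peer: (\S+) port (\d+)", line):
            cur["peer"] = m[1]
        elif m := re.match(r"^IKE SA: local (\S+) remote (\S+) (\w+)$", line):
            cur["ike"] = {"local": m[1], "remote": m[2], "state": m[3], "capabilities": ""}
        elif (m := re.match(r"^Capabilities:(\S+) connid:(\d+)", line)) and cur["ike"]:
            cur["ike"]["capabilities"] = m[1]          # C, D, K, N, X flags as listed in the legend
        elif m := re.match(r"^IPSEC FLOW: permit ip (\S+) (\S+)$", line):
            flow = {"src": m[1], "dst": m[2], "active_sas": 0, "dec": 0, "enc": 0}
            cur["flows"].append(flow)
        elif (m := re.match(r"^Active SAs: (\d+)", line)) and flow:
            flow["active_sas"] = int(m[1])
        elif (m := re.match(r"^Inbound:\s+#pkts dec'ed (\d+)", line)) and flow:
            flow["dec"] = int(m[1])
        elif (m := re.match(r"^Outbound:\s+#pkts enc'ed (\d+)", line)) and flow:
            flow["enc"] = int(m[1])
    return sessions


def path_report(text, primary, backup):
    """Summarize the active session: which configured path it belongs to, flow count,
    whether it is the single any/any selector of an enhanced tunnel, and idle flows."""
    active = [s for s in parse_crypto_sessions(text) if s["status"] == "UP-ACTIVE"]
    if not active:
        return {"path": "none", "interface": None, "peer": None, "flows": 0,
                "any_any": False, "xauth": False, "idle_flows": []}
    s = active[0]
    path = "primary" if s["peer"] == primary else "backup" if s["peer"] == backup else "unknown"
    return {
        "path": path, "interface": s["interface"], "peer": s["peer"], "flows": len(s["flows"]),
        "any_any": any(f["src"] == f["dst"] == "0.0.0.0/0.0.0.0" for f in s["flows"]),
        "xauth": "X" in (s["ike"] or {}).get("capabilities", ""),
        "idle_flows": [(f["src"], f["dst"]) for f in s["flows"] if f["dec"] == 0 and f["enc"] == 0],
    }


if __name__ == "__main__":
    for name, text in (("normal", NORMAL), ("backup path", BACKUP)):
        print(name, path_report(text, primary="10.0.149.203", backup="10.0.149.221"))
```

A "path" of "unknown" means the router is talking to a server address the operator never configured and deserves the same attention as a failover; "xauth" is False for both captures because neither IKE SA lists the X capability, which is a useful cross-check against what the profile's xauth line is expected to do.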
C1841-41#show ip route
Codes: C-connected, S-static, R-RIP, M-mobile, B-BGP
       D-EIGRP, EX-EIGRP external, O-OSPF, IA-OSPF inter area
       N1-OSPF NSSA external type 1, N2-OSPF NSSA external type 2
       E1-OSPF external type 1, E2-OSPF external type 2
       i-IS-IS, su-IS-IS summary, L1-IS-IS level-1, L2-IS-IS level-2
       ia-IS-IS inter area, *-candidate default, U-per-user static route
       o-ODR, P-periodic downloaded static route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S    192.168.72.0/24 [1/0] via 0.0.0.0, Virtual-Access2
     172.21.0.0/32 is subnetted, 2 subnets
C       172.21.0.22 is directly connected, Async0/0/0
C       172.21.0.11 is directly connected, Async0/0/0
C    192.168.41.0/24 is directly connected, FastEthernet0/0
S    192.168.20.0/24 [1/0] via 0.0.0.0, Virtual-Access2
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C       10.0.35.0/24 is directly connected, FastEthernet0/1
S       10.0.149.221/32 is directly connected, Async0/0/0
S       10.0.149.203/32 [1/0] via 10.0.35.216
S*   0.0.0.0/0 is directly connected, Async0/0/0
C1841-41#show dialer
As0/0/0-dialer type = IN-BAND ASYNC NO-PARITY
Idle timer (120 secs), Fast idle timer (10800 secs)
Wait for carrier (75 secs), Re-enable (20 secs)
Dialer state is data link layer up
Dial