Configuring IPSec VPN between IPAQ with Movian client and Cisco IOS Easy VPN Server

Figure 1: Network Diagram

Introduction

This document describes how to configure a handheld computer and a Cisco IOS router for IPsec VPN connectivity. With VPN connectivity, the handheld computer can reach intranet servers privately over the public Internet. The sample configuration presented in this document uses the Movian VPN client software, the Cisco IOS Easy VPN Server, the IPAQ handheld computer at the remote end, and a Cisco 7200 as the server.

Prerequisites

The handheld computer-to-Cisco Easy VPN router sample configuration is based on the following assumptions:

  • The IP address at the Cisco Easy VPN Server is static.
  • The IP address at the handheld computer is static or dynamic.
  • All traffic, including Internet traffic, from the Easy VPN Client is forwarded to the hub.
  • Traffic from the remote host is forwarded after applying Network Address Translation/Port Address Translation (NAT/PAT).

Components Used

The sample configuration uses the following releases of the software and hardware:

  • Compaq IPAQ 3630 PDA with Movian VPN Version 3.0.0
  • Cisco 7200V with Cisco IOS® Software, Version 12.2(11)T

Figure 1 illustrates the network for the sample configuration.

The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to understand the potential impact of any command before implementing it.

Movian Client Configuration Options

Cisco Easy VPN implements the Cisco Unity Client protocol, which simplifies client configuration because most VPN parameters are defined at the remote-access VPN server. The server can be a dedicated VPN device, such as a VPN 3000 concentrator or a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol. The sample configuration uses the Cisco 1751 for the Easy VPN Server.

This sample configuration uses client mode with the Movian VPN Client. In client mode, all traffic from the Movian VPN client is translated (NAT) to the mode-config IP address that the Easy VPN Server assigns to the client.

The Movian VPN Client forwards Internet traffic to the Easy VPN Server. Any traffic other than the encrypted traffic from the Easy VPN Server is denied direct access to the Cisco 806 Easy VPN Client. An alternative configuration of the Cisco Easy VPN Server, called split tunneling, forwards Internet traffic directly without encryption.

For additional information about configuring Easy VPN Server, refer to Cisco IOS Easy VPN Server feature.

Movian VPN Client Configuration

Policy type: Cisco Unified client
Gateway address: 172.19.202.23
Same authentication configuration
Use Perfect Forward Secrecy: Disabled

IKE Suite:
  Diffie-Hellman group: GRP2_DH-1024
  Cipher: 3DES_CBC
  Hash: SHA
IPSec Suite: ESPIP_3DES_SHA-96

Soft Client Initial Configuration:
IP address of remote server: 172.19.202.23
Group Access Information:
Name: groupname
Password: test1234

During Connection:
Username: user
Password: test1234

Cisco 7200 VPN Router Configuration

The following commands show how to configure the router for this sample configuration.

version 12.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
service internal
!
hostname 7200-3
!
logging buffered 16000 debugging
aaa new-model
!
!
aaa authentication login groupname local
aaa authorization network groupname local 
aaa session-id common
enable password lab
!
username user password 0 test1234
ip subnet-zero
no ip cef
!
!
ip domain name cisco.com
ip name-server 171.68.1.1
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test1234 address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group groupname
 key test1234
 dns 171.68.1.1
 wins 171.68.1.2
 domain cisco.com
 pool poolname
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac 
!
crypto dynamic-map vpn-test 1
 set transform-set vpn-test 
 reverse-route
!
! The Xauth list name must match the aaa authentication login list defined above
crypto map ws client authentication list groupname
crypto map ws isakmp authorization list groupname
crypto map ws client configuration address respond
crypto map ws 1 ipsec-isakmp dynamic vpn-test 
!
!
interface Ethernet3/0
 ip address 10.0.149.203 255.255.255.128
 duplex half
!
interface Ethernet3/4
 ip address 10.0.149.23 255.255.255.128
 duplex half
 crypto map ws
!
!
ip local pool poolname 10.0.149.230 10.0.149.235
ip default-gateway 10.0.149.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.149.1
ip route 10.0.149.1 255.255.255.255 Ethernet3/0
ip http server
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end
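A consistency check for the cross-references in an Easy VPN Server configuration of this shape, added here as an example; it is not part of the original document and not a Cisco IOS tool. It parses a constructed excerpt modelled on the router configuration above (with the Xauth login list deliberately pointing at a list that is never defined) and reports dangling list, pool, transform-set and dynamic-map names, plus a pre-shared key bound to the wildcard peer address, which is acceptable in the lab this document describes but worth reviewing before the configuration leaves it.

```python
import re

# Constructed excerpt modelled on the router configuration in this document.
# Its Xauth line references list "local", which no "aaa authentication login"
# line defines, so the check is expected to report it.
SAMPLE_CONFIG = """
aaa authentication login groupname local
aaa authorization network groupname local
crypto isakmp key test1234 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group groupname
 key test1234
 pool poolname
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
crypto dynamic-map vpn-test 1
 set transform-set vpn-test
crypto map ws client authentication list local
crypto map ws isakmp authorization list groupname
crypto map ws 1 ipsec-isakmp dynamic vpn-test
ip local pool poolname 10.0.149.230 10.0.149.235
"""

# (description, regex capturing the referenced name, command that must define it)
REFERENCES = [
    ("Xauth login list", r"^crypto map \S+ client authentication list (\S+)", "aaa authentication login"),
    ("ISAKMP authorization list", r"^crypto map \S+ isakmp authorization list (\S+)", "aaa authorization network"),
    ("client group address pool", r"^ pool (\S+)", "ip local pool"),
    ("transform-set", r"^ set transform-set (\S+)", "crypto ipsec transform-set"),
    ("dynamic map", r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "crypto dynamic-map"),
]

def _names(config, pattern):
    """Set of names captured by a line-anchored regex over the whole config."""
    return set(re.findall(pattern, config, re.MULTILINE))

def check_easyvpn_config(config):
    """Return a list of findings; an empty list means every reference resolves."""
    findings = []
    for what, pattern, definer in REFERENCES:
        defined = _names(config, r"^" + re.escape(definer) + r" (\S+)")
        for name in sorted(_names(config, pattern) - defined):
            findings.append(f"{what} '{name}' is used but never defined by '{definer}'")
    # A 0.0.0.0 0.0.0.0 key matches every peer address; fine in the lab this
    # document describes, worth flagging before the configuration leaves it.
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0", config, re.MULTILINE):
        findings.append("pre-shared key is bound to wildcard peer address 0.0.0.0 0.0.0.0")
    return findings
```

Run it over a `show running-config` capture to get the same report for a real device.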

Verifying the Results

This section provides information you can use to confirm that your configuration is working properly.

To verify the VPN connectivity, follow these steps.

Step 1.   Log in to the hub router.

Step 2.   Using the Movian tools menu, ping www.cisco.com and other intranet hosts.

Step 3.   Using Internet Explorer, connect to the intranet and Internet servers.

Step 4.   Reload the web page so that the browser fetches it from the server instead of displaying a cached copy.

Troubleshooting the Configuration

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which analyzes show command output.

Note: Before issuing debug commands, see Important Information about Debug Commands.

  • debug crypto isakmp—Displays errors during Phase 1.
  • debug crypto ipsec—Displays errors during Phase 2.
  • debug crypto engine—Displays information from the crypto engine.
  • debug ip <routing-protocol>—Displays information about the routing transactions of the routing protocol you run.
  • clear crypto connection connection-id [slot | rsm | vip]—Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. Use the show crypto cisco connections command to see the connection-id value.
  • clear crypto isakmp—Clears the Phase 1 security associations.
  • clear crypto sa—Clears the Phase 2 security associations.

Related Information

  • IPsec Support Page
  • An Introduction to IP Security (IPsec) Encryption
  • Cisco IOS Easy VPN Client Feature
  • Cisco IOS Easy VPN Server
  • Configuring IPsec Network Security
  • Configuring Internet Key Exchange Security Protocol