Cisco IOS Easy VPN

Configuring IPSec VPN--IPAQ with Movian client, Easy VPN Server

Configuration Guide

Configuring IPSec VPN between IPAQ with Movian client and Cisco IOS Easy VPN Server

Figure 1: Network Diagram

This document describes how to configure a handheld computer and Cisco IOS router for IPsec VPN connectivity. With VPN connectivity, the handheld computer can connect to Intranet servers privately over the public Internet. The sample configuration presented in this document uses the Movian VPN client software application, the Cisco IOS Easy VPN Server, the IPAQ handheld computer at the remote end, and Cisco 7200 as the server.


The handheld computer-to-Cisco Easy VPN router sample configuration is based on the following assumptions:

  • The IP address of the Cisco Easy VPN Server is static.
  • The IP address of the handheld computer is static or dynamic.
  • All traffic from the Easy VPN client, including Internet traffic, is sent through the tunnel to the hub.
  • The hub forwards the remote host's traffic after applying Network Address Translation/Port Address Translation (NAT/PAT).

Components Used

The sample configuration uses the following releases of the software and hardware:

  • Compaq IPAQ 3630 PDA with Movian VPN Version 3.0.0
  • Cisco 7200V with Cisco IOS® Software, Version 12.2(11)T

Figure 1 illustrates the network for the sample configuration.

The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to understand the potential impact of any command before implementing it.

Movian Client Configuration Options

Cisco Easy VPN implements the Cisco Unity Client protocol, which simplifies client configuration because most VPN parameters are defined on the VPN remote-access server and pushed to the client when it connects. The server can be a dedicated VPN device, such as a VPN 3000 Concentrator or a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client protocol. This sample configuration uses a Cisco 7200 as the Easy VPN Server.

This sample configuration uses client mode with the Movian VPN client. In client mode the server assigns the client a single address from its local pool through mode configuration, and all of the client's traffic undergoes NAT to that address, so intranet hosts see only the pool address.

The Movian VPN client forwards all traffic, including Internet traffic, through the tunnel to the Easy VPN Server, and accepts no inbound traffic other than encrypted traffic from the server. An alternative Easy VPN Server configuration, split tunneling, sends Internet traffic directly without encryption; it is not used here.

For additional information about configuring the Easy VPN Server, refer to the Cisco IOS Easy VPN Server feature documentation.

Movian VPN Client Configuration

Policy type: Cisco Unified client
Gateway address:
Same authentication configuration
Use Perfect Forward Secrecy: Disabled (the router's dynamic crypto map configures no set pfs)

IKE Suite (must match a crypto isakmp policy on the router; here policy 1 with 3DES, SHA and DH group 2):
Cipher: 3DES_CBC
Hash: SHA
IPSec Suite: ESPIP_3DES_SHA-96 (matches the router's esp-3des esp-sha-hmac transform set)

Soft Client Initial Configuration:
IP address of remote server:
Group Access Information (the name and key of the crypto isakmp client configuration group on the router):
Name: groupname
Password: test1234

During Connection (Xauth; checked against the router's local username database):
Username: user
Password: test1234

3DES, SHA-1 and DH group 2 are the suites both ends support in this sample; they are legacy algorithms today, and a current deployment should prefer AES, SHA-2 and a larger DH group where both ends support them.

Cisco 7200 VPN Router Configuration

The following commands show how to configure the router for this sample configuration.

version 12.2
service timestamps debug datetime
service timestamps log datetime
! Lab setting: the passwords below are stored in clear text. Outside the lab use
! service password-encryption and enable secret.
no service password-encryption
service internal
hostname 7200-3
logging buffered 16000 debugging
! AAA: the login list handles Xauth (the client's "During Connection" username and
! password) against the local user database; the network authorization list
! supplies the group attributes (pool, key) defined below.
aaa new-model
aaa authentication login groupname local
aaa authorization network groupname local
aaa session-id common
enable password lab
! Xauth user presented by the Movian client.
username user password 0 test1234
ip subnet-zero
no ip cef
ip domain name
ip name-server
! IKE Phase 1 proposal matching the client's IKE suite: 3DES, SHA (the default hash),
! pre-shared key authentication and DH group 2, which Unity clients require.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key test1234 address
! Group name and key entered under "Group Access Information" on the client; the
! pool supplies the mode-config address that the client's traffic is NATed to.
crypto isakmp client configuration group groupname
 key test1234
 pool poolname
! IPsec Phase 2 proposal matching the client's ESPIP_3DES_SHA-96 suite. No set pfs,
! which matches "Use Perfect Forward Secrecy: Disabled" on the client.
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
crypto dynamic-map vpn-test 1
 set transform-set vpn-test
! The Xauth list and the authorization list must both name AAA method lists that
! are defined above (here groupname); an undefined list name makes Xauth fail.
crypto map ws client authentication list groupname
crypto map ws isakmp authorization list groupname
crypto map ws client configuration address respond
crypto map ws 1 ipsec-isakmp dynamic vpn-test
interface Ethernet3/0
 ip address
 duplex half
! Outside interface: the crypto map goes where the client's IKE/IPsec traffic arrives.
interface Ethernet3/4
 ip address
 duplex half
 crypto map ws
! Addresses handed to clients by mode configuration.
ip local pool poolname
ip default-gateway
ip classless
ip route
ip route Ethernet3/0
! Not needed for Easy VPN; disable unless HTTP management of the gateway is required.
ip http server
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
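Because the Easy VPN Server configuration above is a chain of cross-references (crypto map to AAA lists, crypto map to dynamic map to transform set, client group to address pool, crypto map to interface, and the client's suites to the router's proposals), a single wrong name breaks the connection with little to go on but debug output. The following checker is an added example, not part of this guide or of Cisco IOS: it parses an IOS configuration and reports every broken link in that chain. The parser, the check logic and SAMPLE_CONFIG are all constructed here; the sample follows the 7200 configuration in this guide with RFC 5737 addresses substituted for the elided lab values, and the global crypto isakmp key line (whose address is not given) is omitted because the group key under the client configuration group is what authenticates the client.

```python
"""Added example (not from the guide): consistency checks for the Easy VPN Server pieces of an
IOS config. It walks the chain a Unity client depends on: crypto map -> AAA Xauth/group lists,
crypto map -> dynamic map -> transform set, group -> pool, map -> interface, suites -> proposals."""

# Suites the Movian client is set to in this guide; Cisco Unity clients use DH group 2.
CLIENT_IKE = {"encr": "3des", "hash": "sha", "group": "2", "authentication": "pre-share"}
CLIENT_IPSEC = {"esp-3des", "esp-sha-hmac"}
# IOS defaults for ISAKMP policy parameters that the running config does not show.
POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}

def parse_ios(text):
    """(command, [sub-commands]) blocks; indented lines belong to the preceding command."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def names_after(blocks, prefix):
    """Words that follow `prefix` in top-level commands (method lists, pool names, ...)."""
    return {c[len(prefix):].split()[0] for c, _ in blocks if c.startswith(prefix + " ")}

def policy_matches(subs, wanted):
    """True if an ISAKMP policy block, with IOS defaults filled in, equals the client suite."""
    params = dict(POLICY_DEFAULTS)
    for s in subs:
        k, _, v = s.partition(" ")
        params["encr" if k == "encryption" else k] = v.strip()
    return all(params.get(k) == v for k, v in wanted.items())

def check_easy_vpn_server(text):
    """Return 'ERROR ...' / 'WARN ...' findings; an empty list means the chain is consistent."""
    blocks = parse_ios(text)
    out = []
    login = names_after(blocks, "aaa authentication login")
    authz = names_after(blocks, "aaa authorization network")
    pools = names_after(blocks, "ip local pool")
    tsets = {c.split()[3]: set(c.split()[4:]) for c, _ in blocks if c.startswith("crypto ipsec transform-set ")}
    dyn = {c.split()[2]: subs for c, subs in blocks if c.startswith("crypto dynamic-map ")}
    applied = {s.split()[2] for c, subs in blocks if c.startswith("interface ") for s in subs if s.startswith("crypto map ")}
    if not any(policy_matches(s, CLIENT_IKE) for c, s in blocks if c.startswith("crypto isakmp policy ")):
        out.append("ERROR no ISAKMP policy matches the client IKE suite (3DES, SHA, group 2, pre-share)")
    if not any(CLIENT_IPSEC <= t for t in tsets.values()):
        out.append("ERROR no transform-set offers esp-3des esp-sha-hmac for ESPIP_3DES_SHA-96")
    out += [f"ERROR dynamic map {d}: transform-set '{t}' is not defined" for d, subs in dyn.items()
            for s in subs if s.startswith("set transform-set ") for t in s.split()[2:] if t not in tsets]
    maps = set()
    for cmd, subs in blocks:
        w = cmd.split()
        if cmd.startswith("crypto map ") and len(w) > 3:
            maps.add(w[2])
            if "client authentication list" in cmd and w[-1] not in login:
                out.append(f"ERROR crypto map {w[2]}: Xauth list '{w[-1]}' has no 'aaa authentication login' entry")
            if "isakmp authorization list" in cmd and w[-1] not in authz:
                out.append(f"ERROR crypto map {w[2]}: group list '{w[-1]}' has no 'aaa authorization network' entry")
            if "ipsec-isakmp dynamic" in cmd and w[-1] not in dyn:
                out.append(f"ERROR crypto map {w[2]}: dynamic map '{w[-1]}' is not defined")
        elif cmd.startswith("crypto isakmp client configuration group "):
            pool = [s.split()[1] for s in subs if s.startswith("pool ")]
            if not pool or pool[0] not in pools:
                out.append(f"ERROR group {w[-1]}: client mode needs 'pool <name>' backed by 'ip local pool'")
    out += [f"ERROR crypto map {m} is not applied to any interface" for m in sorted(maps - applied)]
    if ("no service password-encryption", []) in blocks:
        out.append("WARN passwords are stored in clear text; use 'service password-encryption' and 'enable secret'")
    return out

# Constructed sample following the 7200 configuration in this guide; addresses are RFC 5737 values,
# and the elided global 'crypto isakmp key' line is omitted because the group key authenticates the client.
SAMPLE_CONFIG = """\
no service password-encryption
aaa authentication login groupname local
aaa authorization network groupname local
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group groupname
 key test1234
 pool poolname
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
crypto dynamic-map vpn-test 1
 set transform-set vpn-test
crypto map ws client authentication list groupname
crypto map ws isakmp authorization list groupname
crypto map ws client configuration address respond
crypto map ws 1 ipsec-isakmp dynamic vpn-test
interface Ethernet3/4
 ip address 192.0.2.1 255.255.255.0
 crypto map ws
ip local pool poolname 198.51.100.10 198.51.100.50
"""

if __name__ == "__main__":
    print("\n".join(check_easy_vpn_server(SAMPLE_CONFIG)) or "consistent")
    broken = SAMPLE_CONFIG.replace("authentication list groupname", "authentication list local")
    print("\n".join(check_easy_vpn_server(broken)))  # adds the Xauth list error
```

Run it against the output of show running-config copied from the router; the sample reports only the clear-text password warning, while the second run shows what an Xauth list that names an undefined AAA method list looks like before any client has to fail against it. The IKE match fills in the IOS defaults (hash sha, group 1, rsa-sig) for parameters the running config hides, which is the usual reason a policy that looks right on screen still fails to match.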

Verifying the Results

This section provides information you can use to confirm that your configuration is working properly.

To verify the VPN connectivity, follow these steps.

Step 1.   Log in to the hub router and confirm that the client has negotiated both phases: show crypto isakmp sa lists the Phase 1 SA with the client's address, and show crypto ipsec sa shows the Phase 2 SAs, whose encrypt/decrypt counters increase once traffic flows.

Step 2.   Using the Movian tools menu, ping and other intranet hosts.

Step 3.   Using Internet Explorer, connect to intranet and Internet servers.

Step 4.   Reload each web page so that it is fetched through the tunnel rather than redisplayed from the browser cache.

Troubleshooting the Configuration

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which analyzes show command output.

Note: Before issuing debug commands, see Important Information about Debug Commands.

  • debug crypto isakmp—Displays errors during Phase 1, including IKE policy mismatches, a wrong group key, and Xauth failures.
  • debug crypto ipsec—Displays errors during Phase 2, including transform-set mismatches.
  • debug crypto engine—Displays information from the crypto engine.
  • debug ip <routing-protocol>—Displays information about routing transactions of your routing protocol.
  • clear crypto connection connection-id [slot | rsm | vip]—Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. Use the show crypto cisco connections command to see the connection-id value. These two commands apply to Cisco Encryption Technology sessions, not to IPsec security associations.
  • clear crypto isakmp—Clears the Phase 1 security associations.
  • clear crypto sa—Clears the Phase 2 security associations.

Related Information

IPsec Support Page

An Introduction to IP Security (IPsec) Encryption

Cisco IOS Easy VPN Client Feature

Cisco IOS Easy VPN Server

Configuring IPsec Network Security

Configuring Internet Key Exchange Security Protocol

Command Lookup Tool (registered customers only)

Technical Support - Cisco Systems