Exploring Remote Access VPN (Easy VPN) on Cisco Router with Cisco Secure Access Control Server 5.x
There are times when you want your employees to have secure access to your corporate network resources through your Cisco router, along with the option to centrally manage that access with an easy, manageable configuration rollout on the routers. Allowing remote users to reach corporate resources over IPSec on Cisco routers can be implemented with a feature called Easy VPN.
The main advantage of Easy VPN is that IPSec policies are centrally managed on the server (the head-end router providing the IPSec feature) and are pushed to client devices. This policy push is known as Mode Configuration, and it requires minimal configuration on the end-user side. The IPSec policies can also be configured on a RADIUS server and downloaded to the Easy VPN server, further reducing the configuration required on the Easy VPN server itself.
In this article we will focus on the Easy VPN server configuration required when we want IPSec policies to be pushed from a Cisco Secure Access Control Server 5.x as our RADIUS server.
Since this is a client-server architecture in which a Cisco router acts as the Easy VPN server, the client-side responsibility is fulfilled by:
Before getting into configuration, let's look at a typical scenario. Suppose that some employees in your organization work remotely and are often required to access information on the corporate network. Up until now they would dial up to get their work done. Due to the increased risk of data theft, you are now required to stop dial-up access for remote workers and must come up with a solution that provides secure access to corporate resources. Since you already have a Cisco router, you can use it as a server providing IPSec services, allowing remote workers to connect using a client (in our case the Cisco VPN Client for Windows).
The following figure summarizes our scenario. In this scenario we have two head-end routers: one with the role of primary Easy VPN server and the other as a secondary Easy VPN server.
Let us look at the configuration for Easy VPN Server and RADIUS server.
Configuring the Easy VPN Server
1. Configure the Easy VPN server to look up the policy from the RADIUS server.
In this configuration the command 'aaa authorization network ezvpn-author group radius' specifies that the configuration for the Easy VPN group (its policies) must be downloaded from a RADIUS server.
Since you are using the RADIUS server for the policy download, it makes sense to authenticate users against the RADIUS server, too. So we have included Xauth, as you can see in the command 'aaa authentication login ezvpn-authen group radius'. Both lists, authentication (Xauth) and authorization (RADIUS policy download), are referenced later in the configuration. At this stage we have simply defined the authentication and authorization lists; they are not yet called or applied anywhere.
The command ‘ip radius source-interface FastEthernet0’ ensures that any RADIUS request sent from the router to the RADIUS server contains the source IP (NAS-IP-Address) as the router’s FastEthernet0 IP address.
2. Because this is IPSec, you must configure the IPSec policies for Phase I and Phase II.
3. Configure Mode Configuration and Xauth.
You can also instruct the device to inject a static route dynamically for each connecting remote client. In this example we have achieved that with the command 'reverse-route'.
Problem Description (continued…)
Before you move ahead to the next configuration step, let's add more information to our problem description. Now we are required to allow two sets, or groups, of remote users to connect to the corporate network. Each group must be assigned a different IP address range. Most important, the remote users of one group must not be allowed to connect using the profile of the other group, because each group has a unique set of policies for accessing the corporate network.
4. Assign the IP address for the remote clients.
If you intend to assign a particular IP address to each user from the RADIUS server, then this step can be skipped. Otherwise, this step is essential, as remote clients must have an IP address in order to connect. Here we will create two local IP pools on the router.
Because we are using the split tunneling feature in this scenario, we need ACLs to specify the interesting traffic. Also, in order to simulate an internal network we will create two loopback interfaces. These configurations are referenced later in this article.
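Steps 1 to 4 above are assembled below into one complete Easy VPN server configuration. This is an added example, not the article's own listing: the AAA list names ('ezvpn-authen', 'ezvpn-author') and 'ip radius source-interface FastEthernet0' are the ones the article uses, while the RADIUS server address (192.0.2.10), the shared secret, the map, transform-set and pool names, the address ranges, the loopback addresses and the ACL numbers are constructed placeholders.

```cisco
! Added example: Easy VPN server with group policy downloaded from RADIUS.
! 192.0.2.10, the shared secret, pool names, address ranges and ACL numbers
! are constructed placeholders.
aaa new-model
! Step 1: Xauth user authentication and Easy VPN group authorization both go to RADIUS
aaa authentication login ezvpn-authen group radius
aaa authorization network ezvpn-author group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-SECRET-PLACEHOLDER
! NAS-IP-Address in every RADIUS request is the FastEthernet0 address
ip radius source-interface FastEthernet0
!
! Step 2, Phase I: pre-shared key authentication so the client can present a group password
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Dead-peer detection so SAs of clients that vanish are torn down
crypto isakmp keepalive 10 3
!
! Step 2, Phase II: transform set referenced by the dynamic crypto map
crypto ipsec transform-set EZVPN-TS esp-aes esp-sha-hmac
!
crypto dynamic-map EZVPN-DYN 10
 set transform-set EZVPN-TS
 ! inject a static route for each connected client's assigned address
 reverse-route
!
! Step 3: bind Xauth, RADIUS group authorization and Mode Configuration to the crypto map
crypto map EZVPN-MAP client authentication list ezvpn-authen
crypto map EZVPN-MAP isakmp authorization list ezvpn-author
crypto map EZVPN-MAP client configuration address respond
crypto map EZVPN-MAP 10 ipsec-isakmp dynamic EZVPN-DYN
!
! Step 4: one local pool per group (skip if RADIUS hands out a per-user Framed-IP-Address)
ip local pool EZVPN-POOL1 10.10.1.1 10.10.1.254
ip local pool EZVPN-POOL2 10.10.2.1 10.10.2.254
!
! Simulated internal networks that the remote users will reach through the tunnel
interface Loopback1
 ip address 172.16.1.1 255.255.255.0
interface Loopback2
 ip address 172.16.2.1 255.255.255.0
!
! Split-tunnel ACLs: only these destinations are sent through the tunnel.
! The RADIUS group policy selects which ACL and pool each group gets.
access-list 101 permit ip 172.16.1.0 0.0.0.255 any
access-list 102 permit ip 172.16.2.0 0.0.0.255 any
!
interface FastEthernet0
 ip address 203.0.113.1 255.255.255.0
 crypto map EZVPN-MAP
```

Note that no 'crypto isakmp client configuration group' block appears: with 'isakmp authorization list ezvpn-author' pointing at RADIUS, the group's pre-shared key, pool and split-tunnel ACL all come from the RADIUS record, which is exactly what keeps the router-side configuration small.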
That is it! We are done with the Easy VPN server configuration.
The next part of the puzzle that we need to put together with the Easy VPN server configuration is the RADIUS server configuration.
Problem Description (continued…)
Let us be more specific about the requirement so that we can configure our RADIUS server. In our requirement we need to create two group policies:
Policy for ‘ezvpn-group1’:
Policy for ‘ezvpn-group2’:
Before you start configuring the RADIUS server, let's take a moment to understand the component that will make it work: the Easy VPN server expects certain RADIUS AV pairs. In this article I am assuming that you already know how to configure an Easy VPN server group locally on a Cisco IOS router. For an Easy VPN group to allow remote clients to connect, you must define it somewhere and define its policies underneath it, as explained in the following document: http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1517290
When you move a group and its policy to a RADIUS server, the same concept applies; the only difference is that everything is configured on the RADIUS server rather than locally on the router. The following tables map each local policy element to its RADIUS AV pair.
Group level policy elements:
User level policy elements:
Requirements for Easy VPN Group configuration on RADIUS server:
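As an added illustration (not one of the article's tables), here is what the RADIUS records for the two groups of our problem description and for one Xauth user carry, written out as attribute/value lines. The group is looked up by the Easy VPN server as a RADIUS user whose name is the group name and whose password is the fixed string 'cisco', with Service-Type Outbound; the 'ipsec:' AV pairs are those Cisco documents for Easy VPN Server. The pre-shared keys, pool names, ACL numbers and the user name 'alice' are assumed values, and the group-lock/user-vpn-group combination is what enforces that a user of one group cannot connect with the other group's profile.

```text
# --- Group record "ezvpn-group1" (looked up by the Easy VPN server) ---
User-Name      = ezvpn-group1
User-Password  = cisco                 # fixed value IOS sends on a group lookup
Service-Type   = Outbound
Cisco-AVPair   = "ipsec:key-exchange=ike"
Cisco-AVPair   = "ipsec:tunnel-password=GROUP1-PSK-PLACEHOLDER"  # group pre-shared key
Cisco-AVPair   = "ipsec:addr-pool=EZVPN-POOL1"                    # router-local pool
Cisco-AVPair   = "ipsec:inacl=101"                                # split-tunnel ACL
Cisco-AVPair   = "ipsec:group-lock=1"   # reject users whose user-vpn-group is not this group

# --- Group record "ezvpn-group2" ---
User-Name      = ezvpn-group2
User-Password  = cisco
Service-Type   = Outbound
Cisco-AVPair   = "ipsec:key-exchange=ike"
Cisco-AVPair   = "ipsec:tunnel-password=GROUP2-PSK-PLACEHOLDER"
Cisco-AVPair   = "ipsec:addr-pool=EZVPN-POOL2"
Cisco-AVPair   = "ipsec:inacl=102"
Cisco-AVPair   = "ipsec:group-lock=1"

# --- Xauth user "alice", allowed into group 1 only ---
User-Name      = alice
User-Password  = <her Xauth password>
Cisco-AVPair   = "ipsec:user-vpn-group=ezvpn-group1"
```

With this arrangement the router itself holds no group keys or group policies; changing a group's pool, ACL or key is a RADIUS-side change, and a user who tries the group 2 profile with alice's credentials is rejected at Xauth because her user-vpn-group does not match the locked group.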