
CONFIGURATION GUIDE

CONFIGURING CISCO IOS EASY VPN REMOTE WITH CLIENT MODE AND XAUTH

Figure 1 Network Diagram (LAN 10.10.10.0 - C800 Easy VPN Client - 20.20.20.0 - IPsec Tunnel with Xauth - C1751V Easy VPN Server - LAN 30.30.30.0)

INTRODUCTION

This document describes how to configure a router-to-router Easy VPN solution based on the Cisco IOS Easy VPN Client and Cisco IOS Remote Access Server features. The sample configuration uses a Cisco 831 for the client and a Cisco 1751 for the server. Cisco Easy VPN negotiates the tunnel parameters and establishes the IPsec tunnels. Xauth adds another level of authentication that identifies the user who requests the IPsec connection.

PREREQUISITES

The router-to-router Easy VPN sample configuration is based on the following assumptions:

- The IP address of the Cisco Easy VPN Server is static.
- The IP address of the Cisco Easy VPN Client is dynamic.
- All traffic, including Internet traffic, from the Cisco Easy VPN Client is forwarded to the hub.
- Traffic from the remote hosts is forwarded after applying Network Address Translation/Port Address Translation (NAT/PAT).
- User-level authentication is used for authorizing VPN access.

COMPONENTS USED

The sample configuration uses the following releases of the software and hardware:

- Cisco 831 with Cisco IOS Software Release 12.3(2)XA
- Cisco 1751V with Cisco IOS Software Release 12.2(8)T

Figure 1 illustrates the network for the sample configuration.

All contents are Copyright 1992-2004 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. In a live network, it is imperative to understand the potential impact of any command before implementing it.

EASY VPN CONFIGURATIONS

Cisco Easy VPN implements the Cisco Unity Client protocol, which simplifies configuring the detailed information on the client router because most VPN parameters are defined at the VPN remote access server. The server can be a dedicated VPN device, such as a VPN 3000 Concentrator or a Cisco PIX Firewall, or a Cisco IOS Software router that supports the Cisco Unity Client protocol. The sample configuration uses the Cisco 1751 as the Easy VPN Server.

This sample configuration uses client mode on the remote Easy VPN Client. In client mode, the entire LAN behind the Easy VPN Client undergoes NAT to the mode-config IP address that is pushed down by the Easy VPN Server. The Cisco 831 forwards the Internet traffic to the Easy VPN Server. Direct access to the Cisco 831 by any traffic other than the encrypted traffic from the Easy VPN Server is denied.

With the Xauth feature, the client waits for a username/password challenge after the IKE SA has been established. When the end user responds to the challenge, the response is forwarded to the IPsec peers for an additional level of authentication. The information that is entered is checked against the AAA server.

For additional information about configuring the Easy VPN Client, refer to the Cisco IOS Easy VPN Client feature documentation.
CISCO 831 VPN ROUTER CONFIGURATION

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Cisco831
!
enable password cisco
!
username cisco password 0 cisco
ip subnet-zero
no ip domain-lookup
ip domain-name cisco.com
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   option 150 ip 30.30.30.200
   dns-server 30.30.30.60
!
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto ipsec client ezvpn hw-client
 group hw-client-groupname key hw-client-password
 mode client
 peer 20.20.20.2
!
interface Ethernet0
 description connected to BRANCH LAN
 ip address 10.10.10.1 255.255.255.0
 no cdp enable
!
interface Ethernet1
 description connected to INTERNET
 ip address 20.20.20.1 255.255.255.0
 no cdp enable
 crypto ipsec client ezvpn hw-client
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 30.30.30.0 255.255.255.0 Ethernet1
ip http server
ip pim bidir-enable
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 no login
 length 0
!
scheduler max-task-time 5000
end

CISCO 1751V VPN ROUTER CONFIGURATION

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service internal
!
hostname Cisco1751
!
aaa new-model
aaa authentication login userlist local
aaa authorization network hw-client-groupname local
aaa session-id common
enable password cisco
username cisco password 0 cisco
memory-size iomem 15
clock timezone - 0 6
ip subnet-zero
no ip source-route
ip domain-name cisco.com
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group hw-client-groupname
 key hw-client-password
 dns 30.30.30.10 30.30.30.11
 wins 30.30.30.12 30.30.30.13
 domain cisco.com
 pool dynpool
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
crypto map dynmap client authentication list userlist
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
interface Ethernet0/0
 description connected to INTERNET
 ip address 20.20.20.2 255.255.255.0
 half-duplex
 no cdp enable
 crypto map dynmap
!
interface FastEthernet0/0
 description connected to HQ LAN
 ip address 30.30.30.1 255.255.255.0
 speed auto
 no cdp enable
!
ip local pool dynpool 30.30.30.20 30.30.30.30
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0/0
no ip http server
ip pim bidir-enable
!
line con 0
line aux 0
line vty 0 4
 password cisco
!
end

VERIFYING THE RESULTS

This section provides information that can be used to confirm that the configuration is working properly.

Verifying the Cisco 831 Status

Cisco831#clear cryp ips cli ez
Cisco831#clear cryp sa
Cisco831#clear cryp isa
Current State: XAUTH_REQ
Last Event: XAUTH_REQUEST
Cisco831#
Cisco831#crypto ipsec client ezvpn xauth
Username: : cisco
Password: : cisco
Current State: XAUTH_REPLIED
Last Event: XAUTH_REQ_INFO_READY
Current State: READY
Last Event: CONN_DOWN
Current State: XAUTH_REQ
Last Event: XAUTH_REQUEST
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 30.30.30.2
Mask: 255.255.255.255
DNS Primary: 30.30.30.10
DNS Secondary: 30.30.30.11
NBMS/WINS Primary: 30.30.30.12
NBMS/WINS Secondary: 30.30.30.13
Default Domain: cisco.com

Cisco831#show crypto ipsec sa
interface: Ethernet1
    Crypto map tag: Ethernet1-head-0, local addr. 20.20.20.1

   local  ident (addr/mask/prot/port): (30.30.30.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 20.20.20.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest 26
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 20.20.20.1, remote crypto endpt.: 20.20.20.2
     path mtu 1500, media mtu 1500
     current outbound spi: 7C1E9826

     inbound esp sas:
      spi: 0x54C859CF(1422416335)
        transform: esp-3des esp-sha-hmac,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4607999/3404)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7C1E9826(2082379814)
        transform: esp-3des esp-sha-hmac,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: Ethernet1-head-0
        sa timing: remaining key lifetime (k/sec): (4607996/3395)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Verifying the Cisco 1751 Status

Cisco1751#show crypto ipsec sa
interface: Ethernet0/0
    Crypto map tag: dynmap, local addr. 20.20.20.2

   protected vrf:
   local  ident (addr/mask/prot/port): (30.30.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (30.30.30.20/255.255.255.255/0/0)
   current_peer: 20.20.20.1:500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 20.20.20.2, remote crypto endpt.: 20.20.20.1
     path mtu 1500, media mtu 1500
     current outbound spi: 239C766E

     inbound esp sas:
      spi: 0xE89E6649(3902694985)
        transform: esp-3des esp-sha-hmac,
        in use settings ={Tunnel, }
        slot: 0, conn id: 200, flow_id: 1, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4458452/3335)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x239C766E(597456494)
        transform: esp-3des esp-sha-hmac,
        in use settings ={Tunnel, }
        slot: 0, conn id: 201, flow_id: 2, crypto map: dynmap
        sa timing: remaining key lifetime (k/sec): (4458454/3335)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

Cisco1751#show crypto isakmp sa
dst             src             state          conn-id    slot
20.20.20.2      20.20.20.1      QM_IDLE              1       0
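As an added verification example (not part of the original Cisco document), the following Python script parses show crypto ipsec sa output and checks it against the client-mode design described above: the peer must be the Easy VPN server, the local identity the pushed /32 address, the remote identity any (all traffic goes to the hub), and both ESP SAs must use the configured transform-set in tunnel mode with replay detection. The sample output is constructed from the Cisco 831 output shown above; the peer and transform-set expectations are taken from the sample configuration.

```python
import re
# Constructed sample abbreviated from the Cisco 831 "show crypto ipsec sa" output in this document.
SAMPLE_SA = """\
   local  ident (addr/mask/prot/port): (30.30.30.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 20.20.20.2
     inbound esp sas:
        transform: esp-3des esp-sha-hmac,
        in use settings ={Tunnel, }
        replay detection support: Y
     outbound esp sas:
        transform: esp-3des esp-sha-hmac,
        in use settings ={Tunnel, }
        replay detection support: Y
"""
# Expectations taken from the sample configuration: the server address and the transform-set.
EXPECTED = {"peer": "20.20.20.2", "transform": "esp-3des esp-sha-hmac"}

def _grab(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_ipsec_sa(text):
    # The peer may carry a ":500" port suffix on the server side, as in the Cisco 1751 output.
    sa = {
        "peer": (_grab(r"current_peer: (\S+)", text) or "").split(":")[0],
        "local_ident": _grab(r"local\s+ident .*?: \(([^/]+/[^/]+)/", text),
        "remote_ident": _grab(r"remote ident .*?: \(([^/]+/[^/]+)/", text),
        "sas": {},
    }
    # Each "<direction> esp sas:" block runs until the next "... sas:" heading or end of text.
    for d, body in re.findall(r"(inbound|outbound) esp sas:(.*?)(?=\n\s*\w+ (?:esp|ah|pcp) sas:|\Z)", text, re.S):
        sa["sas"][d] = {
            "transform": _grab(r"transform: (.+?)\s*,", body),
            "mode": _grab(r"settings =\{(\w+)", body),
            "replay": _grab(r"replay detection support: (\w)", body),
        }
    return sa

def audit_ipsec_sa(sa, expected):
    # Returns findings where the SA disagrees with the client-mode design; [] means it matches.
    findings = []
    if sa["peer"] != expected["peer"]:
        findings.append("peer %s is not the Easy VPN server" % sa["peer"])
    # Client mode: the local proxy identity is the single mode-config address pushed by the server.
    if not (sa["local_ident"] or "").endswith("/255.255.255.255"):
        findings.append("local ident %s is not the pushed /32" % sa["local_ident"])
    # All traffic, Internet included, is sent to the hub, so the remote proxy identity must be any.
    if sa["remote_ident"] != "0.0.0.0/0.0.0.0":
        findings.append("remote ident %s does not send all traffic to the hub" % sa["remote_ident"])
    for d in ("inbound", "outbound"):
        esp = sa["sas"].get(d)
        if esp is None:
            findings.append("no %s ESP SA: phase 2 has not completed" % d)
        elif esp["transform"] != expected["transform"] or esp["mode"] != "Tunnel":
            findings.append("%s SA is not %s in tunnel mode" % (d, expected["transform"]))
        elif esp["replay"] != "Y":
            findings.append("%s SA has replay detection disabled" % d)
    return findings
```

Run it on the saved output of show crypto ipsec sa from the Easy VPN Client; an empty findings list means the tunnel matches the design in this document, and each entry names the first thing to fix.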

Cisco1751#show crypto engine connections active
  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   1 Ethernet0/0     20.20.20.2      set    HMAC_SHA+3DES_56_C        0        0
 200 Ethernet0/0     20.20.20.2      set    HMAC_SHA+3DES_56_C        0      538
 201 Ethernet0/0     20.20.20.2      set    HMAC_SHA+3DES_56_C      133        0

TROUBLESHOOTING THE CONFIGURATION

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which analyzes show command output.

Note: Before issuing debug commands, see Important Information about Debug Commands.

- debug crypto isakmp: Displays errors during Phase 1.
- debug crypto ipsec: Displays errors during Phase 2.
- debug crypto engine: Displays information from the crypto engine.
- debug ip <your routing protocol>: Displays information about routing transactions of the routing protocol.
- clear crypto connection connection-id [slot | rsm | vip]: Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. Use the show crypto cisco connections command to see the connection-id value.
- clear crypto isakmp: Clears the Phase 1 security associations.
- clear crypto sa: Clears the Phase 2 security associations.

RELATED INFORMATION

- IPsec Support Page
- An Introduction to IP Security (IPsec) Encryption
- Cisco VPN Client Feature
- Cisco IOS Easy VPN Server
- Configuring IPSec Network Security
- Configuring Internet Key Exchange Security Protocol
- Command Lookup Tool (registered customers only)
- Technical Support - Cisco Systems
