Get Full Access to our 735 Cisco Lessons Now Start $1 Trial
You are here: Home » Security

Cisco IPsec Easy VPN Configuration

Cisco Easy VPN is a convenient method to allow remote users to connect to your network using IPsec VPN tunnels. The advantage of Easy VPN is that you don’t have to worry about all the IPSEC security details on the client side. Just configure the remote router, group name, username /password and you are ready to go. In this lesson I’ll show you how to configure Easy VPN on a Cisco IOS router and we’ll use the Cisco VPN client to setup the connection.

This is the topology that we’ll be using:

Cisco easy VPN demo topology

A single router configured for Easy VPN and a computer running Cisco’s VPN client software. Let’s start with the router configuration!

Router Configuration

First we need to enable AAA for authentication, authorization and accounting. We can use this for local authentication (usernames and passwords on the router) or use an external RADIUS server for this.

Be aware that once you enable AAA that your authentication settings of the console and VTY lines are now controlled by AAA. Make sure you don’t lock yourself out of the router or accidentally allow VPN users to access your router.

For simplicity, we’ll use local authentication.

VPN(config)#aaa authentication login default local
VPN(config)#aaa authentication login VPNUSER local
VPN(config)#aaa authorization exec default local
VPN(config)#aaa authorization network VPNGROUP local

The username will be “VPNUSER” and we will use a group called “VPNGROUP”. Let’s configure a password for this user:

VPN(config)#username VPNUSER password CISCO

Our next move is to configure the IKE policy. This is where you set parameters that are used at the IKE negotiation.

VPN(config)#crypto isakmp policy 1
VPN(config-isakmp)#authentication pre-share
VPN(config-isakmp)#encryption aes
VPN(config-isakmp)#group 2

We’ll use AES encryption and diffie hellman group 2. To keep it simple we’ll use a pre-shared key.

For the VPN group we’ll have to configure a number of items. First of all there’s a password but you can also specify some client specific parameters like a DNS server, WINS server, how many users are able to connect etc. Here’s how to do it:

VPN(config)#crypto isakmp client configuration group VPNGROUP
VPN(config-isakmp-group)#key 0 CISCO
VPN(config-isakmp-group)#dns 192.168.1.253
VPN(config-isakmp-group)#wins 192.168.1.253
VPN(config-isakmp-group)#pool VPNPOOL
VPN(config-isakmp-group)#max-users 10
VPN(config-isakmp-group)#netmask 255.255.255.0
VPN(config-isakmp-group)#domain NETWORKLESSONS.LOCAL

The VPN group will use “CISCO” as the password and IP address 192.168.1.253 for the DNS and WINS server. The pool name is called VPNPOOL and this is where we’ll specify the IP addresses for our VPN users:

VPN(config)#ip local pool VPNPOOL 192.168.2.100 192.168.2.200

I’m using subnet 192.168.2.100 for the VPN users. This is a different subnet as our LAN (192.168.1.0 /24).

The next step is to configure a transform-set. This is where we configure our phase 2 authentication and encryption settings:

VPN(config)#crypto ipsec transform-set TRANSFORMSET esp-aes esp-sha-hmac

The transform-set is called “TRANSFORMSET” and we will use AES encryption and SHA for data origin authentication and integrity protection. Now we’ll configure an ISAKMP profile for our VPN group:

VPN(config)#crypto isakmp profile ISAKMPPROFILE
VPN(conf-isa-prof)#match identity group VPNGROUP
VPN(conf-isa-prof)#client authentication list VPNUSER
VPN(conf-isa-prof)#isakmp authorization list VPNGROUP
VPN(conf-isa-prof)#client configuration address respond
VPN(conf-isa-prof)#virtual-template 1

And create a VPN profile that refers to the transform-set and ISAKMP profile that we just created:

VPN(config)#crypto ipsec profile VPNPROFILE
VPN(ipsec-profile)#set transform-set TRANSFORMSET
VPN(ipsec-profile)#set isakmp-profile ISAKMPPROFILE

Last but not least we’ll attach the configuration that we did to a virtual interface which receives the connections from the VPN clients. Instead of configuring an IP address on this interface we’ll tell it to use the IP address of the FastEthernet 0/1 (LAN) interface:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 735 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)
Give Membership a try - it's just $1 ►

512 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: , ,

Forum Replies

  1. Hello Hany.

    I have set up a site to site VPN using Easy VPN in a production environment.

    Easy VPN for a site to site VPN is created using Cisco Configuration Professional GUI for Cisco routers. You connect to both the VPN server and the VPN client routers individually and enter commands using the wizards provided. You can find out more about creating a site to site VPN with Easy VPN on CCP here.

    The configuration I implemented required a group of 7 PCs at a remote site to connect to internal network resources (finance server and internal email) at company hea

    ... Continue reading in our forum

  2. Hello Hany

    Here’s an excerpt from the client side VPN router, that is, the ADSL router at the remote site. Of course it has been sanitised…

    !
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 XXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
!
aaa session-id common
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26
    ... Continue reading in our forum

  3. Thanks Laz. very helpful

  5. Hello Dinesh.

    One thing you might want to look at is to see if it is a routing issue. What internal IP address is the host getting? If it can ping .73 which is on the NAT router, but not .74, it gives me the impression that .74 doesn’t know where to respond to the ping. That’s the first thing I would check.

    Take a look and let us know so that if needed, we can continue to help with the troubleshooting.

    I hope this has been helpful!

    Laz

22 more replies! Ask a question or join the discussion by visiting our Community Forum