Cisco IPSec Easy VPN Server Configuration Guide
Introduction
The Cisco Easy VPN server allows a remote user to connect to the corporate network over an IPSec
tunnel. Easy VPN servers can be deployed on a Cisco IOS router or an ASA appliance. To connect to
the VPN server we use the Cisco VPN client software, which can be installed on the user's operating
system. The Easy VPN feature minimizes the configuration required at the remote location: all of
the configuration is kept on the VPN server, and the access policies are pushed to the client when
the VPN tunnel is established.
• This document will show you how to configure an Easy VPN Server on a Cisco IOS Router.
Network Diagram
Configuration Tasks
1. Enable AAA on the router.
2. Create a user account.
3. Configure the IKE policy.
4. Define the group policy information.
5. Configure the Phase 2 policy (IPSec transform-set).
6. Bind the IPSec configuration to a virtual interface.
Now we can go into detail and configure each task listed above.
1. Enabling AAA on the router
AAA is enabled using the 'aaa new-model' command. We can either define AAA locally on the router
or point to an external TACACS+ or RADIUS server for authentication, authorization and accounting.
AAA identifies the level of access that has been granted to each user and monitors the user's
activity to produce accounting information. In this example I am configuring AAA locally on the
router.
Router(config)#aaa new-model
Router(config)#aaa authentication login default local
Router(config)#aaa authentication login VPN-USER-AUTH local
Router(config)#aaa authorization exec default local
Router(config)#aaa authorization network VPN-GROUP local
2. Creating a User Account
Router(config)#username tony privilege 15 password mypassword
3. Configuring the IKE Policy
Here we create the IKE policy, where you specify the parameters used during the IKE (Phase 1)
negotiation.
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#group 2
4. Defining the Group Policy information
We have to create a group and configure all the parameters that need to be pushed to the client as
soon as it successfully authenticates to the group. The parameters defined in this example are:
Pre-shared key : The key used for authentication to the group.
DNS & WINS server : Users authenticating to this group will get these DNS and WINS server IPs.
Max-Users : Maximum number of users allowed to connect simultaneously.
Router(config)# crypto isakmp client configuration group vpngroup
Router(config-isakmp-group)# key 6 mysecurekey
Router(config-isakmp-group)# dns 10.0.0.10
Router(config-isakmp-group)# wins 10.0.0.10
Router(config-isakmp-group)# pool VPN-PL-1
Router(config-isakmp-group)# max-users 20
Router(config-isakmp-group)# netmask 255.255.255.0
Router(config-isakmp-group)# domain tony.com
The pool contains the IP addresses distributed to the VPN clients as soon as they establish a
connection to the VPN server. (Note: the pool should use a different subnet from your internal
LAN.) Create the pool using the command below:
Router(config)#ip local pool VPN-PL-1 192.168.1.1 192.168.1.20
5. Configure the Phase 2 policy
a. IPSec Transform-set
The IPSec transform-set defines the data encryption and the Phase 2 authentication (integrity)
algorithms; the actual data encryption happens in this phase. Create a transform-set using the
command below:
Router(config)#crypto ipsec transform-set VPN-TRANSFORM-SET esp-3des esp-sha-hmac
Router(cfg-crypto-trans)#exit
b. Creating the ISAKMP Profile
Create an ISAKMP profile that matches the client group (vpngroup) and specifies the authentication
and authorization lists used by the profile.
Router(config)#crypto isakmp profile ISAKMP-PROFILE-1
Router(conf-isa-prof)#match identity group vpngroup
Router(conf-isa-prof)#client authentication list VPN-USER-AUTH
Router(conf-isa-prof)#isakmp authorization list VPN-GROUP
Router(conf-isa-prof)#client configuration address respond
Router(conf-isa-prof)#virtual-template 2
Now apply this transform-set and the ISAKMP profile to an IPSec profile named VPN-PROFILE:
Router(config)#crypto ipsec profile VPN-PROFILE
Router(ipsec-profile)#set transform-set VPN-TRANSFORM-SET
Router(ipsec-profile)#set isakmp-profile ISAKMP-PROFILE-1
6. Binding the configuration to a Virtual Interface
The last step is to bind all of the configuration to a virtual interface that will terminate the
incoming VPN client connections. The virtual interface should be unnumbered to a physical
interface, usually the internal LAN interface.
Router(config)#interface virtual-template 2 type tunnel
Router(config-if)#ip unnumbered GigabitEthernet0/0
Router(config-if)#tunnel mode ipsec ipv4
Router(config-if)#tunnel protection ipsec profile VPN-PROFILE
Easy VPN and NAT exemption
Now we need to exempt the VPN users from NAT. We need a 'no NAT' rule for the VPN traffic, meaning
that traffic destined for the VPN clients must not be translated. The configuration below achieves
this:
ip nat inside source list 120 interface GigabitEthernet0/1 overload (Gi0/1 is the Internet-facing
interface)
access-list 120 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
Here the deny entry of access-list 120 excludes traffic from the local LAN subnet to the VPN client
pool from translation, and the permit entry applies NAT to all other traffic.
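As an added example (not part of this guide), a Python check that a defender can run over a saved running-config before troubleshooting a tunnel that will not come up: it verifies that every name wired between the AAA lists, the client group pool, the ISAKMP and IPSec profiles, the virtual-template and the NAT access-list actually resolves, and that the NAT deny entry really covers the client pool. The sample configuration is constructed from the values used in this guide.

```python
import re
import ipaddress
# Constructed sample: this guide's Easy VPN building blocks as they would appear in 'show running-config'.
SAMPLE_CONFIG = """aaa authentication login VPN-USER-AUTH local
aaa authorization network VPN-GROUP local
ip local pool VPN-PL-1 192.168.1.1 192.168.1.20
crypto isakmp client configuration group vpngroup
 pool VPN-PL-1
crypto isakmp profile ISAKMP-PROFILE-1
 client authentication list VPN-USER-AUTH
 isakmp authorization list VPN-GROUP
 virtual-template 2
crypto ipsec transform-set VPN-TRANSFORM-SET esp-3des esp-sha-hmac
crypto ipsec profile VPN-PROFILE
 set transform-set VPN-TRANSFORM-SET
 set isakmp-profile ISAKMP-PROFILE-1
interface Virtual-Template2 type tunnel
 tunnel protection ipsec profile VPN-PROFILE
ip nat inside source list 120 interface GigabitEthernet0/1 overload
access-list 120 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
"""
LINKS = [  # (description, regex capturing a referenced name, regex capturing its definition)
    ("client authentication list", r"^ client authentication list (\S+)", r"^aaa authentication login (\S+)"),
    ("isakmp authorization list", r"^ isakmp authorization list (\S+)", r"^aaa authorization network (\S+)"),
    ("group pool", r"^ pool (\S+)", r"^ip local pool (\S+)"),
    ("set transform-set", r"^ set transform-set (\S+)", r"^crypto ipsec transform-set (\S+)"),
    ("set isakmp-profile", r"^ set isakmp-profile (\S+)", r"^crypto isakmp profile (\S+)"),
    ("tunnel protection", r"^ tunnel protection ipsec profile (\S+)", r"^crypto ipsec profile (\S+)"),
    ("virtual-template", r"^ virtual-template (\d+)", r"^interface Virtual-Template(\d+)"),
    ("ip nat inside source list", r"^ip nat inside source list (\d+)", r"^access-list (\d+)"),
]

def dangling_references(cfg):
    """Names one Easy VPN block uses that no other block defines: a classic reason the tunnel never comes up."""
    found = []
    for what, ref_re, def_re in LINKS:
        used, defined = (set(re.findall(r, cfg, re.M)) for r in (ref_re, def_re))
        found += [f"{what} references undefined '{n}'" for n in sorted(used - defined)]
    return found

def _wildcard_net(addr, wildcard):
    """IOS address/wildcard pair -> network (assumes a contiguous wildcard mask)."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def nat_exempts_pool(cfg):
    """True if a deny entry of the NAT ACL covers the whole client pool (LAN-to-VPN traffic stays untranslated)."""
    lo, hi = map(ipaddress.IPv4Address, re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M).groups())
    nets = [_wildcard_net(d, w) for d, w in re.findall(r"^access-list \d+ deny ip \S+ \S+ (\S+) (\S+)", cfg, re.M)]
    return any(lo in n and hi in n for n in nets)
```

Run `dangling_references(open("running-config.txt").read())` against a real export; an empty list plus `nat_exempts_pool(...) == True` means the six steps above and the NAT exemption are wired consistently.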
That completes the Easy VPN server configuration. Now you can download and install the Cisco VPN
client software on your operating system and configure it as shown in the screenshot below.
Host : Public IP address of the Easy VPN Server
Group Authentication:
Name : 'group name' (vpngroup in this example)
Password : 'group password' (the pre-shared key configured for the group)
Save the configuration and click Connect to establish the VPN connection. You will be prompted for a
username and password as shown below.
Enter the correct user credentials to establish the VPN connection successfully with the Easy VPN
server from your computer.
Easy VPN and Zone Based Firewall
For more information about how to allow the Easy VPN server through a Zone Based Firewall, refer to
"Using IPSec VPN with Zone-Based Policy Firewall".
Verification and Troubleshooting of Easy VPN
Verification Command List :
• show crypto ipsec sa
• show crypto ipsec spi-lookup
• show crypto isakmp profile
• show crypto isakmp policy
• show crypto isakmp sa
• show crypto isakmp peers
• show crypto engine connections active
Troubleshooting Command List :
• debug crypto isakmp - Displays errors during Phase 1.
• debug crypto ipsec - Displays errors during Phase 2.
• debug crypto engine - Displays information from the crypto engine.
• clear crypto connection connection-id [slot | rsm | vip] - Terminates an encrypted session
currently in progress. Encrypted sessions normally terminate when the session times out. (Use
the show crypto cisco connections command to see the connection-id value.)
• clear crypto isakmp - Clears the Phase 1 security associations.
• clear crypto sa - Clears the Phase 2 security associations.
For a more complete list of IPSec troubleshooting commands
visit http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
You can also find a configuration example of a Cisco IPSec site-to-site VPN at
http://yadhutony.blogspot.in/2012/12/cisco-ipsec-site-to-site-vpn.html