R1(config)#crypto map test 120 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R1(config-crypto-map)#match address 105
R1(config-crypto-map)#set peer 192.168.2.2
R1(config-crypto-map)#set transform-set 20
R1(config-crypto-map)#set security-association lifetime seconds 1800
R1(config-crypto-map)#set pfs group5
5. Apply Crypto map to Correct Interface
R1(config)#interface serial 0/0
R1(config-if)#crypto map test
*Mar 1 01:33:37.895: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1#show crypto isakmp policy
R1#show crypto ipsec sa
CONFIGURATION ON ROUTER2
SET ISAKMP POLICY ENABLE (SITE TO SITE VPN)
Enabling IKE
R2(config)#crypto isakmp enable
• IKE Phase 1
access-list 105 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
6. Create Crypto Map
R2(config)#crypto map test 120 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R2(config-crypto-map)#match address 105
R2(config-crypto-map)#set peer 192.168.2.1
R2(config-crypto-map)#set transform-set 20
R2(config-crypto-map)#set security-association lifetime seconds 1800
R2(config-crypto-map)#set pfs group5
7. Apply Crypto map to Correct Interface
R2(config)#interface serial 0/0
R2(config-if)#crypto map test
*Mar 1 01:33:37.895: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2#show crypto isakmp policy
R2#show crypto ipsec sa
REMOTE ACCESS VPN (IPSEC WITH CLIENT SOFTWARE)
Features in Easy VPN
Easy VPN Server Functionality
1. Mode configuration (MC) Support, IKE MC
2. Extended Authentication support (XAUTH)
3. Dead Peer Detection support
4. Split tunnel support
5. Initial contact
6. Group-based policy control
Task 1: Configure XAUTH
• Step 1 Enable AAA on Easy VPN Server
R2(config)#aaa new-model
• Step 2 Enable AAA Login authentication
R2(config)#aaa authentication login futureco-remote-access local
• Step 3 Set the Xauth timeout value
R2(config)#crypto isakmp xauth timeout 90
• Step 4 Enable IKE Xauth for dynamic crypto map
R2(config)#crypto map vpnremotes-map client authentication list futureco-remote-access

Task 2: Create an IP Address Pool
R2(config)#ip local pool futureco-remote-pool 192.168.30.101 192.168.30.200

Task 3: Configure Group Policy Lookup
R2(config)#aaa authorization network futureco-remote-access local

Task 4: Create an ISAKMP Policy for Remote VPN Client
R2(config)#crypto isakmp enable
R2(config)#crypto isakmp policy 101
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#exit

Task 5: Define a Group Policy for a MC Push
R2(config)#crypto isakmp client configuration group futureco-remote-access
R2(config-isakmp-group)#key cisco123
R2(config-isakmp-group)#dns 192.168.104.23
R2(config-isakmp-group)#domain futureco.com
R2(config-isakmp-group)#pool futureco-remote-pool

Task 6: Create Transform Set
R2(config)#crypto ipsec transform-set vpnremotes esp-3des esp-md5-hmac

Task 7: Create a Dynamic Crypto Map with RRI
• Step 1 Create a Dynamic crypto map
R2(config)#crypto dynamic-map vpnremotes-map 1
• Step 2 Assign a transform set to crypto map
R2(config-crypto-map)#set transform-set vpnremotes
• Step 3 Enable RRI
R2(config-crypto-map)#reverse-route

Task 8: Apply a MC to the Dynamic Crypto Map
• Step 1 Configure the Router to respond to MC requests
R2(config)#crypto map vpnremotes-map client configuration address respond
• Step 2 Enable IKE queries for group policy lookup
R2(config)#crypto map vpnremotes-map isakmp authorization list futureco-remote-access
• Step 3 Apply changes to dynamic crypto map
R2(config)#crypto map vpnremotes-map 1 ipsec-isakmp dynamic vpnremotes-map

Task 9: Apply a Dynamic Crypto Map to the Router Outside Interface
R2(config)#int s0/0
R2(config-if)#crypto map vpnremotes-map
R2(config)#username abc password abc

Task 10: Enable Dead Peer Detection
R2(config)#crypto isakmp keepalive 30 3
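
The tasks above select 3DES, MD5 and Diffie-Hellman groups 2 and 5, which are legacy choices. The following is an added example, not part of the original page or any Cisco tool: a small audit that scans pasted IOS commands for those settings. The rule list, the names SAMPLE, RULES and audit, and the suggested replacements are this example's own assumptions.

```python
import re

# Constructed sample: commands copied from the tasks on this page, prompts included.
SAMPLE = """\
R2(config)#crypto isakmp policy 101
R2(config-isakmp)#encryption 3des
R2(config-isakmp)#hash md5
R2(config-isakmp)#group 2
R2(config-isakmp)#authentication pre-share
R2(config)#crypto ipsec transform-set vpnremotes esp-3des esp-md5-hmac
R2(config-crypto-map)#set pfs group5
R2(config)#username abc password abc
R2(config)#crypto isakmp keepalive 30 3
"""

# Strips a leading IOS prompt such as "R2(config-isakmp)#" if one is present.
PROMPT = re.compile(r"^\s*[\w.-]+(?:\([\w-]+\))?[#>]\s*")

# Hypothetical rule set for this example: (pattern, finding).
RULES = [
    (re.compile(r"^encryption (?:des|3des)\b"), "legacy IKE cipher, prefer AES"),
    (re.compile(r"^hash md5\b"), "MD5 as IKE hash, prefer SHA-2"),
    (re.compile(r"^group (?:1|2|5)\b"), "IKE DH group below 2048 bits"),
    (re.compile(r"^set pfs group(?:1|2|5)\b"), "PFS DH group below 2048 bits"),
    (re.compile(r"^crypto ipsec transform-set \S+ .*\besp-(?:des|3des)\b"),
     "legacy ESP cipher, prefer AES"),
    (re.compile(r"^crypto ipsec transform-set \S+ .*\besp-md5-hmac\b"),
     "MD5 ESP integrity, prefer SHA-2"),
    (re.compile(r"^username \S+ password\b"),
     "local user uses 'password', not hashed 'secret'"),
]

def audit(config_text):
    """Return (line_number, command, finding) for every rule a line matches."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        command = PROMPT.sub("", raw).strip()
        for pattern, finding in RULES:
            if pattern.search(command):
                findings.append((number, command, finding))
    return findings

if __name__ == "__main__":
    for number, command, finding in audit(SAMPLE):
        print(f"line {number}: {command}  <- {finding}")
```
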