
Cisco IPSec Easy VPN Server Configuration Guide

Introduction
The Cisco Easy VPN server allows a remote user to connect to the corporate network through an IPSec tunnel. Easy VPN servers can be deployed on a Cisco IOS router or an ASA appliance. To connect to the VPN server we use the Cisco VPN client software, which can be installed on a user's operating system. The Easy VPN feature minimizes the configuration required at the remote location: all of the configuration is kept on the VPN server, and the access policies are pushed to the client by the Cisco VPN server when the VPN tunnel is established.
This document will show you how to configure an Easy VPN server on a Cisco IOS router.
Network Diagram

Configuration Tasks
1. Enable AAA on the router.
2. Create a user account.
3. Configure the IKE policy.
4. Define the group policy information.
5. Configure the Phase 2 policy (IPSec transform-set).
6. Bind the IPSec configuration to a virtual interface.
Now we can go into detail and configure each task listed above.
1. Enabling AAA on the router
AAA is enabled using the 'aaa new-model' command. We can either define AAA locally on the router or point to an external TACACS+ or RADIUS server for authentication, authorization and accounting. AAA identifies the level of access granted to each user and monitors user activity to produce accounting information. In this example I am configuring AAA locally on the router.
Router(config)#aaa new-model
Router(config)#aaa authentication login default local
Router(config)#aaa authentication login VPN-USER-AUTH local
Router(config)#aaa authorization exec default local
Router(config)#aaa authorization network VPN-GROUP local

2. Creating User Account
Router(config)#username tony privilege 15 password mypassword
3. Configuring IKE Policy
Here we enter IKE policy configuration, where you specify the parameters used during the IKE negotiation, i.e. the Phase 1 policy negotiation.
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#encryption 3des
Router(config-isakmp)#group 2
4. Defining Group Policy information
We have to create a group and configure all the parameters that need to be pushed to the client as soon as it successfully authenticates to the group. The parameters defined in this example are:
Pre-shared key : The key used for authentication to the group.
DNS & WINS server : Users authenticating to this group will receive this DNS and WINS server IP.
Max-Users : Maximum number of users allowed to connect simultaneously.
Router(config)# crypto isakmp client configuration group vpngroup
Router(config-isakmp-group)# key 6 mysecurekey
Router(config-isakmp-group)# dns 10.0.0.10
Router(config-isakmp-group)# wins 10.0.0.10
Router(config-isakmp-group)# pool VPN-POOL-1
Router(config-isakmp-group)# max-users 20
Router(config-isakmp-group)# netmask 255.255.255.0
Router(config-isakmp-group)# domain tony.com

The pool contains the IP addresses handed out to the VPN clients as soon as they establish a connection to the VPN server. (Note: the pool should use a different subnet from your internal LAN.) Create the pool using the command below:
Router(config)#ip local pool VPN-POOL-1 192.168.1.1 192.168.1.20
5. Configure Phase 2 policy
a. IPSec Transform-set

The IPSec transform-set defines the algorithms used for data encryption and Phase 2 authentication; the actual data encryption happens in this phase. Create a transform-set using the command below:
Router(config)#crypto ipsec transform-set VPN-TRANSFORM-SET esp-3des esp-sha-hmac
Router(cfg-crypto-trans)#exit
b. Creating ISAKMP Profile
Create an ISAKMP profile that matches the client group (vpngroup) and specifies the authentication and authorization lists used by the profile.
Router(config)#crypto isakmp profile ISAKMP-PROFILE-1
Router(conf-isa-prof)#match identity group vpngroup
Router(conf-isa-prof)#client authentication list VPN-USER-AUTH
Router(conf-isa-prof)#isakmp authorization list VPN-GROUP
Router(conf-isa-prof)#client configuration address respond
Router(conf-isa-prof)#virtual-template 2

Now apply this transform-set to an IPSec profile named VPN-PROFILE and tie it to the ISAKMP profile:
Router(config)#crypto ipsec profile VPN-PROFILE
Router(ipsec-profile)#set transform-set VPN-TRANSFORM-SET
Router(ipsec-profile)#set isakmp-profile ISAKMP-PROFILE-1
6. Binding the configuration with a Virtual Interface
The last step is to bind all of the configuration to a virtual interface that will receive the incoming VPN client connections. The virtual interface should be unnumbered to a physical interface, usually the internal LAN interface.
Router(config)#interface virtual-template 2 type tunnel
Router(config-if)#ip unnumbered GigabitEthernet0/0
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel protection ipsec profile VPN-PROFILE
Easy VPN and NAT exemption
Now we need to exempt the VPN users from NAT. We need a 'no NAT' statement for the VPN traffic: if the traffic is destined to a VPN client, it must not be translated. The configuration below achieves this:
ip nat inside source list 120 interface GigabitEthernet0/1 overload (Gi0/1 is the Internet facing interface)
access-list 120 deny ip 10.0.0.0 0.255.255.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.255.255.255 any
Here access-list 120 is the NAT ACL: the deny entry excludes traffic from the local subnet (LAN subnet) to the VPN pool from translation, and the permit entry lets all other traffic from the LAN be translated.
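As an added example that is not part of the original guide, the Python below checks the two points a practitioner most often gets wrong here: it evaluates access-list 120 with IOS wildcard-mask semantics against constructed sample flows (showing why a deny in a NAT ACL means "do not translate" and why a subnet mask typed in place of a wildcard silently breaks the exemption), and it verifies the step 4 note that the pool must not overlap the LAN. The LAN prefix 10.0.0.0/8 is inferred from the ACL's wildcard 0.255.255.255; the host addresses are constructed.

```python
import ipaddress

# Constructed from the guide's NAT exemption: LAN 10.0.0.0/8 (wildcard 0.255.255.255)
# and the VPN pool 192.168.1.1-192.168.1.20 inside 192.168.1.0/24 (wildcard 0.0.0.255).
# Each entry: (action, src network, src wildcard, dst network, dst wildcard).
NAT_ACL_120 = [
    ("deny",   "10.0.0.0", "0.255.255.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "10.0.0.0", "0.255.255.255", "any",         None),
]

def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    This is the inverse of a subnet mask, so 255.255.255.0 here would be wrong."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def nat_decision(acl, src, dst):
    """First matching entry wins. In a NAT ACL, 'permit' means translate and
    'deny' means leave untranslated; a flow matching nothing is also not translated."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return "translate" if action == "permit" else "exempt"
    return "no-match"

def pool_overlaps_lan(pool_start, pool_end, lan_cidr):
    """Check the step 4 note: the client address pool must not live inside the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    first = int(ipaddress.IPv4Address(pool_start))
    last = int(ipaddress.IPv4Address(pool_end))
    return any(ipaddress.IPv4Address(i) in lan for i in range(first, last + 1))

if __name__ == "__main__":
    # Constructed sample flows from a LAN host (10.1.2.3).
    print(nat_decision(NAT_ACL_120, "10.1.2.3", "192.168.1.5"))  # exempt: LAN -> VPN client
    print(nat_decision(NAT_ACL_120, "10.1.2.3", "203.0.113.9"))  # translate: LAN -> Internet
    print(pool_overlaps_lan("192.168.1.1", "192.168.1.20", "10.0.0.0/8"))  # False
```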
That completes our Easy VPN server configuration. Now you can download and install the Cisco VPN client software on your operating system and configure it by referring to the screenshot below.

Host : Public IP address of the Easy VPN server
Group Authentication:
Name : 'group name'
Password : 'group password'
Save the configuration and click Connect to establish the VPN connection. You will be prompted for a username and password as shown below.

Enter the correct user credentials to establish the VPN connection to the Easy VPN server successfully from your computer.
Easy VPN and Zone Based Firewall
For more information about how to allow the Easy VPN server through a Zone Based Firewall, refer to Cisco's document Using IPSec VPN with Zone-Based Policy Firewall.
Verification and Troubleshooting of Easy VPN
Verification Command List:
show crypto ipsec sa
show crypto ipsec spi-lookup
show crypto isakmp profile
show crypto isakmp policy
show crypto isakmp sa
show crypto isakmp peers
show crypto engine connections active
Troubleshooting Command List:
debug crypto isakmp - Displays errors during Phase 1.
debug crypto ipsec - Displays errors during Phase 2.
debug crypto engine - Displays information from the crypto engine.
clear crypto connection connection-id [slot | rsm | vip] - Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. (Use the show crypto cisco connections command to see the connection-id value.)
clear crypto isakmp - Clears the Phase 1 security associations.
clear crypto sa - Clears the Phase 2 security associations.
For a more complete list of IPSec troubleshooting commands, visit http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
You can also find a configuration example of a Cisco IPSec site-to-site VPN at http://yadhutony.blogspot.in/2012/12/cisco-ipsec-site-to-site-vpn.html
