Server (7 steps)
1. AAA – authorization list that maps the client group to its attributes.
2. Pool for the client – addresses handed to clients through MODECFG.
3. Phase 1 – ISAKMP policy plus the client configuration group (group name, key, pool).
4. Phase 2 – IPsec transform set.
5. Crypto dynamic map – for clients whose addresses are learned dynamically; the transform set is pushed to the client.
6. Crypto map – references the dynamic map, the AAA authorization list and the address-respond setting.
7. Apply the crypto map to the outside interface.
Client
1. Group name – will be used to talk to the server; the group name and key must match the client configuration group defined on the server.
The Cisco Easy VPN feature, also known as EzVPN, eases IPSec configuration by allowing an almost no-touch configuration of the IPSec client.
EzVPN uses the Unity client protocol, which allows most IPSec VPN parameters to be defined at an IPSec gateway, which is also the EzVPN server. When an EzVPN client initiates an IPSec tunnel connection, the EzVPN server pushes the IPSec policies and other attributes required to form the IPSec tunnel to the EzVPN client and creates the corresponding IPSec tunnel connection. The tunnel on the EzVPN client can be initiated automatically or manually, or it could be traffic triggered, depending on the configuration or type of EzVPN client used. Minimal configuration is required at the EzVPN client. EzVPN provides the following general functions in order to simplify the configuration process:
Negotiating tunnel parameters— This is done with encryption algorithms, SA lifetimes, and so on.
User authentication— This entails validating user credentials by way of XAUTH.
Automatic configuration— Performed by pushing attributes such as IP address, DNS, WINS, and so on, using MODECFG.
The term EzVPN client is used for both Cisco Unity VPN clients, called EzVPN software clients, and the Unity client protocol running on smaller Cisco routers like the 800, 1700, and 2600 series, commonly referred to as EzVPN hardware clients.
! --- Server ---
aaa new-model
aaa authorization network AUTH local
ip local pool ezp 18.104.22.168 22.214.171.124
crypto isakmp policy 10
 ! policy body is not on the page: 3DES, pre-shared keys and DH group 2 assumed
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group ezc
 ! key matches the client's "group ezc key"; pool is the pool from step 2
 key cciesec
 pool ezp
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
crypto dynamic-map dmap 10
 set transform-set t-set
crypto map cmap isakmp authorization list AUTH
crypto map cmap client configuration address respond
crypto map cmap 10 ipsec-isakmp dynamic dmap
! apply to the outside interface (interface name not given on the page)
interface <outside>
 crypto map cmap
! --- Client (Easy VPN Remote) ---
crypto ipsec client ezvpn ez
 group ezc key cciesec
 ! peer is required; the server address is not given on the page
 peer <server-address>
interface Loopback0
 crypto ipsec client ezvpn ez inside
! outside interface name not given on the page
interface <outside>
 crypto ipsec client ezvpn ez outside
Q. Why is a default route pushed down to the Cisco Easy VPN Remote after the VPN tunnel is up?
A. With no split tunneling, all traffic must be encrypted and sent over the tunnel. Because a VTI uses routing to decide which traffic is encrypted, a default route pointing into the tunnel has to be installed whenever split tunneling is not in use. Cisco Easy VPN installs that default route with a metric (administrative distance) of 1, so any default route configured on the Easy VPN Remote must have a value greater than 1; only then does the default route installed by the Cisco Easy VPN Server take precedence over the configured one.
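As an added example, not code from the page or from Cisco, the following Python script lints the server configuration above and an Easy VPN Remote configuration for the two points a reviewer would check: weak Phase 1 and Phase 2 algorithms (the page's esp-3des/esp-md5-hmac transform set and a 3DES/DH group 2 policy are flagged, and an ISAKMP policy with no body is evaluated against the IOS defaults of DES, RSA-sig and DH group 1), and any static default route on the Remote whose administrative distance does not exceed the value 1 that Easy VPN uses for the pushed default route. The embedded configurations are constructed for the example; the ISAKMP policy body, the Remote's static routes and the 203.0.113.x next hops are assumptions, as are the severity labels.

```python
"""Lint Cisco IOS Easy VPN server and remote configs (added example)."""

# Constructed sample: the page's server config with an assumed policy body.
SERVER_CONFIG = """\
aaa new-model
aaa authorization network AUTH local
ip local pool ezp 18.104.22.168 22.214.171.124
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group ezc
 key cciesec
 pool ezp
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
crypto dynamic-map dmap 10
 set transform-set t-set
crypto map cmap 10 ipsec-isakmp dynamic dmap
"""

# Constructed sample: a Remote whose first static default route (assumed next
# hop 203.0.113.1, default distance 1) ties with the pushed default route and
# therefore does not yield; the second (distance 5) yields as intended.
REMOTE_CONFIG = """\
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 203.0.113.2 5
ip route 10.0.0.0 255.0.0.0 203.0.113.1
crypto ipsec client ezvpn ez
 group ezc key cciesec
"""

WEAK_IPSEC_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null", "ah-md5-hmac"}
WEAK_ISAKMP_ENCR = {"des", "3des"}
WEAK_DH_GROUPS = {"1", "2", "5"}
# IOS defaults that apply when a policy line is omitted.
ISAKMP_DEFAULTS = {"encryption": "des", "authentication": "rsa-sig", "group": "1"}
EZVPN_DEFAULT_ROUTE_DISTANCE = 1  # value Easy VPN uses for the pushed 0.0.0.0/0


def iter_sections(config):
    """Yield (command, [sub-commands]) for IOS-style indented configuration."""
    command, subs = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            subs.append(raw.strip())
            continue
        if command is not None:
            yield command, subs
        command, subs = raw.strip(), []
    if command is not None:
        yield command, subs


def lint_server(config):
    """Return (severity, message) findings for an Easy VPN server config."""
    findings = []
    for command, subs in iter_sections(config):
        w = command.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            for alg in w[4:]:
                if alg in WEAK_IPSEC_ALGS:
                    findings.append(("HIGH", f"transform-set {w[3]} uses {alg}"))
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            policy = dict(ISAKMP_DEFAULTS)  # start from the IOS defaults
            for sub in subs:
                sw = sub.split()
                key = "encryption" if sw[0] in ("encr", "encryption") else sw[0]
                if key in policy:
                    policy[key] = sw[1]
            if policy["encryption"] in WEAK_ISAKMP_ENCR:
                findings.append(("HIGH", f"isakmp policy {w[3]} encryption {policy['encryption']}"))
            if policy["group"] in WEAK_DH_GROUPS:
                findings.append(("MEDIUM", f"isakmp policy {w[3]} DH group {policy['group']}"))
            if policy["authentication"] != "pre-share":
                findings.append(("INFO", f"isakmp policy {w[3]} authentication {policy['authentication']} "
                                         "(group-key clients need a pre-share policy)"))
        elif w[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            if any(sub.startswith("key ") for sub in subs):
                findings.append(("INFO", f"group {w[5]} carries a plaintext pre-shared key"))
    return findings


def conflicting_default_routes(config):
    """Return (target, distance) for static default routes on the Remote whose
    distance does not exceed the value Easy VPN uses for the pushed route."""
    out = []
    for command, _ in iter_sections(config):
        w = command.split()
        if w[:4] != ["ip", "route", "0.0.0.0", "0.0.0.0"]:
            continue
        rest = w[4:]
        for stop in ("name", "tag", "track", "permanent"):  # trailing options
            if stop in rest:
                rest = rest[:rest.index(stop)]
        has_distance = bool(rest) and rest[-1].isdigit()
        distance = int(rest[-1]) if has_distance else 1
        target = " ".join(rest[:-1] if has_distance else rest)
        if distance <= EZVPN_DEFAULT_ROUTE_DISTANCE:
            out.append((target, distance))
    return out


if __name__ == "__main__":
    for sev, msg in lint_server(SERVER_CONFIG):
        print(f"[{sev}] {msg}")
    for target, dist in conflicting_default_routes(REMOTE_CONFIG):
        print(f"[HIGH] static default via {target} (distance {dist}) will not yield to the Easy VPN route")
```

The distance parser treats the trailing integer of an ip route line as the administrative distance and stops at option keywords such as name or tag, which is enough for the forms used on a Remote; a static default with no explicit distance gets IOS's default of 1 and is reported as a conflict.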