Cisco EZVPN Configuration

Configuring EasyVPN Between Cisco Routers

Site2Site IPSec VPN Tunnel with Cisco EasyVPN

Configuring EZVPN

Server (7 steps)
1. AAA – enable aaa new-model and define a network authorization list (used to hand the group policy to the client).
2. Pool for the client – the local address pool from which the remote receives its inside address.
3. Phase 1 – ISAKMP policy (encryption, hash, DH group, pre-shared authentication).
4. Phase 2 – IPsec transform set.
5. Crypto dynamic map – for clients whose peer address is learned dynamically. The client does not configure a transform set of its own; the transform set is negotiated with the client when the tunnel comes up.
6. Crypto map – a static map that references the dynamic map and binds the ISAKMP authorization list and client address assignment to it.
7. Apply the crypto map to the outside interface.

Client (2 steps)
1. Group name
2. Key
– Both must match the group and key configured on the server; they are what the client uses to authenticate to the server.

The Cisco Easy VPN feature, also known as EzVPN, eases IPSec configuration by allowing an almost no-touch configuration of the IPSec client.

EzVPN uses the Unity client protocol, which allows most IPSec VPN parameters to be defined at an IPSec gateway, which is also the EzVPN server. When an EzVPN client initiates an IPSec tunnel connection, the EzVPN server pushes the IPSec policies and other attributes required to form the IPSec tunnel to the EzVPN client and creates the corresponding IPSec tunnel connection. The tunnel on the EzVPN client can be initiated automatically or manually, or it could be traffic triggered, depending on the configuration or type of EzVPN client used. Minimal configuration is required at the EzVPN client. EzVPN provides the following general functions in order to simplify the configuration process:

Negotiating tunnel parameters— This covers encryption algorithms, SA lifetimes, and so on.
User authentication— This entails validating user credentials by way of XAUTH.
Automatic configuration— Performed by pushing attributes such as IP address, DNS, WINS, and so on, using MODECFG.
The term EzVPN client is used for both Cisco Unity VPN clients, called EzVPN software clients, and the Unity client protocol running on smaller Cisco routers like the 800, 1700, and 2600 series, commonly referred to as EzVPN hardware clients.


! Server (Easy VPN server / IPsec gateway)
aaa new-model
aaa authorization network AUTH local
!
! The original omits the pool's address range; 10.1.1.1-10.1.1.254 is an example value
ip local pool ezp 10.1.1.1 10.1.1.254
!
crypto isakmp client configuration group ezc
 key cciesec
 pool ezp
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 hash sha
 group 2
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto dynamic-map dmap 10
 set transform-set t-set
!
crypto map cmap isakmp authorization list AUTH
crypto map cmap client configuration address respond
crypto map cmap 10 ipsec-isakmp dynamic dmap
!
interface FastEthernet0/0
 crypto map cmap

! Remote (Easy VPN hardware client)
crypto ipsec client ezvpn ez
 connect auto
 group ezc key cciesec
 mode client
 ! The original omits the server address, which the profile requires; 192.0.2.1 is an example value
 peer 192.0.2.1
!
interface Loopback0
 crypto ipsec client ezvpn ez inside
!
interface GigabitEthernet1/0
 crypto ipsec client ezvpn ez outside
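The lab configuration above authenticates the remote with nothing more than the group pre-shared key (no XAUTH, so anyone holding the key can bring up a tunnel and receive a pool address) and negotiates 3DES, MD5 and DH group 2, all of which are deprecated. The following is an added example, not configuration from the original post, showing the same seven-step server with XAUTH enabled and current algorithms. The user name, password placeholder, pool range and interface name are assumed values; the group name, key and map names are kept from the post so the remote configuration above still matches, but the lab key should be replaced before use.

```cisco
! Added example: Easy VPN server with XAUTH and current-generation algorithms
aaa new-model
aaa authentication login XAUTH local
aaa authorization network AUTH local
!
! XAUTH user (assumed name; the secret is a placeholder to be replaced)
username ezuser secret ChangeMe-Example-Only
!
ip local pool ezp 10.1.1.1 10.1.1.254
!
crypto isakmp client configuration group ezc
 key cciesec
 pool ezp
!
! Phase 1: AES-256 / SHA-256 / DH group 14 instead of 3DES / SHA-1 / group 2
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Phase 2: AES-256 with SHA-256 HMAC instead of 3DES with MD5 HMAC
crypto ipsec transform-set t-set esp-aes 256 esp-sha256-hmac
!
crypto dynamic-map dmap 10
 set transform-set t-set
 ! Inject a route to the remote's pool address so the server's routing
 ! table knows where the assigned client address lives
 reverse-route
!
! XAUTH: the remote must supply a user name and password after the
! group key exchange succeeds
crypto map cmap client authentication list XAUTH
crypto map cmap isakmp authorization list AUTH
crypto map cmap client configuration address respond
crypto map cmap 10 ipsec-isakmp dynamic dmap
!
interface FastEthernet0/0
 crypto map cmap
```

With XAUTH enabled the hardware client does not complete the tunnel by itself; the remote logs a prompt and the credentials are supplied with `crypto ipsec client ezvpn xauth` from its exec prompt. On the server, `show crypto isakmp sa` and `show crypto ipsec sa` confirm Phase 1 and Phase 2, and `show crypto session` shows the XAUTH user name bound to the session; on the remote, `show crypto ipsec client ezvpn` shows the assigned address and pushed attributes.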

Q. Why is a default route pushed down to the Cisco Easy VPN Remote after the VPN tunnel is up?
A. With no split tunneling, all traffic has to be encrypted and sent over the tunnel. When the Easy VPN Remote is configured with a virtual tunnel interface (VTI), routing decides which traffic is encrypted, so a default route pointing at the virtual interface has to be installed whenever split tunneling is not in use. Cisco Easy VPN installs that default route with a metric value of 1. Any default route configured on the Easy VPN Remote therefore needs a metric value greater than 1, so that the default route installed by the Cisco Easy VPN Server takes precedence over the configured one while the tunnel is up; the configured route carries traffic again once the tunnel goes down and the pushed route is removed.
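The two sides of the Q&A above in configuration form, as an added example that is not part of the original post: a VTI-based remote whose own default route is given a value greater than 1 so the pushed route wins, and, on the server, a split-tunnel ACL in the group policy so that only the protected network is pushed as a route and no default route is installed on the remote at all. Addresses, the ACL number and the virtual-template number are assumed values; the group name and key are taken from the post's configuration.

```cisco
! Added example: Easy VPN Remote with a virtual tunnel interface and a
! fallback default route, plus split tunneling on the server
!
! --- Easy VPN Remote (VTI-based client) ---
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
crypto ipsec client ezvpn ez
 connect auto
 group ezc key cciesec
 mode client
 peer 192.0.2.1
 ! Bind the profile to the virtual template; the pushed default route
 ! (or split-tunnel routes) point at the resulting Virtual-Access interface
 virtual-interface 1
!
! Locally configured default route toward the ISP next hop (assumed
! 192.0.2.254). The trailing value on an IOS static route is its
! administrative distance, which is what the Q&A above calls the metric:
! with 5 here, the route installed by the Easy VPN server (value 1) takes
! precedence while the tunnel is up, and this route is used when it is down.
ip route 0.0.0.0 0.0.0.0 192.0.2.254 5
!
! --- Easy VPN Server: split tunneling ---
! Only traffic to 10.0.0.0/24 (the network behind the server) is sent
! through the tunnel; the remote keeps its own default route for
! everything else, and no default route is pushed.
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
!
crypto isakmp client configuration group ezc
 key cciesec
 pool ezp
 acl 101
```

After the tunnel comes up, `show ip route` on the remote shows either a default route or a 10.0.0.0/24 route via the Virtual-Access interface, depending on whether the server pushes the ACL; `show crypto ipsec client ezvpn` lists the split-tunnel networks received. Split tunneling is the more common production choice, but it means the remote's local network reaches the Internet directly, outside the inspection path on the server side, which is the trade-off to weigh against a pushed default route.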
