EZ VPN

Configuring EasyVPN Between Cisco Routers

Site2Site IPSec VPN Tunnel with Cisco EasyVPN

Configuring EZVPN

Server (7 Steps)
1. AAA –
2. Pool for the client –
3. Phase 1 – ISAKMP –
4. Phase 2 – IPsec transformset –
5. Crypto Dynamic map – For clients that will be learned dynamically. The transform set will be dynamically downloaded to the client.
6. Crypto Dynamic map
7. Apply to the interface

Client
1. Group name
2. Key
– Will be used to talk to the server.

http://www.ciscopress.com/articles/article.asp?p=421514&seqNum=3

The Cisco Easy VPN feature, also known as EzVPN, eases IPSec configuration by allowing an almost no-touch configuration of the IPSec client.

EzVPN uses the Unity client protocol, which allows most IPSec VPN parameters to be defined at an IPSec gateway, which is also the EzVPN server. When an EzVPN client initiates an IPSec tunnel connection, the EzVPN server pushes the IPSec policies and other attributes required to form the IPSec tunnel to the EzVPN client and creates the corresponding IPSec tunnel connection. The tunnel on the EzVPN client can be initiated automatically or manually, or it could be traffic triggered, depending on the configuration or type of EzVPN client used. Minimal configuration is required at the EzVPN client. EzVPN provides the following general functions in order to simplify the configuration process:

Negotiating tunnel parameters— This is done with encryption algorithms, SA lifetimes, and so on.
User authentication— This entails validating user credentials by way of XAUTH.
Automatic configuration— Performed by pushing attributes such as IP address, DNS, WINS, and so on, using MODECFG.
The term EzVPN client is used for both Cisco Unity VPN clients, called EzVPN software clients, and the Unity client protocol running on smaller Cisco routers like the 800, 1700, and 2600 series, commonly referred to as EzVPN hardware clients.

Configuration:

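! SERVER
! AAA: group authorization is looked up in the local configuration
aaa new-model
aaa authorization network AUTH local
!
! Address pool handed out to clients
ip local pool ezp 20.20.20.1 20.20.20.20
!
! Group policy: the group name and key the client presents, and its pool
crypto isakmp client configuration group ezc
 key cciesec
 pool ezp
!
! Phase 1 (ISAKMP) policy; 3DES and DH group 2 are legacy choices
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 hash sha
 group 2
!
! Phase 2 (IPsec) transform set; 3DES and MD5 are legacy choices
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
! Dynamic map for clients that are learned dynamically
crypto dynamic-map dmap 10
 set transform-set t-set
 reverse-route
!
! Crypto map: group authorization, address assignment, and the dynamic map
crypto map cmap isakmp authorization list AUTH
crypto map cmap client configuration address respond
crypto map cmap 10 ipsec-isakmp dynamic dmap
!
! Apply the crypto map to the interface
int f0/0
 crypto map cmap

! CLIENT
! Only the group name, key and server address are configured here
crypto ipsec client ezvpn ez
 group ezc key cciesec
 peer 123.0.0.1
 connect auto
 mode client
!
int loop 0
 crypto ipsec client ezvpn ez inside
!
int g1/0
 crypto ipsec client ezvpn ez outside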
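
An added example, not part of the original post: a small Python check that reads server-side lines like those in the configuration above and reports settings generally treated as legacy (DES/3DES, MD5, DH groups 1, 2 and 5), plus the absence of an XAUTH list on the crypto map. The function name audit_ezvpn and the lists of weak values are assumptions made for this example.

```python
# Constructed sample: selected server-side crypto lines from the configuration above.
SAMPLE = """\
crypto isakmp client configuration group ezc
key cciesec
!
crypto isakmp policy 10
encr 3des
hash sha
group 2
!
crypto ipsec transform-set t-set esp-3des esp-md5-hmac
!
crypto map cmap isakmp authorization list AUTH
crypto map cmap 10 ipsec-isakmp dynamic dmap
"""

# Assumption: values treated as legacy for this check; adjust to local policy.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
WEAK_POLICY = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def audit_ezvpn(config):
    """Return sorted [(line_no, finding)] for legacy crypto and missing XAUTH."""
    findings, section, group_line, xauth = [], None, None, False
    for no, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("!"):
            section = None                       # "!" closes the current block
        elif words[0] == "crypto":               # top-level command opens a new block
            section = None
            if words[1:3] == ["isakmp", "policy"]:
                section = "policy"
            elif words[1:5] == ["isakmp", "client", "configuration", "group"]:
                section, group_line = "group", no
            elif words[1:3] == ["ipsec", "transform-set"]:
                findings += [(no, f"legacy transform {t}") for t in words[4:] if t in WEAK_TRANSFORMS]
            elif words[1] == "map" and words[3:6] == ["client", "authentication", "list"]:
                xauth = True                     # XAUTH user authentication is enabled
        elif section == "policy":                # sub-command of an ISAKMP policy
            key = "encr" if words[0].startswith("encr") else words[0]
            if len(words) > 1 and words[1] in WEAK_POLICY.get(key, ()):
                findings.append((no, f"legacy IKE policy setting: {key} {words[1]}"))
    if group_line and not xauth:
        findings.append((group_line, "no XAUTH list on the crypto map; clients authenticate with the group key only"))
    return sorted(findings)

if __name__ == "__main__":
    for no, finding in audit_ezvpn(SAMPLE):
        print(f"line {no}: {finding}")
```
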
